After almost ten years, a new major version of sudo has been released. For many users, sudo is just a prefix for administrative commands. What changes justify a version number jump in such a simple utility?
Taking a closer look at sudo, you can see that even version 1.8 was much more than a simple tool to run applications as root. You could fine-tune the policy, control who can execute which commands, record and play back terminal I/O, and it has a plug-in-friendly architecture that enables you to extend its functionality.
Version 1.9 builds on this stable foundation and extends it with some major new features:
- Central session recording collection
- Audit plugin
- Approval plugin
- Python support for plugins
Before we learn a bit more about the new features, a quick word about stability. When I installed 1.9 on a test system, I forgot to remove a plugin I had compiled for sudo 1.8. It worked perfectly well with sudo 1.9 as well, even without recompiling it.
Session recording has been available in sudo for quite some time now. If you had to give shell access to your users instead of a limited set of sudo commands, you could still see what they were doing thanks to session recording. The problem is that with full shell access, it is easy to delete anything on the system, including the recordings. Now this loophole is closed with central session recording collection: anything that happens on the terminal is streamed live to a central server, so a user with shell access cannot simply delete the local recording afterwards.
The audit plugin does not provide any new user-visible features. It is an API to access log data generated by sudo. This can come in handy if you want to implement custom logging and alerting without using an external application.
The approval plugin allows you to create additional policy requirements without replacing the sudoers policy plugin. For example, an approval plugin could allow commands to be executed through sudo only during regular work hours.
The most interesting new feature of sudo 1.9 is Python support for the plugins. Python plugins use the same API as the C-based plugins but are a lot easier to develop and distribute. In an extreme case, you can even replace the policy plugin with a Python script. Here are just a few examples of things that are easy to do in Python but require a lot more effort in C:
- Logging and alerting to different cloud providers
- Checking a ticketing system for an open ticket before allowing the user to execute a command
- Monitoring terminal output for keywords and terminating sessions before sensitive information can appear on screen
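To make the approval plugin and the Python plugin support described above concrete, here is an added example (not code from the sudo project or from this post) of a Python approval plugin that only approves commands during business hours. It follows the sudo 1.9 Python plugin API as documented in sudo_plugin_python(8): the class derives from `sudo.Plugin`, sudo calls `check()` with the resolved command information, and the plugin rejects by raising `sudo.PluginReject`. The working-hours window, the install path in the comment, and the `BusinessHoursApprovalPlugin` name are assumptions made for the example; the `sudo` module only exists when sudo loads the plugin, so the decision logic is kept in plain functions that can be exercised outside sudo.

```python
from datetime import datetime

try:
    import sudo  # module injected by sudo when it loads the plugin
except ImportError:  # running outside sudo (e.g. unit tests): no sudo module
    sudo = None

# Assumed policy for this example: approve only Monday-Friday, 08:00-17:59.
BUSINESS_DAYS = range(0, 5)    # datetime.weekday(): Monday=0 ... Friday=4
BUSINESS_HOURS = range(8, 18)  # 08:00 up to, but not including, 18:00


def business_hours_violation(now):
    """Return a human-readable rejection reason, or None if `now` is
    inside the business-hours window defined above."""
    if now.weekday() not in BUSINESS_DAYS:
        return "sudo is not permitted on weekends"
    if now.hour not in BUSINESS_HOURS:
        return "sudo is not permitted outside 08:00-18:00"
    return None


def command_from_info(command_info):
    """Extract the resolved command path from sudo's command_info tuple.

    command_info is a tuple of "key=value" strings; the "command=" entry
    carries the full path of the command the policy plugin resolved.
    """
    for entry in command_info:
        if entry.startswith("command="):
            return entry[len("command="):]
    return "<unknown command>"


# Use sudo.Plugin as the base class inside sudo; fall back to object so the
# module still imports (and the helpers above stay testable) outside sudo.
_PluginBase = sudo.Plugin if sudo is not None else object


class BusinessHoursApprovalPlugin(_PluginBase):
    """Approval plugin: runs after the sudoers policy has already allowed
    the command, and can still veto it.

    Assumed deployment line for sudo.conf (path is an example, not a
    sudo default):
      Plugin python_approval python_plugin.so \
          ModulePath=/usr/local/libexec/sudo/business_hours.py \
          ClassName=BusinessHoursApprovalPlugin
    """

    def check(self, command_info, run_argv, run_env):
        command = command_from_info(command_info)
        reason = business_hours_violation(datetime.now())
        if reason is not None:
            # Logged through sudo so the rejection lands in the sudo log,
            # then the user sees the reason and the command does not run.
            sudo.log_error("rejecting %s: %s" % (command, reason))
            raise sudo.PluginReject(reason)
        sudo.log_info("approved %s" % command)
```

Because the decision is separated from the plugin glue, the time-window rule can be unit-tested with fixed timestamps before the plugin is ever installed, and the same structure extends naturally to the ticket-check case above: `business_hours_violation` would be replaced by a function that queries the ticketing system and returns a reason when no open ticket exists.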
Depending on which Linux distribution you use, you might already be using a pre-release version of sudo 1.9. For example, Fedora 31+ and openSUSE Tumbleweed both include sudo 1.9. If sudo 1.9 is not yet available on your platform, check the sudo website at https://www.sudo.ws/ to see if a package is available there. If not, you can easily build sudo yourself from source, as it has minimal dependencies.
If you are using sudo you can centralize the management and reporting on your sudoers files using One Identity’s plugin for Sudo, Privilege Manager for Sudo. To learn more about Privilege Manager for Sudo read our white paper: Sudo is cool but what if it could…?