Sudo
Why sudo 1.9.16 enables secure_path by default?
Sudo 1.9.16 is now out, containing mostly bug fixes. However, there are also some new features, like the json_compact option I wrote about a while ago. The other major change is that secure_path is now enabled by default in the sudoers file, and there is a new option to fine-tune its content. Before you begin: As usual, operating systems lag behind with sudo versions. If your OS does not have yet 1. ...
When it comes to sudo logging, pretty is not always better
Version 1.9.16 of sudo will introduce a new logging option: json_compact. This does not affect logging to syslog, only logging to files. Previously, sudo created human-readable JSON log files. With this new setting enabled, logs are no longer pretty but can be easily read by logging software. Before you begin: As I am writing this blog, version 1.9.16 is not yet released, not even a beta. For now, if you want to test this feature, you will have to compile sudo yourself from source. ...
More info with -ll in sudo 1.9.15
Version 1.9.15 of sudo gives more detailed information when using the -ll option. For commands, it adds the rule that allows it. Without a command parameter, it lists rules affecting a given user. It also prints which file contains the given rule, making debugging easier. Before you begin: Unless you are using a rolling Linux distribution, there is a good chance that sudo 1.9.15 is not yet available for your system. ...
The list pseudo-command
Version 1.9.13 of sudo adds the list pseudo-command. Previously, only root or a user with the ability to run any command as either root or the target user could list privileges. Using the list pseudo-command it is possible to list the privileges of another user without any additional privileges, thus tightening security even more. Before you begin: Unless you are using a rolling Linux distribution, there is a good chance that sudo 1. ...
Running sudo without updating cached credentials
One of the recurring questions at conferences was whether there is a way to check cached sudo credentials without updating them. Version 1.9.12 of sudo introduces the -N option which makes this possible, and also allows running any commands without updating the cached credentials. Before you begin: The -N option was introduced in sudo version 1.9.12. There is a good chance that your choice of operating system still has an older version of sudo. ...
Central configuration and session analytics for sudo
Sudo is one of the most used command line tools in the Linux / UNIX / macOS world. It gives users the ability to execute commands as another user. Most often it is used to gain root (administrator) privileges. Sudo was created when there were a small number of independent large systems. Some support for multiple hosts, central management and monitoring was later added to it. These tools do their jobs, however large enterprises require ease of use, reporting and monitoring. ...
Sudo 1.9.11: sub-command detection improved on Linux
Version 1.9.8 of sudo introduced support for logging and intercepting sub-commands. These features quickly became very popular. The original implementation is portable, however it also has a number of limitations. Version 1.9.11 of sudo introduced an alternative, Linux-specific, implementation that allows sudo to detect sub-commands in even more situations. Before you begin: Version 1.9.11 of sudo was released very recently. There is a good chance that your OS of choice still has an earlier version. ...
Looking inside sudo shell sessions: auditd, session recordings, log_subcmds
There are situations where you cannot avoid giving a user full shell access through sudo. A shell with administrative privileges gives complete control over your hosts. Until recently, sudo could only log the start of the shell, not the commands executed within it. You could record sessions with sudo, but watching recordings is boring, time consuming and can still be subverted. Version 1.9.8 introduced logging of sub-commands, but that is not yet available on many systems. ...
Sudo for blue teams: how to control and log better
Sudo had many features to help blue teams in their daily job even before 1.9 was released. Session recordings, plugins and others made sure that most administrative access could be controlled and problems easily detected. Version 1.9 introduced Python support, new APIs, centralized session recordings, however some blind spots still remained. Learn how some of the latest sudo features can help you to better control and log administrative access to your hosts. ...
Sudo 1.9.10: hiding passwords in session recordings
Session recording has been available in sudo for many years, however not many people are aware of it. Even less well-known is that you can save not just the terminal output, but also what the user types. That way you can analyze what the user is doing within a shell session. Recordings may also include user passwords, which is not always desirable. Version 1.9.10 of sudo allows you to hide passwords in session recordings if it recognizes a password entry. ...