
Extending sudo in Python

Formal Metadata

Title
Extending sudo in Python
Subtitle
Best of both worlds
Title of Series
Number of Parts
490
Author
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
From my talk you will learn about some lesser-known features of sudo, and how you can make your security more flexible by extending sudo using Python.

Everybody knows sudo, right? Sudo allows a system administrator to give certain users the ability to run some commands as root, while logging the executed commands and their arguments. It is installed by default on almost all Linux systems, and is available for most commercial UNIX systems. Sudo allows you to fine-tune access policies, record sessions, and do extensive logging. Still, even system administrators often only know it is the “prefix” to use before entering a command requiring root privileges, and don’t realize its true powers.

Did you know that with version 1.8 sudo changed to a plugin-based architecture? You can extend or even replace basic functionality through plugins. While plugins provide the ultimate flexibility – and there are both open source and commercial plugins for sudo available – it is not easy to extend sudo. This is why the Python plugin is on its way to sudo (and will be released before FOSDEM).

Sudo has a number of well-defined APIs for plugins (https://www.sudo.ws/man/sudo_plugin.man.html). The Python plugin builds on these APIs. For example, you can set your own policies using the policy API, or access what is happening on the screen using the I/O API (used by session recording).

Using Python for extending sudo makes development not just easier (no development environment necessary), but opens up many new possibilities. For example, you can develop a plugin which analyzes on-screen activity in real-time, and breaks the session if the infamous “rm -fr /” command appears on screen. As multiple I/O plugins can work in parallel, you do not have to give up session recording to analyze sessions in real-time from Python.
Transcript: English (auto-generated)