Control: tags -1 - patch

thanks

On Thu, Jun 04, 2026 at 06:00:50PM +0200, Marc Haber wrote:
> Now with sudo-ldap gone, I revisited the issue recently. It looks like
> sudo_sendlog and sudo_logsrvd are already linked against OpenSSL:
>
> $ ldd /usr/sbin/sudo_sendlog | grep -i ssl
>         libssl.so.3 => /usr/lib/x86_64-linux-gnu/libssl.so.3 (0x00007fef89645000)
> $ ldd /usr/sbin/sudo_logsrvd | grep -i ssl
>         libssl.so.3 => /usr/lib/x86_64-linux-gnu/libssl.so.3 (0x00007f50e6bd2000)
> $
>
> and I was able to verify that sudo_sendlog is actually talking encrypted
> to sudo_logsrvd.
>
> So we are already pulling in OpenSSL with the current package, right?

We are. libsasl2-dev depends on libssl-dev, and sudo automatically uses
--enable-openssl when it finds the development libs.

> I stumble a bit over the word "directly" in your bug report. I apologize
> for my ignorance. Is this entire bug report about linking the actual
> /usr/bin/sudo against OpenSSL so that sudo can send its logs directly to
> the log server without first writing a local log and without using
> sudo_sendlog?

Actually, this is already the case in our current packages in trixie,
forky and sid. The logging code is in sudoers.so, which IS already
linked against OpenSSL in trixie.

So, you should be able to have sudo directly log to a remote logsrvd
over OpenSSL. The ssl-enabled sudo and sudo_logsrvd are in the regular
sudo packages.

I therefore intend to close this bug report by the end of June 2026,
marking the issue as fixed in sudo 1.9.16p2-3+deb13u2. If you disagree
with my reasoning, please let me know.

Greetings
Marc

