Bug#1059896: sudo: Please add openssl support for sudo and sudo_logsrvd for secure transfer of sudo log files
On Wed, Jan 03, 2024 at 07:10:46PM +0100, Alexander Reichle-Schmehl wrote: > Yes, it is the daemon responsible to receive and store log files from > other hosts running sudo. As most people will need it, it makes sense > to split it of. However, if you do so, that package should IMHO use > ssl. Because I can't think of a scenario, were people would like to use > the log deamon, without using ssl. And here I think simplicity of > direct ssl usage wins over extra package stunnel. But that also brings us the burden of having OpenSSL in the sudo package. I shudder at that thought. I have written things up a bit in #1059924 just in case you want to chip in. Greetings Marc -- - Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany| lose things."Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
Bug#1059896: sudo: Please add openssl support for sudo and sudo_logsrvd for secure transfer of sudo log files
Hi Marc, * Marc Haber [240103 18:00]: > Would it be very unfriendly to indeed suggest using stunnel instead of > native SSL? Not at all, that's why I mentioned it in the first place ;) > What is a motivation to use sudo_logsrvd instead of normal > syslog? Well... Because sudo_logsrvd can do much more than regular syslog. With regular logs you get very basic informatio: Which user did run run which command as which other user. And if your user does stuff like "sudo /bin/bash" or "sudo su -" or so you will have trouble finding out what they did. If you are unlucky, you will even find an empty shell history. That's when sudo's input output logging comes in handy. If you set LOG_INPUT and LOG_OUTPUT, sudo will basically create a screen capture. You know the tool "script" to log the output of your console? It is similar. And for these io logs, the log_srvd comes in handy. Because if you want to store these logs at a central location, regular syslog won't do. That's why they came up with a dedicated server for sudo logs. And as these logs can contain confidential information, you want to transfer them via tls. Allthoug that is IMHO a pretty cool feature I grant you, that it is a limited use case, and is not a very common scenario. So if you don't want to add openssl to make me happy, I will happily provide configuration examples on how to archive the same thing via stunnel. With that in mind, coming back to: > I was not aware of sudo_logsrvd at all, since that's a daemon, it should > probably be in its own package (or disabled). Yes, it is the daemon responsible to receive and store log files from other hosts running sudo. As most people will need it, it makes sense to split it of. However, if you do so, that package should IMHO use ssl. Because I can't think of a scenario, were people would like to use the log deamon, without using ssl. And here I think simplicity of direct ssl usage wins over extra package stunnel. Best regards, Alexander
Bug#1059896: sudo: Please add openssl support for sudo and sudo_logsrvd for secure transfer of sudo log files
Hi Alexander, thanks for your patch. I am indeed reluctant to have OpenSSL added as a dependency to sudo. This might open a can of worms; other team members might give their opinion here as well. And since we just are working on getting rid of sudo-ldap, having a variant, sudo-ssl, would probably be too much as well. I was not aware of sudo_logsrvd at all, since that's a daemon, it should probably be in its own package (or disabled). Would it be very unfriendly to indeed suggest using stunnel instead of native SSL? What is a motivation to use sudo_logsrvd instead of normal syslog? Greetings Marc On Wed, Jan 03, 2024 at 09:49:37AM +0100, Alexander Reichle-Schmehl wrote: > From: Alexander Reichle-Schmehl > Subject: Bug#1059896: sudo: Please add openssl support for sudo and > sudo_logsrvd for secure transfer of sudo log files > To: Debian Bug Tracking System > Reply-To: Alexander Reichle-Schmehl , > 1059...@bugs.debian.org > Date: Wed, 03 Jan 2024 09:49:37 +0100 > X-Mailer: reportbug 7.10.3+deb11u1 > > Package: sudo > Version: 1.9.5p2-3+deb11u1 > Severity: wishlist > Tags: patch > > Dear Maintainer, > > sudo 1.9 introduced the functionality to directly send log files (especially > input/output logs) to a log server. As these logs might contain private data, > they should be transfered using ssl. Both sudo as well as sudo_logsrvd > support this, when the feature is enabled at compile time. > > I send merge request on salsa to add this functionality, and verified, that > it works for me. > > However, I should also point out, that an alternative approach would be to use > stunnel. If you prefer that instead of adding additional complexity to an > security critical package, would you consider adding a Readme file explaining > how that's doen? I use it for sudo an other distribution anyway, and could > write one for you, if you prefer it that way. > > > Best regards, > Alexander > > > > -- System Information: > Debian Release: 11.8 > APT prefers oldstable-security > APT policy: (500, 'oldstable-security'), (500, 'oldoldstable-updates'), > (500, 'oldstable') > Architecture: amd64 (x86_64) > > Kernel: Linux 5.10.0-26-cloud-amd64 (SMP w/2 CPU threads) > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), > LANGUAGE=en_US:en > Shell: /bin/sh linked to /bin/dash > Init: systemd (via /run/systemd/system) > LSM: AppArmor: enabled > > Versions of packages sudo depends on: > ii libaudit1 1:3.0-2 > ii libc6 2.31-13+deb11u7 > ii libpam-modules 1.4.0-9+deb11u1 > ii libpam0g1.4.0-9+deb11u1 > ii libselinux1 3.1-3 > ii lsb-base11.1.0 > ii zlib1g 1:1.2.11.dfsg-2+deb11u2 > > sudo recommends no packages. > > sudo suggests no packages. > > -- Configuration Files: > /etc/pam.d/sudo changed [not included] > /etc/sudoers [Errno 13] Permission denied: '/etc/sudoers' > /etc/sudoers.d/README [Errno 13] Permission denied: '/etc/sudoers.d/README' > > -- no debconf information
Bug#1059896: sudo: Please add openssl support for sudo and sudo_logsrvd for secure transfer of sudo log files
Package: sudo Version: 1.9.5p2-3+deb11u1 Severity: wishlist Tags: patch Dear Maintainer, sudo 1.9 introduced the functionality to directly send log files (especially input/output logs) to a log server. As these logs might contain private data, they should be transfered using ssl. Both sudo as well as sudo_logsrvd support this, when the feature is enabled at compile time. I send merge request on salsa to add this functionality, and verified, that it works for me. However, I should also point out, that an alternative approach would be to use stunnel. If you prefer that instead of adding additional complexity to an security critical package, would you consider adding a Readme file explaining how that's doen? I use it for sudo an other distribution anyway, and could write one for you, if you prefer it that way. Best regards, Alexander -- System Information: Debian Release: 11.8 APT prefers oldstable-security APT policy: (500, 'oldstable-security'), (500, 'oldoldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 5.10.0-26-cloud-amd64 (SMP w/2 CPU threads) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages sudo depends on: ii libaudit1 1:3.0-2 ii libc6 2.31-13+deb11u7 ii libpam-modules 1.4.0-9+deb11u1 ii libpam0g1.4.0-9+deb11u1 ii libselinux1 3.1-3 ii lsb-base11.1.0 ii zlib1g 1:1.2.11.dfsg-2+deb11u2 sudo recommends no packages. sudo suggests no packages. -- Configuration Files: /etc/pam.d/sudo changed [not included] /etc/sudoers [Errno 13] Permission denied: '/etc/sudoers' /etc/sudoers.d/README [Errno 13] Permission denied: '/etc/sudoers.d/README' -- no debconf information
