[unisog] sudowin 0.3.0-r139 released

Kutz, Schley Andrew a.kutz at its.utexas.edu
Sat Jan 6 20:15:59 GMT 2007


Over the last four days two new versions of sudowin have been released.
I hope you enjoy!

sudowin 0.3.0-r139
------------------

Not one to cool my heels, sudowin version 0.3.0-r139 has just hit the
mirrors.  Although this comes only 2 days after sudowin's last update,
this is no minor update.  This version includes the ability to restrict
sudo usage by IP address, IP ranges, and host names.  However, I did not
implement basic network notation syntax for this; I chose to stick with
regular expressions.  So 192.168.0.0/24 would be expressed as
192.16.8.0.[0-255].  This version also provides administrators the
ability to cache remote plugin data sources.  For example, the
Sudowin.Plugins.Authorization.Xml plugin uses an XML file as a data
source.  This XML file can be stored on a remote server accessible via
the HTTP protocol so that remote computers can access one central
sudoers data source.  However, what happens if this connection is cut
off?  Should users be stopped from sudoing?  Now you can cache remote
data locally to a specified cache file.  You can describe how long you
would like it cached, whether or not the cache should always be used --
only hitting up the originating source for updates, and if you should
use stale cached data if the originating data source cannot be
contacted.

Check it out at
http://sourceforge.net/project/showfiles.php?group_id=143653.


sudowin 0.2.0-r134
------------------

And there was dancing in the street and the masses once again knew peace
in their hearts for their fellow man.  Ah, the power of cheese.  So
what's new since the last version (0.1.1-r95) in June?  Well, there has
been a complete architectural redesign.  The state server that persisted
credentials between invocations has now been turned into a plugin so
that credentials can be stored anywhere; just write a plugin for it.
Speaking of plugins, writing them is much easier now as well since I
provide an IPlugin interface which anything can implement and become a
plugin.  There are currently 3 types of plugins that I respect:
authorization, authentication, and credentialcache.  A future plugin
type will most likely be executionhandler -- something to handle how
unique files such as MSI and CPL are executed so that you can write a
plugin to handle them in case the core server does not already.

I also listened to the feature requests posted on SourceForge and have
implemented an MD5 checksum capability so that you can restrict sudo
usage based on not just a command name, but also its checksum -- in
order to help protect against file tampering.  Additionally you can now
restrict sudo based on a command's argument list by adding a
Perl-compliant regular expression that sudo will check the command's
arguments against.

Anyway, the new version is up for download at
http://sourceforge.net/project/showfiles.php?group_id=143653.  I have
not updated the sudowin website yet with this news; I thought I would
announce it to the home crowd first.  Please let me know what you think!

What's in store for the next version?  Well, Vista includes an API that
will allow me to launch processes on behalf of others without their
password, just their logon token, while at the same time loading their
profile.  This will enable me to completely get rid of the callback
application necessary in XP, and will also mean that you will be able to
sudo an application without having to enter your password again.  This
is useful if there are certain batch jobs that need to run with elevated
privileges, but you don't want the account running them to have those
elevated privileges during the times that said jobs are not running.

-- 
-a

"Condensing fact from the vapor of nuance."

ITS at The University of Texas at Austin

name:	Schley Andrew Kutz, MCSD, GCWN, VCP-VI3
mail:	a.kutz at its.utexas.edu
work:	512.475.9246
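
Added example (not part of the original announcement and not sudowin code): because the address restrictions are regular expressions rather than network notation, a pattern can be checked against the network it is meant to cover before it goes into the sudoers data source. The function names and probe strings are constructed for illustration, only IPv4 /24 networks are handled, and Python's `re` with an unanchored search is an assumption standing in for however sudowin applies the pattern.

```python
import ipaddress
import re

# One octet, 0-255. Regexes have no numeric ranges, so it is spelled out.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"


def cidr24_to_regex(cidr):
    """Build an anchored regex for an IPv4 /24 (assumption: /24 only)."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("this example only handles IPv4 /24 networks")
    prefix = str(net.network_address).rsplit(".", 1)[0]
    # Escape the dots so they match a literal '.', and anchor both ends.
    return "^" + re.escape(prefix) + r"\." + OCTET + "$"


def audit(pattern, cidr):
    """Compare what `pattern` accepts with the addresses in `cidr`.

    Returns (missed, extra): addresses inside the network that the pattern
    rejects, and constructed outside probes that the pattern accepts.
    """
    net = ipaddress.ip_network(cidr)
    rx = re.compile(pattern)
    inside = [str(a) for a in net]
    missed = [a for a in inside if not rx.search(a)]
    first = int(net.network_address)
    probes = [
        str(ipaddress.ip_address(first - 1)),                  # network below
        str(ipaddress.ip_address(first + net.num_addresses)),  # network above
        inside[0].replace(".", "x", 1),  # first dot replaced by a letter
        "1" + inside[0],                 # extra leading digit
        inside[-1] + "0",                # extra trailing digit
    ]
    extra = [p for p in probes if rx.search(p)]
    return missed, extra


if __name__ == "__main__":
    naive = r"192.168.0.[0-255]"  # constructed: [0-255] is one char of 0,1,2,5
    for name, pat in (("naive", naive),
                      ("generated", cidr24_to_regex("192.168.0.0/24"))):
        missed, extra = audit(pat, "192.168.0.0/24")
        print(f"{name}: {pat}\n  missed={len(missed)} extra={extra}")
```
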


