TSL

sources/tech/20201028 5 new sudo features you need to know in 2020.md

@@ -1,133 +0,0 @@
-[#]: collector: (lujun9972)
-[#]: translator: (wxy)
-[#]: reviewer: ( )
-[#]: publisher: ( )
-[#]: url: ( )
-[#]: subject: (5 new sudo features you need to know in 2020)
-[#]: via: (https://opensource.com/article/20/10/sudo-19)
-[#]: author: (Peter Czanik https://opensource.com/users/czanik)
-
-5 new sudo features you need to know in 2020
-======
-From central session recording through chroot support to Python API,
-sudo 1.9 offers many new features.
-![Wratchet set tools][1]
-
-When you want to perform an action on a [POSIX system][2], one of the safest ways to do so is to use the sudo command. Unlike logging in as the root user and performing what could be a dangerous action, sudo grants any user [designated as a "sudoer"][3]  by the sysadmin temporary permission to perform a normally restricted activity.
-
-This system has helped keep Linux, Unix, and macOS systems safe from silly mistakes and malicious attacks for decades, and it is the default administrative mechanism on all major Linux distributions today.
-
-When it was released in May 2020, sudo 1.9 brought many new features, including central collection of session recordings, support for chroot within sudo, and a Python API. If you are surprised by any of these, read my article about some [lesser-known features of sudo][4].
-
-Sudo is a lot more than just a prefix for administrative commands. You can fine-tune permissions, record what is happening on the terminal, extend sudo using plugins, store configurations in LDAP, do extensive logging, and much more.
-
-Version 1.9.0 and subsequent minor releases added a variety of new features (which I'll describe below), including:
-
-  * A recording service to collect sudo session recordings centrally
-  * Audit plugin API
-  * Approval plugin API
-  * Python support for plugins
-  * Chroot and CWD support built into sudo (starting with 1.9.3)
-
-
-
-### Where to get sudo 1.9
-
-Most Linux distributions still package the previous generation of sudo (version 1.8), and it will stay that way in long-term support (LTS) releases for several years. The most complete sudo 1.9 package I am aware of in a Linux distribution is openSUSE [Tumbleweed][5], which is a rolling distro, and the sudo package has Python support available in a subpackage. Recent [Fedora][6] releases include sudo 1.9 but without Python. [FreeBSD Ports][7] has the latest sudo version available, and you can enable Python support if you build sudo yourself instead of using the package.
-
-If your favorite Linux distribution does not yet include sudo 1.9, check the [sudo binaries page][8] to see if a ready-to-use package is available for your system. This page also has packages for several commercial Unix variants.
-
-As usual, before you start experimenting with sudo settings, _make sure you know the root password_. Yes, even on Ubuntu. Having a temporary "backdoor" is important; without it, you would have to hack your own system if something goes wrong. And remember: a syntactically correct configuration does not mean that anybody can do anything through sudo on that system!
-
-### Recording service
-
-The recording service collects session recordings centrally. This offers many advantages compared to local session log storage:
-
-  * It is more convenient to search in one place instead of visiting individual machines for recordings
-  * Recordings are available even if the sending machine is down
-  * Recordings cannot be deleted by local users who want to cover their tracks
-
-
-
-For a quick test, you can send sessions through non-encrypted connections to the recording service. My blog contains [instructions][9] for setting it up in just a few minutes. For a production setup, I recommend using encryption. There are many possibilities, so read the [documentation][10] that best suits your environment.
-
-### Audit plugin API
-
-The new audit plugin API is not a user-visible feature. In other words, you cannot configure it from the sudoers file. It is an API, meaning that you can access audit information from plugins, including ones written in Python. You can use it in many different ways, like sending events from sudo directly to Elasticsearch or Logging-as-a-Service (LaaS) when something interesting happens. You can also use it for debugging and print otherwise difficult-to-access information to the screen in whatever format you like.
-
-Depending on how you want to use it, you can find its documentation in the sudo plugin manual page (for C) and the sudo Python plugin manual. [Sample Python code][11] is available in the sudo source code, and there is also a [simplified example][12] on my blog.
-
-### Approval plugin API
-
-The approval plugin API makes it possible to include extra restrictions before a command will execute. These will run only after the policy plugin succeeds, so you can effectively add additional policy layers without replacing the policy plugin and thus sudoers. Multiple approval plugins may be defined, and all must succeed for the command to execute.
-
-As with the audit plugin API, you can use it both from C and Python. The [sample Python code][13] documented on my blog is a good introduction to the API. Once you understand how it works, you can extend it to connect sudo to ticketing systems and approve sessions only with a related open ticket. You can also connect to an HR database so that only the engineer on duty can gain administrative privileges.
-
-### Python support for plugins
-
-Even though I am not a programmer, my favorite new sudo 1.9 feature is Python support for plugins. You can use most of the APIs available from C with Python as well. Luckily, sudo is not performance-sensitive, so the relatively slow speed of running Python code is not a problem for sudo. Using Python for extending sudo has many advantages:
-
-  * Easier, faster development
-  * No need to compile; code might even be distributed by configuration management
-  * Many APIs do not have ready-to-use C clients, but Python code is available
-
-
-
-In addition to the audit and approval plugin APIs, there are a few others available, and you can do very interesting things with them.
-
-By using the policy plugin API, you can replace the sudo policy engine. Note you will lose most sudo features, and there is no more sudoers-based configuration. This can still be useful in niche cases, but most of the time, it is better to keep using sudoers and create additional policies using the approval plugin API. If you want to give it a try, my [introduction to the Python plugin][14] provides a very simple policy: allowing only the `id` command. Once again, make sure you know the root password, as once this policy is enabled, it prevents any practical use of sudo.
-
-Using the I/O logs API, you can access input and output from user sessions. This means you can analyze what is happening in a session and even terminate it if you find something suspicious. This API has many possible uses, such as data-leak prevention. You can monitor the screen for keywords and, if any of them appear in the data stream, you can break the connection before the keyword can appear on the user's screen. Another possibility is checking what the user is typing and using that data to reconstruct the command line the user is entering. For example, if a user enters `rm -fr /`, you can disconnect the user even before Enter is hit.
-
-The group plugin API allows non-Unix group lookups. In a way, this is similar to the approval plugin API as it also extends the policy plugin. You can check if a user is part of a given group and act based on this in later parts of the configuration.
-
-### Chroot and CWD support
-
-The latest additions to sudo are chroot and change working directory (CWD) support. Neither option is enabled by default—you need to explicitly enable them in the sudoers file. When they're enabled, you can fine-tune target directories or allow users to specify which directory to use. The logs reflect when these settings were used.
-
-On most systems, chroot is available only to root. If one of your users needs chroot, you need to give them root access, which gives them a lot more power than just chroot. Alternately, you can allow access to the chroot command through sudo, but it still allows loopholes where they can gain full access. When you use sudo's built-in chroot support, you can easily restrict access to a single directory. You can also give users the flexibility to specify the root directory. Of course, this might lead to disasters (e.g., `sudo --chroot / -s`), but at least the event is logged.
-
-When you run a command through sudo, it sets the working directory to the current directory. This is the expected behavior, but there may be cases when the command needs to be run in a different directory. For example, I recall using an application that checked my privileges by checking whether my working directory was `/root`.
-
-### Try the new features
-
-I hope that this article inspires you to take a closer look at sudo 1.9. Central session recording is both more convenient and secure than storing session logs locally. Chroot and CWD support give you additional security and flexibility. And using Python to extend sudo makes it easy to custom-tailor sudo to your environment. You can try the new features by using one of the latest Linux distributions or the ready-to-use packages from the sudo website.
-
-If you want to learn more about sudo, here are a few resources:
-
-  * [Sudo website][15]
-  * [Sudo blog][16]
-  * [Sudo on Twitter][17]
-
-
-
---------------------------------------------------------------------------------
-
-via: https://opensource.com/article/20/10/sudo-19
-
-作者：[Peter Czanik][a]
-选题：[lujun9972][b]
-译者：[译者ID](https://github.com/译者ID)
-校对：[校对者ID](https://github.com/校对者ID)
-
-本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
-
-[a]: https://opensource.com/users/czanik
-[b]: https://github.com/lujun9972
-[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/tools_osyearbook2016_sysadmin_cc.png?itok=Y1AHCKI4 (Wratchet set tools)
-[2]: https://opensource.com/article/19/7/what-posix-richard-stallman-explains
-[3]: https://opensource.com/article/17/12/using-sudo-delegate
-[4]: https://opensource.com/article/19/10/know-about-sudo
-[5]: https://software.opensuse.org/distributions/tumbleweed
-[6]: https://getfedora.org/
-[7]: https://www.freebsd.org/ports/
-[8]: https://www.sudo.ws/download.html#binary
-[9]: https://blog.sudo.ws/posts/2020/03/whats-new-in-sudo-1.9-recording-service/
-[10]: https://www.sudo.ws/man/sudo_logsrvd.man.html#EXAMPLES
-[11]: https://github.com/sudo-project/sudo/blob/master/plugins/python/example_audit_plugin.py
-[12]: https://blog.sudo.ws/posts/2020/06/sudo-1.9-using-the-new-audit-api-from-python/
-[13]: https://blog.sudo.ws/posts/2020/08/sudo-1.9-using-the-new-approval-api-from-python/
-[14]: https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/
-[15]: https://www.sudo.ws/
-[16]: https://blog.sudo.ws/
-[17]: https://twitter.com/sudoproject

translated/tech/20201028 5 new sudo features you need to know in 2020.md

@@ -0,0 +1,126 @@
+[#]: collector: (lujun9972)
+[#]: translator: (wxy)
+[#]: reviewer: ( )
+[#]: publisher: ( )
+[#]: url: ( )
+[#]: subject: (5 new sudo features you need to know in 2020)
+[#]: via: (https://opensource.com/article/20/10/sudo-19)
+[#]: author: (Peter Czanik https://opensource.com/users/czanik)
+
+2020 年的 5 个 新 sudo 功能
+======
+
+> 从通过 chroot 支持集中会话录制到 Python API，sudo 1.9 提供了许多新功能。
+
+![Wratchet set tools][1] 。
+
+当你想在 [POSIX 系统][2]上执行一个操作时，最安全的方法之一就是使用 `sudo` 命令。与以 root 用户身份登录并执行命令可能是个危险的操作不同，`sudo` 授予任何被系统管理员[指定为 “sudoer”][3]的用户临时权限来执行通常受限制的活动。
+
+几十年来，这个系统帮助 Linux、Unix 和 macOS 系统免受愚蠢的错误和恶意攻击，它是当今所有主要 Linux 发行版的默认管理机制。
+
+当在 2020 年 5 月发布 sudo 1.9 时，它带来了许多新功能，包括集中收集会话记录，支持 `sudo` 内的 chroot，以及 Python API。如果你对其中的任何一项感到惊讶，请阅读我的文章，了解一些 [sudo 鲜为人知的功能][4]。
+
+`sudo` 不仅仅是一个管理命令的前缀。你可以微调权限，记录终端上发生的事情，使用插件扩展`sudo`，在 LDAP 中存储配置，进行广泛的日志记录，以及更多。
+
+1.9.0 版本和后续的小版本增加了各种新功能（我将在下面介绍），包括：
+
+  * 一个集中收集 `sudo` 会话记录的记录服务
+  * 审计插件 API
+  * 审批插件 API
+  * Python 对插件的支持
+  * `sudo` 内置 chroot 和 CWD 支持（从 1.9.3 开始）
+
+### 哪里可以得到 sudo 1.9？
+
+大多数的 Linux 发行版仍然封装了上一代的 `sudo`（1.8 版本），并且在长期支持（LTS）的发行版中会保持这种方式数年。据我所知，提供了最完整的 sudo 1.9 包的 Linux 发行版是 openSUSE[Tumbleweed][5]，它是一个滚动发行版，而且该 `sudo` 包的子包中有 Python 支持。最近的  [Fedora][6] 版本包含了 sudo 1.9，但没有 Python。[FreeBSD Ports][7] 有最新的 `sudo` 版本，如果你自己编译 `sudo` 而不是使用软件包，你可以启用 Python 支持。
+
+如果你喜欢的 Linux 发行版还没有包含 sudo 1.9，请查看 [sudo 二进制页面][8]来查看是否有现成的包可以用于你的系统。这个页面还提供了一些商用 Unix 变种的软件包。
+
+像往常一样，在你开始试验 `sudo` 设置之前，*确保你知道 root 密码*。是的，即使在 Ubuntu 上也是如此。有一个临时的“后门”是很重要的；如果没有这个后门，如果出了问题，你就必须得黑掉自己的系统。记住：语法正确的配置并不意味着任何人都可以在该系统上通过 `sudo` 做任何事情！
+
+### 记录服务
+
+记录服务可以集中收集会话记录。与本地会话记录存储相比，这有很多优势：
+
+  * 更方便地在一个地方进行搜索，而不是访问各个机器来寻找记录
+  * 即使在发送机器停机的情况下也可以进行记录
+  * 本地用户若想掩盖其轨迹，不能删除记录
+
+为了快速测试，你可以通过非加密连接向记录服务发送会话。我的博客中包含了[说明][9]，可以在几分钟内完成设置。对于生产环境，我建议使用加密连接。有很多可能性，所以阅读最适合你的环境的[文档][10]。
+
+### 审计插件 API
+
+新的审计插件 API 不是一个用户可见的功能。换句话说，你不能从 `sudoers` 文件中配置它。它是一个 API，意味着你可以从插件中访问审计信息，包括用 Python 编写的插件。你可以用很多不同的方式来使用它，比如当一些有趣的事情发生时，从 `sudo` 直接发送事件到 Elasticsearch 或日志即服务（LaaS）。你也可以用它来进行调试，并以任何你喜欢的格式将其他难以访问的信息打印到屏幕上。
+
+根据你使用它的方式，你可以在 `sudo` 插件手册页（针对 C 语言）和 `sudo` Python 插件手册中找到它的文档。在 `sudo` 源代码中可以找到 [Python 代码示例][11]，在我的博客上也有一个[简化的例子][12]。
+
+### 审批插件 API
+
+审批插件 API 可以在命令执行之前加入额外的限制。这些限制只有在策略插件成功后才会运行，因此你可以有效地添加额外的策略层，而无需更换策略插件，进而无需更换 `sudoers`。可以定义多个审批插件，而且所有插件都必须成功，命令才能执行。
+
+与审计插件 API 一样，你可以从 C 和 Python 中使用它。我博客上记录的[示例 Python 代码][13]是对该 API 的一个很好的介绍。一旦你理解了它是如何工作的，你就可以扩展它来连接 `sudo` 到工单系统，并且只批准有相关开放工单的会话。你也可以连接到人力资源数据库，这样只有当班的工程师才能获得管理权限。
+
+### Python 对插件的支持
+
+尽管我不是程序员，但我最喜欢的 sudo 1.9 新特性是 Python 对插件的支持。你可以用 Python 也能使用 C 语言调用大部分 API。幸运的是，`sudo` 对性能不敏感，所以运行速度相对较慢的 Python 代码对 `sudo` 来说不是问题。使用 Python 来扩展 `sudo` 有很多优势：
+
+  * 更简单、更快速的开发
+  * 不需要编译；甚至可以通过配置管理分发代码
+  * 许多 API 没有现成的 C 客户端，但有 Python 代码
+
+除了审计和审批插件 API 之外，还有一些其他的 API，你可以用它们做一些非常有趣的事情。
+
+通过使用策略插件 API，你可以取代 `sudo` 策略引擎。请注意，你将失去大部分的 `sudo` 功能，而且没有更多基于 `sudoers` 的配置。这在小众情况下还是很有用的，但大多数时候，最好还是继续使用 `sudoers`，并使用审批插件 API 创建额外的策略。如果你想尝试一下，我的 [Python 插件介绍][14]提供了一个非常简单的策略：只允许使用 `id` 命令。再次确认你知道 root 密码，因为一旦启用这个策略，它就会阻止任何实际使用 `sudo` 的行为。
+
+使用 I/O 日志 API，你可以访问用户会话的输入和输出。这意味着你可以分析会话中发生了什么，甚至在发现可疑情况时终止会话。这个 API 有很多可能的用途，比如防止数据泄露。你可以监控屏幕上的关键字，如果数据流中出现任何关键字，你可以在关键字出现在用户的屏幕上之前中断连接。另一种可能是检查用户正在输入的内容，并使用这些数据来重建用户正在输入的命令行。例如，如果用户输入 `rm -fr /`，你可以在按下回车键之前就断开用户的连接。
+
+组插件 API 允许非 Unix 组的查找。在某种程度上，这与审批插件 API 类似，因为它也扩展了策略插件。你可以检查一个用户是否属于一个给定的组，并在后面的配置部分基于此采取行动。
+
+### chroot 和 CWD 支持
+
+`sudo` 的最新功能是支持 chroot 和改变工作目录（CWD），这两个选项都不是默认启用的，你需要在 `sudoers` 文件中明确启用它们。当它们被启用时，你可以微调目标目录或允许用户指定使用哪个目录。日志反映了这些设置何时被使用。
+
+在大多数系统中，chroot 只对 root 用户开放。如果你的某个用户需要 chroot，你需要给他们 root 权限，这比仅仅给他们 chroot 权限要大得多。另外，你可以通过 `sudo` 允许访问 chroot 命令，但它仍然允许漏洞，他们可以获得完全的权限。当你使用 `sudo` 内置的 chroot 支持时，你可以轻松地限制对单个目录的访问。你也可以让用户灵活地指定根目录。当然，这可能会导致灾难（例如，`sudo --chroot / -s`），但至少事件会被记录下来。
+
+当你通过 `sudo` 运行一个命令时，它会将工作目录设置为当前目录。这是预期的行为，但可能有一些情况下，命令需要在不同的目录下运行。例如，我记得使用一个应用程序，它通过检查我的工作目录是否是 `/root` 来检查我的权限。
+
+### 尝试新功能
+
+希望这篇文章能启发你仔细研究一下 sudo 1.9。集中会话记录比在本地存储会话日志更加方便和安全。chroot 和 CWD 支持为你提供了额外的安全性和灵活性。而使用 Python 来扩展 `sudo`，可以很容易地根据你的环境来定制 `sudo`。你可以通过使用最新的 Linux 发行版或 `sudo` 网站上的即用型软件包来尝试这些新功能。
+
+如果你想了解更多关于 sudo 的信息，这里有一些资源：
+
+  * [Sudo 官网][15]
+  * [Sudo 博客][16]
+  * [Sudo on Twitter][17]
+
+--------------------------------------------------------------------------------
+
+via: https://opensource.com/article/20/10/sudo-19
+
+作者：[Peter Czanik][a]
+选题：[lujun9972][b]
+译者：[wxy](https://github.com/wxy)
+校对：[校对者ID](https://github.com/校对者ID)
+
+本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
+
+[a]: https://opensource.com/users/czanik
+[b]: https://github.com/lujun9972
+[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/tools_osyearbook2016_sysadmin_cc.png?itok=Y1AHCKI4 (Wratchet set tools)
+[2]: https://opensource.com/article/19/7/what-posix-richard-stallman-explains
+[3]: https://opensource.com/article/17/12/using-sudo-delegate
+[4]: https://opensource.com/article/19/10/know-about-sudo
+[5]: https://software.opensuse.org/distributions/tumbleweed
+[6]: https://getfedora.org/
+[7]: https://www.freebsd.org/ports/
+[8]: https://www.sudo.ws/download.html#binary
+[9]: https://blog.sudo.ws/posts/2020/03/whats-new-in-sudo-1.9-recording-service/
+[10]: https://www.sudo.ws/man/sudo_logsrvd.man.html#EXAMPLES
+[11]: https://github.com/sudo-project/sudo/blob/master/plugins/python/example_audit_plugin.py
+[12]: https://blog.sudo.ws/posts/2020/06/sudo-1.9-using-the-new-audit-api-from-python/
+[13]: https://blog.sudo.ws/posts/2020/08/sudo-1.9-using-the-new-approval-api-from-python/
+[14]: https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/
+[15]: https://www.sudo.ws/
+[16]: https://blog.sudo.ws/
+[17]: https://twitter.com/sudoproject