Sudo
Sudo 1.8.7
Run programs with security privileges of another user.   Free
What's New
Version 1.8.7:
  • The non-Unix group plugin is now supported when sudoers data is stored in LDAP.
  • Sudo now uses a workaround for a locale bug on Solaris 11.0 that prevents setuid programs like sudo from fully using locales.
  • User messages are now always displayed in the user's locale, even when the same message is being logged or mailed in a different locale.
  • Log files created by sudo now explicitly have the group set to group ID 0 rather than relying on BSD group semantics (which may not be the default).
  • A new exec_background sudoers option can be used to initially run the command without read access to the terminal when running a command in a pseudo-tty. If the command tries to read from the terminal it will be stopped by the kernel (via SIGTTIN or SIGTTOU) and sudo will immediately restart it as the foreground process (if possible). This allows sudo to only pass terminal input to the program if the program actually is expecting it. Unfortunately, a few poorly-behaved programs (like "su" on most Linux systems) do not handle SIGTTIN and SIGTTOU properly.
  • Sudo now uses an efficient group query to get all the groups for a user instead of iterating over every record in the group database on HP-UX and Solaris.
  • Sudo now produces better error messages when there is an error in the sudo.conf file.
  • Two new settings have been added to sudo.conf to give the admin better control of how group database queries are performed. The group_source specifies how the group list for a user will be determined. Legal values are static (use the kernel groups list), dynamic (perform a group database query) and adaptive (only perform a group database query if the kernel list is full). The max_groups setting specifies the maximum number of groups a user may belong to when performing a group database query.
  • The sudo.conf file now supports line continuation by using a backslash as the last character on the line.
  • There is now a standalone sudo.conf manual page.
  • Sudo now stores its libexec files in a sudo subdirectory instead of in libexec itself. For backwards compatibility, if the plugin is not found in the default plugin directory, sudo will check the parent directory if the default directory ends in /sudo.
  • The sudoers I/O logging plugin now logs the terminal size.
  • A new sudoers option maxseq can be used to limit the number of I/O log entries that are stored.
  • The system_group and group_file sudoers group provider plugins are now installed by default.
  • The list output (sudo -l) from the sudoers plugin is now less ambiguous when an entry includes different runas users. The long list output (sudo -ll) for file-based sudoers is now more consistent with the format of LDAP-based sudoers.
  • A uid may now be used in the sudoRunAsUser attributes for LDAP sudoers.
  • Minor plugin API change: the close and version functions are now optional. If the policy plugin does not provide a close function and the command is not being run in a new pseudo-tty, sudo may now execute the command directly instead of in a child process.
  • A new sudoers option pam_session can be used to disable sudo's PAM session support.
  • On HP-UX systems, sudo will now use the pstat() function to determine the tty instead of ttyname().
  • Turkish translation for sudo and sudoers from translationproject.org.
  • Dutch translation for sudo and sudoers from translationproject.org.
  • Tivoli Directory Server client libraries may now be used with HP-UX where libibmldap has a hidden dependency on libCsup.
  • The sudoers plugin will now ignore invalid domain names when checking netgroup membership. Most Linux systems use the string "(none)" for the NIS-style domain name instead of an empty string.
  • New support for specifying a SHA-2 digest along with the command in sudoers. Supported hash types are sha224, sha256, sha384 and sha512. See the description of Digest_Spec in the sudoers manual or the description of sudoCommand in the sudoers.ldap manual for details.
  • The paths to ldap.conf and ldap.secret may now be specified as arguments to the sudoers plugin in the sudo.conf file.
  • Fixed potential false positives in visudo's alias cycle detection.
  • Fixed a problem where the time stamp file was being treated as out of date on Linux systems where the change time on the pseudo-tty device node can change after it is allocated.
  • Sudo now only builds Position Independent Executables (PIE) by default on Linux systems and verifies that a trivial test program builds and runs.
  • On Solaris 11.1 and higher, sudo binaries will now have the ASLR tag enabled if supported by the linker.
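The SHA-2 digest support listed above, shown as an added example that is not code from the sudo project: shell functions that build a digest-pinned sudoers entry and later re-check the command on disk against the pinned value. The user alice, the function names and the throwaway sample file are assumptions.

```shell
#!/bin/sh
# Added example: pin a sudoers command to a SHA-256 digest and re-check it.
# Assumption: command paths contain no spaces.

# sha256_of FILE: hex digest, using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'    # OS X ships shasum
    fi
}

# digest_rule USER HOST CMD: emit a sudoers line in the Digest_Spec form,
# "USER HOST = sha256:<hex> /abs/path". CMD must be an absolute path.
digest_rule() {
    case $3 in /*) ;; *) echo "command must be an absolute path" >&2; return 2 ;; esac
    [ -f "$3" ] || { echo "no such file: $3" >&2; return 2; }
    printf '%s %s = sha256:%s %s\n' "$1" "$2" "$(sha256_of "$3")" "$3"
}

# rule_matches RULE: re-hash the command named in RULE and compare it with the
# pinned digest. Returns 0 on match, 1 if the file changed, 2 if unparsable.
rule_matches() {
    pinned=$(printf '%s\n' "$1" | sed -n 's/.*= *sha256:\([0-9a-fA-F]\{64\}\) .*/\1/p')
    cmd=$(printf '%s\n' "$1" | sed -n 's/.*= *sha256:[0-9a-fA-F]\{64\} \(\/[^ ]*\).*/\1/p')
    [ -n "$pinned" ] && [ -f "$cmd" ] || return 2
    [ "$(sha256_of "$cmd")" = "$(printf '%s' "$pinned" | tr 'A-F' 'a-f')" ]
}

# Constructed demo: pin a throwaway script, then change it on disk.
tool=$(mktemp)
printf 'echo v1\n' > "$tool"
rule=$(digest_rule alice ALL "$tool")
echo "$rule"
printf 'echo v2\n' > "$tool"
rule_matches "$rule" || echo "digest mismatch: $tool changed after it was pinned"
rm -f "$tool"
```

A generated line should be added with visudo so that its syntax is checked before the file is saved.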
Requirements
Intel, 64-bit processor, OS X 10.8 or later





Sudo User Discussion

+27
Stephenej commented on 30 Aug 2013
I would recommend doing the following fix more than replacing or altering permissions on sudo.

From command prompt:

If you have BBEdit:
bbedit /etc/sudoers
Or if you use TextWrangler:
edit /etc/sudoers

If you have neither:
sudo visudo

Add the following line to the Defaults (after the last one)
(Which should be Defaults env_keep += "HOME MAIL")
Defaults timestamp_timeout=0

Save it and now sudo will always prompt for a password.
[Version 1.8.7]
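
An added example, not part of the comment above and not code from the sudo project: a shell audit that reports whether a sudoers file really enforces timestamp_timeout=0, including per-user or per-host Defaults entries that would re-enable credential caching. The function names, the sample file and the one-line-entry parsing are assumptions.

```shell
#!/bin/sh
# Added example: audit a sudoers file for the timestamp_timeout setting.
# Simplified parser (assumption): one-line Defaults entries only; it does not
# follow #include directives or backslash line continuations.

# timeout_settings FILE: print "<scope> <value>" for each timestamp_timeout,
# in file order. scope is "global" or the scoped form, e.g. Defaults:alice.
timeout_settings() {
    awk '
        /^[ \t]*#/ { next }                          # comment line
        $1 == "Defaults" || $1 ~ /^Defaults[:@!>]/ {
            scope = ($1 == "Defaults") ? "global" : $1
            line = $0
            sub(/[ \t]+#.*$/, "", line)              # trailing comment
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)    # drop the Defaults word
            n = split(line, opt, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^timestamp_timeout[ \t]*=/) {
                    v = opt[i]
                    sub(/^[^=]*=[ \t]*/, "", v)
                    sub(/[ \t]+$/, "", v)
                    print scope, v
                }
        }' "$1"
}

# audit_timeout FILE: the last global value wins; a scoped entry overrides it
# for that user or host. Returns 0 only if sudo will prompt on every call.
audit_timeout() {
    timeout_settings "$1" | awk '
        $1 == "global" { g = $2; seen = 1; next }
        ($2 + 0) != 0  { scoped = scoped " " $1 }
        END {
            if (!seen)             msg = "WEAK: timestamp_timeout not set, default ticket lifetime applies"
            else if ((g + 0) != 0) msg = "WEAK: global timestamp_timeout=" g
            else if (scoped != "") msg = "WEAK: caching re-enabled by:" scoped
            else                   msg = "OK: password required on every sudo call"
            print msg
            exit (msg !~ /^OK/)
        }'
}

# Constructed sample: the line quoted in the comment above plus the added fix.
sample=$(mktemp)
printf '%s\n' 'Defaults env_keep += "HOME MAIL"' \
              'Defaults timestamp_timeout=0' > "$sample"
audit_timeout "$sample"      # prints the OK verdict
rm -f "$sample"
```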


+1

+852
Negritude commented on 29 Aug 2013
I just submitted a change to this entry so that it would become the official listing for sudo, and it has been approved.

Now, read this important article about a vulnerability in the out of date versions of sudo that are included with OS X:

http://arstechnica.com/security/2013/08/unpatched-mac-bug-gives-attackers-super-user-status-by-going-back-in-time/

Until Apple provides a security update, the easiest way to fix this is to install a copy of sudo using the links in this entry (or via a package manager such as MacPorts), and then overwrite the Apple included sudo binary so that it can't be invoked. If you use one of the package installers, the sudo binary will be placed in /usr/local/bin. After installing, to patch your system, enter at a terminal prompt:

/usr/local/bin/sudo chmod u+w /usr/bin/sudo

/usr/local/bin/sudo cp -p /usr/local/bin/sudo /usr/bin

/usr/local/bin/sudo chmod a-w,go-r /usr/bin/sudo

If you've installed sudo via MacPorts, then the commands would be:

/opt/local/bin/sudo chmod u+w /usr/bin/sudo

/opt/local/bin/sudo cp -p /opt/local/bin/sudo /usr/bin

/opt/local/bin/sudo chmod a-w,go-r /usr/bin/sudo

As I said, Apple will eventually provide an updated sudo binary, but to fix it right now, the system sudo needs to be replaced.
[Version 1.8.7]


-2

+852

Negritude reviewed on 13 Nov 2010
Is this some kind of joke? This is not the official sudo distribution!

You would have to be clinically insane to install some third-party build of such a critical piece of your security infrastructure!

The official sudo web site is here:

http://www.sudo.ws

If you absolutely must mess around and replace sudo on your machine, then download it from there only and build it yourself, or use MacPorts.

I can't even believe the insanity of this listing.
[Version 1.7.4p]

6 Replies

+1

+10
Berndsworld (developer) replied on 13 Nov 2010
It's a newer version of the sudo command. OS X comes with 1.7.0 and it freezes my machine all the time :( I got a bunch of idle threads and often ended up rebooting :(

So it was very annoying for me; that's the reason I compiled a newer version. Besides this, I decided to finally do it in 64-bit.

There is nothing insane about that, sorry. Developers can download and compile it themselves; users who need it once in a while might not be able to, and this is the target group for the files.

There is nothing hacked into it. If you want, I can mail you the tree I used (which btw is 1:1 the one from the website you pointed to).

Thx,
Bernd
+7

+143
Borlox commented on 13 Nov 2010
If sudo is freezing your machine, then there's something wrong with your machine or with the way you're using it. Replacing an important system binary with one from an unknown source is highly inadvisable.
+3

+852
Negritude replied on 14 Nov 2010
Users who don't even know how to build from source should not be messing with sudo. This is a solution that will lead to a problem.
+3

+162
Psychos replied on 14 Nov 2010
Sorry, but I have to agree with the above. Not sure why the original comment I'm replying to got voted down so much. This is an important piece of OS infrastructure that the average user should not be messing with. Unix-savvy users can compile their own upgraded sudo if they want to, from official source, Fink, or MacPorts. I do not believe it is a good idea for people to be installing 3rd party versions of integral components like sudo.

Now, I'm not completely against providing an upgraded version of sudo. However, the description should VERY clearly state that this is simply an updated version of sudo, compiled from newer official sources than what Apple currently provides, and state what major differences are present from the Apple-supplied version. The description here absolutely does not do so.
+1

+10
Berndsworld (developer) replied on 14 Nov 2010
I had the description in, so I don't know why it is not in. Also with links....

The Changelog is here: http://www.sudo.ws/sudo/changes.html


And to clear it up, it is the 64-bit version of the ORIGINAL source code without modifications!
+3

+680
sjk commented on 14 Nov 2010
.
> Users who don't even know how to build from source should not be messing with sudo.

And it can be easily built from source with MacPorts.
+5

+290
Cgc commented on 13 Nov 2010
How is this different than the SUDO command that's built-in to the Terminal and OSX? I'm a little leery of something like this...but maybe I'm overlooking something.
[Version 1.7.4p]

1 Reply

+9

+332
cksum replied on 13 Nov 2010
It's just a newer version. 10.6.5 ships with sudo 1.7.0.

But unless you really need to be bleeding edge (requiring a fix found only in the updated version), I'd advise general users to stay clear. Installing such a mission critical (and a potentially security breach) program from an untrusted source is not advisable.

Downloads: 1,974
Version Downloads: 456
Type: Utilities : System
License: Free
Date: 29 Aug 2013
Platform: Intel 64 / OS X
Price: Free

Sudo (su "do") allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis; it is not a replacement for the shell. Its features include:

The ability to restrict what commands a user may run on a per-host basis.

Sudo does copious logging of each command, providing a clear audit trail of who did what. When used in tandem with syslogd, the system log daemon, Sudo can log all commands to a central host (as well as on the local host). At CU, all admins use Sudo in lieu of a root shell to take advantage of this logging.

Sudo uses timestamp files to implement a "ticketing" system. When a user invokes Sudo and enters their password, they are granted a ticket for 5 minutes (this timeout is configurable at compile-time). Each subsequent Sudo command updates the ticket for another 5 minutes. This avoids the problem of leaving a root shell where others can physically get to your keyboard. There is also an easy way for a user to remove their ticket file, useful for placing in a .logout file.

Sudo's configuration file, the Sudoers file, is set up in such a way that the same Sudoers file may be used on many machines. This allows for central administration while keeping the flexibility to define a user's privileges on a per-host basis. Please see the sample Sudoers file below for a real-world example.

