Session
Schedule FOSDEM 2020
Python

Extending sudo in Python

Best of both worlds
UB2.252A (Lameere)
Peter Czanik
From my talk you will learn about some lesser-known features of sudo, and how you can make your security more flexible by extending sudo using Python.

Everybody knows sudo, right? Sudo allows a system administrator to give certain users the ability to run some commands as root, while logging the executed commands and their arguments. It is installed by default on almost all Linux systems, and is available for most commercial UNIX systems. Sudo allows you to fine-tune access policies, record sessions, and do extensive logging. Still, even system administrators often only know it is the “prefix” to use before entering a command requiring root privileges, and don’t realize its true powers.

Did you know that with version 1.8 sudo changed to a plugin-based architecture? You can extend or even replace basic functionality through plugins. While plugins provide the ultimate flexibility – and there are both open source and commercial plugins for sudo available – it is not easy to extend sudo. This is why a Python plugin for sudo is under way (and will be released before FOSDEM).

Sudo has a number of well defined APIs for plugins (https://www.sudo.ws/man/sudo_plugin.man.html). The Python plugin builds on these APIs. For example, you can set your own policies using the policy API, or access what is happening on the screen using the I/O API (used by session recording).

Using Python to extend sudo not only makes development easier (no development environment necessary), but also opens up many new possibilities. For example, you can develop a plugin which analyzes on-screen activity in real time, and breaks the session if the infamous “rm -fr /” command appears on screen. As multiple I/O plugins can work in parallel, you do not have to give up session recording to analyze sessions in real time from Python.
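A sketch of the kind of I/O plugin described above, added here as an example and not taken from the talk or from the sudo project. The class name, pattern, buffer size and file path are assumptions; the fallback `sudo` class is a constructed stand-in so the detection logic can be run outside sudo.

```python
# rm_guard.py - added example of a sudo Python I/O plugin (not from the talk).
# Load it from sudo.conf (path is a placeholder):
#   Plugin python_io python_plugin.so ModulePath=/path/to/rm_guard.py ClassName=RmGuardIOPlugin
import re

try:
    import sudo  # provided by sudo's embedded interpreter only
except ImportError:
    class sudo:  # constructed stand-in so the logic can be exercised offline
        class Plugin:
            pass

        class RC:
            ACCEPT, REJECT = 1, 0

        @staticmethod
        def log_info(*args):
            pass

# "rm -rf /" or "rm -fr /" where "/" is the whole argument. The lookahead keeps
# output such as "rm -rf /tmp/build" from matching when it arrives in one piece;
# text echoed key by key still matches once the bare "/" is on screen.
PATTERN = re.compile(r"\brm\s+-(?:rf|fr)\s+/(?![\w.])")
TAIL = 64  # characters carried over so a match split across calls is seen


class RmGuardIOPlugin(sudo.Plugin):
    _tail = ""  # end of the previous chunk; set per instance on first use

    def log_ttyout(self, buf):
        """Called by sudo for each chunk of terminal output."""
        if isinstance(buf, bytes):  # tolerate either str or bytes input
            buf = buf.decode("utf-8", "replace")
        window = self._tail + buf
        self._tail = window[-TAIL:]
        if PATTERN.search(window):
            sudo.log_info("rm guard: dangerous command on screen, ending session")
            return sudo.RC.REJECT  # sudo terminates the running command
        return sudo.RC.ACCEPT
```

Because the plugin only sees what is written to the terminal, it is a coarse safety net rather than a policy control; the policy API mentioned earlier is the place to decide which commands may run at all.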

Additional information

Type devroom

More sessions

2/1/20
Python
Raphaël Gomès
UB2.252A (Lameere)
While working on the Mercurial version control system, we hit our heads against the limits of Python's performance. In this talk we will see how Python and Rust can cohabit to play off of each other's strengths to improve a big open-source project, and what advances have been made in bridging the two languages.
2/1/20
Python
Adrin Jalali
UB2.252A (Lameere)
This is a hands-on short tutorial on how to write your own estimator or transformer which can be used in a scikit-learn pipeline, and works seamlessly with the other meta-estimators of the library. It also includes how they can be conveniently tested with a simple set of tests.
2/1/20
Python
Rémy Hubscher
UB2.252A (Lameere)
For almost 20 years, we relied on a CGI-based protocol called WSGI to use Python to handle HTTP requests and responses. Because Python is single-threaded, we relied on a couple of hacks such as Gunicorn or uWSGI to share a socket through multiple processes. However, the cost of all these multiple processes was a bit heavy and error-prone. Through Django Channels, Andrew Godwin paved the way for a better way of creating web services with Python. This work landed in Django 3.0. Let's ...
2/1/20
Python
Stephen Finucane
UB2.252A (Lameere)
How does one manage and document change in Python projects, be that new features or deprecation or removal of a feature? Let's explore some of the tools a Python developer can keep in their toolbox for just this purpose.
2/1/20
Python
Lionel Lonkap Tsamba
UB2.252A (Lameere)
We, as developers, aim to provide code that almost matches our team code style, looks better and behaves right. Static code analysis (SCA) tools are one of the ways to achieve that. But with multi-programming-language projects and all kinds of code-related needs, it's difficult to address all those use cases without dealing with a vast majority of SCA tools. Coala is a — language agnostic — static code analysis framework that provides a common command-line interface for linting and fixing ...
2/1/20
Python
Miguel-Ángel Fernández
UB2.252A (Lameere)
SortingHat is an open source Python tool that helps to manage the different contributor identities within an open source project. Under the hood SortingHat relies on a relational database, which can be queried via SQL, command line or directly via its Python interface. However, these ways of interacting with SortingHat hinder its integration with external tools, web interfaces and new web technologies (e.g., Django, REST services). To overcome these obstacles, we have evolved SortingHat's ...
2/1/20
Python
Nicolas Crocfer
UB2.252A (Lameere)
All Python developers who want to run asynchronous tasks should know Celery. If you have already used it, you know how great it is! But you have also discovered how complicated it can be to follow the state of a complex workflow. Celery Director is a tool we created at OVH to fix this problem: using some concepts of Event Sourcing, Celery Director helps us to follow the whole lifecycle of our workflows. It allows us to check when a problem occurred and relaunch the whole DAG (or just a subpart if ...