** Tags added: sts
** Also affects: sudo (Ubuntu Jammy)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/2104840
Title:
sudo_logsrvd TLS log transport in Jammy
Status in sudo package in Ubuntu:
New
Status in sudo source package in Jammy:
New
Bug description:
[ Impact ]
Users of sudo_logsrvd in Jammy are unable to configure TLS transport
as sudo was built without OpenSSL in Jammy.
This functionality is available in Noble and above as OpenSSL was
inadvertantly included in sudo builds: 564d6d7f in cyrus-sasl2 introduced an
indirect libssl-dev build-dep to sudo [1]. sudo's build system automatically
enables openssl when it is present in the build environment:
```
--enable-openssl[=DIR]
Use OpenSSL's TLS and SHA-2 message digest functions. If
it is detected, OpenSSL will be used by default unless the
sudo log client and server are disabled via the
--disable-log-client and --disable-log-server options. To
explicitly disable the use of OpenSSL, the --disable-openssl
option can be used. OpenSSL versions prior to 1.0.1 will
not be used as they do not support TLS 1.2. If specified,
DIR should contain the OpenSSL include and lib directories.
```
I reported this in Debian as an MR to make the dependency explicit
[2]. The Debian sudo team would prefer that `sudo` not link against
OpenSSL and is considering dropping logsrvd altogether unless they are
able to find a maintainer [3].
I'm opening this bug for two reasons:
- To guage the feasibility of an SRU of TLS support for `sudo` in Jammy
- To raise the issue of logsrvd in Ubuntu more generally
I have verified that a rebuild of the package with the libssl-dev
dependency does allow TLS log transport to function, although I have
not thoroughly tested it.
It is my feeling that this does not meet the requirements for an SRU for
several
reasons:
- It is not a regression from Focal (logsrvd was introduced in Jammy) [4]
- It is not a minimal change (the debdiff is trivial but the flag enables
several
hundred lines of code, a few of which modify routines in the logging
plugin) [5]
- It affects a core package with potential security implications [6]
I'd appreciate a second opinion regarding the feasibility of SRU here.
Thanks!
[1]
https://salsa.debian.org/debian/cyrus-sasl2/-/commit/564d6d7f17bc7afbb124af06ac11d4ba4b5d73bf
[2] https://salsa.debian.org/sudo-team/sudo/-/merge_requests/18
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101451
[4]
https://documentation.ubuntu.com/sru/en/latest/reference/requirements/#what-is-acceptable-to-sru
[5]
https://documentation.ubuntu.com/sru/en/latest/explanation/requirements/#minimal-changes-only
[6]
https://documentation.ubuntu.com/sru/en/latest/reference/requirements/#other-safe-cases
[ Reproduction ]
In a Jammy container/VM, add the following lines to /etc/sudoers:
```
Defaults iolog_dir=/var/log/sudo-io/%{user}, log_input, log_output
Defaults log_servers = 192.168.0.243:30344(tls)
```
```
$ sudo echo hello
sudo: 192.168.0.243:30344(tls): Protocol not supported
sudo: unable to connect to log server
sudo: error initializing I/O plugin sudoers_io
```
With a libssl-dev enabled sudo build, set up a sudo_logsrvd server and
verify that a configuration equivalent to the above results in logs
being shipped over TLS [1].
[1]
https://manpages.ubuntu.com/manpages/jammy/en/man8/sudo_logsrvd.8.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2104840/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
