[Bug 2104840] Re: sudo_logsrvd TLS log transport in Jammy
Wesley Hershberger
2104840 at bugs.launchpad.net
Tue Apr 22 15:51:25 UTC 2025
Discussed internally; this would likely require an SRU exception which
is unlikely to be granted for a feature request.
** Changed in: sudo (Ubuntu)
Status: New => Won't Fix
** Changed in: sudo (Ubuntu Jammy)
Status: New => Won't Fix
** Changed in: sudo (Ubuntu)
Status: Won't Fix => Invalid
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/2104840
Title:
sudo_logsrvd TLS log transport in Jammy
Status in sudo package in Ubuntu:
Invalid
Status in sudo source package in Jammy:
Won't Fix
Bug description:
[ Impact ]
Users of sudo_logsrvd in Jammy are unable to configure TLS transport
as sudo was built without OpenSSL in Jammy.
This functionality is available in Noble and above as OpenSSL was inadvertantly included in sudo builds: 564d6d7f in cyrus-sasl2 introduced an indirect libssl-dev build-dep to sudo [1]. sudo's build system automatically enables openssl when it is present in the build environment:
```
--enable-openssl[=DIR]
Use OpenSSL's TLS and SHA-2 message digest functions. If
it is detected, OpenSSL will be used by default unless the
sudo log client and server are disabled via the
--disable-log-client and --disable-log-server options. To
explicitly disable the use of OpenSSL, the --disable-openssl
option can be used. OpenSSL versions prior to 1.0.1 will
not be used as they do not support TLS 1.2. If specified,
DIR should contain the OpenSSL include and lib directories.
```
I reported this in Debian as an MR to make the dependency explicit
[2]. The Debian sudo team would prefer that `sudo` not link against
OpenSSL and is considering dropping logsrvd altogether unless they are
able to find a maintainer [3].
I'm opening this bug for two reasons:
- To guage the feasibility of an SRU of TLS support for `sudo` in Jammy
- To raise the issue of logsrvd in Ubuntu more generally
I have verified that a rebuild of the package with the libssl-dev
dependency does allow TLS log transport to function, although I have
not thoroughly tested it.
It is my feeling that this does not meet the requirements for an SRU for several
reasons:
- It is not a regression from Focal (logsrvd was introduced in Jammy) [4]
- It is not a minimal change (the debdiff is trivial but the flag enables several
hundred lines of code, a few of which modify routines in the logging plugin) [5]
- It affects a core package with potential security implications [6]
I'd appreciate a second opinion regarding the feasibility of SRU here.
Thanks!
[1] https://salsa.debian.org/debian/cyrus-sasl2/-/commit/564d6d7f17bc7afbb124af06ac11d4ba4b5d73bf
[2] https://salsa.debian.org/sudo-team/sudo/-/merge_requests/18
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1101451
[4] https://documentation.ubuntu.com/sru/en/latest/reference/requirements/#what-is-acceptable-to-sru
[5] https://documentation.ubuntu.com/sru/en/latest/explanation/requirements/#minimal-changes-only
[6] https://documentation.ubuntu.com/sru/en/latest/reference/requirements/#other-safe-cases
[ Reproduction ]
In a Jammy container/VM, add the following lines to /etc/sudoers:
```
Defaults iolog_dir=/var/log/sudo-io/%{user}, log_input, log_output
Defaults log_servers = 192.168.0.243:30344(tls)
```
```
$ sudo echo hello
sudo: 192.168.0.243:30344(tls): Protocol not supported
sudo: unable to connect to log server
sudo: error initializing I/O plugin sudoers_io
```
With a libssl-dev enabled sudo build, set up a sudo_logsrvd server and
verify that a configuration equivalent to the above results in logs
being shipped over TLS [1].
[1]
https://manpages.ubuntu.com/manpages/jammy/en/man8/sudo_logsrvd.8.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2104840/+subscriptions
More information about the foundations-bugs
mailing list