Open-source News

AMD Lands Video Encoding Quality Improvements For Mesa 22.3

Phoronix - Thu, 08/25/2022 - 02:24
AMD has merged video acceleration quality improvements into Mesa 22.3's Gallium3D VA front-end for benefiting open-source video acceleration on Radeon GPUs...

Intel Announces Data Center GPU Flex Series

Phoronix - Thu, 08/25/2022 - 00:00
Intel's Arctic Sound M is being announced today as the Intel Data Center GPU Flex Series.

Intel Begins Readying Graphics Driver Changes For Linux 6.1 - More DG2/Alchemist Work

Phoronix - Wed, 08/24/2022 - 21:00
Intel open-source engineers have readied their first batch of "drm-intel-gt-next" changes for DRM-Next of material they are preparing for introduction with the Linux 6.1 kernel cycle later this year...

Cemu Emulator For The Wii U Now Open-Source, Building On Linux

Phoronix - Wed, 08/24/2022 - 18:35
Cemu is a popular emulator for the Nintendo Wii U that can successfully run many games as well as homebrew titles. Cemu started off with just Windows support but then at the beginning of the year laid out plans to go open-source and provide Linux support. They've pulled that off and the code is now out there in a public GitHub repository...

Intel To Split Off Their Old Haswell/Broadwell Vulkan Code Into Separate Driver

Phoronix - Wed, 08/24/2022 - 17:53
The current Intel open-source "ANV" Vulkan driver within Mesa supports graphics hardware going back to the "Gen7" graphics found with Haswell. However, Intel open-source Linux graphics driver engineers are preparing to separate the old Haswell (Gen7) and Broadwell (Gen8) graphics into a separate Mesa driver so they can better focus on improving their modern Vulkan driver that would then be limited to Skylake Gen9 graphics and newer...

"xisxwayland" Version Two Released For This Simple X.Org Program

Phoronix - Wed, 08/24/2022 - 17:31
The X.Org project "xisxwayland" is out with a new version of this simple program that can be easily called by shell scripts and other simple uses for checking to see whether the running X.Org Server is a genuine X11 server or more commonly these days an XWayland server running within a Wayland environment...

Mesa CI Begins Making Use Of Mold Linker For "Substantial" Performance Improvement

Phoronix - Wed, 08/24/2022 - 17:12
For speeding up the actual Mesa continuous integration (CI) process itself with frequently building new revisions of Mesa3D, their CI infrastructure is beginning to make use of the Mold linker as a high performance alternative to the GNU Gold and LLVM LLD linkers. This is yielding a "substantial" performance improvement in tests for being able to turnaround CI jobs faster and in turn allowing Mesa developers to be more efficient...

3mdeb Eyes Fwupd Support For DragonFlyBSD To Handle UEFI Firmware Updates

Phoronix - Wed, 08/24/2022 - 17:00
Open-source firmware consulting firm 3mdeb last year worked on Fwupd support for FreeBSD so system firmware updates can be more easily handled on that popular BSD operating system and leveraging the Fwupd/LVFS infrastructure that's been happening for years in the Linux space. Their most recent target is now DragonFlyBSD for handling of UEFI firmware updates with Fwupd...

RADV Prepares To Switch Completely To Dynamic Rendering

Phoronix - Wed, 08/24/2022 - 16:47
One of the great things about Jason Ekstrand having joined Collabora at the start of the year is that the former Intel graphics engineer, who was on the team that created their original Vulkan driver, can now work on whatever open-source driver code he wishes. Among other upstream Mesa work, he's recently been contributing to the new "NVK" NVIDIA Vulkan driver and also the RADV driver too...

7 sudo myths debunked

opensource.com - Wed, 08/24/2022 - 15:00
7 sudo myths debunked Peter Czanik Wed, 08/24/2022 - 03:00 Register or Login to like Register or Login to like

Whether attending conferences or reading blogs, I often hear several misconceptions about sudo. Most of these misconceptions focus on security, flexibility, and central management. In this article, I will debunk some of these myths.

Many misconceptions likely arise because users know only the basic functionality of sudo. The sudoers file, by default, has only two rules: The root user, and members of the administrative wheel group, can do practically anything using sudo. There are barely any limits, and optional features are not enabled at all. Even this setup is better than sharing the root password, as you can usually follow who did what on your systems using the logs. However, learning some of the lesser-known old and new features gives you much more control and visibility on your systems.

If you only know how to give access in sudo to a specific command for a specific user or group, I would recommend reading some of my earlier articles on sudo:

As these article titles suggest, many beneficial possibilities have been available for over a decade without users noticing or using them, and sudo is still continuously developed. My responses to these common misconceptions may teach you about some new features!

More Linux resources Linux commands cheat sheet Advanced Linux commands cheat sheet Free online course: RHEL technical overview Linux networking cheat sheet SELinux cheat sheet Linux common commands cheat sheet What are Linux containers? Our latest Linux articles Sudo configuration is stored locally, making it vulnerable

Yes, by default, configuration is stored locally. If you give users root shell or editor access, they can modify the sudoers file. On a single host, there is nothing you can do about it. Once you have multiple hosts, however, there are many ways to solve this problem.

All major configuration management platforms, including Ansible, have support to maintain the sudoers file. Even if the actual configuration is a local file, it is maintained from a central location. Any local changes can be detected, reported, and changed back automatically to the centrally managed version.

Another possibility is using LDAP (lightweight directory access protocol) to store sudo's configuration. It has quite a few limitations—for example, you cannot use aliases—but using LDAP means that the configuration is stored in a central directory, any change is effective immediately, and the local user cannot modify the settings.

Using LDAP for central configuration is difficult

If you have just a couple of freshly installed hosts, getting started with LDAP to store the sudo configuration can be difficult. However, most organizations, even with just a few hosts, already have LDAP or Active Directory (AD) running and personnel who know how to configure and maintain these directory services. Adding sudo support to an already existing directory service is not prohibitively difficult. It is even possible to have both local sudoers and LDAP sudoers, and to specify the order of evaluation, for example, LDAP first, then local, or local first, then LDAP.

Maintaining a sudoers file on multiple hosts is error prone and a compliance problem

Yes, this is right, as long as you edit individual sudoers files by hand. However, as suggested in my response to the previous myth, even with a very low host count, most organizations introduce some kind of directory services, such as LDAP or AD, and configuration management. You can use a directory service to store the sudo configuration centrally, or you can use Ansible and other configuration management applications to maintain the sudoers files on your hosts from a central configuration repository.

The sudo codebase is too large

Yes, it is large. Some even call it a Death Star and say that a large codebase also means that it is insecure. There are smaller software projects; however, those implement only a very basic subset of sudo functionality. Using those, you lose a lot of visibility into what is happening on your systems (just think about session recording). Commercial sudo replacements might implement many sudo features. However, sudo is open source and one of the most analyzed open source codes. Commercial codebases are even larger—and not analyzed by third parties.

Shell access visibility is tricky

Using just the default settings, shell or editor access makes it hard to see what's happening inside a shell session. However, session recordings have been able to make visible what happened inside a shell session for well over a decade. Version 1.9.0 of sudo introduced a central collection of session recordings, so they could not be deleted or modified by the local user. Version 1.9.8 also includes subcommand logging. You can use the logs to check any commands executed in a sudo session and only watch recordings when necessary (for example, if a user starts Midnight Commander). Watching session recordings is tedious and can be very time consuming—some people even have three-day-long sudo sessions—so reviewing logs whenever possible is definitely preferable.

You can't use two-factor authentication in sudo

That is right: There is no out-of-the-box two-factor authentication (2FA) in sudo. However, you can implement 2FA using Linux PAM. Or, if you prefer, you can do it inside sudo. Sudo has a modular architecture and thus can be extended. Version 1.9 of sudo introduced the approval plugin API (application programming interface), making it possible to have additional restrictions before executing a command. You can code your approval plugin in either C or Python and implement 2FA yourself.

More for sysadmins Enable Sysadmin blog The Automated Enterprise: A guide to managing IT with automation eBook: Ansible automation for Sysadmins Tales from the field: A system administrator's guide to IT automation eBook: A guide to Kubernetes for SREs and sysadmins Latest sysadmin articles Sudo logs do not improve security

If you collect log messages only locally and you do not check them at all, then log messages do not improve security. However, even syslogd, the original syslog implementation from more than three decades ago, supported central log collection. Removing sudo logs from a remote host or a cloud service is not as easy as modifying local logs.

There is also built-in support for central logging in sudo. Using sudo_logsrvd you can collect not only session recordings but event logs as well. In the end, sudo_logsrvd can forward events to syslog (default) or maintain its own log files.

Any questions?

I hope my article helped to resolve some of the myths surrounding sudo. If you have any sudo questions, do not hesitate to reach out to the sudo users mailing list.

The most common misconceptions I've come across involve security, flexibility, and central management. Here, I debunk these sudo myths.

Image by:

Internet Archive Book Images. Modified by Opensource.com. CC BY-SA 4.0

Linux Sysadmin What to read next This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License. Register or Login to post a comment.

Pages