Sudo version 1.9 introduced a new plugin API to apply extra restrictions to a command after it has been accepted by the sudoers policy. Safeguard for Sudo supports loading sudo-compatible approval plugins, including those written in Python, on the policy server. You can specify multiple approval plugins in the sudoers file. Safeguard for Sudo currently supports loading up to 8 Python approval plugins at once.
For more information about configuring a C-based approval plugin, see the Sudo Plugin API man page.
Prerequisites
- Install Sudo version 1.9 or newer.
- To use plugins written in Python:
  - Install Python version 3.0 or newer.
  - Install the sudo-python package, available at https://www.sudo.ws/download.html.
To configure a Python-based approval plugin in the sudoers file
To configure the sudoers policy to load the Python-based approval plugin, use the following configuration in the sudoers file:
Defaults plugins += "python_approval python_plugin.so ModulePath=<path> ClassName=<class>"
Where ModulePath is the path to the Python script that implements the plugin, and ClassName is the name of the Python class in that script that sudo instantiates and calls for each command.
The following example Python approval plugin only allows users to run commands during business hours, that is, from Monday to Friday between 8:00 and 17:59:59.
Defaults plugins += "python_approval python_plugin.so \
    ModulePath=/root/example_approval_plugin.py \
    ClassName=BusinessHoursApprovalPlugin"
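A complete plugin of this kind, added here as an example (it is not the page's or the sudo project's own file), with the time check factored into a plain function so it can be exercised outside sudo, where the `sudo` module does not exist. The ISO-timestamp helper, the exact messages and the self-test timestamps are assumptions.

```python
from datetime import datetime

try:
    import sudo          # only importable inside sudo's embedded Python interpreter
except ImportError:      # running stand-alone (e.g. unit tests): no sudo module
    sudo = None

# Assumed policy, matching the page: Monday to Friday, 08:00:00 to 17:59:59 local time.
def business_hours_violation(now: datetime):
    """Return the rejection reason, or None if `now` falls inside business hours."""
    if now.weekday() >= 5:                     # 5 = Saturday, 6 = Sunday
        return "That is not allowed on the weekend!"
    if now.hour < 8 or now.hour > 17:          # hour 17 covers 17:00:00-17:59:59
        return "That is not allowed outside the business hours!"
    return None

def violation_for(iso_timestamp: str):
    """Same check on an ISO-8601 timestamp, e.g. '2024-01-08T09:30:00' (test helper)."""
    return business_hours_violation(datetime.fromisoformat(iso_timestamp))

# sudo instantiates the class named by ClassName=... and calls check() for each
# command the sudoers policy has already accepted. Returning normally approves the
# command; raising sudo.PluginReject denies it and shows the message to the user.
class BusinessHoursApprovalPlugin(sudo.Plugin if sudo else object):
    def check(self, command_info: tuple, run_argv: tuple, run_env: tuple) -> None:
        reason = business_hours_violation(datetime.now())
        if reason:
            sudo.log_info(reason)
            raise sudo.PluginReject(reason)

if __name__ == "__main__":
    # Stand-alone self-check with constructed timestamps (2024-01-08 is a Monday).
    assert violation_for("2024-01-08T09:30:00") is None
    assert violation_for("2024-01-06T09:30:00") is not None   # Saturday
    assert violation_for("2024-01-08T18:00:00") is not None   # after 17:59:59
    print("business-hours checks passed")
```

Because the class only touches the `sudo` module inside `check()`, the same file can be loaded by sudo via the ModulePath/ClassName settings above and run directly with `python3` to verify the schedule logic.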
For a more detailed Python approval plugin example, see the sudo repository on GitHub.