Explicit build-dep on libssl-dev (!18) · Merge requests · Sudo Maintainers / sudo

Wesley Hershberger requested to merge MggMuggins/sudo:explicit-libssl-dev into master Mar 27, 2025

564d6d7f17bc7afbb124af06ac11d4ba4b5d73bf in cyrus-sasl2 introduced libssl-dev in sudo's build environment.

sudo's build system automatically enables openssl support when it detects openssl in the build environment:

    --enable-openssl[=DIR]
            Use OpenSSL's TLS and SHA-2 message digest functions.  If
            it is detected, OpenSSL will be used by default unless the
            sudo log client and server are disabled via the
            --disable-log-client and --disable-log-server options.  To
            explicitly disable the use of OpenSSL, the --disable-openssl
            option can be used.  OpenSSL versions prior to 1.0.1 will
            not be used as they do not support TLS 1.2.  If specified,
            DIR should contain the OpenSSL include and lib directories.

Since sudo links directly against libcrypto, make this dependency explicit to prevent regressions should cyrus-sasl2 drop libssl-dev:

$ ldd /usr/bin/sudo | grep libcrypto
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0000728bcd798000)

sudo_logsrvd can optionally use openssl to encrypt logs when they're sent over the network (via sudo_sendlog).

Edited Mar 27, 2025 by Wesley Hershberger

Explicit build-dep on libssl-dev

Merge request reports