|
version 1.1.1.1, 2012/02/21 16:23:01
|
version 1.1.1.3, 2012/10/09 09:29:52
|
|
Line 1
|
Line 1
|
| |
What's new in Sudo 1.8.6p3? |
| |
|
| |
* Fixed post-processing of the man pages on systems with legacy |
| |
versions of sed. |
| |
|
| |
* Fixed "sudoreplay -l" on Linux systems with file systems that |
| |
set DT_UNKNOWN in the d_type field of struct dirent. |
| |
|
| |
What's new in Sudo 1.8.6p2? |
| |
|
| |
* Fixed suspending a command after it has already been resumed |
| |
once when I/O logging (or use_pty) is not enabled. |
| |
This was a regression introduced in version 1.8.6. |
| |
|
| |
What's new in Sudo 1.8.6p1? |
| |
|
| |
* Fixed the setting of LOGNAME, USER and USERNAME variables in the |
| |
command's environment when env_reset is enabled (the default). |
| |
This was a regression introduced in version 1.8.6. |
| |
|
| |
* Sudo now honors SUCCESS=return in /etc/nsswitch.conf. |
| |
|
| |
What's new in Sudo 1.8.6? |
| |
|
| |
* Sudo is now built with the -fstack-protector flag if the the |
| |
compiler supports it. Also, the -zrelro linker flag is used if |
| |
supported. The --disable-hardening configure option can be used |
| |
to build sudo without stack smashing protection. |
| |
|
| |
* Sudo is now built as a Position Independent Executable (PIE) |
| |
if supported by the compiler and linker. |
| |
|
| |
* If the user is a member of the "exempt" group in sudoers, they |
| |
will no longer be prompted for a password even if the -k flag |
| |
is specified with the command. This makes "sudo -k command" |
| |
consistent with the behavior one would get if the user ran "sudo |
| |
-k" immediately before running the command. |
| |
|
| |
* The sudoers file may now be a symbolic link. Previously, sudo |
| |
would refuse to read sudoers unless it was a regular file. |
| |
|
| |
* The sudoreplay command can now properly replay sessions where |
| |
no tty was present. |
| |
|
| |
* The sudoers plugin now takes advantage of symbol visibility |
| |
controls when supported by the compiler or linker. As a result, |
| |
only a small number of symbols are exported which significantly |
| |
reduces the chances of a conflict with other shared objects. |
| |
|
| |
* Improved support for the Tivoli Directory Server LDAP client |
| |
libraries. This includes support for using LDAP over SSL (ldaps) |
| |
as well as support for the BIND_TIMELIMIT, TLS_KEY and TLS_CIPHERS |
| |
ldap.conf options. A new ldap.conf option, TLS_KEYPW can be |
| |
used to specify a password to decrypt the key database. |
| |
|
| |
* When constructing a time filter for use with LDAP sudoNotBefore |
| |
and sudoNotAfter attributes, the current time now includes tenths |
| |
of a second. This fixes a problem with timed entries on Active |
| |
Directory. |
| |
|
| |
* If a user fails to authenticate and the command would be rejected |
| |
by sudoers, it is now logged with "command not allowed" instead |
| |
of "N incorrect password attempts". Likewise, the "mail_no_perms" |
| |
sudoers option now takes precedence over "mail_badpass". |
| |
|
| |
* The sudo manuals are now formatted using the mdoc macros. Versions |
| |
using the legacy man macros are provided for systems that lack mdoc. |
| |
|
| |
* New support for Solaris privilege sets. This makes it possible |
| |
to specify fine-grained privileges in the sudoers file on Solaris |
| |
10 and above. A Runas_Spec that contains no Runas_Lists can be |
| |
used to give a user the ability to run a command as themselves |
| |
but with an expanded privilege set. |
| |
|
| |
* Fixed a problem with the reboot and shutdown commands on some |
| |
systems (such as HP-UX and BSD). On these systems, reboot sends |
| |
all processes (except itself) SIGTERM. When sudo received |
| |
SIGTERM, it would relay it to the reboot process, thus killing |
| |
reboot before it had a chance to actually reboot the system. |
| |
|
| |
* Support for using the System Security Services Daemon (SSSD) as |
| |
a source of sudoers data. |
| |
|
| |
* Slovenian translation for sudo and sudoers from translationproject.org. |
| |
|
| |
* Visudo will now warn about unknown Defaults entries that are |
| |
per-host, per-user, per-runas or per-command. |
| |
|
| |
* Fixed a race condition that could cause sudo to receive SIGTTOU |
| |
(and stop) when resuming a shell that was run via sudo when I/O |
| |
logging (and use_pty) is not enabled. |
| |
|
| |
* Sending SIGTSTP directly to the sudo process will now suspend the |
| |
running command when I/O logging (and use_pty) is not enabled. |
| |
|
| |
What's new in Sudo 1.8.5p3? |
| |
|
| |
* Fixed the loading of I/O plugins that conform to a plugin API |
| |
version older than 1.2. |
| |
|
| |
What's new in Sudo 1.8.5p2? |
| |
|
| |
* Fixed use of the SUDO_ASKPASS environment variable which was |
| |
broken in Sudo 1.8.5. |
| |
|
| |
* Fixed a problem reading the sudoers file when the file mode is |
| |
more restrictive than the expected mode. For example, when the |
| |
expected sudoers file mode is 0440 but the actual mode is 0400. |
| |
|
| |
What's new in Sudo 1.8.5p1? |
| |
|
| |
* Fixed a bug that prevented files in an include directory from |
| |
being evaluated. |
| |
|
| |
What's new in Sudo 1.8.5? |
| |
|
| |
* When "noexec" is enabled, sudo_noexec.so will now be prepended |
| |
to any existing LD_PRELOAD variable instead of replacing it. |
| |
|
| |
* The sudo_noexec.so shared library now wraps the execvpe(), |
| |
exect(), posix_spawn() and posix_spawnp() functions. |
| |
|
| |
* The user/group/mode checks on sudoers files have been relaxed. |
| |
As long as the file is owned by the sudoers uid, not world-writable |
| |
and not writable by a group other than the sudoers gid, the file |
| |
is considered OK. Note that visudo will still set the mode to |
| |
the value specified at configure time. |
| |
|
| |
* It is now possible to specify the sudoers path, uid, gid and |
| |
file mode as options to the plugin in the sudo.conf file. |
| |
|
| |
* Croatian, Galician, German, Lithuanian, Swedish and Vietnamese |
| |
translations from translationproject.org. |
| |
|
| |
* /etc/environment is no longer read directly on Linux systems |
| |
when PAM is used. Sudo now merges the PAM environment into the |
| |
user's environment which is typically set by the pam_env module. |
| |
|
| |
* The initial evironment created when env_reset is in effect now |
| |
includes the contents of /etc/environment on AIX systems and the |
| |
"setenv" and "path" entries from /etc/login.conf on BSD systems. |
| |
|
| |
* The plugin API has been extended in three ways. First, options |
| |
specified in sudo.conf after the plugin pathname are passed to |
| |
the plugin's open function. Second, sudo has limited support |
| |
for hooks that can be used by plugins. Currently, the hooks are |
| |
limited to environment handling functions. Third, the init_session |
| |
policy plugin function is passed a pointer to the user environment |
| |
which can be updated during session setup. The plugin API version |
| |
has been incremented to version 1.2. See the sudo_plugin manual |
| |
for more information. |
| |
|
| |
* The policy plugin's init_session function is now called by the |
| |
parent sudo process, not the child process that executes the |
| |
command. This allows the PAM session to be open and closed in |
| |
the same process, which some PAM modules require. |
| |
|
| |
* Fixed parsing of "Path askpass" and "Path noexec" in sudo.conf, |
| |
which was broken in version 1.8.4. |
| |
|
| |
* On systems with an SVR4-style /proc file system, the /proc/pid/psinfo |
| |
file is now uses to determine the controlling terminal, if possible. |
| |
This allows tty-based tickets to work properly even when, e.g. |
| |
standard input, output and error are redirected to /dev/null. |
| |
|
| |
* The output of "sudoreplay -l" is now sorted by file name (or |
| |
sequence number). Previously, entries were displayed in the |
| |
order in which they were found on the file system. |
| |
|
| |
* Sudo now behaves properly when I/O logging is enabled and the |
| |
controlling terminal is revoked (e.g. the running sshd is killed). |
| |
Previously, sudo may have exited without calling the I/O plugin's |
| |
close function which can lead to an incomplete I/O log. |
| |
|
| |
* Sudo can now detect when a user has logged out and back in again |
| |
on Solaris 11, just like it can on Solaris 10. |
| |
|
| |
* The built-in zlib included with Sudo has been upgraded to version |
| |
1.2.6. |
| |
|
| |
* Setting the SSL parameter to start_tls in ldap.conf now works |
| |
properly when using Mozilla-based SDKs that support the |
| |
ldap_start_tls_s() function. |
| |
|
| |
* The TLS_CHECKPEER parameter in ldap.conf now works when the |
| |
Mozilla NSS crypto backend is used with OpenLDAP. |
| |
|
| |
* A new group provider plugin, system_group, is included which |
| |
performs group look ups by name using the system groups database. |
| |
This can be used to restore the pre-1.7.3 sudo group lookup |
| |
behavior. |
| |
|
| |
What's new in Sudo 1.8.4p5? |
| |
|
| |
* Fixed a bug when matching against an IP address with an associated |
| |
netmask in the sudoers file. In certain circumstances, this |
| |
could allow users to run commands on hosts they are not authorized |
| |
for. |
| |
|
| |
What's new in Sudo 1.8.4p4? |
| |
|
| |
* Fixed a bug introduced in Sudo 1.8.4 which prevented "sudo -v" |
| |
from working. |
| |
|
| |
What's new in Sudo 1.8.4p3? |
| |
|
| |
* Fixed a crash on FreeBSD when no tty is present. |
| |
|
| |
* Fixed a bug introduced in Sudo 1.8.4 that allowed users to |
| |
specify environment variables to set on the command line without |
| |
having sudo "ALL" permissions or the "SETENV" tag. |
| |
|
| |
* When visudo is run with the -c (check) option, the sudoers |
| |
file(s) owner and mode are now also checked unless the -f option |
| |
was specified. |
| |
|
| |
What's new in Sudo 1.8.4p2? |
| |
|
| |
* Fixed a bug introduced in Sudo 1.8.4 where insufficient space |
| |
was allocated for group IDs in the LDAP filter. |
| |
|
| |
* Fixed a bug introduced in Sudo 1.8.4 where the path to sudo.conf |
| |
was "/sudo.conf" instead of "/etc/sudo.conf". |
| |
|
| |
* Fixed a bug introduced in Sudo 1.8.4 which could cause a hang |
| |
when I/O logging is enabled and input is from a pipe or file. |
| |
|
| |
What's new in Sudo 1.8.4p1? |
| |
|
| |
* Fixed a bug introduced in sudo 1.8.4 that broke adding to or |
| |
deleting from the env_keep, env_check and env_delete lists in |
| |
sudoers on some platforms. |
| |
|
| |
What's new in Sudo 1.8.4? |
| |
|
| |
* The -D flag in sudo has been replaced with a more general debugging |
| |
framework that is configured in sudo.conf. |
| |
|
| |
* Fixed a false positive in visudo strict mode when aliases are |
| |
in use. |
| |
|
| |
* Fixed a crash with "sudo -i" when a runas group was specified |
| |
without a runas user. |
| |
|
| |
* The line on which a syntax error is reported in the sudoers file |
| |
is now more accurate. Previously it was often off by a line. |
| |
|
| |
* Fixed a bug where stack garbage could be printed at the end of |
| |
the lecture when the "lecture_file" option was enabled. |
| |
|
| |
* "make install" now honors the LINGUAS environment variable. |
| |
|
| |
* The #include and #includedir directives in sudoers now support |
| |
relative paths. If the path is not fully qualified it is expected |
| |
to be located in the same directory of the sudoers file that is |
| |
including it. |
| |
|
| |
* Serbian and Spanish translations for sudo from translationproject.org. |
| |
|
| |
* LDAP-based sudoers may now access by group ID in addition to |
| |
group name. |
| |
|
| |
* visudo will now fix the mode on the sudoers file even if no changes |
| |
are made unless the -f option is specified. |
| |
|
| |
* The "use_loginclass" sudoers option works properly again. |
| |
|
| |
* On systems that use login.conf, "sudo -i" now sets environment |
| |
variables based on login.conf. |
| |
|
| |
* For LDAP-based sudoers, values in the search expression are now |
| |
escaped as per RFC 4515. |
| |
|
| |
* The plugin close function is now properly called when a login |
| |
session is killed (as opposed to the actual command being killed). |
| |
This can happen when an ssh session is disconnected or the |
| |
terminal window is closed. |
| |
|
| |
* The deprecated "noexec_file" sudoers option is no longer supported. |
| |
|
| |
* Fixed a race condition when I/O logging is not enabled that could |
| |
result in tty-generated signals (e.g. control-C) being received |
| |
by the command twice. |
| |
|
| |
* If none of the standard input, output or error are connected to |
| |
a tty device, sudo will now check its parent's standard input, |
| |
output or error for the tty name on systems with /proc and BSD |
| |
systems that support the KERN_PROC_PID sysctl. This allows |
| |
tty-based tickets to work properly even when, e.g. standard |
| |
input, output and error are redirected to /dev/null. |
| |
|
| |
* Added the --enable-kerb5-instance configure option to allow |
| |
people using Kerberos V authentication to specify a custom |
| |
instance so the principal name can be, e.g. "username/sudo" |
| |
similar to how ksu uses "username/root". |
| |
|
| |
* Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in |
| |
the results, which would be incorrectly be interpreted as if the |
| |
sudoers file had specified a directory. |
| |
|
| |
* "visudo -c" will now list any include files that were checked |
| |
in addition to the main sudoers file when everything parses OK. |
| |
|
| |
* Users that only have read-only access to the sudoers file may |
| |
now run "visudo -c". Previously, write permissions were required |
| |
even though no writing is down in check-only mode. |
| |
|
| |
* It is now possible to prevent the disabling of core dumps from |
| |
within sudo itself by adding a line to the sudo.conf file like |
| |
"Set disable_coredump false". |
| |
|
| What's new in Sudo 1.8.3p2? |
What's new in Sudo 1.8.3p2? |
| |
|
| * Fixed a format string vulnerability when the sudo binary (or a |
* Fixed a format string vulnerability when the sudo binary (or a |
|
Line 80 What's new in Sudo 1.8.2?
|
Line 391 What's new in Sudo 1.8.2?
|
| * Visudo now checks the contents of an alias and warns about cycles |
* Visudo now checks the contents of an alias and warns about cycles |
| when the alias is expanded. |
when the alias is expanded. |
| |
|
| * If the user specifes a group via sudo's -g option that matches | * If the user specifies a group via sudo's -g option that matches |
| the target user's group in the password database, it is now |
the target user's group in the password database, it is now |
| allowed even if no groups are present in the Runas_Spec. |
allowed even if no groups are present in the Runas_Spec. |
| |
|
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to NEWS CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo