Diff for /embedaddon/sudo/NEWS between versions 1.1.1.3 and 1.1.1.4

version 1.1.1.3, 2012/10/09 09:29:52 version 1.1.1.4, 2013/07/22 10:46:10
Line 1 Line 1
   What's new in Sudo 1.8.7?
   
    * The non-Unix group plugin is now supported when sudoers data
      is stored in LDAP.
   
    * Sudo now uses a workaround for a locale bug on Solaris 11.0
      that prevents setuid programs like sudo from fully using locales.
   
    * User messages are now always displayed in the user's locale,
      even when the same message is being logged or mailed in a
      different locale.
   
    * Log files created by sudo now explicitly have the group set
      to group ID 0 rather than relying on BSD group semantics (which
      may not be the default).
   
    * A new "exec_background" sudoers option can be used to initially
      run the command without read access to the terminal when running
      a command in a pseudo-tty.  If the command tries to read from
      the terminal it will be stopped by the kernel (via SIGTTIN or
      SIGTTOU) and sudo will immediately restart it as the forground
      process (if possible).  This allows sudo to only pass terminal
      input to the program if the program actually is expecting it.
      Unfortunately, a few poorly-behaved programs (like "su" on most
      Linux systems) do not handle SIGTTIN and SIGTTOU properly.
   
    * Sudo now uses an efficient group query to get all the groups
      for a user instead of iterating over every record in the group
      database on HP-UX and Solaris.
   
    * Sudo now produces better error messages when there is an error
      in the sudo.conf file.
   
    * Two new settings have been added to sudo.conf to give the admin
      better control of how group database queries are performed.  The
      "group_source" specifies how the group list for a user will be
      determined.  Legal values are "static" (use the kernel groups
      list), "dynamic" (perform a group database query) and "adaptive"
      (only perform a group database query if the kernel list is full).
      The "max_groups" specifies the maximum number of groups a user may
      belong to when performing a group database query.
   
    * The sudo.conf file now supports line continuation by using a
      backslash as the last character on the line.
   
    * There is now a standalone sudo.conf manual page.
   
    * Sudo now stores its libexec files in a "sudo" subdirectory instead
      of in libexec itself. For backwards compatibility, if the plugin
      is not found in the default plugin directory, sudo will check
      the parent directory if the default directory ends in "/sudo".
   
    * The sudoers I/O logging plugin now logs the terminal size.
   
    * A new sudoers option "maxseq" can be used to limit the number of
      I/O log entries that are stored.
   
    * The "system_group" and "group_file" sudoers group provider plugins
      are now installed by default.
   
    * The list output (sudo -l) output from the sudoers plugin is now
      less ambiguous when an entry includes different runas users.
      The long list output (sudo -ll) for file-based sudoers is now
      more consistent with the format of LDAP-based sudoers.
   
    * A uid may now be used in the sudoRunAsUser attributes for LDAP
      sudoers.
   
    * Minor plugin API change: the close and version functions are now
      optional.  If the policy plugin does not provide a close function
      and the command is not being run in a new pseudo-tty, sudo may
      now execute the command directly instead of in a child process.
   
    * A new sudoers option "pam_session" can be used to disable sudo's
      PAM session support.
   
    * On HP-UX systems, sudo will now use the pstat() function to
      determine the tty instead of ttyname().
   
    * Turkish translation for sudo and sudoers from translationproject.org.
   
    * Dutch translation for sudo and sudoers from translationproject.org.
   
    * Tivoli Directory Server client libraries may now be used with
      HP-UX where libibmldap has a hidden dependency on libCsup.
   
    * The sudoers plugin will now ignore invalid domain names when
      checking netgroup membership.  Most Linux systems use the string
      "(none)" for the NIS-style domain name instead of an empty string.
   
    * New support for specifying a SHA-2 digest along with the command
      in sudoers.  Supported hash types are sha224, sha256, sha384 and
      sha512.  See the description of Digest_Spec in the sudoers manual
      or the description of sudoCommand in the sudoers.ldap manual for
      details.
   
    * The paths to ldap.conf and ldap.secret may now be specified as
      arguments to the sudoers plugin in the sudo.conf file.
   
    * Fixed potential false positives in visudo's alias cycle detection.
   
    * Fixed a problem where the time stamp file was being treated
      as out of date on Linux systems where the change time on the
      pseudo-tty device node can change after it is allocated.
   
    * Sudo now only builds Position Independent Executables (PIE)
      by default on Linux systems and verifies that a trivial test
      program builds and runs.
   
    * On Solaris 11.1 and higher, sudo binaries will now have the
      ASLR tag enabled if supported by the linker.
   
   What's new in Sudo 1.8.6p8?
   
    * Terminal detection now works properly on 64-bit AIX kernels.
      This was broken by the removal of the ttyname() fallback in Sudo
      1.8.6p6.  Sudo is now able to map an AIX 64-bit device number
      to the corresponding device file in /dev.
   
    * Sudo now checks for crypt() returning NULL when performing
      passwd-based authentication.
   
   What's new in Sudo 1.8.6p7?
   
    * A time stamp file with the date set to the epoch by "sudo -k"
      is now completely ignored regardless of what the local clock is
      set to.  Previously, if the local clock was set to a value between
      the epoch and the time stamp timeout value, a time stamp reset
      by "sudo -k" would be considered current.
   
    * The tty-specific time stamp file now includes the session ID
      of the sudo process that created it.  If a process with the same
      tty but a different session ID runs sudo, the user will now be
      prompted for a password (assuming authentication is required for
      the command).
   
   What's new in Sudo 1.8.6p6?
   
    * On systems where the controlling tty can be determined via /proc
      or sysctl(), sudo will no longer fall back to using ttyname()
      if the process has no controlling tty.  This prevents sudo from
      using a non-controlling tty for logging and time stamp purposes.
   
   What's new in Sudo 1.8.6p5?
   
    * Fixed a potential crash in visudo's alias cycle detection.
   
    * Improved performance on Solaris when retrieving the group list
      for the target user.  On systems with a large number of groups
      where the group database is not local (NIS, LDAP, AD), fetching
      the group list could take a minute or more.
   
   What's new in Sudo 1.8.6p4?
   
    * The -fstack-protector is now used when linking visudo, sudoreplay
      and testsudoers.
   
    * Avoid building PIE binaries on FreeBSD/ia64 as they don't run
      properly.
   
    * Fixed a crash in visudo strict mode when an unknown Defaults
      setting is encountered.
   
    * Do not inform the user that the command was not permitted by the
      policy if they do not successfully authenticate. This is a
      regression introduced in sudo 1.8.6.
   
    * Allow sudo to be build with sss support without also including
      ldap support.
   
    * Fix running commands that need the terminal in the background
      when I/O logging is enabled. E.g. "sudo vi &". When the command
      is foregrounded, it will now resume properly.
   
 What's new in Sudo 1.8.6p3?  What's new in Sudo 1.8.6p3?
   
  * Fixed post-processing of the man pages on systems with legacy   * Fixed post-processing of the man pages on systems with legacy
Line 53  What's new in Sudo 1.8.6? Line 227  What's new in Sudo 1.8.6?
    ldap.conf options.  A new ldap.conf option, TLS_KEYPW can be     ldap.conf options.  A new ldap.conf option, TLS_KEYPW can be
    used to specify a password to decrypt the key database.     used to specify a password to decrypt the key database.
   
 * When constructing a time filter for use with LDAP sudoNotBefore     * When constructing a time filter for use with LDAP sudoNotBefore
    and sudoNotAfter attributes, the current time now includes tenths     and sudoNotAfter attributes, the current time now includes tenths
    of a second.  This fixes a problem with timed entries on Active     of a second.  This fixes a problem with timed entries on Active
    Directory.     Directory.
Line 319  What's new in Sudo 1.8.3p1? Line 493  What's new in Sudo 1.8.3p1?
   
  * Fixed a crash in the monitor process on Solaris when NOPASSWD   * Fixed a crash in the monitor process on Solaris when NOPASSWD
    was specified or when authentication was disabled.     was specified or when authentication was disabled.
 
  * Fixed matching of a Runas_Alias in the group section of a   * Fixed matching of a Runas_Alias in the group section of a
    Runas_Spec.     Runas_Spec.
   

Removed from v.1.1.1.3  
changed lines
  Added in v.1.1.1.4


FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>