Annotation of embedaddon/sudo/NEWS, revision 1.1

1.1     ! misho       1: What's new in Sudo 1.8.3p2?
        !             2: 
        !             3:  * Fixed a format string vulnerability when the name of the sudo
        !             4:    binary (or of a symbolic link to the sudo binary) contains
        !             5:    printf format escapes and the -D (debugging) flag is used.
        !             6: 
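The bug class behind the 1.8.3p2 entry above, as an added example that is not sudo's code: a debug logger that splices the program name into its format string, next to a form that only ever passes the name as a `%s` argument. The names `debug_unsafe`, `debug_safe` and `name_has_format_escape` and the sample program name are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical debug logger for illustration; not taken from sudo. */

/*
 * Unsafe pattern: the program name is spliced into the format string,
 * so any '%' in argv[0] is parsed by vsnprintf() as a conversion.
 */
static int debug_unsafe(char *out, size_t outsz, const char *progname,
                        const char *fmt, ...)
{
    char newfmt[256];
    va_list ap;
    int n;

    snprintf(newfmt, sizeof(newfmt), "%s: %s\n", progname, fmt);
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, newfmt, ap);  /* progname is now format text */
    va_end(ap);
    return n;
}

/*
 * Hardened pattern: only the caller's trusted format is expanded; the
 * program name is inserted afterwards as plain data through "%s".
 */
#if defined(__GNUC__)
__attribute__((format(printf, 4, 5)))
#endif
static int debug_safe(char *out, size_t outsz, const char *progname,
                      const char *fmt, ...)
{
    char msg[256];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(msg, sizeof(msg), fmt, ap);
    va_end(ap);
    return snprintf(out, outsz, "%s: %s\n", progname, msg);
}

/* Startup check: does the invoked name carry a printf conversion character? */
static int name_has_format_escape(const char *name)
{
    return strchr(name, '%') != NULL;
}

int main(int argc, char **argv)
{
    char buf[256];
    /* Constructed sample name; it is only ever given to debug_safe(). */
    const char *odd_name = "%n%s%x";

    (void)argc;
    debug_safe(buf, sizeof(buf), odd_name, "uid=%d", 0);
    fputs(buf, stdout);                 /* name appears literally */

    debug_unsafe(buf, sizeof(buf), "sudo", "uid=%d", 0);
    fputs(buf, stdout);                 /* behaves only because the name is benign */

    printf("argv[0] has format escape: %d\n", name_has_format_escape(argv[0]));
    return 0;
}
```
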
        !             7: What's new in Sudo 1.8.3p1?
        !             8: 
        !             9:  * Fixed a crash in the monitor process on Solaris when NOPASSWD
        !            10:    was specified or when authentication was disabled.
        !            11:  
        !            12:  * Fixed matching of a Runas_Alias in the group section of a
        !            13:    Runas_Spec.
        !            14: 
        !            15: What's new in Sudo 1.8.3?
        !            16: 
        !            17:  * Fixed expansion of strftime() escape sequences in the "log_dir"
        !            18:    sudoers setting.
        !            19: 
        !            20:  * Esperanto, Italian and Japanese translations from translationproject.org.
        !            21: 
        !            22:  * Sudo will now use PAM by default on AIX 6 and higher.
        !            23: 
        !            24:  * Added --enable-werror configure option for gcc's -Werror flag.
        !            25: 
        !            26:  * Visudo no longer assumes all editors support the +linenumber
        !            27:    command line argument.  It now uses a whitelist of editors known
        !            28:    to support the option.
        !            29: 
        !            30:  * Fixed matching of network addresses when a netmask is specified
        !            31:    but the address is not the first one in the CIDR block.
        !            32: 
        !            33:  * The configure script now checks whether or not errno.h declares
        !            34:    the errno variable.  Previously, sudo would always declare errno
        !            35:    itself for older systems that don't declare it in errno.h.
        !            36: 
        !            37:  * The NOPASSWD tag is now honored for denied commands too, which
        !            38:    matches historic sudo behavior (prior to sudo 1.7.0).
        !            39: 
        !            40:  * Sudo now honors the "DEREF" setting in ldap.conf which controls
        !            41:    how alias dereferencing is done during an LDAP search.
        !            42: 
        !            43:  * A symbol conflict with the pam_ssh_agent_auth PAM module that
        !            44:    would cause a crash has been resolved.
        !            45: 
        !            46:  * The inability to load a group provider plugin is no longer
        !            47:    a fatal error.
        !            48: 
        !            49:  * A potential crash in the utmp handling code has been fixed.
        !            50: 
        !            51:  * Two PAM session issues have been resolved.  In previous versions
        !            52:    of sudo, the PAM session was opened as one user and closed as
        !            53:    another.  Additionally, if no authentication was performed, the
        !            54:    PAM session would never be closed.
        !            55: 
        !            56:  * Sudo will now work correctly with LDAP-based sudoers using TLS
        !            57:    or SSL on Debian systems.
        !            58: 
        !            59:  * The LOGNAME, USER and USERNAME environment variables are preserved
        !            60:    correctly again in sudoedit mode.
        !            61: 
        !            62: What's new in Sudo 1.8.2?
        !            63: 
        !            64:  * Sudo, visudo, sudoreplay and the sudoers plug-in now have natural
        !            65:    language support (NLS). This can be disabled by passing configure
        !            66:    the --disable-nls option.  Sudo will use gettext(), if available,
        !            67:    to display translated messages.  All translations are coordinated
        !            68:    via The Translation Project, http://translationproject.org/.
        !            69: 
        !            70:  * Plug-ins are now loaded with the RTLD_GLOBAL flag instead of
        !            71:    RTLD_LOCAL.  This fixes missing symbol problems in PAM modules
        !            72:    on certain platforms, such as FreeBSD and SuSE Linux Enterprise.
        !            73: 
        !            74:  * I/O logging is now supported for commands run in background mode
        !            75:    (using sudo's -b flag).
        !            76: 
        !            77:  * Group ownership of the sudoers file is now only enforced when
        !            78:    the file mode on sudoers allows group readability or writability.
        !            79: 
        !            80:  * Visudo now checks the contents of an alias and warns about cycles
        !            81:    when the alias is expanded.
        !            82: 
        !            83:  * If the user specifies a group via sudo's -g option that matches
        !            84:    the target user's group in the password database, it is now
        !            85:    allowed even if no groups are present in the Runas_Spec.
        !            86: 
        !            87:  * The sudo Makefiles now have more complete dependencies which are
        !            88:    automatically generated instead of being maintained manually.
        !            89: 
        !            90:  * The "use_pty" sudoers option is now correctly passed back to the
        !            91:    sudo front end.  This was missing in previous versions of sudo
        !            92:    1.8 which prevented "use_pty" from being honored.
        !            93: 
        !            94:  * "sudo -i command" now works correctly with bash version
        !            95:    2.0 and higher.  Previously, the .bash_profile would not be
        !            96:    sourced prior to running the command unless bash was built with
        !            97:    NON_INTERACTIVE_LOGIN_SHELLS defined.
        !            98: 
        !            99:  * When matching groups in the sudoers file, sudo will now match
        !           100:    based on the name of the group instead of the group ID. This can
        !           101:    substantially reduce the number of group lookups for sudoers
        !           102:    files that contain a large number of groups.
        !           103: 
        !           104:  * Multi-factor authentication is now supported on AIX.
        !           105: 
        !           106:  * Added support for non-RFC 4517 compliant LDAP servers that require
        !           107:    that seconds be present in a timestamp, such as Tivoli Directory Server.
        !           108: 
        !           109:  * If the group vector is to be preserved, the PATH search for the
        !           110:    command is now done with the user's original group vector.
        !           111: 
        !           112:  * For LDAP-based sudoers, the "runas_default" sudoOption now works
        !           113:    properly in a sudoRole that contains a sudoCommand.
        !           114: 
        !           115:  * Spaces in command line arguments for "sudo -s" and "sudo -i" are
        !           116:    now escaped with a backslash when checking the security policy.
        !           117: 
        !           118: What's new in Sudo 1.8.1p2?
        !           119: 
        !           120:  * Two-character CIDR-style IPv4 netmasks are now matched correctly
        !           121:    in the sudoers file.
        !           122: 
        !           123:  * A build error with MIT Kerberos V has been resolved.
        !           124: 
        !           125:  * A crash on HP-UX in the sudoers plugin when wildcards are
        !           126:    present in the sudoers file has been resolved.
        !           127: 
        !           128:  * Sudo now works correctly on Tru64 Unix again.
        !           129: 
        !           130: What's new in Sudo 1.8.1p1?
        !           131: 
        !           132:  * Fixed a problem on AIX where sudo was unable to set the final
        !           133:    uid if the PAM module modified the effective uid.
        !           134: 
        !           135:  * A non-existent includedir is now treated the same as an empty
        !           136:    directory and not reported as an error.
        !           137: 
        !           138:  * Removed extraneous parens in LDAP filter when sudoers_search_filter
        !           139:    is enabled that can cause an LDAP search error.
        !           140: 
        !           141:  * Fixed a "make -j" problem for "make install".
        !           142: 
        !           143: What's new in Sudo 1.8.1?
        !           144: 
        !           145:  * A new LDAP setting, sudoers_search_filter, has been added to
        !           146:    ldap.conf.  This setting can be used to restrict the set of
        !           147:    records returned by the LDAP query.  Based on changes from Matthew
        !           148:    Thomas.
        !           149: 
        !           150:  * White space is now permitted within a User_List when used in
        !           151:    conjunction with a per-user Defaults definition.
        !           152: 
        !           153:  * A group ID (%#gid) may now be specified in a User_List or Runas_List.
        !           154:    Likewise, for non-Unix groups the syntax is %:#gid.
        !           155: 
        !           156:  * Support for double-quoted words in the sudoers file has been fixed.
        !           157:    The change in 1.7.5 for escaping the double quote character
        !           158:    caused the double quoting to only be available at the beginning
        !           159:    of an entry.
        !           160: 
        !           161:  * The fix for resuming a suspended shell in 1.7.5 caused problems
        !           162:    with resuming non-shells on Linux.  Sudo will now save the process
        !           163:    group ID of the program it is running on suspend and restore it
        !           164:    when resuming, which fixes both problems.
        !           165: 
        !           166:  * A bug that could result in corrupted output in "sudo -l" has been
        !           167:    fixed.
        !           168: 
        !           169:  * Sudo will now create an entry in the utmp (or utmpx) file when
        !           170:    allocating a pseudo-tty (e.g. when logging I/O).  The "set_utmp"
        !           171:    and "utmp_runas" sudoers file options can be used to control this.
        !           172:    Other policy plugins may use the "set_utmp" and "utmp_user"
        !           173:    entries in the command_info list.
        !           174: 
        !           175:  * The sudoers policy now stores the TSID field in the logs
        !           176:    even when the "iolog_file" sudoers option is defined to a value
        !           177:    other than %{sessid}.  Previously, the TSID field was only
        !           178:    included in the log file when the "iolog_file" option was set
        !           179:    to its default value.
        !           180: 
        !           181:  * The sudoreplay utility now supports arbitrary session IDs.
        !           182:    Previously, it would only work with the base-36 session IDs
        !           183:    that the sudoers plugin uses by default.
        !           184: 
        !           185:  * Sudo now passes "run_shell=true" to the policy plugin in the
        !           186:    settings list when sudo's -s command line option is specified.
        !           187:    The sudoers policy plugin uses this to implement the "set_home"
        !           188:    sudoers option which was missing from sudo 1.8.0.
        !           189: 
        !           190:  * The "noexec" functionality has been moved out of the sudoers
        !           191:    policy plugin and into the sudo front-end, which matches the
        !           192:    behavior documented in the plugin writer's guide.  As a result,
        !           193:    the path to the noexec file is now specified in the sudo.conf
        !           194:    file instead of the sudoers file.
        !           195: 
        !           196:  * On Solaris 10, the PRIV_PROC_EXEC privilege is now used to
        !           197:    implement the "noexec" feature.  Previously, this was implemented
        !           198:    via the LD_PRELOAD environment variable.
        !           199: 
        !           200:  * The exit values for "sudo -l", "sudo -v" and "sudo -l command"
        !           201:    have been fixed in the sudoers policy plugin.
        !           202: 
        !           203:  * The sudoers policy plugin now passes the login class, if any,
        !           204:    back to the sudo front-end.
        !           205: 
        !           206:  * The sudoers policy plugin was not being linked with requisite
        !           207:    libraries in certain configurations.
        !           208: 
        !           209:  * Sudo now parses command line arguments before loading any plugins.
        !           210:    This allows "sudo -V" or "sudo -h" to work even if there is a problem
        !           211:    with sudo.conf.
        !           212: 
        !           213:  * Plugins are now linked with the static version of libgcc to allow
        !           214:    the plugin to run on a system where no shared libgcc is installed,
        !           215:    or where it is installed in a different location.
        !           216: 
        !           217: What's new in Sudo 1.8.0?
        !           218: 
        !           219:  * Sudo has been refactored to use a modular framework that can
        !           220:    support third-party policy and I/O logging plugins.  The default
        !           221:    plugin is "sudoers" which provides the traditional sudo functionality.
        !           222:    See the sudo_plugin manual for details on the plugin API and the
        !           223:    sample in the plugins directory for a simple example.
        !           224: 
        !           225: What's new in Sudo 1.7.5?
        !           226: 
        !           227:  * When using visudo in check mode, a file named "-" may be used to
        !           228:    check sudoers data on the standard input.
        !           229: 
        !           230:  * Sudo now only fetches shadow password entries when using the
        !           231:    password database directly for authentication.
        !           232: 
        !           233:  * Password and group entries are now cached using the same key
        !           234:    that was used to look them up.  This fixes a problem when looking
        !           235:    up entries by name if the name in the retrieved entry does not
        !           236:    match the name used to look it up.  This may happen on some systems
        !           237:    that do case insensitive lookups or that truncate long names.
        !           238: 
        !           239:  * GCC will no longer display warnings on glibc systems that use
        !           240:    the warn_unused_result attribute for write(2) and other system calls.
        !           241: 
        !           242:  * If a PAM account management module denies access, sudo now prints
        !           243:    a more useful error message and stops trying to validate the user.
        !           244: 
        !           245:  * Fixed a potential hang on idle systems when the sudo-run process
        !           246:    exits immediately.
        !           247: 
        !           248:  * Sudo now includes a copy of zlib that will be used on systems
        !           249:    that do not have zlib installed.
        !           250: 
        !           251:  * The --with-umask-override configure flag has been added to enable
        !           252:    the "umask_override" sudoers Defaults option at build time.
        !           253: 
        !           254:  * Sudo now unblocks all signals on startup to avoid problems caused
        !           255:    by the parent process changing the default signal mask.
        !           256: 
        !           257:  * LDAP Sudoers entries may now specify a time period for which
        !           258:    the entry is valid.  This requires an updated sudoers schema
        !           259:    that includes the sudoNotBefore and sudoNotAfter attributes.
        !           260:    Support for timed entries must be explicitly enabled in the
        !           261:    ldap.conf file.  Based on changes from Andreas Mueller.
        !           262: 
        !           263:  * LDAP Sudoers entries may now specify a sudoOrder attribute that
        !           264:    determines the order in which matching entries are applied.  The
        !           265:    last matching entry is used, just like file-based sudoers.  This
        !           266:    requires an updated sudoers schema that includes the sudoOrder
        !           267:    attribute.  Based on changes from Andreas Mueller.
        !           268: 
        !           269:  * When run as sudoedit, or when given the -e flag, sudo now treats
        !           270:    command line arguments as pathnames.  This means that slashes
        !           271:    in the sudoers file entry must explicitly match slashes in
        !           272:    the command line arguments.  As a result, an entry such as:
        !           273:        user ALL = sudoedit /etc/*
        !           274:    will allow editing of /etc/motd but not /etc/security/default.
        !           275: 
        !           276:  * NETWORK_TIMEOUT is now an alias for BIND_TIMELIMIT in ldap.conf for
        !           277:    compatibility with OpenLDAP configuration files.
        !           278: 
        !           279:  * The LDAP API TIMEOUT parameter is now honored in ldap.conf.
        !           280: 
        !           281:  * The I/O log directory may now be specified in the sudoers file.
        !           282: 
        !           283:  * Sudo will no longer refuse to run if the sudoers file is writable
        !           284:    by root.
        !           285: 
        !           286:  * Sudo now performs command line escaping for "sudo -s" and "sudo -i"
        !           287:    after validating the command so the sudoers entries do not need
        !           288:    to include the backslashes.
        !           289: 
        !           290:  * Logging and email sending are now done in the locale specified
        !           291:    by the "sudoers_locale" setting ("C" by default).  Email sent by
        !           292:    sudo now includes MIME headers when "sudoers_locale" is not "C".
        !           293: 
        !           294:  * The configure script has a new option, --disable-env-reset, to
        !           295:    allow one to change the default for the sudoers Default setting
        !           296:    "env_reset" at compile time.
        !           297: 
        !           298:  * When logging "sudo -l command", sudo will now prepend "list "
        !           299:    to the command in the log line to distinguish it from an
        !           300:    actual command invocation in the logs.
        !           301: 
        !           302:  * Double-quoted group and user names may now include escaped double
        !           303:    quotes as part of the name.  Previously this was a parse error.
        !           304: 
        !           305:  * Sudo once again restores the state of the signal handlers it
        !           306:    modifies before executing the command.  This allows sudo to be
        !           307:    used with the nohup command.
        !           308: 
        !           309:  * Resuming a suspended shell now works properly when I/O logging
        !           310:    is not enabled (the I/O logging case was already correct).
        !           311: 
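The sudoedit pathname matching described in the 1.7.5 notes above, as an added example that is not sudo's code. It assumes fnmatch(3) with FNM_PATHNAME models the new behavior and fnmatch(3) without it models the earlier one; `match_loose`, `match_pathname`, `count_narrowed` and the sample paths are hypothetical.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample paths a user might ask sudoedit to open. */
static const char *const SAMPLE_PATHS[] = {
    "/etc/motd",
    "/etc/passwd",
    "/etc/security/default",
    "/etc/sudoers.d/local",
};
#define SAMPLE_COUNT (sizeof(SAMPLE_PATHS) / sizeof(SAMPLE_PATHS[0]))

/* Argument-style matching: '*' is free to match '/' characters. */
static int match_loose(const char *pattern, const char *path)
{
    return fnmatch(pattern, path, 0) == 0;
}

/* Pathname-style matching: a '/' in the path must be matched by an
 * explicit '/' in the pattern, so '*' stays within one component. */
static int match_pathname(const char *pattern, const char *path)
{
    return fnmatch(pattern, path, FNM_PATHNAME) == 0;
}

/* Count paths the loose rule would allow but the pathname rule rejects,
 * i.e. how much a given sudoers pattern is narrowed by the change. */
static size_t count_narrowed(const char *pattern,
                             const char *const *paths, size_t n)
{
    size_t i, narrowed = 0;

    for (i = 0; i < n; i++) {
        if (match_loose(pattern, paths[i]) && !match_pathname(pattern, paths[i]))
            narrowed++;
    }
    return narrowed;
}

int main(void)
{
    /* "/etc/*" is the pattern from the NEWS entry; "/etc/*" followed by
     * a second "/*" shows how one directory level below /etc is granted. */
    const char *patterns[] = { "/etc/*", "/etc/*/*" };
    size_t p, i;

    for (p = 0; p < sizeof(patterns) / sizeof(patterns[0]); p++) {
        printf("pattern %s\n", patterns[p]);
        for (i = 0; i < SAMPLE_COUNT; i++) {
            printf("  %-24s loose=%d pathname=%d\n", SAMPLE_PATHS[i],
                   match_loose(patterns[p], SAMPLE_PATHS[i]),
                   match_pathname(patterns[p], SAMPLE_PATHS[i]));
        }
        printf("  narrowed by pathname matching: %zu\n",
               count_narrowed(patterns[p], SAMPLE_PATHS, SAMPLE_COUNT));
    }
    return 0;
}
```
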
        !           312: What's new in Sudo 1.7.4p6?
        !           313: 
        !           314:  * A bug has been fixed in the I/O logging support that could cause
        !           315:    visual artifacts in full-screen programs such as text editors.
        !           316: 
        !           317: What's new in Sudo 1.7.4p5?
        !           318: 
        !           319:  * A bug has been fixed that would allow a command to be run without the
        !           320:    user entering a password when sudo's -g flag is used without the -u flag.
        !           321: 
        !           322:  * If the user has no supplementary groups, sudo will now fall back on checking
        !           323:    the group file explicitly, which restores historic sudo behavior.
        !           324: 
        !           325:  * A crash has been fixed when sudo's -g flag is used without the -u flag
        !           326:    and the sudoers file contains an entry with no runas user or group listed.
        !           327: 
        !           328:  * A crash has been fixed when the Solaris project support is enabled
        !           329:    and sudo's -g flag is used without the -u flag.
        !           330: 
        !           331:  * Sudo no longer exits with an error when support for auditing is
        !           332:    compiled in but auditing is not enabled.
        !           333: 
        !           334:  * Fixed a bug introduced in sudo 1.7.3 where the ticket file was not
        !           335:    being honored when the "targetpw" sudoers Defaults option was enabled.
        !           336: 
        !           337:  * The LOG_INPUT and LOG_OUTPUT tags in sudoers are now parsed correctly.
        !           338: 
        !           339:  * A crash has been fixed in "sudo -l" when sudo is built with auditing
        !           340:    support and the user is not allowed to run any commands on the host.
        !           341: 
        !           342: What's new in Sudo 1.7.4p4?
        !           343: 
        !           344:  * A potential security issue has been fixed with respect to the handling
        !           345:    of sudo's -g command line option when -u is also specified.  The flaw
        !           346:    may allow an attacker to run commands as a user that is not authorized
        !           347:    by the sudoers file.
        !           348: 
        !           349:  * A bug has been fixed where "sudo -l" output was incomplete if multiple
        !           350:    sudoers sources were defined in nsswitch.conf and there was an error
        !           351:    querying one of the sources.
        !           352: 
        !           353:  * The log_input, log_output, and use_pty sudoers options now work correctly
        !           354:    on AIX.  Previously, sudo would hang if they were enabled.
        !           355: 
        !           356:  * The "make install" target now works correctly when sudo is built in a
        !           357:    directory other than the source directory.
        !           358: 
        !           359:  * The "runas_default" sudoers setting now works properly in a per-command
        !           360:    Defaults line.
        !           361: 
        !           362:  * Suspending and resuming the bash shell when PAM is in use now works
        !           363:    correctly.  The SIGCONT signal was not propagated to the child process.
        !           364: 
        !           365: What's new in Sudo 1.7.4p3?
        !           366: 
        !           367:  * A bug has been fixed where duplicate HOME environment variables could be
        !           368:    present when the env_reset setting was disabled and the always_set_home
        !           369:    setting was enabled in sudoers.
        !           370: 
        !           371:  * The value of sysconfdir is now substituted into the path to the sudoers.d
        !           372:    directory in the installed sudoers file.
        !           373: 
        !           374:  * Compilation problems on IRIX and other platforms have been fixed.
        !           375: 
        !           376:  * If multiple PAM "auth" actions are specified and the user enters ^C at
        !           377:    the password prompt, sudo will no longer prompt for a password for any
        !           378:    subsequent "auth" actions.  Previously it was necessary to enter ^C for
        !           379:    each "auth" action.
        !           380: 
        !           381: What's new in Sudo 1.7.4p2?
        !           382: 
        !           383:  * A bug where sudo could spin in a busy loop waiting for the child process
        !           384:    has been fixed.
        !           385: 
        !           386: What's new in Sudo 1.7.4p1?
        !           387: 
        !           388:  * A bug introduced in sudo 1.7.3 that prevented the -k and -K options from
        !           389:    functioning when the tty_tickets sudoers option is enabled has been fixed.
        !           390: 
        !           391:  * Sudo no longer prints a warning when the -k or -K options are specified
        !           392:    and the ticket file does not exist.
        !           393: 
        !           394:  * It is now easier to cross-compile sudo.
        !           395: 
        !           396: What's new in Sudo 1.7.4?
        !           397: 
        !           398:  * Sudoedit will now preserve the file extension in the name of the
        !           399:    temporary file being edited.  The extension is used by some
        !           400:    editors (such as emacs) to choose the editing mode.
        !           401: 
        !           402:  * Time stamp files have moved from /var/run/sudo to either /var/db/sudo,
        !           403:    /var/lib/sudo or /var/adm/sudo.  The directories are checked for
        !           404:    existence in that order.  This prevents users from receiving the
        !           405:    sudo lecture every time the system reboots.  Time stamp files older
        !           406:    than the boot time are ignored on systems where it is possible to
        !           407:    determine this.
        !           408: 
        !           409:  * The tty_tickets sudoers option is now enabled by default.
        !           410: 
        !           411:  * Ancillary documentation (README files, LICENSE, etc) is now installed
        !           412:    in a sudo documentation directory.
        !           413: 
        !           414:  * Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile"
        !           415:    in ldap.conf.
        !           416: 
        !           417:  * Defaults settings that are tied to a user, host or command may
        !           418:    now include the negation operator.  For example:
        !           419:        Defaults:!millert lecture
        !           420:    will match any user but millert.
        !           421: 
        !           422:  * The default PATH environment variable, used when no PATH variable
        !           423:    exists, now includes /usr/sbin and /sbin.
        !           424: 
        !           425:  * Sudo now uses polypkg (http://rc.quest.com/topics/polypkg/)
        !           426:    for cross-platform packaging.
        !           427: 
        !           428:  * On Linux, sudo will now restore the nproc resource limit before
        !           429:    executing a command, unless the limit appears to have been modified
        !           430:    by pam_limits.  This avoids a problem with bash scripts that open
        !           431:    more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX)
        !           432:    will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1).
        !           433: 
        !           434:  * The HOME and MAIL environment variables are now reset based on the
        !           435:    target user's password database entry when the env_reset sudoers option
        !           436:    is enabled (which is the case in the default configuration).  Users
        !           437:    wishing to preserve the original values should use a sudoers entry like:
        !           438:        Defaults env_keep += HOME
        !           439:    to preserve the old value of HOME and
        !           440:        Defaults env_keep += MAIL
        !           441:    to preserve the old value of MAIL.
        !           442: 
        !           443:  * Fixed a problem in the restoration of the AIX authdb registry setting.
        !           444: 
        !           445:  * Sudo will now fork(2) and wait until the command has completed before
        !           446:    calling pam_close_session().
        !           447: 
        !           448:  * The default syslog facility is now "authpriv" if the operating system
        !           449:    supports it, else "auth".
        !           450: 
        !           451: What's new in Sudo 1.7.3?
        !           452: 
        !           453:  * Support for logging I/O for the command being run.
        !           454:    For more information, see the documentation for the "log_input"
        !           455:    and "log_output" Defaults options in the sudoers manual.  Also
        !           456:    see the sudoreplay manual for how to replay I/O log sessions.
        !           457: 
        !           458:  * The use_pty sudoers option can be used to force a command to be
        !           459:    run in a pseudo-pty, even when I/O logging is not enabled.
        !           460: 
        !           461:  * On some systems, sudo can now detect when a user has logged out
        !           462:    and back in again when tty-based time stamps are in use.  Supported
        !           463:    systems include Solaris systems with the devices file system,
        !           464:    Mac OS X, and Linux systems with the devpts filesystem (pseudo-ttys
        !           465:    only).
        !           466: 
        !           467:  * On AIX systems, the registry setting in /etc/security/user is
        !           468:    now taken into account when looking up users and groups.  Sudo
        !           469:    now applies the correct user and group ids when running a
        !           470:    command as a user whose account details come from a different
        !           471:    source (e.g. LDAP or DCE vs.  local files).
        !           472: 
        !           473:  * Support for multiple 'sudoers_base' and 'uri' entries in ldap.conf.
        !           474:    When multiple entries are listed, sudo will try each one in the
        !           475:    order in which they are specified.
        !           476: 
        !           477:  * Sudo's SELinux support should now function correctly when running
        !           478:    commands as a non-root user and when one of stdin, stdout or stderr
        !           479:    is not a terminal.
        !           480: 
        !           481:  * Sudo will now use the Linux audit system when configured with
        !           482:    the --with-linux-audit flag.
        !           483: 
        !           484:  * Sudo now uses mbr_check_membership() on systems that support it
        !           485:    to determine group membership.  Currently, only Darwin (Mac OS X)
        !           486:    supports this.
        !           487: 
        !           488:  * When the tty_tickets sudoers option is enabled but there is no
        !           489:    terminal device, sudo will no longer use or create a tty-based
        !           490:    ticket file.  Previously, sudo would use a tty name of "unknown".
        !           491:    As a consequence, if a user has no terminal device, sudo will
        !           492:    now always prompt for a password.
        !           493: 
        !           494:  * The passwd_timeout and timestamp_timeout options may now be
        !           495:    specified as floating point numbers for more granular timeout
        !           496:    values.
        !           497: 
        !           498:  * Negating the fqdn option in sudoers now works correctly when sudo
        !           499:    is configured with the --with-fqdn option.  In previous versions
        !           500:    of sudo the fqdn was set before sudoers was parsed.
        !           501: 
        !           502: What's new in Sudo 1.7.2?
        !           503: 
        !           504:  * A new #includedir directive is available in sudoers.  This can be
        !           505:    used to implement an /etc/sudo.d directory.  Files in an includedir
        !           506:    are not edited by visudo unless they contain a syntax error.
        !           507: 
        !           508:  * The -g option did not work properly when only setting the group
        !           509:    (and not the user).  Also, in -l mode the wrong user was displayed
        !           510:    for sudoers entries where only the group was allowed to be set.
        !           511: 
        !           512:  * Fixed a problem with the alias checking in visudo which
        !           513:    could prevent visudo from exiting.
        !           514: 
        !           515:  * Sudo will now correctly parse the shell-style /etc/environment
        !           516:    file format used by pam_env on Linux.
        !           517: 
        !           518:  * When doing password and group database lookups, sudo will only
        !           519:    cache an entry by name or by id, depending on how the entry was
        !           520:    looked up.  Previously, sudo would cache by both name and id
        !           521:    from a single lookup, but this breaks sites that have multiple
        !           522:    password or group database names that map to the same uid or
        !           523:    gid.
        !           524: 
        !           525:  * User and group names in sudoers may now be enclosed in double
        !           526:    quotes to avoid having to escape special characters.
        !           527: 
        !           528:  * BSM audit fixes when changing to a non-root uid.
        !           529: 
        !           530:  * Experimental non-Unix group support.  Currently only works with
        !           531:    Quest Authorization Services and allows Active Directory groups
        !           532:    fixes for Minix-3.
        !           533: 
        !           534:  * For Netscape/Mozilla-derived LDAP SDKs the certificate and key
        !           535:    paths may be specified as a directory or a file.  However, version
        !           536:    5.0 of the SDK only appears to support using a directory (despite
        !           537:    documentation to the contrary).  If SSL client initialization
        !           538:    fails and the certificate or key paths look like they could be
        !           539:    default file names, sudo will strip off the last path element and try again.
        !           540: 
        !           541:  * A setenv() compatibility fix for Linux systems, where a NULL
        !           542:    value is treated the same as an empty string and the variable
        !           543:    name is checked against the NULL pointer.
        !           544: 
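The passwd/group caching change in the 1.7.2 notes above, modelled as an added example (not sudo's own code): when two names share a uid, indexing a fetched entry under both keys makes a later by-uid lookup depend on which name was looked up first. The database contents, the cache layout and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed passwd data: "root" and "toor" share uid 0. */
struct pw { const char *name; int uid; };
static const struct pw db[] = { {"root", 0}, {"toor", 0}, {"alice", 1001} };
enum { NDB = sizeof(db) / sizeof(db[0]), SLOTS = 8 };
/* Cache with separate by-name and by-uid indexes (hypothetical layout). */
struct cache { const struct pw *name[SLOTS], *uid[SLOTS]; int nn, nu; };

/* Database lookups: first match wins, as with a flat passwd file. */
static const struct pw *db_name(const char *n) {
    for (int i = 0; i < NDB; i++) if (strcmp(db[i].name, n) == 0) return &db[i];
    return NULL;
}
static const struct pw *db_uid(int u) {
    for (int i = 0; i < NDB; i++) if (db[i].uid == u) return &db[i];
    return NULL;
}

/* both != 0: index a fetched entry under name and uid (the earlier behaviour
 * described above); both == 0: index only under the key that was asked for. */
static const struct pw *get_name(struct cache *c, const char *n, int both) {
    for (int i = 0; i < c->nn; i++)
        if (strcmp(c->name[i]->name, n) == 0) return c->name[i];
    const struct pw *p = db_name(n);
    if (p && c->nn < SLOTS) c->name[c->nn++] = p;
    if (p && both && c->nu < SLOTS) c->uid[c->nu++] = p;
    return p;
}
static const struct pw *get_uid(struct cache *c, int u, int both) {
    for (int i = 0; i < c->nu; i++)
        if (c->uid[i]->uid == u) return c->uid[i];
    const struct pw *p = db_uid(u);
    if (p && c->nu < SLOTS) c->uid[c->nu++] = p;
    if (p && both && c->nn < SLOTS) c->name[c->nn++] = p;
    return p;
}

/* Look up "toor" by name, then uid 0; return the name uid 0 resolves to. */
static const char *uid0_after_toor(int both) {
    struct cache c = {0};
    get_name(&c, "toor", both);
    return get_uid(&c, 0, both)->name;
}

int main(void) {
    printf("both keys: %s, lookup key only: %s\n", uid0_after_toor(1), uid0_after_toor(0));
    return 0;
}
```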
        !           545: What's new in Sudo 1.7.1?
        !           546: 
        !           547:  * A new Defaults option "pwfeedback" will cause sudo to provide visual
        !           548:    feedback when the user is entering a password.
        !           549: 
        !           550:  * A new Defaults option "fast_glob" will cause sudo to use the fnmatch()
        !           551:    function for file name globbing instead of glob().  When this option
        !           552:    is enabled, sudo will not check the file system when expanding wildcards.
        !           553:    This is faster but a side effect is that relative paths with wildcards
        !           554:    will no longer work.
        !           555: 
        !           556:  * New BSM audit support for systems that support it such as FreeBSD
        !           557:    and Mac OS X.
        !           558: 
        !           559:  * The file name specified with the #include directive may now include
        !           560:    a %h escape which is expanded to the short form of hostname.
        !           561: 
        !           562:  * The -k flag may now be specified along with a command, causing the
        !           563:    user's timestamp file to be ignored.
        !           564: 
        !           565:  * New support for Tivoli-based LDAP START_TLS, present in AIX.
        !           566: 
        !           567:  * New support for /etc/netsvc.conf on AIX.
        !           568: 
        !           569:  * The unused alias checks in visudo now handle the case of an alias
        !           570:    referring to another alias.
        !           571: 
        !           572: What's new in Sudo 1.7.0?
        !           573: 
        !           574:  * Rewritten parser that converts sudoers into a set of data structures.
        !           575:    This eliminates a number of ordering issues and makes it possible to
        !           576:    apply sudoers Defaults entries before searching for the command.
        !           577:    It also adds support for per-command Defaults specifications.
        !           578: 
        !           579:  * Sudoers now supports a #include facility to allow the inclusion of other
        !           580:    sudoers-format files.
        !           581: 
        !           582:  * Sudo's -l (list) flag has been enhanced:
        !           583:     o applicable Defaults options are now listed
        !           584:     o a command argument can be specified for testing whether a user
        !           585:       may run a specific command.
        !           586:     o a new -U flag can be used in conjunction with "sudo -l" to allow
        !           587:       root (or a user with "sudo ALL") to list another user's privileges.
        !           588: 
        !           589:  * A new -g flag has been added to allow the user to specify a
        !           590:    primary group to run the command as.  The sudoers syntax has been
        !           591:    extended to include a group section in the Runas specification.
        !           592: 
        !           593:  * A uid may now be used anywhere a username is valid.
        !           594: 
        !           595:  * The "secure_path" run-time Defaults option has been restored.
        !           596: 
        !           597:  * Password and group data is now cached for fast lookups.
        !           598: 
        !           599:  * The file descriptor at which sudo starts closing all open files is now
        !           600:    configurable via sudoers and, optionally, the command line.
        !           601: 
        !           602:  * Visudo will now warn about aliases that are defined but not used.
        !           603: 
        !           604:  * The -i and -s command line flags now take an optional command
        !           605:    to be run via the shell.  Previously, the argument was passed
        !           606:    to the shell as a script to run.
        !           607: 
        !           608:  * Improved LDAP support.  SASL authentication may now be used when
        !           609:    connecting to an LDAP server.  The krb5_ccname
        !           610:    parameter in ldap.conf may be used to enable Kerberos.
        !           611: 
        !           612:  * Support for /etc/nsswitch.conf.  LDAP users may now use nsswitch.conf
        !           613:    to specify the sudoers order.  E.g.:
        !           614:        sudoers: ldap files
        !           615:    to check LDAP, then /etc/sudoers.  The default is "files", even
        !           616:    when LDAP support is compiled in.  This differs from sudo 1.6
        !           617:    where LDAP was always consulted first.
        !           618: 
        !           619:  * Support for /etc/environment on AIX and Linux.  If sudo is run
        !           620:    with the -i flag, the contents of /etc/environment are used to
        !           621:    populate the new environment that is passed to the command being
        !           622:    run.
        !           623: 
        !           624:  * If no terminal is available or if the new -A flag is specified,
        !           625:    sudo will use a helper program to read the password if one is
        !           626:    configured.  Typically, this is a graphical password prompter
        !           627:    such as ssh-askpass.
        !           628: 
        !           629:  * A new Defaults option, "mailfrom", that sets the value of the
        !           630:    "From:" field in the warning/error mail.  If unspecified, the
        !           631:    login name of the invoking user is used.
        !           632: 
        !           633:  * A new Defaults option, "env_file", that refers to a file containing
        !           634:    environment variables to be set in the command being run.
        !           635: 
        !           636:  * A new flag, -n, may be used to indicate that sudo should not
        !           637:    prompt the user for a password and, instead, exit with an error
        !           638:    if authentication is required.
        !           639: 
        !           640:  * If sudo needs to prompt for a password and it is unable to disable
        !           641:    echo (and no askpass program is defined), it will refuse to run
        !           642:    unless the "visiblepw" Defaults option has been specified.
        !           643: 
        !           644:  * Prior to version 1.7.0, hitting enter/return at the Password: prompt
        !           645:    would exit sudo.  In sudo 1.7.0 and beyond, this is treated as
        !           646:    an empty password.  To exit sudo, the user must press ^C or ^D
        !           647:    at the prompt.
        !           648: 
        !           649:  * visudo will now check the sudoers file owner and mode in -c (check)
        !           650:    mode when the -s (strict) flag is specified.
        !           651: 
        !           652:  * A new Defaults option "umask_override" will cause sudo to set the
        !           653:    umask specified in sudoers even if it is more permissive than the
        !           654:    invoking user's umask.
