Annotation of embedaddon/sudo/NEWS, revision 1.1.1.5
1.1.1.5 ! misho 1: What's new in Sudo 1.8.8?
! 2:
! 3: * Removed a warning on PAM systems with stacked auth modules
! 4: where the first module on the stack does not succeed.
! 5:
! 6: * Sudo, sudoreplay and visudo now support GNU-style long options.
! 7:
! 8: * The -h (--host) option may now be used to specify a host name.
! 9: This is currently only used by the sudoers plugin in conjunction
! 10: with the -l (--list) option.
! 11:
! 12: * Program usage messages and manual SYNOPSIS sections have been
! 13: simplified.
! 14:
! 15: * Sudo's LDAP SASL support now works properly with Kerberos.
! 16: Previously, the SASL library was unable to locate the user's
! 17: credential cache.
! 18:
! 19: * It is now possible to set the nproc resource limit to unlimited
! 20: via pam_limits on Linux (bug #565).
! 21:
! 22: * New "pam_service" and "pam_login_service" sudoers options
! 23: that can be used to specify the PAM service name to use.
! 24:
! 25: * New "pam_session" and "pam_setcred" sudoers options that
! 26: can be used to disable PAM session and credential support.
! 27:
! 28: * The sudoers plugin now properly supports UIDs and GIDs
! 29: that are larger than 0x7fffffff on 32-bit platforms.
! 30:
! 31: * Fixed a visudo bug introduced in sudo 1.8.7 where per-group
! 32: Defaults entries would cause an internal error.
! 33:
! 34: * If the "tty_tickets" sudoers option is enabled (the default),
! 35: but there is no tty present, sudo will now use a ticket file
! 36: based on the parent process ID. This makes it possible to support
! 37: the normal timeout behavior for the session.
! 38:
! 39: * Fixed a problem running commands that change their process
! 40: group and then attempt to change the terminal settings when not
! 41: running the command in a pseudo-terminal. Previously, the process
! 42: would receive SIGTTOU since it was effectively a background
! 43: process. Sudo will now grant the child the controlling tty and
! 44: continue it when this happens.
! 45:
! 46: * The "closefrom_override" sudoers option may now be used in
! 47: a command-specified Defaults entry (bug #610).
! 48:
! 49: * Sudo's BSM audit support now works on Solaris 11.
! 50:
! 51: * Brazilian Portuguese translation for sudo and sudoers from
! 52: translationproject.org.
! 53:
! 54: * Czech translation for sudo from translationproject.org.
! 55:
! 56: * French translation for sudo from translationproject.org.
! 57:
! 58: * Sudo's noexec support on Mac OS X 10.4 and above now uses dynamic
! 59: symbol interposition instead of setting DYLD_FORCE_FLAT_NAMESPACE=1,
! 60: which causes issues with some programs.
! 61:
! 62: * Fixed visudo's -q (--quiet) flag, broken in sudo 1.8.6.
! 63:
! 64: * Root may no longer change its SELinux role without entering
! 65: a password.
! 66:
! 67: * Fixed a bug introduced in Sudo 1.8.7 where the indexes written
! 68: to the I/O log timing file are two greater than they should be.
! 69: Sudoreplay now contains a work-around to parse those files.
! 70:
! 71: * In sudoreplay's list mode, the "this" qualifier in "fromdate"
! 72: or "todate" expressions now behaves more sensibly. Previously,
! 73: it would often match a date that was "one more" than expected.
! 74: For example, "this week" now matches the current week instead
! 75: of the following week.
! 76:
1.1.1.4 misho 77: What's new in Sudo 1.8.7?
78:
79: * The non-Unix group plugin is now supported when sudoers data
80: is stored in LDAP.
81:
82: * Sudo now uses a workaround for a locale bug on Solaris 11.0
83: that prevents setuid programs like sudo from fully using locales.
84:
85: * User messages are now always displayed in the user's locale,
86: even when the same message is being logged or mailed in a
87: different locale.
88:
89: * Log files created by sudo now explicitly have the group set
90: to group ID 0 rather than relying on BSD group semantics (which
91: may not be the default).
92:
93: * A new "exec_background" sudoers option can be used to initially
94: run the command without read access to the terminal when running
95: a command in a pseudo-tty. If the command tries to read from
96: the terminal it will be stopped by the kernel (via SIGTTIN or
1.1.1.5 ! misho 97: SIGTTOU) and sudo will immediately restart it as the foreground
1.1.1.4 misho 98: process (if possible). This allows sudo to only pass terminal
99: input to the program if the program actually is expecting it.
100: Unfortunately, a few poorly-behaved programs (like "su" on most
101: Linux systems) do not handle SIGTTIN and SIGTTOU properly.
102:
103: * Sudo now uses an efficient group query to get all the groups
104: for a user instead of iterating over every record in the group
105: database on HP-UX and Solaris.
106:
107: * Sudo now produces better error messages when there is an error
108: in the sudo.conf file.
109:
110: * Two new settings have been added to sudo.conf to give the admin
111: better control of how group database queries are performed. The
112: "group_source" specifies how the group list for a user will be
113: determined. Legal values are "static" (use the kernel groups
114: list), "dynamic" (perform a group database query) and "adaptive"
115: (only perform a group database query if the kernel list is full).
1.1.1.5 ! misho 116: The "max_groups" setting specifies the maximum number of groups
! 117: a user may belong to when performing a group database query.
1.1.1.4 misho 118:
119: * The sudo.conf file now supports line continuation by using a
120: backslash as the last character on the line.
121:
122: * There is now a standalone sudo.conf manual page.
123:
1.1.1.5 ! misho 124: * Sudo now stores its libexec files in a "sudo" sub-directory instead
1.1.1.4 misho 125: of in libexec itself. For backwards compatibility, if the plugin
126: is not found in the default plugin directory, sudo will check
127: the parent directory if the default directory ends in "/sudo".
128:
129: * The sudoers I/O logging plugin now logs the terminal size.
130:
131: * A new sudoers option "maxseq" can be used to limit the number of
132: I/O log entries that are stored.
133:
134: * The "system_group" and "group_file" sudoers group provider plugins
135: are now installed by default.
136:
137: * The list output (sudo -l) from the sudoers plugin is now
138: less ambiguous when an entry includes different runas users.
139: The long list output (sudo -ll) for file-based sudoers is now
140: more consistent with the format of LDAP-based sudoers.
141:
142: * A uid may now be used in the sudoRunAsUser attributes for LDAP
143: sudoers.
144:
145: * Minor plugin API change: the close and version functions are now
146: optional. If the policy plugin does not provide a close function
147: and the command is not being run in a new pseudo-tty, sudo may
148: now execute the command directly instead of in a child process.
149:
150: * A new sudoers option "pam_session" can be used to disable sudo's
151: PAM session support.
152:
153: * On HP-UX systems, sudo will now use the pstat() function to
154: determine the tty instead of ttyname().
155:
156: * Turkish translation for sudo and sudoers from translationproject.org.
157:
158: * Dutch translation for sudo and sudoers from translationproject.org.
159:
160: * Tivoli Directory Server client libraries may now be used with
161: HP-UX where libibmldap has a hidden dependency on libCsup.
162:
163: * The sudoers plugin will now ignore invalid domain names when
164: checking netgroup membership. Most Linux systems use the string
165: "(none)" for the NIS-style domain name instead of an empty string.
166:
167: * New support for specifying a SHA-2 digest along with the command
168: in sudoers. Supported hash types are sha224, sha256, sha384 and
169: sha512. See the description of Digest_Spec in the sudoers manual
170: or the description of sudoCommand in the sudoers.ldap manual for
171: details.
172:
173: * The paths to ldap.conf and ldap.secret may now be specified as
174: arguments to the sudoers plugin in the sudo.conf file.
175:
176: * Fixed potential false positives in visudo's alias cycle detection.
177:
178: * Fixed a problem where the time stamp file was being treated
179: as out of date on Linux systems where the change time on the
180: pseudo-tty device node can change after it is allocated.
181:
182: * Sudo now only builds Position Independent Executables (PIE)
183: by default on Linux systems and verifies that a trivial test
184: program builds and runs.
185:
186: * On Solaris 11.1 and higher, sudo binaries will now have the
187: ASLR tag enabled if supported by the linker.
188:
189: What's new in Sudo 1.8.6p8?
190:
191: * Terminal detection now works properly on 64-bit AIX kernels.
192: This was broken by the removal of the ttyname() fallback in Sudo
193: 1.8.6p6. Sudo is now able to map an AIX 64-bit device number
194: to the corresponding device file in /dev.
195:
196: * Sudo now checks for crypt() returning NULL when performing
197: passwd-based authentication.
198:
199: What's new in Sudo 1.8.6p7?
200:
201: * A time stamp file with the date set to the epoch by "sudo -k"
202: is now completely ignored regardless of what the local clock is
203: set to. Previously, if the local clock was set to a value between
204: the epoch and the time stamp timeout value, a time stamp reset
205: by "sudo -k" would be considered current.
206:
207: * The tty-specific time stamp file now includes the session ID
208: of the sudo process that created it. If a process with the same
209: tty but a different session ID runs sudo, the user will now be
210: prompted for a password (assuming authentication is required for
211: the command).
212:
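The two 1.8.6p7 checks above (an epoch-dated stamp is never current, and a different session ID on the same tty must re-authenticate) as an added C example; this is not sudo's code, and the struct layout, function names and the extra rejection of future-dated stamps are assumptions of the example.

```c
#include <stdio.h>
#include <sys/types.h>
#include <time.h>

/* Constructed record holding the two fields the 1.8.6p7 checks key on.
 * The real time stamp file layout is not reproduced here. */
struct tty_ticket {
    time_t mtime;  /* modification time of the time stamp file */
    pid_t  sid;    /* session ID of the sudo process that wrote it */
};

/* Decide whether an existing tty ticket lets the caller skip
 * re-authentication. Returns 1 if the ticket is still good, 0 otherwise. */
int ticket_is_valid(const struct tty_ticket *t, pid_t my_sid, time_t now,
                    time_t timeout_secs)
{
    /* "sudo -k" sets the file's date to the epoch. Treat that as no ticket
     * at all, before any arithmetic with the local clock: a clock set to
     * some small value after the epoch must not make it look current. */
    if (t->mtime == 0)
        return 0;
    /* A process on the same tty but in a different login session is
     * prompted again. */
    if (t->sid != my_sid)
        return 0;
    /* Ordinary expiry. A stamp dated in the future is also rejected here;
     * that guard is an assumption of this example, not part of the item. */
    if (now < t->mtime || now - t->mtime > timeout_secs)
        return 0;
    return 1;
}

/* Convenience wrapper so each case below is a single call. */
int ticket_check(time_t mtime, pid_t sid, pid_t my_sid, time_t now,
                 time_t timeout_secs)
{
    struct tty_ticket t = { mtime, sid };
    return ticket_is_valid(&t, my_sid, now, timeout_secs);
}

int main(void)
{
    const time_t timeout = 5 * 60;  /* sudoers' default timestamp_timeout */
    /* Constructed cases: times are seconds since the epoch. */
    printf("fresh ticket, same session:      %d\n", ticket_check(1000, 42, 42, 1100, timeout));
    printf("reset by sudo -k, clock at 100s: %d\n", ticket_check(0, 42, 42, 100, timeout));
    printf("same tty, other session:         %d\n", ticket_check(1000, 42, 43, 1100, timeout));
    printf("expired:                         %d\n", ticket_check(1000, 42, 42, 2000, timeout));
    return 0;
}
```

The second case is the one the fix targets: with the clock at 100 seconds past the epoch, `now - mtime` is within the timeout, so only the explicit epoch test keeps a `sudo -k` reset from being treated as a live ticket.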
213: What's new in Sudo 1.8.6p6?
214:
215: * On systems where the controlling tty can be determined via /proc
216: or sysctl(), sudo will no longer fall back to using ttyname()
217: if the process has no controlling tty. This prevents sudo from
218: using a non-controlling tty for logging and time stamp purposes.
219:
220: What's new in Sudo 1.8.6p5?
221:
222: * Fixed a potential crash in visudo's alias cycle detection.
223:
224: * Improved performance on Solaris when retrieving the group list
225: for the target user. On systems with a large number of groups
226: where the group database is not local (NIS, LDAP, AD), fetching
227: the group list could take a minute or more.
228:
229: What's new in Sudo 1.8.6p4?
230:
231: * The -fstack-protector is now used when linking visudo, sudoreplay
232: and testsudoers.
233:
234: * Avoid building PIE binaries on FreeBSD/ia64 as they don't run
235: properly.
236:
237: * Fixed a crash in visudo strict mode when an unknown Defaults
238: setting is encountered.
239:
240: * Do not inform the user that the command was not permitted by the
241: policy if they do not successfully authenticate. This is a
242: regression introduced in sudo 1.8.6.
243:
244: * Allow sudo to be built with sss support without also including
245: ldap support.
246:
247: * Fix running commands that need the terminal in the background
248: when I/O logging is enabled. E.g. "sudo vi &". When the command
249: is foregrounded, it will now resume properly.
250:
1.1.1.3 misho 251: What's new in Sudo 1.8.6p3?
252:
253: * Fixed post-processing of the man pages on systems with legacy
254: versions of sed.
255:
256: * Fixed "sudoreplay -l" on Linux systems with file systems that
257: set DT_UNKNOWN in the d_type field of struct dirent.
258:
259: What's new in Sudo 1.8.6p2?
260:
261: * Fixed suspending a command after it has already been resumed
262: once when I/O logging (or use_pty) is not enabled.
263: This was a regression introduced in version 1.8.6.
264:
265: What's new in Sudo 1.8.6p1?
266:
267: * Fixed the setting of LOGNAME, USER and USERNAME variables in the
268: command's environment when env_reset is enabled (the default).
269: This was a regression introduced in version 1.8.6.
270:
271: * Sudo now honors SUCCESS=return in /etc/nsswitch.conf.
272:
273: What's new in Sudo 1.8.6?
274:
275: * Sudo is now built with the -fstack-protector flag if the
276: compiler supports it. Also, the -zrelro linker flag is used if
277: supported. The --disable-hardening configure option can be used
278: to build sudo without stack smashing protection.
279:
280: * Sudo is now built as a Position Independent Executable (PIE)
281: if supported by the compiler and linker.
282:
283: * If the user is a member of the "exempt" group in sudoers, they
284: will no longer be prompted for a password even if the -k flag
285: is specified with the command. This makes "sudo -k command"
286: consistent with the behavior one would get if the user ran "sudo
287: -k" immediately before running the command.
288:
289: * The sudoers file may now be a symbolic link. Previously, sudo
290: would refuse to read sudoers unless it was a regular file.
291:
292: * The sudoreplay command can now properly replay sessions where
293: no tty was present.
294:
295: * The sudoers plugin now takes advantage of symbol visibility
296: controls when supported by the compiler or linker. As a result,
297: only a small number of symbols are exported which significantly
298: reduces the chances of a conflict with other shared objects.
299:
300: * Improved support for the Tivoli Directory Server LDAP client
301: libraries. This includes support for using LDAP over SSL (ldaps)
302: as well as support for the BIND_TIMELIMIT, TLS_KEY and TLS_CIPHERS
303: ldap.conf options. A new ldap.conf option, TLS_KEYPW can be
304: used to specify a password to decrypt the key database.
305:
1.1.1.4 misho 306: * When constructing a time filter for use with LDAP sudoNotBefore
1.1.1.3 misho 307: and sudoNotAfter attributes, the current time now includes tenths
308: of a second. This fixes a problem with timed entries on Active
309: Directory.
310:
311: * If a user fails to authenticate and the command would be rejected
312: by sudoers, it is now logged with "command not allowed" instead
313: of "N incorrect password attempts". Likewise, the "mail_no_perms"
314: sudoers option now takes precedence over "mail_badpass".
315:
316: * The sudo manuals are now formatted using the mdoc macros. Versions
317: using the legacy man macros are provided for systems that lack mdoc.
318:
319: * New support for Solaris privilege sets. This makes it possible
320: to specify fine-grained privileges in the sudoers file on Solaris
321: 10 and above. A Runas_Spec that contains no Runas_Lists can be
322: used to give a user the ability to run a command as themselves
323: but with an expanded privilege set.
324:
325: * Fixed a problem with the reboot and shutdown commands on some
326: systems (such as HP-UX and BSD). On these systems, reboot sends
327: all processes (except itself) SIGTERM. When sudo received
328: SIGTERM, it would relay it to the reboot process, thus killing
329: reboot before it had a chance to actually reboot the system.
330:
331: * Support for using the System Security Services Daemon (SSSD) as
332: a source of sudoers data.
333:
334: * Slovenian translation for sudo and sudoers from translationproject.org.
335:
336: * Visudo will now warn about unknown Defaults entries that are
337: per-host, per-user, per-runas or per-command.
338:
339: * Fixed a race condition that could cause sudo to receive SIGTTOU
340: (and stop) when resuming a shell that was run via sudo when I/O
341: logging (and use_pty) is not enabled.
342:
343: * Sending SIGTSTP directly to the sudo process will now suspend the
344: running command when I/O logging (and use_pty) is not enabled.
345:
346: What's new in Sudo 1.8.5p3?
347:
348: * Fixed the loading of I/O plugins that conform to a plugin API
349: version older than 1.2.
350:
351: What's new in Sudo 1.8.5p2?
352:
353: * Fixed use of the SUDO_ASKPASS environment variable which was
354: broken in Sudo 1.8.5.
355:
356: * Fixed a problem reading the sudoers file when the file mode is
357: more restrictive than the expected mode. For example, when the
358: expected sudoers file mode is 0440 but the actual mode is 0400.
359:
1.1.1.2 misho 360: What's new in Sudo 1.8.5p1?
361:
362: * Fixed a bug that prevented files in an include directory from
363: being evaluated.
364:
365: What's new in Sudo 1.8.5?
366:
367: * When "noexec" is enabled, sudo_noexec.so will now be prepended
368: to any existing LD_PRELOAD variable instead of replacing it.
369:
370: * The sudo_noexec.so shared library now wraps the execvpe(),
371: exect(), posix_spawn() and posix_spawnp() functions.
372:
373: * The user/group/mode checks on sudoers files have been relaxed.
374: As long as the file is owned by the sudoers uid, not world-writable
375: and not writable by a group other than the sudoers gid, the file
376: is considered OK. Note that visudo will still set the mode to
377: the value specified at configure time.
378:
379: * It is now possible to specify the sudoers path, uid, gid and
380: file mode as options to the plugin in the sudo.conf file.
381:
382: * Croatian, Galician, German, Lithuanian, Swedish and Vietnamese
383: translations from translationproject.org.
384:
385: * /etc/environment is no longer read directly on Linux systems
386: when PAM is used. Sudo now merges the PAM environment into the
387: user's environment which is typically set by the pam_env module.
388:
389: * The initial environment created when env_reset is in effect now
390: includes the contents of /etc/environment on AIX systems and the
391: "setenv" and "path" entries from /etc/login.conf on BSD systems.
392:
393: * The plugin API has been extended in three ways. First, options
394: specified in sudo.conf after the plugin pathname are passed to
395: the plugin's open function. Second, sudo has limited support
396: for hooks that can be used by plugins. Currently, the hooks are
397: limited to environment handling functions. Third, the init_session
398: policy plugin function is passed a pointer to the user environment
399: which can be updated during session setup. The plugin API version
400: has been incremented to version 1.2. See the sudo_plugin manual
401: for more information.
402:
403: * The policy plugin's init_session function is now called by the
404: parent sudo process, not the child process that executes the
405: command. This allows the PAM session to be open and closed in
406: the same process, which some PAM modules require.
407:
408: * Fixed parsing of "Path askpass" and "Path noexec" in sudo.conf,
409: which was broken in version 1.8.4.
410:
411: * On systems with an SVR4-style /proc file system, the /proc/pid/psinfo
412: file is now used to determine the controlling terminal, if possible.
413: This allows tty-based tickets to work properly even when, e.g.
414: standard input, output and error are redirected to /dev/null.
415:
416: * The output of "sudoreplay -l" is now sorted by file name (or
417: sequence number). Previously, entries were displayed in the
418: order in which they were found on the file system.
419:
420: * Sudo now behaves properly when I/O logging is enabled and the
421: controlling terminal is revoked (e.g. the running sshd is killed).
422: Previously, sudo may have exited without calling the I/O plugin's
423: close function which can lead to an incomplete I/O log.
424:
425: * Sudo can now detect when a user has logged out and back in again
426: on Solaris 11, just like it can on Solaris 10.
427:
428: * The built-in zlib included with Sudo has been upgraded to version
429: 1.2.6.
430:
431: * Setting the SSL parameter to start_tls in ldap.conf now works
432: properly when using Mozilla-based SDKs that support the
433: ldap_start_tls_s() function.
434:
435: * The TLS_CHECKPEER parameter in ldap.conf now works when the
436: Mozilla NSS crypto backend is used with OpenLDAP.
437:
438: * A new group provider plugin, system_group, is included which
439: performs group look ups by name using the system groups database.
440: This can be used to restore the pre-1.7.3 sudo group lookup
441: behavior.
442:
443: What's new in Sudo 1.8.4p5?
444:
445: * Fixed a bug when matching against an IP address with an associated
446: netmask in the sudoers file. In certain circumstances, this
447: could allow users to run commands on hosts they are not authorized
448: for.
449:
450: What's new in Sudo 1.8.4p4?
451:
452: * Fixed a bug introduced in Sudo 1.8.4 which prevented "sudo -v"
453: from working.
454:
455: What's new in Sudo 1.8.4p3?
456:
457: * Fixed a crash on FreeBSD when no tty is present.
458:
459: * Fixed a bug introduced in Sudo 1.8.4 that allowed users to
460: specify environment variables to set on the command line without
461: having sudo "ALL" permissions or the "SETENV" tag.
462:
463: * When visudo is run with the -c (check) option, the sudoers
464: file(s) owner and mode are now also checked unless the -f option
465: was specified.
466:
467: What's new in Sudo 1.8.4p2?
468:
469: * Fixed a bug introduced in Sudo 1.8.4 where insufficient space
470: was allocated for group IDs in the LDAP filter.
471:
472: * Fixed a bug introduced in Sudo 1.8.4 where the path to sudo.conf
473: was "/sudo.conf" instead of "/etc/sudo.conf".
474:
475: * Fixed a bug introduced in Sudo 1.8.4 which could cause a hang
476: when I/O logging is enabled and input is from a pipe or file.
477:
478: What's new in Sudo 1.8.4p1?
479:
480: * Fixed a bug introduced in sudo 1.8.4 that broke adding to or
481: deleting from the env_keep, env_check and env_delete lists in
482: sudoers on some platforms.
483:
484: What's new in Sudo 1.8.4?
485:
486: * The -D flag in sudo has been replaced with a more general debugging
487: framework that is configured in sudo.conf.
488:
489: * Fixed a false positive in visudo strict mode when aliases are
490: in use.
491:
492: * Fixed a crash with "sudo -i" when a runas group was specified
493: without a runas user.
494:
495: * The line on which a syntax error is reported in the sudoers file
496: is now more accurate. Previously it was often off by a line.
497:
498: * Fixed a bug where stack garbage could be printed at the end of
499: the lecture when the "lecture_file" option was enabled.
500:
501: * "make install" now honors the LINGUAS environment variable.
502:
503: * The #include and #includedir directives in sudoers now support
504: relative paths. If the path is not fully qualified it is expected
505: to be located in the same directory of the sudoers file that is
506: including it.
507:
508: * Serbian and Spanish translations for sudo from translationproject.org.
509:
510: * LDAP-based sudoers may now access by group ID in addition to
511: group name.
512:
513: * visudo will now fix the mode on the sudoers file even if no changes
514: are made unless the -f option is specified.
515:
516: * The "use_loginclass" sudoers option works properly again.
517:
518: * On systems that use login.conf, "sudo -i" now sets environment
519: variables based on login.conf.
520:
521: * For LDAP-based sudoers, values in the search expression are now
522: escaped as per RFC 4515.
523:
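An added example of the RFC 4515 escaping the item above refers to, written in C for this page and not taken from sudo's LDAP code; the function names, buffer sizes and the `(sudoUser=...)` clause shape are the example's own. The point of the escaping is that a user name taken from the environment cannot close the assertion early and widen the query.

```c
#include <stdio.h>
#include <string.h>

/* Escape a value for use inside an LDAP search filter (RFC 4515, section 3):
 * '*', '(', ')' and '\' are replaced by a backslash and two hex digits
 * ("\2a", "\28", "\29", "\5c"). Other bytes pass through unchanged, which
 * RFC 4515 permits for UTF-8. The return value is the length the fully
 * escaped string would have, like snprintf(), so a result >= outlen means
 * the output was truncated (at a character boundary, never mid-escape). */
size_t ldap_filter_escape(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t needed = 0, written = 0;
    int truncated = 0;

    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (!truncated && written + 3 < outlen) {
                out[written++] = '\\';
                out[written++] = hex[c >> 4];
                out[written++] = hex[c & 0x0f];
            } else {
                truncated = 1;
            }
            needed += 3;
        } else {
            if (!truncated && written + 1 < outlen)
                out[written++] = (char)c;
            else
                truncated = 1;
            needed += 1;
        }
    }
    if (outlen > 0)
        out[written] = '\0';
    return needed;
}

/* Build the user clause of a sudoers search filter from an untrusted name.
 * Returns -1 if the escaped name does not fit, else the snprintf() result. */
int build_user_filter(const char *user, char *out, size_t outlen)
{
    char esc[256];
    if (ldap_filter_escape(user, esc, sizeof esc) >= sizeof esc)
        return -1;
    return snprintf(out, outlen, "(sudoUser=%s)", esc);
}

/* Test helper: escape into a static buffer limited to outlen bytes. */
const char *ldap_escape_static(const char *in, size_t outlen)
{
    static char buf[256];
    if (outlen > sizeof buf)
        outlen = sizeof buf;
    ldap_filter_escape(in, buf, outlen);
    return buf;
}

/* Test helper for the filter builder; NULL if the name was too long. */
const char *user_filter_static(const char *user)
{
    static char buf[512];
    if (build_user_filter(user, buf, sizeof buf) < 0)
        return NULL;
    return buf;
}

int main(void)
{
    /* Constructed inputs: a plain name, one with every special character,
     * and one shaped like a filter fragment. */
    const char *samples[] = { "alice", "a*b(c)\\d", "bob)(uid=*" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i], user_filter_static(samples[i]));
    return 0;
}
```

The escaper reports the needed length rather than silently cutting the value, so the caller can refuse the query instead of sending a partially escaped name.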
524: * The plugin close function is now properly called when a login
525: session is killed (as opposed to the actual command being killed).
526: This can happen when an ssh session is disconnected or the
527: terminal window is closed.
528:
529: * The deprecated "noexec_file" sudoers option is no longer supported.
530:
531: * Fixed a race condition when I/O logging is not enabled that could
532: result in tty-generated signals (e.g. control-C) being received
533: by the command twice.
534:
535: * If none of the standard input, output or error are connected to
536: a tty device, sudo will now check its parent's standard input,
537: output or error for the tty name on systems with /proc and BSD
538: systems that support the KERN_PROC_PID sysctl. This allows
539: tty-based tickets to work properly even when, e.g. standard
540: input, output and error are redirected to /dev/null.
541:
542: * Added the --enable-kerb5-instance configure option to allow
543: people using Kerberos V authentication to specify a custom
544: instance so the principal name can be, e.g. "username/sudo"
545: similar to how ksu uses "username/root".
546:
547: * Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in
548: the results, which would incorrectly be interpreted as if the
549: sudoers file had specified a directory.
550:
551: * "visudo -c" will now list any include files that were checked
552: in addition to the main sudoers file when everything parses OK.
553:
554: * Users that only have read-only access to the sudoers file may
555: now run "visudo -c". Previously, write permissions were required
556: even though no writing is done in check-only mode.
557:
558: * It is now possible to prevent the disabling of core dumps from
559: within sudo itself by adding a line to the sudo.conf file like
560: "Set disable_coredump false".
561:
1.1 misho 562: What's new in Sudo 1.8.3p2?
563:
564: * Fixed a format string vulnerability when the sudo binary (or a
565: symbolic link to the sudo binary) contains printf format escapes
566: and the -D (debugging) flag is used.
567:
568: What's new in Sudo 1.8.3p1?
569:
570: * Fixed a crash in the monitor process on Solaris when NOPASSWD
571: was specified or when authentication was disabled.
1.1.1.4 misho 572:
1.1 misho 573: * Fixed matching of a Runas_Alias in the group section of a
574: Runas_Spec.
575:
576: What's new in Sudo 1.8.3?
577:
578: * Fixed expansion of strftime() escape sequences in the "log_dir"
579: sudoers setting.
580:
581: * Esperanto, Italian and Japanese translations from translationproject.org.
582:
583: * Sudo will now use PAM by default on AIX 6 and higher.
584:
585: * Added --enable-werror configure option for gcc's -Werror flag.
586:
587: * Visudo no longer assumes all editors support the +linenumber
588: command line argument. It now uses a whitelist of editors known
589: to support the option.
590:
591: * Fixed matching of network addresses when a netmask is specified
592: but the address is not the first one in the CIDR block.
593:
594: * The configure script now checks whether or not errno.h declares
595: the errno variable. Previously, sudo would always declare errno
596: itself for older systems that don't declare it in errno.h.
597:
598: * The NOPASSWD tag is now honored for denied commands too, which
599: matches historic sudo behavior (prior to sudo 1.7.0).
600:
601: * Sudo now honors the "DEREF" setting in ldap.conf which controls
602: how alias dereferencing is done during an LDAP search.
603:
604: * A symbol conflict with the pam_ssh_agent_auth PAM module that
605: would cause a crash has been resolved.
606:
607: * The inability to load a group provider plugin is no longer
608: a fatal error.
609:
610: * A potential crash in the utmp handling code has been fixed.
611:
612: * Two PAM session issues have been resolved. In previous versions
613: of sudo, the PAM session was opened as one user and closed as
614: another. Additionally, if no authentication was performed, the
615: PAM session would never be closed.
616:
617: * Sudo will now work correctly with LDAP-based sudoers using TLS
618: or SSL on Debian systems.
619:
620: * The LOGNAME, USER and USERNAME environment variables are preserved
621: correctly again in sudoedit mode.
622:
623: What's new in Sudo 1.8.2?
624:
625: * Sudo, visudo, sudoreplay and the sudoers plug-in now have natural
626: language support (NLS). This can be disabled by passing configure
627: the --disable-nls option. Sudo will use gettext(), if available,
628: to display translated messages. All translations are coordinated
629: via The Translation Project, http://translationproject.org/.
630:
631: * Plug-ins are now loaded with the RTLD_GLOBAL flag instead of
632: RTLD_LOCAL. This fixes missing symbol problems in PAM modules
633: on certain platforms, such as FreeBSD and SuSE Linux Enterprise.
634:
635: * I/O logging is now supported for commands run in background mode
636: (using sudo's -b flag).
637:
638: * Group ownership of the sudoers file is now only enforced when
639: the file mode on sudoers allows group readability or writability.
640:
641: * Visudo now checks the contents of an alias and warns about cycles
642: when the alias is expanded.
643:
1.1.1.2 misho 644: * If the user specifies a group via sudo's -g option that matches
1.1 misho 645: the target user's group in the password database, it is now
646: allowed even if no groups are present in the Runas_Spec.
647:
648: * The sudo Makefiles now have more complete dependencies which are
649: automatically generated instead of being maintained manually.
650:
651: * The "use_pty" sudoers option is now correctly passed back to the
652: sudo front end. This was missing in previous versions of sudo
653: 1.8 which prevented "use_pty" from being honored.
654:
655: * "sudo -i command" now works correctly with the bash version
656: 2.0 and higher. Previously, the .bash_profile would not be
657: sourced prior to running the command unless bash was built with
658: NON_INTERACTIVE_LOGIN_SHELLS defined.
659:
660: * When matching groups in the sudoers file, sudo will now match
661: based on the name of the group instead of the group ID. This can
662: substantially reduce the number of group lookups for sudoers
663: files that contain a large number of groups.
664:
665: * Multi-factor authentication is now supported on AIX.
666:
667: * Added support for non-RFC 4517 compliant LDAP servers that require
668: that seconds be present in a timestamp, such as Tivoli Directory Server.
669:
670: * If the group vector is to be preserved, the PATH search for the
671: command is now done with the user's original group vector.
672:
673: * For LDAP-based sudoers, the "runas_default" sudoOption now works
674: properly in a sudoRole that contains a sudoCommand.
675:
676: * Spaces in command line arguments for "sudo -s" and "sudo -i" are
677: now escaped with a backslash when checking the security policy.
678:
679: What's new in Sudo 1.8.1p2?
680:
681: * Two-character CIDR-style IPv4 netmasks are now matched correctly
682: in the sudoers file.
683:
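The netmask matching that the 1.8.1p2 item above, the 1.8.3 item ("the address is not the first one in the CIDR block") and the 1.8.4p5 item all concern, as an added C example that is not sudo's own implementation; `parse_host_spec` and `host_matches` are names chosen for this example. Both sides are masked before comparison, and a spec that fails to parse matches nothing, so a malformed rule cannot widen access.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a sudoers-style host spec, "a.b.c.d", "a.b.c.d/NN" or
 * "a.b.c.d/m.m.m.m", into a network-order address and mask.
 * Returns 0 on success, -1 if the spec is malformed. */
int parse_host_spec(const char *spec, struct in_addr *addr, struct in_addr *mask)
{
    char buf[64];
    char *slash;

    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash == NULL) {
        mask->s_addr = htonl(0xffffffffUL);          /* exact host */
    } else {
        *slash++ = '\0';
        if (strchr(slash, '.') != NULL) {             /* dotted-quad mask */
            if (inet_pton(AF_INET, slash, mask) != 1)
                return -1;
        } else {                                      /* CIDR prefix length */
            char *end;
            long bits = strtol(slash, &end, 10);
            if (*slash == '\0' || *end != '\0' || bits < 0 || bits > 32)
                return -1;
            mask->s_addr = bits == 0 ? 0
                : htonl((uint32_t)(0xffffffffUL << (32 - bits)));
        }
    }
    return inet_pton(AF_INET, buf, addr) == 1 ? 0 : -1;
}

/* Does host_ip fall inside the block described by spec?
 * Masking both sides means "10.1.2.40/24" covers all of 10.1.2.0/24 even
 * though 10.1.2.40 is not the first address in the block (the 1.8.3 fix).
 * Anything unparseable matches nothing. */
int host_matches(const char *spec, const char *host_ip)
{
    struct in_addr addr, mask, host;

    if (parse_host_spec(spec, &addr, &mask) != 0)
        return 0;
    if (inet_pton(AF_INET, host_ip, &host) != 1)
        return 0;
    return (host.s_addr & mask.s_addr) == (addr.s_addr & mask.s_addr);
}

int main(void)
{
    /* Constructed rule/host pairs. */
    const char *cases[][2] = {
        { "10.1.2.40/24",              "10.1.2.7" },      /* 1 */
        { "10.1.2.40/24",              "10.1.3.7" },      /* 0 */
        { "192.168.0.0/255.255.255.0", "192.168.0.200" }, /* 1 */
        { "192.168.0.0/255.255.255.0", "192.168.1.1" },   /* 0 */
        { "10.0.0.5",                  "10.0.0.5" },      /* 1 */
        { "10.0.0.0/33",               "10.0.0.1" },      /* 0: bad prefix */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-26s %-15s -> %d\n", cases[i][0], cases[i][1],
               host_matches(cases[i][0], cases[i][1]));
    return 0;
}
```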
684: * A build error with MIT Kerberos V has been resolved.
685:
686: * A crash on HP-UX in the sudoers plugin when wildcards are
687: present in the sudoers file has been resolved.
688:
689: * Sudo now works correctly on Tru64 Unix again.
690:
691: What's new in Sudo 1.8.1p1?
692:
693: * Fixed a problem on AIX where sudo was unable to set the final
694: uid if the PAM module modified the effective uid.
695:
696: * A non-existent includedir is now treated the same as an empty
697: directory and not reported as an error.
698:
699: * Removed extraneous parens in LDAP filter when sudoers_search_filter
700: is enabled that can cause an LDAP search error.
701:
702: * Fixed a "make -j" problem for "make install".
703:
704: What's new in Sudo 1.8.1?
705:
706: * A new LDAP setting, sudoers_search_filter, has been added to
707: ldap.conf. This setting can be used to restrict the set of
708: records returned by the LDAP query. Based on changes from Matthew
709: Thomas.
710:
711: * White space is now permitted within a User_List when used in
712: conjunction with a per-user Defaults definition.
713:
714: * A group ID (%#gid) may now be specified in a User_List or Runas_List.
715: Likewise, for non-Unix groups the syntax is %:#gid.
716:
717: * Support for double-quoted words in the sudoers file has been fixed.
718: The change in 1.7.5 for escaping the double quote character
719: caused the double quoting to only be available at the beginning
720: of an entry.
721:
722: * The fix for resuming a suspended shell in 1.7.5 caused problems
723: with resuming non-shells on Linux. Sudo will now save the process
724: group ID of the program it is running on suspend and restore it
725: when resuming, which fixes both problems.
726:
727: * A bug that could result in corrupted output in "sudo -l" has been
728: fixed.
729:
730: * Sudo will now create an entry in the utmp (or utmpx) file when
731: allocating a pseudo-tty (e.g. when logging I/O). The "set_utmp"
732: and "utmp_runas" sudoers file options can be used to control this.
733: Other policy plugins may use the "set_utmp" and "utmp_user"
734: entries in the command_info list.
735:
736: * The sudoers policy now stores the TSID field in the logs
737: even when the "iolog_file" sudoers option is defined to a value
738: other than %{sessid}. Previously, the TSID field was only
739: included in the log file when the "iolog_file" option was set
740: to its default value.
741:
742: * The sudoreplay utility now supports arbitrary session IDs.
743: Previously, it would only work with the base-36 session IDs
744: that the sudoers plugin uses by default.
745:
746: * Sudo now passes "run_shell=true" to the policy plugin in the
747: settings list when sudo's -s command line option is specified.
748: The sudoers policy plugin uses this to implement the "set_home"
749: sudoers option which was missing from sudo 1.8.0.
750:
751: * The "noexec" functionality has been moved out of the sudoers
752: policy plugin and into the sudo front-end, which matches the
753: behavior documented in the plugin writer's guide. As a result,
754: the path to the noexec file is now specified in the sudo.conf
755: file instead of the sudoers file.
756:
757: * On Solaris 10, the PRIV_PROC_EXEC privilege is now used to
758: implement the "noexec" feature. Previously, this was implemented
759: via the LD_PRELOAD environment variable.
760:
761: * The exit values for "sudo -l", "sudo -v" and "sudo -l command"
762: have been fixed in the sudoers policy plugin.
763:
764: * The sudoers policy plugin now passes the login class, if any,
765: back to the sudo front-end.
766:
767: * The sudoers policy plugin was not being linked with requisite
768: libraries in certain configurations.
769:
770: * Sudo now parses command line arguments before loading any plugins.
771: This allows "sudo -V" or "sudo -h" to work even if there is a problem
772: with sudo.conf.
773:
774: * Plugins are now linked with the static version of libgcc to allow
775: the plugin to run on a system where no shared libgcc is installed,
776: or where it is installed in a different location.
777:
778: What's new in Sudo 1.8.0?
779:
780: * Sudo has been refactored to use a modular framework that can
781: support third-party policy and I/O logging plugins. The default
782: plugin is "sudoers" which provides the traditional sudo functionality.
783: See the sudo_plugin manual for details on the plugin API and the
784: sample in the plugins directory for a simple example.
785:
786: What's new in Sudo 1.7.5?
787:
788: * When using visudo in check mode, a file named "-" may be used to
789: check sudoers data on the standard input.
790:
791: * Sudo now only fetches shadow password entries when using the
792: password database directly for authentication.
793:
794: * Password and group entries are now cached using the same key
795: that was used to look them up. This fixes a problem when looking
796: up entries by name if the name in the retrieved entry does not
797: match the name used to look it up. This may happen on some systems
798: that do case insensitive lookups or that truncate long names.
799:
800: * GCC will no longer display warnings on glibc systems that use
801: the warn_unused_result attribute for write(2) and other system calls.
802:
803: * If a PAM account management module denies access, sudo now prints
804: a more useful error message and stops trying to validate the user.
805:
806: * Fixed a potential hang on idle systems when the sudo-run process
807: exits immediately.
808:
809: * Sudo now includes a copy of zlib that will be used on systems
810: that do not have zlib installed.
811:
812: * The --with-umask-override configure flag has been added to enable
813: the "umask_override" sudoers Defaults option at build time.
814:
815: * Sudo now unblocks all signals on startup to avoid problems caused
816: by the parent process changing the default signal mask.
817:
818: * LDAP Sudoers entries may now specify a time period for which
819: the entry is valid. This requires an updated sudoers schema
820: that includes the sudoNotBefore and sudoNotAfter attributes.
821: Support for timed entries must be explicitly enabled in the
822: ldap.conf file. Based on changes from Andreas Mueller.
823:
824: * LDAP Sudoers entries may now specify a sudoOrder attribute that
825: determines the order in which matching entries are applied. The
826: last matching entry is used, just like file-based sudoers. This
827: requires an updated sudoers schema that includes the sudoOrder
828: attribute. Based on changes from Andreas Mueller.
829:
830: * When run as sudoedit, or when given the -e flag, sudo now treats
831: command line arguments as pathnames. This means that slashes
832: in the sudoers file entry must explicitly match slashes in
833: the command line arguments. As a result, an entry such as:
834:     user ALL = sudoedit /etc/*
835: will allow editing of /etc/motd but not /etc/security/default.
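The slash-matching rule above, as an added C example that is not sudo's own code: it compares fnmatch(3) with and without FNM_PATHNAME on the pattern and paths from the entry; the function names are hypothetical.

```c
/* Added example (not sudo's own code) of the sudoedit path matching
 * described above.  With FNM_PATHNAME, a wildcard in the pattern cannot
 * match a '/', so "/etc/*" covers /etc/motd but not /etc/security/default.
 * Function names are hypothetical. */
#include <fnmatch.h>
#include <stdio.h>

/* sudoedit-style matching: slashes in the pattern must line up with
 * slashes in the argument.  Returns 1 on match, 0 otherwise. */
int sudoedit_path_matches(const char *pattern, const char *path)
{
    return fnmatch(pattern, path, FNM_PATHNAME) == 0;
}

/* Plain fnmatch(3) without FNM_PATHNAME, for comparison: here '*'
 * spans directory separators.  Returns 1 on match, 0 otherwise. */
int loose_matches(const char *pattern, const char *path)
{
    return fnmatch(pattern, path, 0) == 0;
}

int main(void)
{
    /* Constructed sample, using the pattern and paths from the entry. */
    const char *pattern = "/etc/*";
    const char *paths[] = { "/etc/motd", "/etc/security/default" };
    size_t i;

    for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
        printf("%-24s sudoedit:%d loose:%d\n", paths[i],
               sudoedit_path_matches(pattern, paths[i]),
               loose_matches(pattern, paths[i]));
    /* To allow one more directory level, the pattern must spell out
     * the slash explicitly. */
    printf("/etc/*/* vs /etc/security/default: %d\n",
           sudoedit_path_matches("/etc/*/*", "/etc/security/default"));
    return 0;
}
```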
836:
837: * NETWORK_TIMEOUT is now an alias for BIND_TIMELIMIT in ldap.conf for
838: compatibility with OpenLDAP configuration files.
839:
840: * The LDAP API TIMEOUT parameter is now honored in ldap.conf.
841:
842: * The I/O log directory may now be specified in the sudoers file.
843:
844: * Sudo will no longer refuse to run if the sudoers file is writable
845: by root.
846:
847: * Sudo now performs command line escaping for "sudo -s" and "sudo -i"
848: after validating the command so the sudoers entries do not need
849: to include the backslashes.
850:
851: * Logging and email sending are now done in the locale specified
852: by the "sudoers_locale" setting ("C" by default). Email sent by
853: sudo now includes MIME headers when "sudoers_locale" is not "C".
854:
855: * The configure script has a new option, --disable-env-reset, to
856: allow one to change the default for the sudoers Default setting
857: "env_reset" at compile time.
858:
859: * When logging "sudo -l command", sudo will now prepend "list "
860: to the command in the log line to distinguish it from an
861: actual command invocation in the logs.
862:
863: * Double-quoted group and user names may now include escaped double
864: quotes as part of the name. Previously this was a parse error.
865:
866: * Sudo once again restores the state of the signal handlers it
867: modifies before executing the command. This allows sudo to be
868: used with the nohup command.
869:
870: * Resuming a suspended shell now works properly when I/O logging
871: is not enabled (the I/O logging case was already correct).
872:
873: What's new in Sudo 1.7.4p6?
874:
875: * A bug has been fixed in the I/O logging support that could cause
876: visual artifacts in full-screen programs such as text editors.
877:
878: What's new in Sudo 1.7.4p5?
879:
880: * A bug has been fixed that would allow a command to be run without the
881: user entering a password when sudo's -g flag is used without the -u flag.
882:
883: * If the user has no supplementary groups, sudo will now fall back on checking
884: the group file explicitly, which restores historic sudo behavior.
885:
886: * A crash has been fixed when sudo's -g flag is used without the -u flag
887: and the sudoers file contains an entry with no runas user or group listed.
888:
889: * A crash has been fixed when the Solaris project support is enabled
890: and sudo's -g flag is used without the -u flag.
891:
892: * Sudo no longer exits with an error when support for auditing is
893: compiled in but auditing is not enabled.
894:
895: * Fixed a bug introduced in sudo 1.7.3 where the ticket file was not
896: being honored when the "targetpw" sudoers Defaults option was enabled.
897:
898: * The LOG_INPUT and LOG_OUTPUT tags in sudoers are now parsed correctly.
899:
900: * A crash has been fixed in "sudo -l" when sudo is built with auditing
901: support and the user is not allowed to run any commands on the host.
902:
903: What's new in Sudo 1.7.4p4?
904:
905: * A potential security issue has been fixed with respect to the handling
906: of sudo's -g command line option when -u is also specified. The flaw
907: may allow an attacker to run commands as a user that is not authorized
908: by the sudoers file.
909:
910: * A bug has been fixed where "sudo -l" output was incomplete if multiple
911: sudoers sources were defined in nsswitch.conf and there was an error
912: querying one of the sources.
913:
914: * The log_input, log_output, and use_pty sudoers options now work correctly
915: on AIX. Previously, sudo would hang if they were enabled.
916:
917: * The "make install" target now works correctly when sudo is built in a
918: directory other than the source directory.
919:
920: * The "runas_default" sudoers setting now works properly in a per-command
921: Defaults line.
922:
923: * Suspending and resuming the bash shell when PAM is in use now works
924: correctly. The SIGCONT signal was not propagated to the child process.
925:
926: What's new in Sudo 1.7.4p3?
927:
928: * A bug has been fixed where duplicate HOME environment variables could be
929: present when the env_reset setting was disabled and the always_set_home
930: setting was enabled in sudoers.
931:
932: * The value of sysconfdir is now substituted into the path to the sudoers.d
933: directory in the installed sudoers file.
934:
935: * Compilation problems on IRIX and other platforms have been fixed.
936:
937: * If multiple PAM "auth" actions are specified and the user enters ^C at
938: the password prompt, sudo will no longer prompt for a password for any
939: subsequent "auth" actions. Previously it was necessary to enter ^C for
940: each "auth" action.
941:
942: What's new in Sudo 1.7.4p2?
943:
944: * A bug where sudo could spin in a busy loop waiting for the child process
945: has been fixed.
946:
947: What's new in Sudo 1.7.4p1?
948:
949: * A bug introduced in sudo 1.7.3 that prevented the -k and -K options from
950: functioning when the tty_tickets sudoers option is enabled has been fixed.
951:
952: * Sudo no longer prints a warning when the -k or -K options are specified
953: and the ticket file does not exist.
954:
955: * It is now easier to cross-compile sudo.
956:
957: What's new in Sudo 1.7.4?
958:
959: * Sudoedit will now preserve the file extension in the name of the
960: temporary file being edited. The extension is used by some
961: editors (such as emacs) to choose the editing mode.
962:
963: * Time stamp files have moved from /var/run/sudo to either /var/db/sudo,
964: /var/lib/sudo or /var/adm/sudo. The directories are checked for
965: existence in that order. This prevents users from receiving the
966: sudo lecture every time the system reboots. Time stamp files older
967: than the boot time are ignored on systems where it is possible to
968: determine this.
969:
970: * The tty_tickets sudoers option is now enabled by default.
971:
972: * Ancillary documentation (README files, LICENSE, etc) is now installed
973: in a sudo documentation directory.
974:
975: * Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile"
976: in ldap.conf.
977:
978: * Defaults settings that are tied to a user, host or command may
979: now include the negation operator. For example:
980:     Defaults:!millert lecture
981: will match any user but millert.
982:
983: * The default PATH environment variable, used when no PATH variable
984: exists, now includes /usr/sbin and /sbin.
985:
986: * Sudo now uses polypkg (http://rc.quest.com/topics/polypkg/)
987: for cross-platform packaging.
988:
989: * On Linux, sudo will now restore the nproc resource limit before
990: executing a command, unless the limit appears to have been modified
991: by pam_limits. This avoids a problem with bash scripts that open
992: more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX)
993: will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1).
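The save/restore logic described above, as an added C example that is not sudo's own code: it records the nproc limit at startup, raises it, and restores it before exec only if nothing else changed it in between. Function and variable names are assumptions, and it raises only the soft limit (sudo uses RLIM_INFINITY, which needs privilege for the hard limit).

```c
/* Added example (not sudo's own code) of the nproc save/restore
 * described above.  A setuid program like sudo raises its own
 * RLIMIT_NPROC so it can fork, but must hand the command the limit the
 * user originally had, unless a PAM module such as pam_limits set a
 * new one in the meantime.  Names below are hypothetical. */
#include <sys/resource.h>
#include <stdio.h>
#include <unistd.h>

static struct rlimit saved_nproc;   /* limit found at startup */
static struct rlimit raised_nproc;  /* limit we set for ourselves */

/* Remember the current nproc limit, then raise the soft limit to the
 * hard limit.  (sudo raises it to RLIM_INFINITY; raising the hard limit
 * needs privilege, so this example touches only the soft limit.)
 * Returns 0 on success, -1 on error. */
int save_and_raise_nproc(void)
{
    if (getrlimit(RLIMIT_NPROC, &saved_nproc) == -1)
        return -1;
    raised_nproc = saved_nproc;
    raised_nproc.rlim_cur = raised_nproc.rlim_max;
    return setrlimit(RLIMIT_NPROC, &raised_nproc);
}

/* Called just before exec.  If the limit is still the one we set,
 * restore the original; if it differs, something else (pam_limits)
 * applied a policy that must be left alone.
 * Returns 1 if restored, 0 if left as modified, -1 on error. */
int restore_nproc(void)
{
    struct rlimit cur;

    if (getrlimit(RLIMIT_NPROC, &cur) == -1)
        return -1;
    if (cur.rlim_cur != raised_nproc.rlim_cur ||
        cur.rlim_max != raised_nproc.rlim_max)
        return 0;
    return setrlimit(RLIMIT_NPROC, &saved_nproc) == -1 ? -1 : 1;
}

/* Check helper: 1 if the current limit equals the saved one. */
int nproc_is_original(void)
{
    struct rlimit cur;

    if (getrlimit(RLIMIT_NPROC, &cur) == -1)
        return 0;
    return cur.rlim_cur == saved_nproc.rlim_cur &&
           cur.rlim_max == saved_nproc.rlim_max;
}

int main(void)
{
    int restored;

    if (save_and_raise_nproc() == -1) {
        perror("setrlimit");
        return 1;
    }
    /* With RLIMIT_NPROC unlimited, sysconf(_SC_CHILD_MAX) may report -1
     * on some systems, which is what broke bash scripts as noted above. */
    printf("_SC_CHILD_MAX while raised: %ld\n", sysconf(_SC_CHILD_MAX));
    restored = restore_nproc();
    printf("restore_nproc() = %d, original = %d\n",
           restored, nproc_is_original());
    return 0;
}
```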
994:
995: * The HOME and MAIL environment variables are now reset based on the
996: target user's password database entry when the env_reset sudoers option
997: is enabled (which is the case in the default configuration). Users
998: wishing to preserve the original values should use a sudoers entry like:
999:     Defaults env_keep += HOME
1000: to preserve the old value of HOME and
1001:     Defaults env_keep += MAIL
1002: to preserve the old value of MAIL.
1003:
1004: * Fixed a problem in the restoration of the AIX authdb registry setting.
1005:
1006: * Sudo will now fork(2) and wait until the command has completed before
1007: calling pam_close_session().
1008:
1009: * The default syslog facility is now "authpriv" if the operating system
1010: supports it, else "auth".
1011:
1012: What's new in Sudo 1.7.3?
1013:
1014: * Support for logging I/O for the command being run.
1015: For more information, see the documentation for the "log_input"
1016: and "log_output" Defaults options in the sudoers manual. Also
1017: see the sudoreplay manual for how to replay I/O log sessions.
1018:
1019: * The use_pty sudoers option can be used to force a command to be
1020: run in a pseudo-pty, even when I/O logging is not enabled.
1021:
1022: * On some systems, sudo can now detect when a user has logged out
1023: and back in again when tty-based time stamps are in use. Supported
1024: systems include Solaris systems with the devices file system,
1025: Mac OS X, and Linux systems with the devpts filesystem (pseudo-ttys
1026: only).
1027:
1028: * On AIX systems, the registry setting in /etc/security/user is
1029: now taken into account when looking up users and groups. Sudo
1030: now applies the correct user and group IDs when running a
1031: command as a user whose account details come from a different
1032: source (e.g. LDAP or DCE vs. local files).
1033:
1034: * Support for multiple 'sudoers_base' and 'uri' entries in ldap.conf.
1035: When multiple entries are listed, sudo will try each one in the
1036: order in which they are specified.
1037:
1038: * Sudo's SELinux support should now function correctly when running
1039: commands as a non-root user and when one of stdin, stdout or stderr
1040: is not a terminal.
1041:
1042: * Sudo will now use the Linux audit system when configured with
1043: the --with-linux-audit flag.
1044:
1045: * Sudo now uses mbr_check_membership() on systems that support it
1046: to determine group membership. Currently, only Darwin (Mac OS X)
1047: supports this.
1048:
1049: * When the tty_tickets sudoers option is enabled but there is no
1050: terminal device, sudo will no longer use or create a tty-based
1051: ticket file. Previously, sudo would use a tty name of "unknown".
1052: As a consequence, if a user has no terminal device, sudo will
1053: now always prompt for a password.
1054:
1055: * The passwd_timeout and timestamp_timeout options may now be
1056: specified as floating point numbers for more granular timeout
1057: values.
1058:
1059: * Negating the fqdn option in sudoers now works correctly when sudo
1060: is configured with the --with-fqdn option. In previous versions
1061: of sudo the fqdn was set before sudoers was parsed.
1062:
1063: What's new in Sudo 1.7.2?
1064:
1065: * A new #includedir directive is available in sudoers. This can be
1066: used to implement an /etc/sudo.d directory. Files in an includedir
1067: are not edited by visudo unless they contain a syntax error.
1068:
1069: * The -g option did not work properly when only setting the group
1070: (and not the user). Also, in -l mode the wrong user was displayed
1071: for sudoers entries where only the group was allowed to be set.
1072:
1073: * Fixed a problem with the alias checking in visudo which
1074: could prevent visudo from exiting.
1075:
1076: * Sudo will now correctly parse the shell-style /etc/environment
1077: file format used by pam_env on Linux.
1078:
1079: * When doing password and group database lookups, sudo will only
1080: cache an entry by name or by id, depending on how the entry was
1081: looked up. Previously, sudo would cache by both name and id
1082: from a single lookup, but this breaks sites that have multiple
1083: password or group database names that map to the same uid or
1084: gid.
1085:
1086: * User and group names in sudoers may now be enclosed in double
1087: quotes to avoid having to escape special characters.
1088:
1089: * BSM audit fixes when changing to a non-root uid.
1090:
1091: * Experimental non-Unix group support. Currently only works with
1092: Quest Authorization Services and allows Active Directory groups
1093: fixes for Minix-3.
1094:
1095: * For Netscape/Mozilla-derived LDAP SDKs the certificate and key
1096: paths may be specified as a directory or a file. However, version
1097: 5.0 of the SDK only appears to support using a directory (despite
1098: documentation to the contrary). If SSL client initialization
1099: fails and the certificate or key paths look like they could be a
1100: default file name, sudo strips off the last path element and tries again.
1101:
1102: * A setenv() compatibility fix for Linux systems, where a NULL
1103: value is treated the same as an empty string and the variable
1104: name is checked against the NULL pointer.
1105:
1106: What's new in Sudo 1.7.1?
1107:
1108: * A new Defaults option "pwfeedback" will cause sudo to provide visual
1109: feedback when the user is entering a password.
1110:
1111: * A new Defaults option "fast_glob" will cause sudo to use the fnmatch()
1112: function for file name globbing instead of glob(). When this option
1113: is enabled, sudo will not check the file system when expanding wildcards.
1114: This is faster but a side effect is that relative paths with wildcards
1115: will no longer work.
1116:
1117: * New BSM audit support for systems that support it such as FreeBSD
1118: and Mac OS X.
1119:
1120: * The file name specified with the #include directive may now include
1121: a %h escape which is expanded to the short form of the host name.
1122:
1123: * The -k flag may now be specified along with a command, causing the
1124: user's timestamp file to be ignored.
1125:
1126: * New support for Tivoli-based LDAP START_TLS, present in AIX.
1127:
1128: * New support for /etc/netsvc.conf on AIX.
1129:
1130: * The unused alias checks in visudo now handle the case of an alias
1131: referring to another alias.
1132:
1133: What's new in Sudo 1.7.0?
1134:
1135: * Rewritten parser that converts sudoers into a set of data structures.
1136: This eliminates a number of ordering issues and makes it possible to
1137: apply sudoers Defaults entries before searching for the command.
1138: It also adds support for per-command Defaults specifications.
1139:
1140: * Sudoers now supports a #include facility to allow the inclusion of other
1141: sudoers-format files.
1142:
1143: * Sudo's -l (list) flag has been enhanced:
1144: o applicable Defaults options are now listed
1145: o a command argument can be specified for testing whether a user
1146: may run a specific command.
1147: o a new -U flag can be used in conjunction with "sudo -l" to allow
1148: root (or a user with "sudo ALL") to list another user's privileges.
1149:
1150: * A new -g flag has been added to allow the user to specify a
1151: primary group to run the command as. The sudoers syntax has been
1152: extended to include a group section in the Runas specification.
1153:
1154: * A uid may now be used anywhere a username is valid.
1155:
1156: * The "secure_path" run-time Defaults option has been restored.
1157:
1158: * Password and group data is now cached for fast lookups.
1159:
1160: * The file descriptor at which sudo starts closing all open files is now
1161: configurable via sudoers and, optionally, the command line.
1162:
1163: * Visudo will now warn about aliases that are defined but not used.
1164:
1165: * The -i and -s command line flags now take an optional command
1166: to be run via the shell. Previously, the argument was passed
1167: to the shell as a script to run.
1168:
1169: * Improved LDAP support. SASL authentication may now be used
1170: when connecting to an LDAP server. The krb5_ccname
1171: parameter in ldap.conf may be used to enable Kerberos.
1172:
1173: * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
1174: to specify the sudoers order. E.g.:
1175:     sudoers: ldap files
1176: to check LDAP, then /etc/sudoers. The default is "files", even
1177: when LDAP support is compiled in. This differs from sudo 1.6
1178: where LDAP was always consulted first.
1179:
1180: * Support for /etc/environment on AIX and Linux. If sudo is run
1181: with the -i flag, the contents of /etc/environment are used to
1182: populate the new environment that is passed to the command being
1183: run.
1184:
1185: * If no terminal is available or if the new -A flag is specified,
1186: sudo will use a helper program to read the password if one is
1187: configured. Typically, this is a graphical password prompter
1188: such as ssh-askpass.
1189:
1190: * A new Defaults option, "mailfrom" that sets the value of the
1191: "From:" field in the warning/error mail. If unspecified, the
1192: login name of the invoking user is used.
1193:
1194: * A new Defaults option, "env_file" that refers to a file containing
1195: environment variables to be set in the command being run.
1196:
1197: * A new flag, -n, may be used to indicate that sudo should not
1198: prompt the user for a password and, instead, exit with an error
1199: if authentication is required.
1200:
1201: * If sudo needs to prompt for a password and it is unable to disable
1202: echo (and no askpass program is defined), it will refuse to run
1203: unless the "visiblepw" Defaults option has been specified.
1204:
1205: * Prior to version 1.7.0, hitting enter/return at the Password: prompt
1206: would exit sudo. In sudo 1.7.0 and beyond, this is treated as
1207: an empty password. To exit sudo, the user must press ^C or ^D
1208: at the prompt.
1209:
1210: * visudo will now check the sudoers file owner and mode in -c (check)
1211: mode when the -s (strict) flag is specified.
1212:
1213: * A new Defaults option "umask_override" will cause sudo to set the
1214: umask specified in sudoers even if it is more permissive than the
1215: invoking user's umask.