embedaddon/sudo/NEWS - view

File: [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / NEWS
Revision 1.1.1.5 (vendor branch): download - view: text, annotated - select for diffs - revision graph
Mon Oct 14 07:56:33 2013 UTC (10 years, 8 months ago) by misho
Branches: sudo, MAIN
CVS tags: v1_8_8p0, v1_8_8, HEAD

v 1.8.8

1: What's new in Sudo 1.8.8? 2: 3: * Removed a warning on PAM systems with stacked auth modules 4: where the first module on the stack does not succeed. 5: 6: * Sudo, sudoreplay and visudo now support GNU-style long options. 7: 8: * The -h (--host) option may now be used to specify a host name. 9: This is currently only used by the sudoers plugin in conjunction 10: with the -l (--list) option. 11: 12: * Program usage messages and manual SYNOPSIS sections have been 13: simplified. 14: 15: * Sudo's LDAP SASL support now works properly with Kerberos. 16: Previously, the SASL library was unable to locate the user's 17: credential cache. 18: 19: * It is now possible to set the nproc resource limit to unlimited 20: via pam_limits on Linux (bug #565). 21: 22: * New "pam_service" and "pam_login_service" sudoers options 23: that can be used to specify the PAM service name to use. 24: 25: * New "pam_session" and "pam_setcred" sudoers options that 26: can be used to disable PAM session and credential support. 27: 28: * The sudoers plugin now properly supports UIDs and GIDs 29: that are larger than 0x7fffffff on 32-bit platforms. 30: 31: * Fixed a visudo bug introduced in sudo 1.8.7 where per-group 32: Defaults entries would cause an internal error. 33: 34: * If the "tty_tickets" sudoers option is enabled (the default), 35: but there is no tty present, sudo will now use a ticket file 36: based on the parent process ID. This makes it possible to support 37: the normal timeout behavior for the session. 38: 39: * Fixed a problem running commands that change their process 40: group and then attempt to change the terminal settings when not 41: running the command in a pseudo-terminal. Previously, the process 42: would receive SIGTTOU since it was effectively a background 43: process. Sudo will now grant the child the controlling tty and 44: continue it when this happens. 45: 46: * The "closefrom_override" sudoers option may now be used in 47: a command-specified Defaults entry (bug #610). 48: 49: * Sudo's BSM audit support now works on Solaris 11. 50: 51: * Brazilian Portuguese translation for sudo and sudoers from 52: translationproject.org. 53: 54: * Czech translation for sudo from translationproject.org. 55: 56: * French translation for sudo from translationproject.org. 57: 58: * Sudo's noexec support on Mac OS X 10.4 and above now uses dynamic 59: symbol interposition instead of setting DYLD_FORCE_FLAT_NAMESPACE=1 60: which causes issues with some programs. 61: 62: * Fixed visudo's -q (--quiet) flag, broken in sudo 1.8.6. 63: 64: * Root may no longer change its SELinux role without entering 65: a password. 66: 67: * Fixed a bug introduced in Sudo 1.8.7 where the indexes written 68: to the I/O log timing file are two greater than they should be. 69: Sudoreplay now contains a work-around to parse those files. 70: 71: * In sudoreplay's list mode, the "this" qualifier in "fromdate" 72: or "todate" expressions now behaves more sensibly. Previously, 73: it would often match a date that was "one more" than expected. 74: For example, "this week" now matches the current week instead 75: of the following week. 76: 77: What's new in Sudo 1.8.7? 78: 79: * The non-Unix group plugin is now supported when sudoers data 80: is stored in LDAP. 81: 82: * Sudo now uses a workaround for a locale bug on Solaris 11.0 83: that prevents setuid programs like sudo from fully using locales. 84: 85: * User messages are now always displayed in the user's locale, 86: even when the same message is being logged or mailed in a 87: different locale. 88: 89: * Log files created by sudo now explicitly have the group set 90: to group ID 0 rather than relying on BSD group semantics (which 91: may not be the default). 92: 93: * A new "exec_background" sudoers option can be used to initially 94: run the command without read access to the terminal when running 95: a command in a pseudo-tty. If the command tries to read from 96: the terminal it will be stopped by the kernel (via SIGTTIN or 97: SIGTTOU) and sudo will immediately restart it as the foreground 98: process (if possible). This allows sudo to only pass terminal 99: input to the program if the program actually is expecting it. 100: Unfortunately, a few poorly-behaved programs (like "su" on most 101: Linux systems) do not handle SIGTTIN and SIGTTOU properly. 102: 103: * Sudo now uses an efficient group query to get all the groups 104: for a user instead of iterating over every record in the group 105: database on HP-UX and Solaris. 106: 107: * Sudo now produces better error messages when there is an error 108: in the sudo.conf file. 109: 110: * Two new settings have been added to sudo.conf to give the admin 111: better control of how group database queries are performed. The 112: "group_source" specifies how the group list for a user will be 113: determined. Legal values are "static" (use the kernel groups 114: list), "dynamic" (perform a group database query) and "adaptive" 115: (only perform a group database query if the kernel list is full). 116: The "max_groups" setting specifies the maximum number of groups 117: a user may belong to when performing a group database query. 118: 119: * The sudo.conf file now supports line continuation by using a 120: backslash as the last character on the line. 121: 122: * There is now a standalone sudo.conf manual page. 123: 124: * Sudo now stores its libexec files in a "sudo" sub-directory instead 125: of in libexec itself. For backwards compatibility, if the plugin 126: is not found in the default plugin directory, sudo will check 127: the parent directory if the default directory ends in "/sudo". 128: 129: * The sudoers I/O logging plugin now logs the terminal size. 130: 131: * A new sudoers option "maxseq" can be used to limit the number of 132: I/O log entries that are stored. 133: 134: * The "system_group" and "group_file" sudoers group provider plugins 135: are now installed by default. 136: 137: * The list output (sudo -l) output from the sudoers plugin is now 138: less ambiguous when an entry includes different runas users. 139: The long list output (sudo -ll) for file-based sudoers is now 140: more consistent with the format of LDAP-based sudoers. 141: 142: * A uid may now be used in the sudoRunAsUser attributes for LDAP 143: sudoers. 144: 145: * Minor plugin API change: the close and version functions are now 146: optional. If the policy plugin does not provide a close function 147: and the command is not being run in a new pseudo-tty, sudo may 148: now execute the command directly instead of in a child process. 149: 150: * A new sudoers option "pam_session" can be used to disable sudo's 151: PAM session support. 152: 153: * On HP-UX systems, sudo will now use the pstat() function to 154: determine the tty instead of ttyname(). 155: 156: * Turkish translation for sudo and sudoers from translationproject.org. 157: 158: * Dutch translation for sudo and sudoers from translationproject.org. 159: 160: * Tivoli Directory Server client libraries may now be used with 161: HP-UX where libibmldap has a hidden dependency on libCsup. 162: 163: * The sudoers plugin will now ignore invalid domain names when 164: checking netgroup membership. Most Linux systems use the string 165: "(none)" for the NIS-style domain name instead of an empty string. 166: 167: * New support for specifying a SHA-2 digest along with the command 168: in sudoers. Supported hash types are sha224, sha256, sha384 and 169: sha512. See the description of Digest_Spec in the sudoers manual 170: or the description of sudoCommand in the sudoers.ldap manual for 171: details. 172: 173: * The paths to ldap.conf and ldap.secret may now be specified as 174: arguments to the sudoers plugin in the sudo.conf file. 175: 176: * Fixed potential false positives in visudo's alias cycle detection. 177: 178: * Fixed a problem where the time stamp file was being treated 179: as out of date on Linux systems where the change time on the 180: pseudo-tty device node can change after it is allocated. 181: 182: * Sudo now only builds Position Independent Executables (PIE) 183: by default on Linux systems and verifies that a trivial test 184: program builds and runs. 185: 186: * On Solaris 11.1 and higher, sudo binaries will now have the 187: ASLR tag enabled if supported by the linker. 188: 189: What's new in Sudo 1.8.6p8? 190: 191: * Terminal detection now works properly on 64-bit AIX kernels. 192: This was broken by the removal of the ttyname() fallback in Sudo 193: 1.8.6p6. Sudo is now able to map an AIX 64-bit device number 194: to the corresponding device file in /dev. 195: 196: * Sudo now checks for crypt() returning NULL when performing 197: passwd-based authentication. 198: 199: What's new in Sudo 1.8.6p7? 200: 201: * A time stamp file with the date set to the epoch by "sudo -k" 202: is now completely ignored regardless of what the local clock is 203: set to. Previously, if the local clock was set to a value between 204: the epoch and the time stamp timeout value, a time stamp reset 205: by "sudo -k" would be considered current. 206: 207: * The tty-specific time stamp file now includes the session ID 208: of the sudo process that created it. If a process with the same 209: tty but a different session ID runs sudo, the user will now be 210: prompted for a password (assuming authentication is required for 211: the command). 212: 213: What's new in Sudo 1.8.6p6? 214: 215: * On systems where the controlling tty can be determined via /proc 216: or sysctl(), sudo will no longer fall back to using ttyname() 217: if the process has no controlling tty. This prevents sudo from 218: using a non-controlling tty for logging and time stamp purposes. 219: 220: What's new in Sudo 1.8.6p5? 221: 222: * Fixed a potential crash in visudo's alias cycle detection. 223: 224: * Improved performance on Solaris when retrieving the group list 225: for the target user. On systems with a large number of groups 226: where the group database is not local (NIS, LDAP, AD), fetching 227: the group list could take a minute or more. 228: 229: What's new in Sudo 1.8.6p4? 230: 231: * The -fstack-protector is now used when linking visudo, sudoreplay 232: and testsudoers. 233: 234: * Avoid building PIE binaries on FreeBSD/ia64 as they don't run 235: properly. 236: 237: * Fixed a crash in visudo strict mode when an unknown Defaults 238: setting is encountered. 239: 240: * Do not inform the user that the command was not permitted by the 241: policy if they do not successfully authenticate. This is a 242: regression introduced in sudo 1.8.6. 243: 244: * Allow sudo to be build with sss support without also including 245: ldap support. 246: 247: * Fix running commands that need the terminal in the background 248: when I/O logging is enabled. E.g. "sudo vi &". When the command 249: is foregrounded, it will now resume properly. 250: 251: What's new in Sudo 1.8.6p3? 252: 253: * Fixed post-processing of the man pages on systems with legacy 254: versions of sed. 255: 256: * Fixed "sudoreplay -l" on Linux systems with file systems that 257: set DT_UNKNOWN in the d_type field of struct dirent. 258: 259: What's new in Sudo 1.8.6p2? 260: 261: * Fixed suspending a command after it has already been resumed 262: once when I/O logging (or use_pty) is not enabled. 263: This was a regression introduced in version 1.8.6. 264: 265: What's new in Sudo 1.8.6p1? 266: 267: * Fixed the setting of LOGNAME, USER and USERNAME variables in the 268: command's environment when env_reset is enabled (the default). 269: This was a regression introduced in version 1.8.6. 270: 271: * Sudo now honors SUCCESS=return in /etc/nsswitch.conf. 272: 273: What's new in Sudo 1.8.6? 274: 275: * Sudo is now built with the -fstack-protector flag if the the 276: compiler supports it. Also, the -zrelro linker flag is used if 277: supported. The --disable-hardening configure option can be used 278: to build sudo without stack smashing protection. 279: 280: * Sudo is now built as a Position Independent Executable (PIE) 281: if supported by the compiler and linker. 282: 283: * If the user is a member of the "exempt" group in sudoers, they 284: will no longer be prompted for a password even if the -k flag 285: is specified with the command. This makes "sudo -k command" 286: consistent with the behavior one would get if the user ran "sudo 287: -k" immediately before running the command. 288: 289: * The sudoers file may now be a symbolic link. Previously, sudo 290: would refuse to read sudoers unless it was a regular file. 291: 292: * The sudoreplay command can now properly replay sessions where 293: no tty was present. 294: 295: * The sudoers plugin now takes advantage of symbol visibility 296: controls when supported by the compiler or linker. As a result, 297: only a small number of symbols are exported which significantly 298: reduces the chances of a conflict with other shared objects. 299: 300: * Improved support for the Tivoli Directory Server LDAP client 301: libraries. This includes support for using LDAP over SSL (ldaps) 302: as well as support for the BIND_TIMELIMIT, TLS_KEY and TLS_CIPHERS 303: ldap.conf options. A new ldap.conf option, TLS_KEYPW can be 304: used to specify a password to decrypt the key database. 305: 306: * When constructing a time filter for use with LDAP sudoNotBefore 307: and sudoNotAfter attributes, the current time now includes tenths 308: of a second. This fixes a problem with timed entries on Active 309: Directory. 310: 311: * If a user fails to authenticate and the command would be rejected 312: by sudoers, it is now logged with "command not allowed" instead 313: of "N incorrect password attempts". Likewise, the "mail_no_perms" 314: sudoers option now takes precedence over "mail_badpass". 315: 316: * The sudo manuals are now formatted using the mdoc macros. Versions 317: using the legacy man macros are provided for systems that lack mdoc. 318: 319: * New support for Solaris privilege sets. This makes it possible 320: to specify fine-grained privileges in the sudoers file on Solaris 321: 10 and above. A Runas_Spec that contains no Runas_Lists can be 322: used to give a user the ability to run a command as themselves 323: but with an expanded privilege set. 324: 325: * Fixed a problem with the reboot and shutdown commands on some 326: systems (such as HP-UX and BSD). On these systems, reboot sends 327: all processes (except itself) SIGTERM. When sudo received 328: SIGTERM, it would relay it to the reboot process, thus killing 329: reboot before it had a chance to actually reboot the system. 330: 331: * Support for using the System Security Services Daemon (SSSD) as 332: a source of sudoers data. 333: 334: * Slovenian translation for sudo and sudoers from translationproject.org. 335: 336: * Visudo will now warn about unknown Defaults entries that are 337: per-host, per-user, per-runas or per-command. 338: 339: * Fixed a race condition that could cause sudo to receive SIGTTOU 340: (and stop) when resuming a shell that was run via sudo when I/O 341: logging (and use_pty) is not enabled. 342: 343: * Sending SIGTSTP directly to the sudo process will now suspend the 344: running command when I/O logging (and use_pty) is not enabled. 345: 346: What's new in Sudo 1.8.5p3? 347: 348: * Fixed the loading of I/O plugins that conform to a plugin API 349: version older than 1.2. 350: 351: What's new in Sudo 1.8.5p2? 352: 353: * Fixed use of the SUDO_ASKPASS environment variable which was 354: broken in Sudo 1.8.5. 355: 356: * Fixed a problem reading the sudoers file when the file mode is 357: more restrictive than the expected mode. For example, when the 358: expected sudoers file mode is 0440 but the actual mode is 0400. 359: 360: What's new in Sudo 1.8.5p1? 361: 362: * Fixed a bug that prevented files in an include directory from 363: being evaluated. 364: 365: What's new in Sudo 1.8.5? 366: 367: * When "noexec" is enabled, sudo_noexec.so will now be prepended 368: to any existing LD_PRELOAD variable instead of replacing it. 369: 370: * The sudo_noexec.so shared library now wraps the execvpe(), 371: exect(), posix_spawn() and posix_spawnp() functions. 372: 373: * The user/group/mode checks on sudoers files have been relaxed. 374: As long as the file is owned by the sudoers uid, not world-writable 375: and not writable by a group other than the sudoers gid, the file 376: is considered OK. Note that visudo will still set the mode to 377: the value specified at configure time. 378: 379: * It is now possible to specify the sudoers path, uid, gid and 380: file mode as options to the plugin in the sudo.conf file. 381: 382: * Croatian, Galician, German, Lithuanian, Swedish and Vietnamese 383: translations from translationproject.org. 384: 385: * /etc/environment is no longer read directly on Linux systems 386: when PAM is used. Sudo now merges the PAM environment into the 387: user's environment which is typically set by the pam_env module. 388: 389: * The initial evironment created when env_reset is in effect now 390: includes the contents of /etc/environment on AIX systems and the 391: "setenv" and "path" entries from /etc/login.conf on BSD systems. 392: 393: * The plugin API has been extended in three ways. First, options 394: specified in sudo.conf after the plugin pathname are passed to 395: the plugin's open function. Second, sudo has limited support 396: for hooks that can be used by plugins. Currently, the hooks are 397: limited to environment handling functions. Third, the init_session 398: policy plugin function is passed a pointer to the user environment 399: which can be updated during session setup. The plugin API version 400: has been incremented to version 1.2. See the sudo_plugin manual 401: for more information. 402: 403: * The policy plugin's init_session function is now called by the 404: parent sudo process, not the child process that executes the 405: command. This allows the PAM session to be open and closed in 406: the same process, which some PAM modules require. 407: 408: * Fixed parsing of "Path askpass" and "Path noexec" in sudo.conf, 409: which was broken in version 1.8.4. 410: 411: * On systems with an SVR4-style /proc file system, the /proc/pid/psinfo 412: file is now uses to determine the controlling terminal, if possible. 413: This allows tty-based tickets to work properly even when, e.g. 414: standard input, output and error are redirected to /dev/null. 415: 416: * The output of "sudoreplay -l" is now sorted by file name (or 417: sequence number). Previously, entries were displayed in the 418: order in which they were found on the file system. 419: 420: * Sudo now behaves properly when I/O logging is enabled and the 421: controlling terminal is revoked (e.g. the running sshd is killed). 422: Previously, sudo may have exited without calling the I/O plugin's 423: close function which can lead to an incomplete I/O log. 424: 425: * Sudo can now detect when a user has logged out and back in again 426: on Solaris 11, just like it can on Solaris 10. 427: 428: * The built-in zlib included with Sudo has been upgraded to version 429: 1.2.6. 430: 431: * Setting the SSL parameter to start_tls in ldap.conf now works 432: properly when using Mozilla-based SDKs that support the 433: ldap_start_tls_s() function. 434: 435: * The TLS_CHECKPEER parameter in ldap.conf now works when the 436: Mozilla NSS crypto backend is used with OpenLDAP. 437: 438: * A new group provider plugin, system_group, is included which 439: performs group look ups by name using the system groups database. 440: This can be used to restore the pre-1.7.3 sudo group lookup 441: behavior. 442: 443: What's new in Sudo 1.8.4p5? 444: 445: * Fixed a bug when matching against an IP address with an associated 446: netmask in the sudoers file. In certain circumstances, this 447: could allow users to run commands on hosts they are not authorized 448: for. 449: 450: What's new in Sudo 1.8.4p4? 451: 452: * Fixed a bug introduced in Sudo 1.8.4 which prevented "sudo -v" 453: from working. 454: 455: What's new in Sudo 1.8.4p3? 456: 457: * Fixed a crash on FreeBSD when no tty is present. 458: 459: * Fixed a bug introduced in Sudo 1.8.4 that allowed users to 460: specify environment variables to set on the command line without 461: having sudo "ALL" permissions or the "SETENV" tag. 462: 463: * When visudo is run with the -c (check) option, the sudoers 464: file(s) owner and mode are now also checked unless the -f option 465: was specified. 466: 467: What's new in Sudo 1.8.4p2? 468: 469: * Fixed a bug introduced in Sudo 1.8.4 where insufficient space 470: was allocated for group IDs in the LDAP filter. 471: 472: * Fixed a bug introduced in Sudo 1.8.4 where the path to sudo.conf 473: was "/sudo.conf" instead of "/etc/sudo.conf". 474: 475: * Fixed a bug introduced in Sudo 1.8.4 which could cause a hang 476: when I/O logging is enabled and input is from a pipe or file. 477: 478: What's new in Sudo 1.8.4p1? 479: 480: * Fixed a bug introduced in sudo 1.8.4 that broke adding to or 481: deleting from the env_keep, env_check and env_delete lists in 482: sudoers on some platforms. 483: 484: What's new in Sudo 1.8.4? 485: 486: * The -D flag in sudo has been replaced with a more general debugging 487: framework that is configured in sudo.conf. 488: 489: * Fixed a false positive in visudo strict mode when aliases are 490: in use. 491: 492: * Fixed a crash with "sudo -i" when a runas group was specified 493: without a runas user. 494: 495: * The line on which a syntax error is reported in the sudoers file 496: is now more accurate. Previously it was often off by a line. 497: 498: * Fixed a bug where stack garbage could be printed at the end of 499: the lecture when the "lecture_file" option was enabled. 500: 501: * "make install" now honors the LINGUAS environment variable. 502: 503: * The #include and #includedir directives in sudoers now support 504: relative paths. If the path is not fully qualified it is expected 505: to be located in the same directory of the sudoers file that is 506: including it. 507: 508: * Serbian and Spanish translations for sudo from translationproject.org. 509: 510: * LDAP-based sudoers may now access by group ID in addition to 511: group name. 512: 513: * visudo will now fix the mode on the sudoers file even if no changes 514: are made unless the -f option is specified. 515: 516: * The "use_loginclass" sudoers option works properly again. 517: 518: * On systems that use login.conf, "sudo -i" now sets environment 519: variables based on login.conf. 520: 521: * For LDAP-based sudoers, values in the search expression are now 522: escaped as per RFC 4515. 523: 524: * The plugin close function is now properly called when a login 525: session is killed (as opposed to the actual command being killed). 526: This can happen when an ssh session is disconnected or the 527: terminal window is closed. 528: 529: * The deprecated "noexec_file" sudoers option is no longer supported. 530: 531: * Fixed a race condition when I/O logging is not enabled that could 532: result in tty-generated signals (e.g. control-C) being received 533: by the command twice. 534: 535: * If none of the standard input, output or error are connected to 536: a tty device, sudo will now check its parent's standard input, 537: output or error for the tty name on systems with /proc and BSD 538: systems that support the KERN_PROC_PID sysctl. This allows 539: tty-based tickets to work properly even when, e.g. standard 540: input, output and error are redirected to /dev/null. 541: 542: * Added the --enable-kerb5-instance configure option to allow 543: people using Kerberos V authentication to specify a custom 544: instance so the principal name can be, e.g. "username/sudo" 545: similar to how ksu uses "username/root". 546: 547: * Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in 548: the results, which would be incorrectly be interpreted as if the 549: sudoers file had specified a directory. 550: 551: * "visudo -c" will now list any include files that were checked 552: in addition to the main sudoers file when everything parses OK. 553: 554: * Users that only have read-only access to the sudoers file may 555: now run "visudo -c". Previously, write permissions were required 556: even though no writing is down in check-only mode. 557: 558: * It is now possible to prevent the disabling of core dumps from 559: within sudo itself by adding a line to the sudo.conf file like 560: "Set disable_coredump false". 561: 562: What's new in Sudo 1.8.3p2? 563: 564: * Fixed a format string vulnerability when the sudo binary (or a 565: symbolic link to the sudo binary) contains printf format escapes 566: and the -D (debugging) flag is used. 567: 568: What's new in Sudo 1.8.3p1? 569: 570: * Fixed a crash in the monitor process on Solaris when NOPASSWD 571: was specified or when authentication was disabled. 572: 573: * Fixed matching of a Runas_Alias in the group section of a 574: Runas_Spec. 575: 576: What's new in Sudo 1.8.3? 577: 578: * Fixed expansion of strftime() escape sequences in the "log_dir" 579: sudoers setting. 580: 581: * Esperanto, Italian and Japanese translations from translationproject.org. 582: 583: * Sudo will now use PAM by default on AIX 6 and higher. 584: 585: * Added --enable-werror configure option for gcc's -Werror flag. 586: 587: * Visudo no longer assumes all editors support the +linenumber 588: command line argument. It now uses a whitelist of editors known 589: to support the option. 590: 591: * Fixed matching of network addresses when a netmask is specified 592: but the address is not the first one in the CIDR block. 593: 594: * The configure script now check whether or not errno.h declares 595: the errno variable. Previously, sudo would always declare errno 596: itself for older systems that don't declare it in errno.h. 597: 598: * The NOPASSWD tag is now honored for denied commands too, which 599: matches historic sudo behavior (prior to sudo 1.7.0). 600: 601: * Sudo now honors the "DEREF" setting in ldap.conf which controls 602: how alias dereferencing is done during an LDAP search. 603: 604: * A symbol conflict with the pam_ssh_agent_auth PAM module that 605: would cause a crash been resolved. 606: 607: * The inability to load a group provider plugin is no longer 608: a fatal error. 609: 610: * A potential crash in the utmp handling code has been fixed. 611: 612: * Two PAM session issues have been resolved. In previous versions 613: of sudo, the PAM session was opened as one user and closed as 614: another. Additionally, if no authentication was performed, the 615: PAM session would never be closed. 616: 617: * Sudo will now work correctly with LDAP-based sudoers using TLS 618: or SSL on Debian systems. 619: 620: * The LOGNAME, USER and USERNAME environment variables are preserved 621: correctly again in sudoedit mode. 622: 623: What's new in Sudo 1.8.2? 624: 625: * Sudo, visudo, sudoreplay and the sudoers plug-in now have natural 626: language support (NLS). This can be disabled by passing configure 627: the --disable-nls option. Sudo will use gettext(), if available, 628: to display translated messages. All translations are coordinated 629: via The Translation Project, http://translationproject.org/. 630: 631: * Plug-ins are now loaded with the RTLD_GLOBAL flag instead of 632: RTLD_LOCAL. This fixes missing symbol problems in PAM modules 633: on certain platforms, such as FreeBSD and SuSE Linux Enterprise. 634: 635: * I/O logging is now supported for commands run in background mode 636: (using sudo's -b flag). 637: 638: * Group ownership of the sudoers file is now only enforced when 639: the file mode on sudoers allows group readability or writability. 640: 641: * Visudo now checks the contents of an alias and warns about cycles 642: when the alias is expanded. 643: 644: * If the user specifies a group via sudo's -g option that matches 645: the target user's group in the password database, it is now 646: allowed even if no groups are present in the Runas_Spec. 647: 648: * The sudo Makefiles now have more complete dependencies which are 649: automatically generated instead of being maintained manually. 650: 651: * The "use_pty" sudoers option is now correctly passed back to the 652: sudo front end. This was missing in previous versions of sudo 653: 1.8 which prevented "use_pty" from being honored. 654: 655: * "sudo -i command" now works correctly with the bash version 656: 2.0 and higher. Previously, the .bash_profile would not be 657: sourced prior to running the command unless bash was built with 658: NON_INTERACTIVE_LOGIN_SHELLS defined. 659: 660: * When matching groups in the sudoers file, sudo will now match 661: based on the name of the group instead of the group ID. This can 662: substantially reduce the number of group lookups for sudoers 663: files that contain a large number of groups. 664: 665: * Multi-factor authentication is now supported on AIX. 666: 667: * Added support for non-RFC 4517 compliant LDAP servers that require 668: that seconds be present in a timestamp, such as Tivoli Directory Server. 669: 670: * If the group vector is to be preserved, the PATH search for the 671: command is now done with the user's original group vector. 672: 673: * For LDAP-based sudoers, the "runas_default" sudoOption now works 674: properly in a sudoRole that contains a sudoCommand. 675: 676: * Spaces in command line arguments for "sudo -s" and "sudo -i" are 677: now escaped with a backslash when checking the security policy. 678: 679: What's new in Sudo 1.8.1p2? 680: 681: * Two-character CIDR-style IPv4 netmasks are now matched correctly 682: in the sudoers file. 683: 684: * A build error with MIT Kerberos V has been resolved. 685: 686: * A crash on HP-UX in the sudoers plugin when wildcards are 687: present in the sudoers file has been resolved. 688: 689: * Sudo now works correctly on Tru64 Unix again. 690: 691: What's new in Sudo 1.8.1p1? 692: 693: * Fixed a problem on AIX where sudo was unable to set the final 694: uid if the PAM module modified the effective uid. 695: 696: * A non-existent includedir is now treated the same as an empty 697: directory and not reported as an error. 698: 699: * Removed extraneous parens in LDAP filter when sudoers_search_filter 700: is enabled that can cause an LDAP search error. 701: 702: * Fixed a "make -j" problem for "make install". 703: 704: What's new in Sudo 1.8.1? 705: 706: * A new LDAP setting, sudoers_search_filter, has been added to 707: ldap.conf. This setting can be used to restrict the set of 708: records returned by the LDAP query. Based on changes from Matthew 709: Thomas. 710: 711: * White space is now permitted within a User_List when used in 712: conjunction with a per-user Defaults definition. 713: 714: * A group ID (%#gid) may now be specified in a User_List or Runas_List. 715: Likewise, for non-Unix groups the syntax is %:#gid. 716: 717: * Support for double-quoted words in the sudoers file has been fixed. 718: The change in 1.7.5 for escaping the double quote character 719: caused the double quoting to only be available at the beginning 720: of an entry. 721: 722: * The fix for resuming a suspended shell in 1.7.5 caused problems 723: with resuming non-shells on Linux. Sudo will now save the process 724: group ID of the program it is running on suspend and restore it 725: when resuming, which fixes both problems. 726: 727: * A bug that could result in corrupted output in "sudo -l" has been 728: fixed. 729: 730: * Sudo will now create an entry in the utmp (or utmpx) file when 731: allocating a pseudo-tty (e.g. when logging I/O). The "set_utmp" 732: and "utmp_runas" sudoers file options can be used to control this. 733: Other policy plugins may use the "set_utmp" and "utmp_user" 734: entries in the command_info list. 735: 736: * The sudoers policy now stores the TSID field in the logs 737: even when the "iolog_file" sudoers option is defined to a value 738: other than %{sessid}. Previously, the TSID field was only 739: included in the log file when the "iolog_file" option was set 740: to its default value. 741: 742: * The sudoreplay utility now supports arbitrary session IDs. 743: Previously, it would only work with the base-36 session IDs 744: that the sudoers plugin uses by default. 745: 746: * Sudo now passes "run_shell=true" to the policy plugin in the 747: settings list when sudo's -s command line option is specified. 748: The sudoers policy plugin uses this to implement the "set_home" 749: sudoers option which was missing from sudo 1.8.0. 750: 751: * The "noexec" functionality has been moved out of the sudoers 752: policy plugin and into the sudo front-end, which matches the 753: behavior documented in the plugin writer's guide. As a result, 754: the path to the noexec file is now specified in the sudo.conf 755: file instead of the sudoers file. 756: 757: * On Solaris 10, the PRIV_PROC_EXEC privilege is now used to 758: implement the "noexec" feature. Previously, this was implemented 759: via the LD_PRELOAD environment variable. 760: 761: * The exit values for "sudo -l", "sudo -v" and "sudo -l command" 762: have been fixed in the sudoers policy plugin. 763: 764: * The sudoers policy plugin now passes the login class, if any, 765: back to the sudo front-end. 766: 767: * The sudoers policy plugin was not being linked with requisite 768: libraries in certain configurations. 769: 770: * Sudo now parses command line arguments before loading any plugins. 771: This allows "sudo -V" or "sudo -h" to work even if there is a problem 772: with sudo.conf 773: 774: * Plugins are now linked with the static version of libgcc to allow 775: the plugin to run on a system where no shared libgcc is installed, 776: or where it is installed in a different location. 777: 778: What's new in Sudo 1.8.0? 779: 780: * Sudo has been refactored to use a modular framework that can 781: support third-party policy and I/O logging plugins. The default 782: plugin is "sudoers" which provides the traditional sudo functionality. 783: See the sudo_plugin manual for details on the plugin API and the 784: sample in the plugins directory for a simple example. 785: 786: What's new in Sudo 1.7.5? 787: 788: * When using visudo in check mode, a file named "-" may be used to 789: check sudoers data on the standard input. 790: 791: * Sudo now only fetches shadow password entries when using the 792: password database directly for authentication. 793: 794: * Password and group entries are now cached using the same key 795: that was used to look them up. This fixes a problem when looking 796: up entries by name if the name in the retrieved entry does not 797: match the name used to look it up. This may happen on some systems 798: that do case insensitive lookups or that truncate long names. 799: 800: * GCC will no longer display warnings on glibc systems that use 801: the warn_unused_result attribute for write(2) and other system calls. 802: 803: * If a PAM account management module denies access, sudo now prints 804: a more useful error message and stops trying to validate the user. 805: 806: * Fixed a potential hang on idle systems when the sudo-run process 807: exits immediately. 808: 809: * Sudo now includes a copy of zlib that will be used on systems 810: that do not have zlib installed. 811: 812: * The --with-umask-override configure flag has been added to enable 813: the "umask_override" sudoers Defaults option at build time. 814: 815: * Sudo now unblocks all signals on startup to avoid problems caused 816: by the parent process changing the default signal mask. 817: 818: * LDAP Sudoers entries may now specify a time period for which 819: the entry is valid. This requires an updated sudoers schema 820: that includes the sudoNotBefore and sudoNotAfter attributes. 821: Support for timed entries must be explicitly enabled in the 822: ldap.conf file. Based on changes from Andreas Mueller. 823: 824: * LDAP Sudoers entries may now specify a sudoOrder attribute that 825: determines the order in which matching entries are applied. The 826: last matching entry is used, just like file-based sudoers. This 827: requires an updated sudoers schema that includes the sudoOrder 828: attribute. Based on changes from Andreas Mueller. 829: 830: * When run as sudoedit, or when given the -e flag, sudo now treats 831: command line arguments as pathnames. This means that slashes 832: in the sudoers file entry must explicitly match slashes in 833: the command line arguments. As a result, and entry such as: 834: user ALL = sudoedit /etc/* 835: will allow editing of /etc/motd but not /etc/security/default. 836: 837: * NETWORK_TIMEOUT is now an alias for BIND_TIMELIMIT in ldap.conf for 838: compatibility with OpenLDAP configuration files. 839: 840: * The LDAP API TIMEOUT parameter is now honored in ldap.conf. 841: 842: * The I/O log directory may now be specified in the sudoers file. 843: 844: * Sudo will no longer refuse to run if the sudoers file is writable 845: by root. 846: 847: * Sudo now performs command line escaping for "sudo -s" and "sudo -i" 848: after validating the command so the sudoers entries do not need 849: to include the backslashes. 850: 851: * Logging and email sending are now done in the locale specified 852: by the "sudoers_locale" setting ("C" by default). Email send by 853: sudo now includes MIME headers when "sudoers_locale" is not "C". 854: 855: * The configure script has a new option, --disable-env-reset, to 856: allow one to change the default for the sudoers Default setting 857: "env_reset" at compile time. 858: 859: * When logging "sudo -l command", sudo will now prepend "list " 860: to the command in the log line to distinguish between an 861: actual command invocation in the logs. 862: 863: * Double-quoted group and user names may now include escaped double 864: quotes as part of the name. Previously this was a parse error. 865: 866: * Sudo once again restores the state of the signal handlers it 867: modifies before executing the command. This allows sudo to be 868: used with the nohup command. 869: 870: * Resuming a suspended shell now works properly when I/O logging 871: is not enabled (the I/O logging case was already correct). 872: 873: What's new in Sudo 1.7.4p6? 874: 875: * A bug has been fixed in the I/O logging support that could cause 876: visual artifacts in full-screen programs such as text editors. 877: 878: What's new in Sudo 1.7.4p5? 879: 880: * A bug has been fixed that would allow a command to be run without the 881: user entering a password when sudo's -g flag is used without the -u flag. 882: 883: * If user has no supplementary groups, sudo will now fall back on checking 884: the group file explicitly, which restores historic sudo behavior. 885: 886: * A crash has been fixed when sudo's -g flag is used without the -u flag 887: and the sudoers file contains an entry with no runas user or group listed. 888: 889: * A crash has been fixed when the Solaris project support is enabled 890: and sudo's -g flag is used without the -u flag. 891: 892: * Sudo no longer exits with an error when support for auditing is 893: compiled in but auditing is not enabled. 894: 895: * Fixed a bug introduced in sudo 1.7.3 where the ticket file was not 896: being honored when the "targetpw" sudoers Defaults option was enabled. 897: 898: * The LOG_INPUT and LOG_OUTPUT tags in sudoers are now parsed correctly. 899: 900: * A crash has been fixed in "sudo -l" when sudo is built with auditing 901: support and the user is not allowed to run any commands on the host. 902: 903: What's new in Sudo 1.7.4p4? 904: 905: * A potential security issue has been fixed with respect to the handling 906: of sudo's -g command line option when -u is also specified. The flaw 907: may allow an attacker to run commands as a user that is not authorized 908: by the sudoers file. 909: 910: * A bug has been fixed where "sudo -l" output was incomplete if multiple 911: sudoers sources were defined in nsswitch.conf and there was an error 912: querying one of the sources. 913: 914: * The log_input, log_output, and use_pty sudoers options now work correctly 915: on AIX. Previously, sudo would hang if they were enabled. 916: 917: * The "make install" target now works correctly when sudo is built in a 918: directory other than the source directory. 919: 920: * The "runas_default" sudoers setting now works properly in a per-command 921: Defaults line. 922: 923: * Suspending and resuming the bash shell when PAM is in use now works 924: correctly. The SIGCONT signal was not propagated to the child process. 925: 926: What's new in Sudo 1.7.4p3? 927: 928: * A bug has been fixed where duplicate HOME environment variables could be 929: present when the env_reset setting was disabled and the always_set_home 930: setting was enabled in sudoers. 931: 932: * The value of sysconfdir is now substituted into the path to the sudoers.d 933: directory in the installed sudoers file. 934: 935: * Compilation problems on IRIX and other platforms have been fixed. 936: 937: * If multiple PAM "auth" actions are specified and the user enters ^C at 938: the password prompt, sudo will no longer prompt for a password for any 939: subsequent "auth" actions. Previously it was necessary to enter ^C for 940: each "auth" action. 941: 942: What's new in Sudo 1.7.4p2? 943: 944: * A bug where sudo could spin in a busy loop waiting for the child process 945: has been fixed. 946: 947: What's new in Sudo 1.7.4p1? 948: 949: * A bug introduced in sudo 1.7.3 that prevented the -k and -K options from 950: functioning when the tty_tickets sudoers option is enabled has been fixed. 951: 952: * Sudo no longer prints a warning when the -k or -K options are specified 953: and the ticket file does not exist. 954: 955: * It is now easier to cross-compile sudo. 956: 957: What's new in Sudo 1.7.4? 958: 959: * Sudoedit will now preserve the file extension in the name of the 960: temporary file being edited. The extension is used by some 961: editors (such as emacs) to choose the editing mode. 962: 963: * Time stamp files have moved from /var/run/sudo to either /var/db/sudo, 964: /var/lib/sudo or /var/adm/sudo. The directories are checked for 965: existence in that order. This prevents users from receiving the 966: sudo lecture every time the system reboots. Time stamp files older 967: than the boot time are ignored on systems where it is possible to 968: determine this. 969: 970: * The tty_tickets sudoers option is now enabled by default. 971: 972: * Ancillary documentation (README files, LICENSE, etc) is now installed 973: in a sudo documentation directory. 974: 975: * Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile" 976: in ldap.conf. 977: 978: * Defaults settings that are tied to a user, host or command may 979: now include the negation operator. For example: 980: Defaults:!millert lecture 981: will match any user but millert. 982: 983: * The default PATH environment variable, used when no PATH variable 984: exists, now includes /usr/sbin and /sbin. 985: 986: * Sudo now uses polypkg (http://rc.quest.com/topics/polypkg/) 987: for cross-platform packing. 988: 989: * On Linux, sudo will now restore the nproc resource limit before 990: executing a command, unless the limit appears to have been modified 991: by pam_limits. This avoids a problem with bash scripts that open 992: more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX) 993: will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1). 994: 995: * The HOME and MAIL environment variables are now reset based on the 996: target user's password database entry when the env_reset sudoers option 997: is enabled (which is the case in the default configuration). Users 998: wishing to preserve the original values should use a sudoers entry like: 999: Defaults env_keep += HOME 1000: to preserve the old value of HOME and 1001: Defaults env_keep += MAIL 1002: to preserve the old value of MAIL. 1003: 1004: * Fixed a problem in the restoration of the AIX authdb registry setting. 1005: 1006: * Sudo will now fork(2) and wait until the command has completed before 1007: calling pam_close_session(). 1008: 1009: * The default syslog facility is now "authpriv" if the operating system 1010: supports it, else "auth". 1011: 1012: What's new in Sudo 1.7.3? 1013: 1014: * Support for logging I/O for the command being run. 1015: For more information, see the documentation for the "log_input" 1016: and "log_output" Defaults options in the sudoers manual. Also 1017: see the sudoreplay manual for how to replay I/O log sessions. 1018: 1019: * The use_pty sudoers option can be used to force a command to be 1020: run in a pseudo-pty, even when I/O logging is not enabled. 1021: 1022: * On some systems, sudo can now detect when a user has logged out 1023: and back in again when tty-based time stamps are in use. Supported 1024: systems include Solaris systems with the devices file system, 1025: Mac OS X, and Linux systems with the devpts filesystem (pseudo-ttys 1026: only). 1027: 1028: * On AIX systems, the registry setting in /etc/security/user is 1029: now taken into account when looking up users and groups. Sudo 1030: now applies the correct the user and group ids when running a 1031: command as a user whose account details come from a different 1032: source (e.g. LDAP or DCE vs. local files). 1033: 1034: * Support for multiple 'sudoers_base' and 'uri' entries in ldap.conf. 1035: When multiple entries are listed, sudo will try each one in the 1036: order in which they are specified. 1037: 1038: * Sudo's SELinux support should now function correctly when running 1039: commands as a non-root user and when one of stdin, stdout or stderr 1040: is not a terminal. 1041: 1042: * Sudo will now use the Linux audit system with configure with 1043: the --with-linux-audit flag. 1044: 1045: * Sudo now uses mbr_check_membership() on systems that support it 1046: to determine group membership. Currently, only Darwin (Mac OS X) 1047: supports this. 1048: 1049: * When the tty_tickets sudoers option is enabled but there is no 1050: terminal device, sudo will no longer use or create a tty-based 1051: ticket file. Previously, sudo would use a tty name of "unknown". 1052: As a consequence, if a user has no terminal device, sudo will 1053: now always prompt for a password. 1054: 1055: * The passwd_timeout and timestamp_timeout options may now be 1056: specified as floating point numbers for more granular timeout 1057: values. 1058: 1059: * Negating the fqdn option in sudoers now works correctly when sudo 1060: is configured with the --with-fqdn option. In previous versions 1061: of sudo the fqdn was set before sudoers was parsed. 1062: 1063: What's new in Sudo 1.7.2? 1064: 1065: * A new #includedir directive is available in sudoers. This can be 1066: used to implement an /etc/sudo.d directory. Files in an includedir 1067: are not edited by visudo unless they contain a syntax error. 1068: 1069: * The -g option did not work properly when only setting the group 1070: (and not the user). Also, in -l mode the wrong user was displayed 1071: for sudoers entries where only the group was allowed to be set. 1072: 1073: * Fixed a problem with the alias checking in visudo which 1074: could prevent visudo from exiting. 1075: 1076: * Sudo will now correctly parse the shell-style /etc/environment 1077: file format used by pam_env on Linux. 1078: 1079: * When doing password and group database lookups, sudo will only 1080: cache an entry by name or by id, depending on how the entry was 1081: looked up. Previously, sudo would cache by both name and id 1082: from a single lookup, but this breaks sites that have multiple 1083: password or group database names that map to the same uid or 1084: gid. 1085: 1086: * User and group names in sudoers may now be enclosed in double 1087: quotes to avoid having to escape special characters. 1088: 1089: * BSM audit fixes when changing to a non-root uid. 1090: 1091: * Experimental non-Unix group support. Currently only works with 1092: Quest Authorization Services and allows Active Directory groups 1093: fixes for Minix-3. 1094: 1095: * For Netscape/Mozilla-derived LDAP SDKs the certificate and key 1096: paths may be specified as a directory or a file. However, version 1097: 5.0 of the SDK only appears to support using a directory (despite 1098: documentation to the contrary). If SSL client initialization 1099: fails and the certificate or key paths look like they could be 1100: default file name, strip off the last path element and try again. 1101: 1102: * A setenv() compatibility fix for Linux systems, where a NULL 1103: value is treated the same as an empty string and the variable 1104: name is checked against the NULL pointer. 1105: 1106: What's new in Sudo 1.7.1? 1107: 1108: * A new Defaults option "pwfeedback" will cause sudo to provide visual 1109: feedback when the user is entering a password. 1110: 1111: * A new Defaults option "fast_glob" will cause sudo to use the fnmatch() 1112: function for file name globbing instead of glob(). When this option 1113: is enabled, sudo will not check the file system when expanding wildcards. 1114: This is faster but a side effect is that relative paths with wildcard 1115: will no longer work. 1116: 1117: * New BSM audit support for systems that support it such as FreeBSD 1118: and Mac OS X. 1119: 1120: * The file name specified with the #include directive may now include 1121: a %h escape which is expanded to the short form of hostname. 1122: 1123: * The -k flag may now be specified along with a command, causing the 1124: user's timestamp file to be ignored. 1125: 1126: * New support for Tivoli-based LDAP START_TLS, present in AIX. 1127: 1128: * New support for /etc/netsvc.conf on AIX. 1129: 1130: * The unused alias checks in visudo now handle the case of an alias 1131: referring to another alias. 1132: 1133: What's new in Sudo 1.7.0? 1134: 1135: * Rewritten parser that converts sudoers into a set of data structures. 1136: This eliminates a number of ordering issues and makes it possible to 1137: apply sudoers Defaults entries before searching for the command. 1138: It also adds support for per-command Defaults specifications. 1139: 1140: * Sudoers now supports a #include facility to allow the inclusion of other 1141: sudoers-format files. 1142: 1143: * Sudo's -l (list) flag has been enhanced: 1144: o applicable Defaults options are now listed 1145: o a command argument can be specified for testing whether a user 1146: may run a specific command. 1147: o a new -U flag can be used in conjunction with "sudo -l" to allow 1148: root (or a user with "sudo ALL") list another user's privileges. 1149: 1150: * A new -g flag has been added to allow the user to specify a 1151: primary group to run the command as. The sudoers syntax has been 1152: extended to include a group section in the Runas specification. 1153: 1154: * A uid may now be used anywhere a username is valid. 1155: 1156: * The "secure_path" run-time Defaults option has been restored. 1157: 1158: * Password and group data is now cached for fast lookups. 1159: 1160: * The file descriptor at which sudo starts closing all open files is now 1161: configurable via sudoers and, optionally, the command line. 1162: 1163: * Visudo will now warn about aliases that are defined but not used. 1164: 1165: * The -i and -s command line flags now take an optional command 1166: to be run via the shell. Previously, the argument was passed 1167: to the shell as a script to run. 1168: 1169: * Improved LDAP support. SASL authentication may now be used in 1170: conjunction when connecting to an LDAP server. The krb5_ccname 1171: parameter in ldap.conf may be used to enable Kerberos. 1172: 1173: * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf 1174: to specify the sudoers order. E.g.: 1175: sudoers: ldap files 1176: to check LDAP, then /etc/sudoers. The default is "files", even 1177: when LDAP support is compiled in. This differs from sudo 1.6 1178: where LDAP was always consulted first. 1179: 1180: * Support for /etc/environment on AIX and Linux. If sudo is run 1181: with the -i flag, the contents of /etc/environment are used to 1182: populate the new environment that is passed to the command being 1183: run. 1184: 1185: * If no terminal is available or if the new -A flag is specified, 1186: sudo will use a helper program to read the password if one is 1187: configured. Typically, this is a graphical password prompter 1188: such as ssh-askpass. 1189: 1190: * A new Defaults option, "mailfrom" that sets the value of the 1191: "From:" field in the warning/error mail. If unspecified, the 1192: login name of the invoking user is used. 1193: 1194: * A new Defaults option, "env_file" that refers to a file containing 1195: environment variables to be set in the command being run. 1196: 1197: * A new flag, -n, may be used to indicate that sudo should not 1198: prompt the user for a password and, instead, exit with an error 1199: if authentication is required. 1200: 1201: * If sudo needs to prompt for a password and it is unable to disable 1202: echo (and no askpass program is defined), it will refuse to run 1203: unless the "visiblepw" Defaults option has been specified. 1204: 1205: * Prior to version 1.7.0, hitting enter/return at the Password: prompt 1206: would exit sudo. In sudo 1.7.0 and beyond, this is treated as 1207: an empty password. To exit sudo, the user must press ^C or ^D 1208: at the prompt. 1209: 1210: * visudo will now check the sudoers file owner and mode in -c (check) 1211: mode when the -s (strict) flag is specified. 1212: 1213: * A new Defaults option "umask_override" will cause sudo to set the 1214: umask specified in sudoers even if it is more permissive than the 1215: invoking user's umask.