"Fossies" - the Fresh Open Source Software Archive 
Member "sudo-1.9.11p3/NEWS" (20 Jun 2022, 162838 Bytes) of package /linux/misc/sudo-1.9.11p3.tar.gz:
As a special service "Fossies" has tried to format the requested text file into HTML format (style:
standard) with prefixed line numbers.
Alternatively you can here
view or
download the uninterpreted source code file.
See also the latest
Fossies "Diffs" side-by-side code changes report for "NEWS":
1.9.11p2_vs_1.9.11p3.
1 What's new in Sudo 1.9.11p3
2
3 * Fixed "connection reset" errors on AIX when running shell scripts
4 with the "intercept" or "log_subcmds" sudoers options enabled.
5 Bug #1034.
6
7 * Fixed very slow execution of shell scripts when the "intercept"
8 or "log_subcmds" sudoers options are set on systems that enable
9 Nagle's algorithm on the loopback device, such as AIX.
10 Bug #1034.
11
12 What's new in Sudo 1.9.11p2
13
14 * Fixed a compilation error on Linux/x86_64 with the x32 ABI.
15
16 * Fixed a regression introduced in 1.9.11p1 that caused a warning
17 when logging to sudo_logsrvd if the command returned no output.
18
19 What's new in Sudo 1.9.11p1
20
21 * Correctly handle EAGAIN in the I/O read/right events. This fixes
22 a hang seen on some systems when piping a large amount of data
23 through sudo, such as via rsync. Bug #963.
24
25 * Changes to avoid implementation or unspecified behavior when
26 bit shifting signed values in the protobuf library.
27
28 * Fixed a compilation error on Linux/aarch64.
29
30 * Fixed the configure check for seccomp(2) support on Linux.
31
32 * Corrected the EBNF specification for tags in the sudoers manual
33 page. GitHub issue #153.
34
35 What's new in Sudo 1.9.11
36
37 * Fixed a crash in the Python module with Python 3.9.10 on some
38 systems. Additionally, "make check" now passes for Python 3.9.10.
39
40 * Error messages sent via email now include more details, including
41 the file name and the line number and column of the error.
42 Multiple errors are sent in a single message. Previously, only
43 the first error was included.
44
45 * Fixed logging of parse errors in JSON format. Previously,
46 the JSON logger would not write entries unless the command and
47 runuser were set. These may not be known at the time a parse
48 error is encountered.
49
50 * Fixed a potential crash parsing sudoers lines larger than twice
51 the value of LINE_MAX on systems that lack the getdelim() function.
52
53 * The tests run by "make check" now unset the LANGUAGE environment
54 variable. Otherwise, localization strings will not match if
55 LANGUAGE is set to a non-English locale. Bug #1025.
56
57 * The "starttime" test now passed when run under Debian faketime.
58 Bug #1026.
59
60 * The Kerberos authentication module now honors the custom password
61 prompt if one has been specified.
62
63 * The embedded copy of zlib has been updated to version 1.2.12.
64
65 * Updated the version of libtool used by sudo to version 2.4.7.
66
67 * Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE
68 in the header files (currently only GNU libc). This is required
69 to allow the use of 64-bit time values on some 32-bit systems.
70
71 * Sudo's "intercept" and "log_subcmds" options no longer force the
72 command to run in its own pseudo-terminal. It is now also
73 possible to intercept the system(3) function.
74
75 * Fixed a bug in sudo_logsrvd when run in store-first relay mode
76 where the commit point messages sent by the server were incorrect
77 if the command was suspended or received a window size change
78 event.
79
80 * Fixed a potential crash in sudo_logsrvd when the "tls_dhparams"
81 configuration setting was used.
82
83 * The "intercept" and "log_subcmds" functionality can now use
84 ptrace(2) on Linux systems that support seccomp(2) filtering.
85 This has the advantage of working for both static and dynamic
86 binaries and can work with sudo's SELinux RBAC mode. The following
87 architectures are currently supported: i386, x86_64, aarch64,
88 arm, mips (log_subcmds only), powerpc, riscv, and s390x. The
89 default is to use ptrace(2) where possible; the new "intercept_type"
90 sudoers setting can be used to explicitly set the type.
91
92 * New Georgian translation from translationproject.org.
93
94 * Fixed creating packages on CentOS Stream.
95
96 * Fixed a bug in the intercept and log_subcmds support where
97 the execve(2) wrapper was using the current environment instead
98 of the passed environment pointer. Bug #1030.
99
100 * Added AppArmor integration for Linux. A sudoers rule can now
101 specify an APPARMOR_PROFILE option to run a command confined by
102 the named AppArmor profile.
103
104 * Fixed parsing of the "server_log" setting in sudo_logsrvd.conf.
105 Non-paths were being treated as paths and an actual path was
106 treated as an error.
107
108 What's new in Sudo 1.9.10
109
110 * Added new "log_passwords" and "passprompt_regex" sudoers options.
111 If "log_passwords" is disabled, sudo will attempt to prevent passwords
112 from being logged. If sudo detects any of the regular expressions in
113 the "passprompt_regex" list in the terminal output, sudo will log '*'
114 characters instead of the terminal input until a newline or carriage
115 return is found in the input or an output character is received.
116
117 * Added new "log_passwords" and "passprompt_regex" settings to
118 sudo_logsrvd that operate like the sudoers options when logging
119 terminal input.
120
121 * Fixed several few bugs in the cvtsudoers utility when merging
122 multiple sudoers sources.
123
124 * Fixed a bug in sudo_logsrvd when parsing the sudo_logsrvd.conf
125 file, where the "retry_interval" in the [relay] section was not
126 being recognized.
127
128 * Restored the pre-1.9.9 behavior of not performing authentication
129 when sudo's -n option is specified. A new "noninteractive_auth"
130 sudoers option has been added to enable PAM authentication in
131 non-interactive mode. GitHub issue #131.
132
133 * On systems with /proc, if the /proc/self/stat (Linux) or
134 /proc/pid/psinfo (other systems) file is missing or invalid,
135 sudo will now check file descriptors 0-2 to determine the user's
136 terminal. Bug #1020.
137
138 * Fixed a compilation problem on Debian kFreeBSD. Bug #1021.
139
140 * Fixed a crash in sudo_logsrvd when running in relay mode if
141 an alert message is received.
142
143 * Fixed an issue that resulting in "problem with defaults entries"
144 email to be sent if a user ran sudo when the sudoers entry in
145 the nsswitch.conf file includes "sss" but no sudo provider is
146 configured in /etc/sssd/sssd.conf. Bug #1022.
147
148 * Updated the warning displayed when the invoking user is not
149 allowed to run sudo. If sudo has been configured to send mail
150 on failed attempts (see the mail_* flags in sudoers), it will
151 now print "This incident has been reported to the administrator."
152 If the "mailto" or "mailerpath" sudoers settings are disabled,
153 the message will not be printed and no mail will be sent.
154 GitHub issue #48.
155
156 * Fixed a bug where the user-specified command timeout was not
157 being honored if the sudoers rule did not also specify a timeout.
158
159 * Added support for using POSIX extended regular expressions in
160 sudoers rules. A command and/or arguments in sudoers are treated
161 as a regular expression if they start with a '^' character and
162 end with a '$'. The command and arguments are matched separately,
163 either one (or both) may be a regular expression.
164 Bug #578, GitHub issue #15.
165
166 * A user may now only run "sudo -U otheruser -l" if they have a
167 "sudo ALL" privilege where the RunAs user contains either "root"
168 or "otheruser". Previously, having "sudo ALL" was sufficient,
169 regardless of the RunAs user. GitHub issue #134.
170
171 * The sudo lecture is now displayed immediately before the password
172 prompt. As a result, sudo will no longer display the lecture
173 unless the user needs to enter a password. Authentication methods
174 that don't interact with the user via a terminal do not trigger
175 the lecture.
176
177 * Sudo now uses its own closefrom() emulation on Linux systems.
178 The glibc version may not work in a chroot jail where /proc is
179 not available. If close_range(2) is present, it will be used
180 in preference to /proc/self/fd.
181
182 What's new in Sudo 1.9.9
183
184 * Sudo can now be built with OpenSSL 3.0 without generating warnings
185 about deprecated OpenSSL APIs.
186
187 * A digest can now be specified along with the "ALL" command in
188 the LDAP and SSSD back-ends. Sudo 1.9.0 introduced support for
189 this in the sudoers file but did not include corresponding changes
190 for the other back-ends.
191
192 * visudo now only warns about an undefined alias or a cycle in an
193 alias once for each alias.
194
195 * The sudoRole cn was truncated by a single character in warning messages.
196 GitHub issue #115.
197
198 * The cvtsudoers utility has new --group-file and --passwd-file options
199 to use a custom passwd or group file when the --match-local option is
200 also used.
201
202 * The cvtsudoers utility can now filter or match based on a command.
203
204 * The cvtsudoers utility can now produce output in csv (comma-separated
205 value) format. This can be used to help generate entitlement reports.
206
207 * Fixed a bug in sudo_logsrvd that could result in the connection being
208 dropped for very long command lines.
209
210 * Fixed a bug where sudo_logsrvd would not accept a restore point
211 of zero.
212
213 * Fixed a bug in visudo where the value of the "editor" setting was not
214 used if it did not match the user's EDITOR environment variable.
215 This was only a problem if the "env_editor" setting was not enabled.
216 Bug #1000.
217
218 * Sudo now builds with the -fcf-protection compiler option and the
219 "-z now" linker option if supported.
220
221 * The output of "sudoreplay -l" now more closely matches the
222 traditional sudo log format.
223
224 * The sudo_sendlog utility will now use the full contents of the log.json
225 file, if present. This makes it possible to send sudo-format I/O logs
226 that use the newer log.json format to sudo_logsrvd without losing any
227 information.
228
229 * Fixed compilation of the arc4random_buf() replacement on systems with
230 arc4random() but no arc4random_buf(). Bug #1008.
231
232 * Sudo now uses its own getentropy() by default on Linux. The GNU libc
233 version of getentropy() will fail on older kernels that don't support
234 the getrandom() system call.
235
236 * It is now possible to build sudo with WolfSSL's OpenSSL compatibility
237 layer by using the --enable-wolfssl configure option.
238
239 * Fixed a bug related to Daylight Saving Time when parsing timestamps
240 in Generalized Time format. This affected the NOTBEFORE and
241 NOTAFTER options in sudoers. Bug #1006
242
243 * Added the -O and -P options to visudo, which can be used to check
244 or set the owner and permissions. This can be used in conjunction
245 with the -c option to check that the sudoers file ownership and
246 permissions are correct. Bug #1007.
247
248 * It is now possible to set resource limits in the sudoers file itself.
249 The special values "default" and "user" refer to the default system
250 limit and invoking user limit respectively. The core dump size limit
251 is now set to 0 by default unless overridden by the sudoers file.
252
253 * The cvtsudoers utility can now merge multiple sudoers sources into
254 a single, combined sudoers file. If there are conflicting entries,
255 cvtsudoers will attempt to resolve them but manual intervention
256 may be required. The merging of sudoers rules is currently fairly
257 simplistic but will be improved in a future release.
258
259 * Sudo was parsing but not applying the "deref" and "tls_reqcert"
260 ldap.conf settings. This meant the options were effectively
261 ignored which broke dereferencing of aliases in LDAP. Bug #1013.
262
263 * Clarified in the sudo man page that the security policy may
264 override the user's PATH environment variable. Bug #1014.
265
266 * When sudo is run in non-interactive mode (with the -n option), it
267 will now attempt PAM authentication and only exit with an error
268 if user interaction is required. This allows PAM modules that
269 don't interact with the user to succeed. Previously, sudo
270 would not attempt authentication if the -n option was specified.
271 Bug #956 and GitHub issue #83.
272
273 * Fixed a regression introduced in version 1.9.1 when sudo is
274 built with the --with-fqdn configure option. The local host
275 name was being resolved before the sudoers file was processed,
276 making it impossible to disable DNS lookups by negating the
277 "fqdn" sudoers option. Bug #1016.
278
279 * Added support for negated sudoUser attributes in the LDAP and
280 SSSD sudoers back ends. A matching sudoUser that is negated
281 will cause the sudoRole containing it to be ignored.
282
283 * Fixed a bug where the stack resource limit could be set to a
284 value smaller than that of the invoking user and not be reset
285 before the command was run. Bug #1017.
286
287 What's new in Sudo 1.9.8p2
288
289 * Fixed a potential out-of-bounds read with "sudo -i" when the
290 target user's shell is bash. This is a regression introduced
291 in sudo 1.9.8. Bug #998.
292
293 * sudo_logsrvd now only sends a log ID for first command of a session.
294 There is no need to send the log ID for each sub-command.
295
296 * Fixed a few minor memory leaks in intercept mode.
297
298 * Fixed a problem with sudo_logsrvd in relay mode if "store_first"
299 was enabled when handling sub-commands. A new zero-length journal
300 file was created for each sub-command instead of simply using
301 the existing journal file.
302
303 * Fixed a bug where sudoedit would fail if one of the directories
304 in the path to be edited had the immutable flag set (BSD, Linux
305 or macOS). GitHub issue #122.
306
307 What's new in Sudo 1.9.8p1
308
309 * Fixed support for passing a prompt (sudo -p) or a login class
310 (sudo -c) on the command line. This is a regression introduced
311 in sudo 1.9.8. Bug #993.
312
313 * Fixed a crash with "sudo ALL" rules in the LDAP and SSSD back-ends.
314 This is a regression introduced in sudo 1.9.8. Bug #994.
315
316 * Fixed a compilation error when the --enable-static-sudoers configure
317 option was specified. This is a regression introduced in sudo
318 1.9.8 caused by a symbol clash with the intercept and log server
319 protobuf functions.
320
321 What's new in Sudo 1.9.8
322
323 * It is now possible to transparently intercepting sub-commands
324 executed by the original command run via sudo. Intercept support
325 is implemented using LD_PRELOAD (or the equivalent supported by
326 the system) and so has some limitations. The two main limitations
327 are that only dynamic executables are supported and only the
328 execl, execle, execlp, execv, execve, execvp, and execvpe library
329 functions are currently intercepted. Its main use case is to
330 support restricting privileged shells run via sudo.
331
332 To support this, there is a new "intercept" Defaults setting and
333 an INTERCEPT command tag that can be used in sudoers. For example:
334
335 Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
336 Defaults!SHELLS intercept
337
338 would cause sudo to run the listed shells in intercept mode.
339 This can also be set on a per-rule basis. For example:
340
341 Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
342 chuck ALL = INTERCEPT: SHELLS
343
344 would only apply intercept mode to user "chuck" when running one
345 of the listed shells.
346
347 In intercept mode, sudo will not prompt for a password before
348 running a sub-command and will not allow a set-user-ID or
349 set-group-ID program to be run by default. The new
350 intercept_authenticate and intercept_allow_setid sudoers settings
351 can be used to change this behavior.
352
353 * The new "log_subcmds" sudoers setting can be used to log additional
354 commands run in a privileged shell. It uses the same mechanism as
355 the intercept support described above and has the same limitations.
356
357 * The new "log_exit_status" sudoers setting can be used to log
358 the exit status commands run via sudo. This is also a corresponding
359 "log_exit" setting in the sudo_logsrvd.conf eventlog stanza.
360
361 * Support for logging sudo_logsrvd errors via syslog or to a file.
362 Previously, most sudo_logsrvd errors were only visible in the
363 debug log.
364
365 * Better diagnostics when there is a TLS certificate validation error.
366
367 * Using the "+=" or "-=" operators in a Defaults setting that takes
368 a string, not a list, now produces a warning from sudo and a
369 syntax error from inside visudo.
370
371 * Fixed a bug where the "iolog_mode" setting in sudoers and sudo_logsrvd
372 had no effect when creating I/O log parent directories if the I/O log
373 file name ended with the string "XXXXXX".
374
375 * Fixed a bug in the sudoers custom prompt code where the size
376 parameter that was passed to the strlcpy() function was incorrect.
377 No overflow was possible since the correct amount of memory was
378 already pre-allocated.
379
380 * The mksigname and mksiglist helper programs are now built with
381 the host compiler, not the target compiler, when cross-compiling.
382 Bug #989.
383
384 * Fixed compilation error when the --enable-static-sudoers configure
385 option was specified. This was due to a typo introduced in sudo
386 1.9.7. GitHub PR #113.
387
388 What's new in Sudo 1.9.7p2
389
390 * When formatting JSON output, octal numbers are now stored as
391 strings, not numbers. The JSON spec does not actually support
392 octal numbers with a '0' prefix.
393
394 * Fixed a compilation issue on Solaris 9.
395
396 * Sudo now can handle the getgroups() function returning a different
397 number of groups for subsequent invocations. GitHub PR #106.
398
399 * When loading a Python plugin, python_plugin.so now verifies
400 that the module loaded matches the one we tried to load. This
401 allows sudo to display a more useful error message when trying
402 to load a plugin with a name that conflicts with a Python module
403 installed in the system location.
404
405 * Sudo no longer sets the the open files resource limit to "unlimited"
406 while it runs. This avoids a problem where sudo's closefrom()
407 emulation would need to close a very large number of descriptors
408 on systems without a way to determine which ones are actually open.
409
410 * Sudo now includes a configure check for va_copy or __va_copy and
411 only defines its own version if the configure test fails.
412
413 * Fixed a bug in sudo's utmp file handling which prevented old
414 entries from being reused. As a result, the utmp (or utmpx)
415 file was appended to unnecessarily. GitHub PR #108.
416
417 * Fixed a bug introduced in sudo 1.9.7 that prevented sudo_logsrvd
418 from accepting TLS connections when OpenSSL is used. Bug #988.
419
420 What's new in Sudo 1.9.7p1
421
422 * Fixed an SELinux sudoedit bug when the edited temporary file
423 could not be opened. The sesh helper would still be run even
424 when there are no temporary files available to install.
425
426 * Fixed a compilation problem on FreeBSD.
427
428 * The sudo_noexec.so file is now built as a module on all systems
429 other than macOS. This makes it possible to use other libtool
430 implementations such as slibtool. On macOS shared libraries and
431 modules are not interchangeable and the version of libtool shipped
432 with sudo must be used.
433
434 * Fixed a few bugs in the getgrouplist() emulation on Solaris when
435 reading from the local group file.
436
437 * Fixed a bug in sudo_logsrvd that prevented periodic relay server
438 connection retries from occurring in "store_first" mode.
439
440 * Disabled the nss_search()-based getgrouplist() emulation on HP-UX
441 due to a crash when the group source is set to "compat" in
442 /etc/nsswitch.conf. This is probably due to a mismatch between
443 include/compat/nss_dbdefs.h and what HP-UX uses internally. On
444 HP-UX we now just cycle through groups the slow way using
445 getgrent(). Bug #978.
446
447 What's new in Sudo 1.9.7
448
449 * The "fuzz" Makefile target now runs all the fuzzers for 8192
450 passes (can be overridden via the FUZZ_RUNS variable). This makes
451 it easier to run the fuzzers in-tree. To run a fuzzer indefinitely,
452 set FUZZ_RUNS=-1, e.g. "make FUZZ_RUNS=-1 fuzz".
453
454 * Fixed fuzzing on FreeBSD where the ld.lld linker returns an
455 error by default when a symbol is multiply-defined.
456
457 * Added support for determining local IPv6 addresses on systems
458 that lack the getifaddrs() function. This now works on AIX,
459 HP-UX and Solaris (at least). Bug #969.
460
461 * Fixed a bug introduced in sudo 1.9.6 that caused "sudo -V" to
462 report a usage error. Also, when invoked as sudoedit, sudo now
463 allows a more restricted set of options that matches the usage
464 statement and documentation. GitHub issue #95.
465
466 * Fixed a crash in sudo_sendlog when the specified certificate
467 or key does not exist or is invalid. Bug #970
468
469 * Fixed a compilation error when sudo is configured with the
470 --disable-log-client option.
471
472 * Sudo's limited support for SUCCESS=return entries in nsswitch.conf
473 is now documented. Bug #971.
474
475 * Sudo now requires autoconf 2.70 or higher to regenerate the
476 configure script. Bug #972.
477
478 * sudo_logsrvd now has a relay mode which can be used to create
479 a hierarchy of log servers. By default, when a relay server is
480 defined, messages from the client are forwarded immediately to
481 the relay. However, if the "store_first" setting is enabled,
482 the log will be stored locally until the command completes and
483 then relayed. Bug #965.
484
485 * Sudo now links with OpenSSL by default if it is available unless
486 the --disable-openssl configure option is used or both the
487 --disable-log-client and --disable-log-server configure options
488 are specified.
489
490 * Fixed configure's Python version detection when the version minor
491 number is more than a single digit, for example Python 3.10.
492
493 * The sudo Python module tests now pass for Python 3.10.
494
495 * Sudo will now avoid changing the datasize resource limit
496 as long as the existing value is at least 1GB. This works around
497 a problem on 64-bit HP-UX where it is not possible to exactly
498 restore the original datasize limit. Bug #973.
499
500 * Fixed a race condition that could result in a hang when sudo is
501 executed by a process where the SIGCHLD handler is set to SIG_IGN.
502 This fixes the bug described by GitHub PR #98.
503
504 * Fixed an out-of-bounds read in sudoedit and visudo when the
505 EDITOR, VISUAL or SUDO_EDITOR environment variables end in an
506 unescaped backslash. Also fixed the handling of quote characters
507 that are escaped by a backslash. GitHub issue #99.
508
509 * Fixed a bug that prevented the "log_server_verify" sudoers option
510 from taking effect.
511
512 * The sudo_sendlog utility has a new -s option to cause it to stop
513 sending I/O records after a user-specified elapsed time. This
514 can be used to test the I/O log restart functionality of sudo_logsrvd.
515
516 * Fixed a crash introduced in sudo 1.9.4 in sudo_logsrvd when
517 attempting to restart an interrupted I/O log transfer.
518
519 * The TLS connection timeout in the sudoers log client was previously
520 hard-coded to 10 seconds. It now uses the value of log_server_timeout.
521
522 * The configure script now outputs a summary of the user-configurable
523 options at the end, separate from output of configure script tests.
524 Bug #820.
525
526 * Corrected the description of which groups may be specified via the
527 -g option in the Runas_Spec section. Bug #975.
528
529 What's new in Sudo 1.9.6p1
530
531 * Fixed a regression introduced in sudo 1.9.6 that resulted in an
532 error message instead of a usage message when sudo is run with
533 no arguments.
534
535 What's new in Sudo 1.9.6
536
537 * Fixed a sudo_sendlog compilation problem with the AIX xlC compiler.
538
539 * Fixed a regression introduced in sudo 1.9.4 where the
540 --disable-root-mailer configure option had no effect.
541
542 * Added a --disable-leaks configure option that avoids some
543 memory leaks on exit that would otherwise occur. This is intended
544 to be used with development tools that measure memory leaks. It
545 is not safe to use in production at this time.
546
547 * Plugged some memory leaks identified by oss-fuzz and ASAN.
548
549 * Fixed the handling of sudoOptions for an LDAP sudoRole that
550 contains multiple sudoCommands. Previously, some of the options
551 would only be applied to the first sudoCommand.
552
553 * Fixed a potential out of bounds read in the parsing of NOTBEFORE
554 and NOTAFTER sudoers command options (and their LDAP equivalents).
555
556 * The parser used for reading I/O log JSON files is now more
557 resilient when processing invalid JSON.
558
559 * Fixed typos that prevented "make uninstall" from working.
560 GitHub issue #87.
561
562 * Fixed a regression introduced in sudo 1.9.4 where the last line
563 in a sudoers file might not have a terminating NUL character
564 added if no newline was present.
565
566 * Integrated oss-fuzz and LLVM's libFuzzer with sudo. The new
567 --enable-fuzzer configure option can be combined with the
568 --enable-sanitizer option to build sudo with fuzzing support.
569 Multiple fuzz targets are available for fuzzing different parts
570 of sudo. Fuzzers are built and tested via "make fuzz" or as part
571 of "make check" (even when sudo is not built with fuzzing support).
572 Fuzzing support currently requires the LLVM clang compiler (not gcc).
573
574 * Fixed the --enable-static-sudoers configure option.
575 GitHub issue #92.
576
577 * Fixed a potential out of bounds read sudo when is run by a user
578 with more groups than the value of "max_groups" in sudo.conf.
579
580 * Added an "admin_flag" sudoers option to make the use of the
581 ~/.sudo_as_admin_successful file configurable on systems where
582 sudo is build with the --enable-admin-flag configure option.
583 This mostly affects Ubuntu and its derivatives. GitHub issue #56.
584
585 * The "max_groups" setting in sudo.conf is now limited to 1024.
586 This setting is obsolete and should no longer be needed.
587
588 * Fixed a bug in the tilde expansion of "CHROOT=dir" and "CWD=dir"
589 sudoers command options. A path "~/foo" was expanded to
590 "/home/userfoo" instead of "/home/user/foo". This also affects
591 the runchroot and runcwd Defaults settings.
592
593 * Fixed a bug on systems without a native getdelim(3) function
594 where very long lines could cause parsing of the sudoers file
595 to end prematurely. Bug #960.
596
597 * Fixed a potential integer overflow when converting the
598 timestamp_timeout and passwd_timeout sudoers settings to a
599 timespec struct.
600
601 * The default for the "group_source" setting in sudo.conf is now
602 "dynamic" on macOS. Recent versions of macOS do not reliably
603 return all of a user's non-local groups via getgroups(2), even
604 when _DARWIN_UNLIMITED_GETGROUPS is defined. Bug #946.
605
606 * Fixed a potential use-after-free in the PAM conversation function.
607 Bug #967.
608
609 * Fixed potential redefinition of sys/stat.h macros in sudo_compat.h.
610 Bug #968.
611
612 What's new in Sudo 1.9.5p2
613
614 * Fixed sudo's setprogname(3) emulation on systems that don't
615 provide it.
616
617 * Fixed a problem with the sudoers log server client where a partial
618 write to the server could result the sudo process consuming large
619 amounts of CPU time due to a cycle in the buffer queue. Bug #954.
620
621 * Added a missing dependency on libsudo_util in libsudo_eventlog.
622 Fixes a link error when building sudo statically.
623
624 * The user's KRB5CCNAME environment variable is now preserved when
625 performing PAM authentication. This fixes GSSAPI authentication
626 when the user has a non-default ccache.
627
628 * When invoked as sudoedit, the same set of command line options
629 are now accepted as for "sudo -e". The -H and -P options are
630 now rejected for sudoedit and "sudo -e" which matches the sudo
631 1.7 behavior. This is part of the fix for CVE-2021-3156.
632
633 * Fixed a potential buffer overflow when unescaping backslashes
634 in the command's arguments. Normally, sudo escapes special
635 characters when running a command via a shell (sudo -s or sudo
636 -i). However, it was also possible to run sudoedit with the -s
637 or -i flags in which case no escaping had actually been done,
638 making a buffer overflow possible. This fixes CVE-2021-3156.
639
640 What's new in Sudo 1.9.5p1
641
642 * Fixed a regression introduced in sudo 1.9.5 where the editor run
643 by sudoedit was set-user-ID root unless SELinux RBAC was in use.
644 The editor is now run with the user's real and effective user-IDs.
645
646 What's new in Sudo 1.9.5
647
648 * Fixed a crash introduced in 1.9.4 when running "sudo -i" as an
649 unknown user. This is related to but distinct from Bug #948.
650
651 * If the "lecture_file" setting is enabled in sudoers, it must now
652 refer to a regular file or a symbolic link to a regular file.
653
654 * Fixed a potential use-after-free bug in sudo_logsrvd when the
655 server shuts down if there are existing connections from clients
656 that are only logging events and not session I/O data.
657
658 * Fixed a buffer size mismatch when serializing the list of IP
659 addresses for configured network interfaces. This bug is not
660 actually exploitable since the allocated buffer is large enough
661 to hold the list of addresses.
662
663 * If sudo is executed with a name other than "sudo" or "sudoedit",
664 it will now fall back to "sudo" as the program name. This affects
665 warning, help and usage messages as well as the matching of Debug
666 lines in the /etc/sudo.conf file. Previously, it was possible
667 for the invoking user to manipulate the program name by setting
668 argv[0] to an arbitrary value when executing sudo.
669
670 * Sudo now checks for failure when setting the close-on-exec flag
671 on open file descriptors. This should never fail but, if it
672 were to, there is the possibility of a file descriptor leak to
673 a child process (such as the command sudo runs).
674
675 * Fixed CVE-2021-23239, a potential information leak in sudoedit
676 that could be used to test for the existence of directories not
677 normally accessible to the user in certain circumstances. When
678 creating a new file, sudoedit checks to make sure the parent
679 directory of the new file exists before running the editor.
680 However, a race condition exists if the invoking user can replace
681 (or create) the parent directory. If a symbolic link is created
682 in place of the parent directory, sudoedit will run the editor
683 as long as the target of the link exists. If the target of the
684 link does not exist, an error message will be displayed. The
685 race condition can be used to test for the existence of an
686 arbitrary directory. However, it _cannot_ be used to write to
687 an arbitrary location.
688
689 * Fixed CVE-2021-23240, a flaw in the temporary file handling of
690 sudoedit's SELinux RBAC support. On systems where SELinux is
691 enabled, a user with sudoedit permissions may be able to set the
692 owner of an arbitrary file to the user-ID of the target user.
693 On Linux kernels that support "protected symlinks", setting
694 /proc/sys/fs/protected_symlinks to 1 will prevent the bug from
695 being exploited. For more information see
696 https://www.sudo.ws/alerts/sudoedit_selinux.html.
697
698 * Added writability checks for sudoedit when SELinux RBAC is in use.
699 This makes sudoedit behavior consistent regardless of whether
700 or not SELinux RBAC is in use. Previously, the "sudoedit_checkdir"
701 setting had no effect for RBAC entries.
702
703 * A new sudoers option "selinux" can be used to disable sudo's
704 SELinux RBAC support.
705
706 * Quieted warnings from PVS Studio, clang analyzer, and cppcheck.
707 Added suppression annotations for PVS Studio false positives.
708
709 What's new in Sudo 1.9.4p2
710
711 * Fixed a bug introduced in sudo 1.9.4p1 which could lead to a crash
712 if the sudoers file contains a runas user-specific Defaults entry.
713 Bug #951.
714
715 What's new in Sudo 1.9.4p1
716
717 * Sudo on macOS now supports users with more than 16 groups without
718 needing to set "group_source" to "dynamic" in /etc/sudo.conf.
719 Previously, only the first 15 were used when matching group-based
720 rules in sudoers. Bug #946.
721
722 * Fixed a regression introduced in version 1.9.4 where sudo would
723 not build when configured using the --without-sendmail option.
724 Bug #947.
725
726 * Fixed a problem where if I/O logging was disabled and sudo was
727 unable to connect to sudo_logsrvd, the command would still be
728 allowed to run even when the "ignore_logfile_errors" sudoers
729 option was enabled.
730
731 * Fixed a crash introduced in version 1.9.4 when attempting to run
732 a command as a non-existent user. Bug #948.
733
734 * The installed sudo.conf file now has the default sudoers Plugin
735 lines commented out. This fixes a potential conflict when there
736 is both a system-installed version of sudo and a user-installed
737 version. GitHub issue #75.
738
739 * Fixed a regression introduced in sudo 1.9.4 where sudo would run
740 the command as a child process even when a pseudo-terminal was
741 not in use and the "pam_session" and "pam_setcred" options were
742 disabled. GitHub issue #76.
743
744 * Fixed a regression introduced in sudo 1.8.9 where the "closefrom"
745 sudoers option could not be set to a value of 3. Bug #950.
746
747 What's new in Sudo 1.9.4
748
749 * The sudoers parser will now detect when an upper-case reserved
750 word is used when declaring an alias. Now instead of "syntax
751 error, unexpected CHROOT, expecting ALIAS" the message will be
752 "syntax error, reserved word CHROOT used as an alias name".
753 Bug #941.
754
755 * Better handling of sudoers files without a final newline.
756 The parser now adds a newline at end-of-file automatically which
757 removes the need for special cases in the parser.
758
759 * Fixed a regression introduced in sudo 1.9.1 in the sssd back-end
760 where an uninitialized pointer could be freed on an error path.
761 GitHub issue #67.
762
763 * The core logging code is now shared between sudo_logsrvd and
764 the sudoers plugin.
765
766 * JSON log entries sent to syslog now use "minimal" JSON which
767 skips all non-essential white space.
768
769 * The sudoers plugin can now produce JSON-formatted logs. The
770 "log_format" sudoers option can be used to select sudo or json
771 format logs. The default is sudo format logs.
772
773 * The sudoers plugin and visudo now display the column number in
774 syntax error messages in addition to the line number. Bug #841.
775
776 * If I/O logging is not enabled but "log_servers" is set, the
777 sudoers plugin will now log accept events to sudo_logsrvd.
778 Previously, the accept event was only sent when I/O logging was
779 enabled. The sudoers plugin now sends reject and alert events too.
780
781 * The sudo logsrv protocol has been extended to allow an AlertMessage
782 to contain an optional array of InfoMessage, as AcceptMessage
783 and RejectMessage already do.
784
785 * Fixed a bug in sudo_logsrvd where receipt of SIGHUP would result
786 in duplicate entries in the debug log when debugging was enabled.
787
788 * The visudo utility now supports EDITOR environment variables
789 that use single or double quotes in the command arguments.
790 Bug #942.
791
792 * The PAM session modules now run when sudo is set-user-ID root,
793 which allows a module to determine the original user-ID.
794 Bug #944.
795
796 * Fixed a regression introduced in sudo 1.8.24 in the LDAP back-end
797 where sudoNotBefore and sudoNotAfter were applied even when the
798 SUDOERS_TIMED setting was not present in ldap.conf. Bug #945.
799
800 * Sudo packages for macOS 11 now contain universal binaries that
801 support both Intel and Apple Silicon CPUs.
802
803 * For sudo_logsrvd, an empty value for the "pid_file" setting in
804 sudo_logsrvd.conf will now disable the process ID file.
805
806 What's new in Sudo 1.9.3p1
807
808 * Fixed a regression introduced in sudo 1.9.3 where the configure
809 script would not detect the crypt(3) function if it was present
810 in the C library, not an additional library.
811
812 * Fixed a regression introduced in sudo 1.8.23 with shadow passwd
813 file authentication on OpenBSD. BSD authentication was not
814 affected.
815
816 * Sudo now logs when a user-specified command-line option is
817 rejected by a sudoers rule. Previously, these conditions were
818 written to the audit log, but the default sudo log file. Affected
819 command line arguments include -C (--close-from), -D (--chdir),
820 -R (--chroot), -g (--group) and -u (--user).
821
822 What's new in Sudo 1.9.3
823
824 * sudoedit will now prompt the user before overwriting an existing
825 file with one that is zero-length after editing. Bug #922.
826
827 * Fixed building the Python plugin on systems with a compiler that
828 doesn't support symbol hiding.
829
830 * Sudo now uses a linker script to hide symbols even when the
831 compiler supports symbol hiding. This should make it easier to
832 detect omissions in the symbol exports file, regardless of the
833 platform.
834
835 * Fixed the libssl dependency in Debian packages for older releases
836 that use libssl1.0.0.
837
838 * Sudo and visudo now provide more detailed messages when a syntax
839 error is detected in sudoers. The offending line and token are
840 now displayed. If the parser was generated by GNU bison,
841 additional information about what token was expected is also
842 displayed. Bug #841.
843
844 * Sudoers rules must now end in either a newline or the end-of-file.
845 Previously, it was possible to have multiple rules on a single
846 line, separated by white space. The use of an end-of-line
847 terminator makes it possible to display accurate error messages.
848
849 * Sudo no longer refuses to run if a syntax error in the sudoers
850 file is encountered. The entry with the syntax error will be
851 discarded and sudo will continue to parse the file. This makes
852 recovery from a syntax error less painful on systems where sudo
853 is the primary method of superuser access. The historic behavior
854 can be restored by add "error_recovery=false" to the sudoers
855 plugin's optional arguments in sudo.conf. Bug #618.
856
857 * Fixed the sample_approval plugin's symbol exports file for systems
858 where the compiler doesn't support symbol hiding.
859
860 * Fixed a regression introduced in sudo 1.9.1 where arguments to
861 the "sudoers_policy" plugin in sudo.conf were not being applied.
862 The sudoers file is now parsed by the "sudoers_audit" plugin,
863 which is loaded implicitly when "sudoers_policy" is listed in
864 sudo.conf. Starting with sudo 1.9.3, if there are plugin arguments
865 for "sudoers_policy" but "sudoers_audit" is not listed, those
866 arguments will be applied to "sudoers_audit" instead.
867
868 * The user's resource limits are now passed to sudo plugins in
869 the user_info[] list. A plugin cannot determine the limits
870 itself because sudo changes the limits while it runs to prevent
871 resource starvation.
872
873 * It is now possible to set the working directory or change the
874 root directory on a per-command basis using the CWD and CHROOT
875 options. CWD and CHROOT are now reserved words in sudoers--they
876 can no longer be used as alias names. There are also new Defaults
877 settings, runchroot and runcwd, that can be used to set the
878 working directory or root directory on a more global basis.
879
880 * New -D (--chdir) and -R (--chroot) command line options can be
881 used to set the working directory or root directory if the sudoers
882 file allows it. This functionality is not enabled by default
883 and must be explicitly enabled in the sudoers file.
884
885 * Fixed a regression introduced in sudo 1.9.1 where the sudoers_audit
886 symbol could not be resolved when sudo is configured with the
887 --enable-static-sudoers option. Bug #936 and GitHub issue #61.
888
889 What's new in Sudo 1.9.2
890
891 * Fixed package builds on RedHat Enterprise Linux 8.
892
893 * The configure script now uses pkg-config to find the openssl
894 cflags and libs where possible.
895
896 * The contents of the log.json I/O log file is now documented in
897 the sudoers manual.
898
899 * The sudoers plugin now properly exports the sudoers_audit symbol
900 on systems where the compiler lacks symbol visibility controls.
901 This caused a regression in 1.9.1 where a successful sudo command
902 was not logged due to the missing audit plugin. Bug #931.
903
904 * Fixed a regression introduced in 1.9.1 that can result in crash
905 when there is a syntax error in the sudoers file. Bug #934.
906
907 What's new in Sudo 1.9.1
908
909 * Fixed an AIX-specific problem when I/O logging was enabled.
910 The terminal device was not being properly set to raw mode.
911 Bug #927.
912
913 * Corrected handling of sudo_logsrvd connections without associated
914 I/O log data. This fixes support for RejectMessage as well as
915 AcceptMessage when the expect_iobufs flag is not set.
916
917 * Added an "iolog_path" entry to the JSON-format event log produced
918 by sudo_logsrvd. Previously, it was only possible to determine
919 the I/O log file an event belonged to using sudo-format logs.
920
921 * Fixed the bundle IDs for sudo-logsrvd and sudo-python macOS packages.
922
923 * I/O log files produced by the sudoers plugin now clear the write
924 bits on the I/O log timing file when the log is complete. This
925 is consistent with how sudo_logsrvd indicates that a log is
926 complete.
927
928 * The sudoreplay utility has a new "-F" (follow) command line
929 option to allow replaying a session that is still in progress,
930 similar to "tail -f".
931
932 * The @include and @includedir directives can be used in sudoers
933 instead of #include and #includedir. In addition, include paths
934 may now have embedded white space by either using a double-quoted
935 string or escaping the space characters with a backslash.
936
937 * Fixed some Solaris 11.4 compilation errors.
938
939 * When running a command in a pty, sudo will no longer try to
940 suspend itself if the user's tty has been revoked (for instance
941 when the parent ssh daemon is killed). This fixes a bug where
942 sudo would continuously suspend the command (which would succeed),
943 then suspend itself (which would fail due to the missing tty)
944 and then resume the command.
945
946 * If sudo's event loop fails due to the tty being revoked, remove
947 the user's tty events and restart the event loop (once). This
948 fixes a problem when running "sudo reboot" in a pty on some
949 systems. When the event loop exited unexpectedly, sudo would
950 kill the command running in the pty, which in the case of "reboot",
951 could lead to the system being in a half-rebooted state.
952
953 * Fixed a regression introduced in sudo 1.8.23 in the LDAP and
954 SSSD back-ends where a missing sudoHost attribute was treated
955 as an "ALL" wildcard value. A sudoRole with no sudoHost attribute
956 is now ignored as it was prior to version 1.8.23.
957
958 * The audit plugin API has been changed slightly. The sudo front-end
959 now audits an accept event itself after all approval plugins are
960 run and the I/O logging plugins (if any) are opened. This makes
961 it possible for an audit plugin to only log a single overall
962 accept event if desired.
963
964 * The sudoers plugin can now be loaded as an audit plugin. Logging
965 of successful commands is now performed in the audit plugin's
966 accept function. As a result, commands are now only logged if
967 allowed by sudoers and all approval plugins. Commands rejected
968 by an approval plugin are now also logged by the sudoers plugin.
969
970 * Romanian translation for sudo and sudoers from translationproject.org.
971
972 * Fixed a regression introduced in sudo 1.9.0 where sudoedit did
973 not remove its temporary files after installing them. Bug #929.
974
975 * Fixed a regression introduced in sudo 1.9.0 where the iolog_file
976 setting in sudoers and sudo_logsrvd.conf caused an error if the
977 file name ended in six or more X's.
978
979 What's new in Sudo 1.9.0
980
981 * Fixed a test failure in the strsig_test regress test on FreeBSD.
982
983 * The maximum length of a conversation reply has been increased
984 from 255 to 1023 characters. This allows for longer user passwords.
985 Bug #860.
986
987 * Sudo now includes a logging daemon, sudo_logsrvd, which can be
988 used to implement centralized logging of I/O logs. TLS connections
989 are supported when sudo is configured with the --enable-openssl
990 option. For more information, see the sudo_logsrvd, logsrvd.conf
991 and sudo_logsrv.proto manuals as well as the log_servers setting
992 in the sudoers manual.
993
994 The --disable-log-server and --disable-log-client configure
995 options can be used to disable building the I/O log server and/or
996 remote I/O log support in the sudoers plugin.
997
998 * The new sudo_sendlog utility can be used to test sudo_logsrvd
999 or send existing sudo I/O logs to a centralized server.
1000
1001 * It is now possible to write sudo plugins in Python 3 when sudo
1002 is configured with the --enable-python option. See the
1003 sudo_plugin_python manual for details.
1004
1005 Sudo 1.9.0 comes with several Python example plugins that get
1006 installed sudo's examples directory.
1007
1008 The sudo blog article "What's new in sudo 1.9: Python"
1009 (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/)
1010 includes a simple tutorial on writing python plugins.
1011
1012 * Sudo now supports an "audit" plugin type. An audit plugin
1013 receives accept, reject, exit and error messages and can be used
1014 to implement custom logging that is independent of the underlying
1015 security policy. Multiple audit plugins may be specified in
1016 the sudo.conf file. A sample audit plugin is included that
1017 writes logs in JSON format.
1018
1019 * Sudo now supports an "approval" plugin type. An approval plugin
1020 is run only after the main security policy (such as sudoers) accepts
1021 a command to be run. The approval policy may perform additional
1022 checks, potentially interacting with the user. Multiple approval
1023 plugins may be specified in the sudo.conf file. Only if all
1024 approval plugins succeed will the command be allowed.
1025
1026 * Sudo's -S command line option now causes the sudo conversation
1027 function to write to the standard output or standard error instead
1028 of the terminal device.
1029
1030 * Fixed a bug where if a #include or #includedir directive was the
1031 last line in sudoers and there was no final newline character, it
1032 was silently ignored. Bug #917.
1033
1034 * It is now possible to use "Cmd_Alias" instead of "Cmnd_Alias" for
1035 people who find the former more natural.
1036
1037 * The new "pam_ruser" and "pam_rhost" sudoers settings can be used
1038 to enable or disable setting the PAM remote user and/or host
1039 values during PAM session setup.
1040
1041 * More than one SHA-2 digest may now be specified for a single
1042 command. Multiple digests must be separated by a comma.
1043
1044 * It is now possible to specify a SHA-2 digest in conjunction with
1045 the "ALL" reserved word in a command specification. This allows
1046 one to give permission to run any command that matches the
1047 specified digest, regardless of its path.
1048
1049 * Sudo and sudo_logsrvd now create an extended I/O log info file
1050 in JSON format that contains additional information about the
1051 command that was run, such as the host name. The sudoreplay
1052 utility uses this file in preference to the legacy log file.
1053
1054 * The sudoreplay utility can now match on a host name in list mode.
1055 The list output also now includes the host name if one is present
1056 in the log file.
1057
1058 * For "sudo -i", if the target user's home directory does not
1059 exist, sudo will now warn about the problem but run the command
1060 in the current working directory. Previously, this was a fatal
1061 error. Debian bug #598519.
1062
1063 * The command line arguments in the SUDO_COMMAND environment
1064 variable are now truncated at 4096 characters. This avoids an
1065 "Argument list too long" error when executing a command with a
1066 large number of arguments. Bug #923 (Debian bug #596631).
1067
1068 * Sudo now properly ends the PAM transaction when the user
1069 authenticates successfully but sudoers denies the command.
1070 Debian bug #669687.
1071
1072 * The sudoers grammar in the manual now indicates that "sudoedit"
1073 requires one or more arguments. Debian bug #571621.
1074
1075 * When copying the edited files to the original path, sudoedit now
1076 allocates any additional space needed before writing. Previously,
1077 it could truncate the destination file if the file system was
1078 full. Bug #922.
1079
1080 * Fixed an issue where PAM session modules could be called with
1081 the wrong user name when multiple users in the passwd database
1082 share the the same user-ID. Debian bug #734752.
1083
1084 * Sudo command line options that take a value may only be specified
1085 once. This is to help guard against problems caused by poorly
1086 written scripts that invoke sudo with user-controlled input.
1087 Bug #924.
1088
1089 What's new in Sudo 1.8.31p1
1090
1091 * Sudo once again ignores a failure to restore the RLIMIT_CORE
1092 resource limit, as it did prior to version 1.8.29. Linux
1093 containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY
1094 if we set the limit to zero, even for root, which resulted in a
1095 warning from sudo.
1096
1097 What's new in Sudo 1.8.31
1098
1099 * Fixed CVE-2019-18634, a buffer overflow when the "pwfeedback"
1100 sudoers option is enabled on systems with uni-directional pipes.
1101
1102 * The "sudoedit_checkdir" option now treats a user-owned directory
1103 as writable, even if it does not have the write bit set at the
1104 time of check. Symbolic links will no longer be followed by
1105 sudoedit in any user-owned directory. Bug #912
1106
1107 * Fixed sudoedit on macOS 10.15 and above where the root file system
1108 is mounted read-only. Bug #913.
1109
1110 * Fixed a crash introduced in sudo 1.8.30 when suspending sudo
1111 at the password prompt. Bug #914.
1112
1113 * Fixed compilation on systems where the mmap MAP_ANON flag
1114 is not available. Bug #915.
1115
1116 What's new in Sudo 1.8.30
1117
1118 * Fixed a warning on macOS introduced in sudo 1.8.29 when sudo
1119 attempts to set the open file limit to unlimited. Bug #904.
1120
1121 * Sudo now closes file descriptors before changing uids. This
1122 prevents a non-root process from interfering with sudo's ability
1123 to close file descriptors on systems that support the prlimit(2)
1124 system call.
1125
1126 * Sudo now treats an attempt to run "sudo sudoedit" as simply
1127 "sudoedit". If the sudoers file contains a fully-qualified path
1128 to sudoedit, sudo will now treat it simply as "sudoedit" (with
1129 no path). Visudo will will now treat a fully-qualified path
1130 to sudoedit as an error. Bug #871.
1131
1132 * Fixed a bug introduced in sudo 1.8.28 where sudo would warn about
1133 a missing /etc/environment file on AIX and Linux when PAM is not
1134 enabled. Bug #907
1135
1136 * Fixed a bug on Linux introduced in sudo 1.8.29 that prevented
1137 the askpass program from running due to an unlimited stack size
1138 resource limit. Bug #908.
1139
1140 * If a group provider plugin has optional arguments, the argument list
1141 passed to the plugin is now NULL terminated as per the documentation.
1142
1143 * The user's time stamp file is now only updated if both authentication
1144 and approval phases succeed. This is consistent with the behavior
1145 of sudo prior to version 1.8.23. Bug #910
1146
1147 * The new allow_unknown_runas_id sudoers setting can be used to
1148 enable or disable the use of unknown user or group IDs. Previously,
1149 sudo would always allow unknown user or group IDs if the sudoers
1150 entry permitted it, including via the "ALL" alias. As of sudo
1151 1.8.30, the admin must explicitly enable support for unknown IDs.
1152
1153 * The new runas_check_shell sudoers setting can be used to require
1154 that the runas user have a shell listed in the /etc/shells file.
1155 On many systems, users such as "bin", do not have a valid shell
1156 and this flag can be used to prevent commands from being run as
1157 those users.
1158
1159 * Fixed a problem restoring the SELinux tty context during reboot
1160 if mctransd is killed before sudo finishes. GitHub issue #17.
1161
1162 * Fixed an intermittent warning on NetBSD when sudo restores the
1163 initial stack size limit.
1164
1165 What's new in Sudo 1.8.29
1166
1167 * The cvtsudoers command will now reject non-LDIF input when converting
1168 from LDIF format to sudoers or JSON formats.
1169
1170 * The new log_allowed and log_denied sudoers settings make it possible
1171 to disable logging and auditing of allowed and/or denied commands.
1172
1173 * The umask is now handled differently on systems with PAM or login.conf.
1174 If the umask is explicitly set in sudoers, that value is used regardless
1175 of what PAM or login.conf may specify. However, if the umask is not
1176 explicitly set in sudoers, PAM or login.conf may now override the default
1177 sudoers umask. Bug #900.
1178
1179 * For "make install", the sudoers file is no longer checked for syntax
1180 errors when DESTDIR is set. The default sudoers file includes the
1181 contents of /etc/sudoers.d which may not be readable as non-root.
1182 Bug #902.
1183
1184 * Sudo now sets most resource limits to their maximum value to avoid
1185 problems caused by insufficient resources, such as an inability to
1186 allocate memory or open files and pipes.
1187
1188 * Fixed a regression introduced in sudo 1.8.28 where sudo would refuse
1189 to run if the parent process was not associated with a session.
1190 This was due to sudo passing a session ID of -1 to the plugin.
1191
1192 What's new in Sudo 1.8.28p1
1193
1194 * The fix for Bug #869 caused "sudo -v" to prompt for a password
1195 when "verifypw" is set to "all" (the default) and all of the
1196 user's sudoers entries are marked with NOPASSWD. Bug #901.
1197
1198 What's new in Sudo 1.8.28
1199
1200 * Sudo will now only set PAM_TTY to the empty string when no
1201 terminal is present on Solaris and Linux. This workaround is
1202 only needed on those systems which may have PAM modules that
1203 misbehave when PAM_TTY is not set.
1204
1205 * The mailerflags sudoers option now has a default value even if
1206 sendmail support was disabled at configure time. Fixes a crash
1207 when the mailerpath sudoers option is set but mailerflags is not.
1208 Bug #878.
1209
1210 * Sudo will now filter out last login messages on HP-UX unless it
1211 a shell is being run via "sudo -s" or "sudo -i". Otherwise,
1212 when trusted mode is enabled, these messages will be displayed
1213 for each command.
1214
1215 * On AIX, when the user's password has expired and PAM is not in use,
1216 sudo will now allow the user to change their password.
1217 Bug #883.
1218
1219 * Sudo has a new -B command line option that will ring the terminal
1220 bell when prompting for a password.
1221
1222 * Sudo no longer refuses to prompt for a password when it cannot
1223 determine the user's terminal as long as it can open /dev/tty.
1224 This allows sudo to function on systems where /proc is unavailable,
1225 such as when running in a chroot environment.
1226
1227 * The "env_editor" sudoers flag is now on by default. This makes
1228 source builds more consistent with the packages generated by
1229 sudo's mkpkg script.
1230
1231 * Sudo no longer ships with pre-formatted copies of the manual pages.
1232 These were included for systems like IRIX that don't ship with an
1233 nroff utility. There are now multiple Open Source nroff replacements
1234 so this should no longer be an issue.
1235
1236 * Fixed a bad interaction with configure's --prefix and
1237 --disable-shared options. Bug #886.
1238
1239 * More verbose error message when a password is required and no terminal
1240 is present. Bug #828.
1241
1242 * Command tags, such as NOPASSWD, are honored when a user tries to run a
1243 command that is allowed by sudoers but which does not actually
1244 exist on the file system. Bug #888.
1245
1246 * Asturian translation for sudoers from translationproject.org.
1247
1248 * I/O log timing files now store signal suspend and resume information
1249 in the form of a signal name instead of a number.
1250
1251 * Fixed a bug introduced in 1.8.24 that prevented sudo from honoring
1252 the value of "ipa_hostname" from sssd.conf, if specified, when
1253 matching the host name.
1254
1255 * Fixed a bug introduced in 1.8.21 that prevented the core dump
1256 resource limit set in the pam_limits module from taking effect.
1257 Bug #894.
1258
1259 * Fixed parsing of double-quoted Defaults group and netgroup bindings.
1260
1261 * The user ID is now used when matching sudoUser attributes in LDAP.
1262 Previously, the user name, group name and group IDs were used
1263 when matching but not the user ID.
1264
1265 * Sudo now writes PAM messages to the user's terminal, if available,
1266 instead of the standard output or standard error. This prevents
1267 PAM output from being intermixed with that of the command when
1268 output is sent to a file or pipe. Bug #895.
1269
1270 * Sudoedit now honors the umask and umask_override settings in sudoers.
1271 Previously, the user's umask was used as-is.
1272
1273 * Fixed a bug where the terminal's file context was not restored
1274 when using SELinux RBAC. Bug #898.
1275
1276 * Fixed CVE-2019-14287, a bug where a sudo user may be able to
1277 run a command as root when the Runas specification explicitly
1278 disallows root access as long as the ALL keyword is listed first.
1279
1280 What's new in Sudo 1.8.27
1281
1282 * On HP-UX, sudo will now update the utmps file when running a command
1283 in a pseudo-tty. Previously, only the utmp and utmpx files were
1284 updated.
1285
1286 * Nanosecond precision file time stamps are now supported in HP-UX.
1287
1288 * Fixes and clarifications to the sudo plugin documentation.
1289
1290 * The sudo manuals no longer require extensive post-processing to
1291 hide system-specific features. Conditionals in the roff source
1292 are now used instead. This fixes corruption of the sudo manual
1293 on systems without BSD login classes. Bug #861.
1294
1295 * If an I/O logging plugin is configured but the plugin does not
1296 actually log any I/O, sudo will no longer force the command to
1297 be run in a pseudo-tty.
1298
1299 * The fix for bug #843 in sudo 1.8.24 was incomplete. If the
1300 user's password was expired or needed to be updated, but no sudo
1301 password was required, the PAM handle was freed too early,
1302 resulting in a failure when processing PAM session modules.
1303
1304 * In visudo, it is now possible to specify the path to sudoers
1305 without using the -f option. Bug #864.
1306
1307 * Fixed a bug introduced in sudo 1.8.22 where the utmp (or utmpx)
1308 file would not be updated when a command was run in a pseudo-tty.
1309 Bug #865.
1310
1311 * Sudo now sets the silent flag when opening the PAM session except
1312 when running a shell via "sudo -s" or "sudo -i". This prevents
1313 the pam_lastlog module from printing the last login information
1314 for each sudo command. Bug #867.
1315
1316 * Fixed the default AIX hard resource limit for the maximum number
1317 of files a user may have open. If no hard limit for "nofiles"
1318 is explicitly set in /etc/security/limits, the default should
1319 be "unlimited". Previously, the default hard limit was 8196.
1320
1321 What's new in Sudo 1.8.26
1322
1323 * Fixed a bug in cvtsudoers when converting to JSON format when
1324 alias expansion is enabled. Bug #853.
1325
1326 * Sudo no long sets the USERNAME environment variable when running
1327 commands. This is a non-standard environment variable that was
1328 set on some older Linux systems.
1329
1330 * Sudo now treats the LOGNAME and USER environment variables (as
1331 well as the LOGIN variable on AIX) as a single unit. If one is
1332 preserved or removed from the environment using env_keep, env_check
1333 or env_delete, so is the other.
1334
1335 * Added support for OpenLDAP's TLS_REQCERT setting in ldap.conf.
1336
1337 * Sudo now logs when the command was suspended and resumed in the
1338 I/O logs. This information is used by sudoreplay to skip the
1339 time suspended when replaying the session unless the new -S flag
1340 is used.
1341
1342 * Fixed documentation problems found by the igor utility. Bug #854.
1343
1344 * Sudo now prints a warning message when there is an error or end
1345 of file while reading the password instead of exiting silently.
1346
1347 * Fixed a bug in the sudoers LDAP back-end parsing the command_timeout,
1348 role, type, privs and limitprivs sudoOptions. This also affected
1349 cvtsudoers conversion from LDIF to sudoers or JSON.
1350
1351 * Fixed a bug that prevented timeout settings in sudoers from
1352 functioning unless a timeout was also specified on the command
1353 line.
1354
1355 * Asturian translation for sudo from translationproject.org.
1356
1357 * When generating LDIF output, cvtsudoers can now be configured
1358 to pad the sudoOrder increment such that the start order is used
1359 as a prefix. Bug #856.
1360
1361 * Fixed a bug introduced in sudo 1.8.25 that prevented sudo from
1362 properly setting the user's groups on AIX. Bug #857.
1363
1364 * If the user specifies a group via sudo's -g option that matches
1365 any of the target user's groups, it is now allowed even if no
1366 groups are present in the Runas_Spec. Previously, it was only
1367 allowed if it matched the target user's primary group.
1368
1369 * The sudoers LDAP back-end now supports negated sudoRunAsUser and
1370 sudoRunAsGroup entries.
1371
1372 * Sudo now provides a proper error message when the "fqdn" sudoers
1373 option is set and it is unable to resolve the local host name.
1374 Bug #859.
1375
1376 * Portuguese translation for sudo and sudoers from translationproject.org.
1377
1378 * Sudo now includes sudoers LDAP schema for the on-line configuration
1379 supported by OpenLDAP.
1380
1381 What's new in Sudo 1.8.25p1
1382
1383 * Fixed a bug introduced in sudo 1.8.25 that caused a crash on
1384 systems that have the poll() function but not the ppoll() function.
1385 Bug #851.
1386
1387 What's new in Sudo 1.8.25
1388
1389 * Fixed a bug introduced in sudo 1.8.20 that broke formatting of
1390 I/O log timing file entries on systems without a C99-compatible
1391 snprintf() function. Our replacement snprintf() doesn't support
1392 floating point so we can't use the "%f" format directive.
1393
1394 * I/O log timing file entries now use a monotonic timer and include
1395 nanosecond precision. A monotonic timer that does not increment
1396 while the system is sleeping is used where available.
1397
1398 * Fixed a bug introduced in sudo 1.8.24 where sudoNotAfter in the LDAP
1399 back-end was not being properly parsed. Bug #845.
1400
1401 * When sudo runs a command in a pseudo-terminal, the follower
1402 device is now closed in the main process immediately after
1403 starting the monitor process. This removes the need for an
1404 AIX-specific workaround that was added in sudo 1.8.24.
1405
1406 * Added support for monotonic timers on HP-UX.
1407
1408 * Fixed a bug displaying timeout values the "sudo -V" output.
1409 The value displayed was 3600 times the actual value. Bug #846.
1410
1411 * Fixed a build issue on AIX 7.1 BOS levels that include memset_s()
1412 and define rsize_t in string.h. Bug #847.
1413
1414 * The testsudoers utility now supports querying an LDIF-format
1415 policy.
1416
1417 * Sudo now sets the LOGIN environment variable to the same value as
1418 LOGNAME on AIX systems. Bug #848.
1419
1420 * Fixed a regression introduced in sudo 1.8.24 where the LDAP and
1421 SSSD back-ends evaluated the rules in reverse sudoOrder. Bug #849.
1422
1423 What's new in Sudo 1.8.24
1424
1425 * The LDAP and SSS back-ends now use the same rule evaluation code
1426 as the sudoers file back-end. This builds on the work in sudo
1427 1.8.23 where the formatting functions for "sudo -l" output were
1428 shared. The handling of negated commands in SSS and LDAP is
1429 unchanged.
1430
1431 * Fixed a regression introduced in 1.8.23 where "sudo -i" could
1432 not be used in conjunction with --preserve-env=VARIABLE. Bug #835.
1433
1434 * cvtsudoers can now parse base64-encoded attributes in LDIF files.
1435
1436 * Random insults are now more random.
1437
1438 * Fixed the noexec wordexp(3) test on FreeBSD.
1439
1440 * Added SUDO_CONV_PREFER_TTY flag for conversation function to
1441 tell sudo to try writing to /dev/tty first. Can be used in
1442 conjunction with SUDO_CONV_INFO_MSG and SUDO_CONV_ERROR_MSG.
1443
1444 * Sudo now supports an arbitrary number of groups per user on
1445 Solaris. Previously, only the first 64 groups were found.
1446 This should remove the need to set "max_groups" in sudo.conf.
1447
1448 * Fixed typos in the OpenLDAP sudo schema. Bugs #839 and #840.
1449
1450 * Fixed a race condition when building with parallel make.
1451 Bug #842.
1452
1453 * Fixed a duplicate free when netgroup_base in ldap.conf is set
1454 to an invalid value.
1455
1456 * Fixed a bug introduced in sudo 1.8.23 on AIX that could prevent
1457 local users and groups from being resolved properly on systems
1458 that have users stored in NIS, LDAP or AD.
1459
1460 * Added a workaround for an AIX bug exposed by a change in sudo
1461 1.8.23 that prevents the terminal mode from being restored when
1462 I/O logging is enabled.
1463
1464 * On systems using PAM, sudo now ignores the PAM_NEW_AUTHTOK_REQD
1465 and PAM_AUTHTOK_EXPIRED errors from PAM account management if
1466 authentication is disabled for the user. This fixes a regression
1467 introduced in sudo 1.8.23. Bug #843.
1468
1469 * Fixed an ambiguity in the sudoers manual in the description and
1470 definition of User, Runas, Host, and Cmnd Aliases. Bug #834.
1471
1472 * Fixed a bug that resulted in only the first window size change
1473 event being logged.
1474
1475 * Fixed a bug on HP-UX systems introduced in sudo 1.8.22 that
1476 caused sudo to prompt for a password every time when tty-based
1477 time stamp files were in use.
1478
1479 * Fixed a compilation problem on systems that define O_PATH or
1480 O_SEARCH in fnctl.h but do not define O_DIRECTORY. Bug #844.
1481
1482 What's new in Sudo 1.8.23
1483
1484 * PAM account management modules and BSD auth approval modules are
1485 now run even when no password is required.
1486
1487 * For kernel-based time stamps, if no terminal is present, fall
1488 back to parent-pid style time stamps.
1489
1490 * The new cvtsudoers utility replaces both the "sudoers2ldif" script
1491 and the "visudo -x" functionality. It can read a file in either
1492 sudoers or LDIF format and produce JSON, LDIF or sudoers output.
1493 It is also possible to filter the generated output file by user,
1494 group or host name.
1495
1496 * The file, ldap and sss sudoers back-ends now share a common set
1497 of formatting functions for "sudo -l" output, which is also used
1498 by the cvtsudoers utility.
1499
1500 * The /run directory is now used in preference to /var/run if it
1501 exists. Bug #822.
1502
1503 * More accurate descriptions of the --with-rundir and --with-vardir
1504 configure options. Bug #823.
1505
1506 * The setpassent() and setgroupent() functions are now used on systems
1507 that support them to keep the passwd and group database open.
1508 Sudo performs a lot of passwd and group lookups so it can be
1509 beneficial to avoid opening and closing the files each time.
1510
1511 * The new case_insensitive_user and case_insensitive_group sudoers
1512 options can be used to control whether sudo does case-sensitive
1513 matching of users and groups in sudoers. Case insensitive
1514 matching is now the default.
1515
1516 * Fixed a bug on some systems where sudo could hang on command
1517 exit when I/O logging was enabled. Bug #826.
1518
1519 * Fixed the build-time process start time test on Linux when the
1520 test is run from within a container. Bug #829.
1521
1522 * When determining which temporary directory to use, sudoedit now
1523 checks the directory for writability before using it. Previously,
1524 sudoedit only performed an existence check. Bug #827.
1525
1526 * Sudo now includes an optional set of Monty Python-inspired insults.
1527
1528 * Fixed the execution of scripts with an associated digest (checksum)
1529 in sudoers on FreeBSD systems. FreeBSD does not have a proper
1530 /dev/fd directory mounted by default and its fexecve(2) is not
1531 fully POSIX compliant when executing scripts. Bug #831.
1532
1533 * Chinese (Taiwan) translation for sudo from translationproject.org.
1534
1535 What's new in Sudo 1.8.22
1536
1537 * Commands run in the background from a script run via sudo will
1538 no longer receive SIGHUP when the parent exits and I/O logging
1539 is enabled. Bug #502
1540
1541 * A particularly offensive insult is now disabled by default.
1542 Bug #804
1543
1544 * The description of "sudo -i" now correctly documents that
1545 the "env_keep" and "env_check" sudoers options are applied to
1546 the environment. Bug #806
1547
1548 * Fixed a crash when the system's host name is not set.
1549 Bug #807
1550
1551 * The sudoers2ldif script now handles #include and #includedir
1552 directives.
1553
1554 * Fixed a bug where sudo would silently exit when the command was
1555 not allowed by sudoers and the "passwd_tries" sudoers option
1556 was set to a value less than one.
1557
1558 * Fixed a bug with the "listpw" and "verifypw" sudoers options and
1559 multiple sudoers sources. If the option is set to "all", a
1560 password should be required unless none of a user's sudoers
1561 entries from any source require authentication.
1562
1563 * Fixed a bug with the "listpw" and "verifypw" sudoers options in
1564 the LDAP and SSSD back-ends. If the option is set to "any", and
1565 the entry contained multiple rules, only the first matching rule
1566 was checked. If an entry contained more than one matching rule
1567 and the first rule required authentication but a subsequent rule
1568 did not, sudo would prompt for a password when it should not have.
1569
1570 * When running a command as the invoking user (not root), sudo
1571 would execute the command with the same group vector it was
1572 started with. Sudo now executes the command with a new group
1573 vector based on the group database which is consistent with
1574 how su(1) operates.
1575
1576 * Fixed a double free in the SSSD back-end that could occur when
1577 ipa_hostname is present in sssd.conf and is set to an unqualified
1578 host name.
1579
1580 * When I/O logging is enabled, sudo will now write to the terminal
1581 even when it is a background process. Previously, sudo would
1582 only write to the tty when it was the foreground process when
1583 I/O logging was enabled. If the TOSTOP terminal flag is set,
1584 sudo will suspend the command (and then itself) with the SIGTTOU
1585 signal.
1586
1587 * A new "authfail_message" sudoers option that overrides the
1588 default "N incorrect password attempt(s)".
1589
1590 * An empty sudoRunAsUser attribute in the LDAP and SSSD back-ends
1591 will now match the invoking user. This is more consistent with
1592 how an empty runas user in the sudoers file is treated.
1593
1594 * Documented that in check mode, visudo does not check the owner/mode
1595 on files specified with the -f flag. Bug #809.
1596
1597 * It is now an error to specify the runas user as an empty string
1598 on the command line. Previously, an empty runas user was treated
1599 the same as an unspecified runas user. Bug #817.
1600
1601 * When "timestamp_type" option is set to "tty" and a terminal is
1602 present, the time stamp record will now include the start time
1603 of the session leader. When the "timestamp_type" option is set
1604 to "ppid" or when no terminal is available, the start time of
1605 the parent process is used instead. This significantly reduces
1606 the likelihood of a time stamp record being re-used when a user
1607 logs out and back in again. Bug #818.
1608
1609 * The sudoers time stamp file format is now documented in the new
1610 sudoers_timestamp manual.
1611
1612 * The "timestamp_type" option now takes a "kernel" value on OpenBSD
1613 systems. This causes the tty-based time stamp to be stored in
1614 the kernel instead of on the file system. If no tty is present,
1615 the time stamp is considered to be invalid.
1616
1617 * Visudo will now use the SUDO_EDITOR environment variable (if
1618 present) in addition to VISUAL and EDITOR.
1619
1620 What's new in Sudo 1.8.21p2
1621
1622 * Fixed a bug introduced in version 1.8.21 which prevented sudo
1623 from using the PAM-supplied prompt. Bug #799
1624
1625 * Fixed a bug introduced in version 1.8.21 which could result in
1626 sudo hanging when running commands that exit quickly. Bug #800
1627
1628 * Fixed a bug introduced in version 1.8.21 which prevented the
1629 command from being run when the password was read via an external
1630 program using the askpass interface. Bug #801
1631
1632 What's new in Sudo 1.8.21p1
1633
1634 * On systems that support both PAM and SIGINFO, the main sudo
1635 process will no longer forward SIGINFO to the command if the
1636 signal was generated from the keyboard. The command will have
1637 already received SIGINFO since it is part of the same process
1638 group so there's no need for sudo to forward it. This is
1639 consistent with the handling of SIGINT, SIGQUIT and SIGTSTP.
1640 Bug #796
1641
1642 * If SUDOERS_SEARCH_FILTER in ldap.conf does not specify a value,
1643 the LDAP search expression used when looking up netgroups and
1644 non-Unix groups had a syntax error if a group plugin was not
1645 specified.
1646
1647 * "sudo -U otheruser -l" will now have an exit value of 0 even
1648 if "otheruser" has no sudo privileges. The exit value when a
1649 user attempts to lists their own privileges or when a command
1650 is specified is unchanged.
1651
1652 * Fixed a regression introduced in sudo 1.8.21 where sudoreplay
1653 playback would hang for I/O logs that contain terminal input.
1654
1655 * Sudo 1.8.18 contained an incomplete fix for the matching of
1656 entries in the LDAP and SSSD back-ends when a sudoRunAsGroup is
1657 specified but no sudoRunAsUser is present in the sudoRole.
1658
1659 What's new in Sudo 1.8.21
1660
1661 * The path that sudo uses to search for terminal devices can now
1662 be configured via the new "devsearch" Path setting in sudo.conf.
1663
1664 * It is now possible to preserve bash shell functions in the
1665 environment when the "env_reset" sudoers setting is disabled by
1666 removing the "*=()*" pattern from the env_delete list.
1667
1668 * A change made in sudo 1.8.15 inadvertently caused sudoedit to
1669 send itself SIGHUP instead of exiting when the editor returns
1670 an error or the file was not modified.
1671
1672 * Sudoedit now uses an exit code of zero if the file was not
1673 actually modified. Previously, sudoedit treated a lack of
1674 modifications as an error.
1675
1676 * When running a command in a pseudo-tty (pty), sudo now copies a
1677 subset of the terminal flags to the new pty. Previously, all
1678 flags were copied, even those not appropriate for a pty.
1679
1680 * Fixed a problem with debug logging in the sudoers I/O logging
1681 plugin.
1682
1683 * Window size change events are now logged to the policy plugin.
1684 On xterm and compatible terminals, sudoreplay is now capable of
1685 resizing the terminal to match the size of the terminal the
1686 command was run on. The new -R option can be used to disable
1687 terminal resizing.
1688
1689 * Fixed a bug in visudo where a newly added file was not checked
1690 for syntax errors. Bug #791.
1691
1692 * Fixed a bug in visudo where if a syntax error in an include
1693 directory (like /etc/sudoers.d) was detected, the edited version
1694 was left as a temporary file instead of being installed.
1695
1696 * On PAM systems, sudo will now treat "username's Password:" as
1697 a standard password prompt. As a result, the SUDO_PROMPT
1698 environment variable will now override "username's Password:"
1699 as well as the more common "Password:". Previously, the
1700 "passprompt_override" Defaults setting would need to be set for
1701 SUDO_PROMPT to override a prompt of "username's Password:".
1702
1703 * A new "syslog_pid" sudoers setting has been added to include
1704 sudo's process ID along with the process name when logging via
1705 syslog. Bug #792.
1706
1707 * Fixed a bug introduced in sudo 1.8.18 where a command would
1708 not be terminated when the I/O logging plugin returned an error
1709 to the sudo front-end.
1710
1711 * A new "timestamp_type" sudoers setting has been added that replaces
1712 the "tty_tickets" option. In addition to tty and global time stamp
1713 records, it is now possible to use the parent process ID to restrict
1714 the time stamp to commands run by the same process, usually the shell.
1715 Bug #793.
1716
1717 * The --preserve-env command line option has been extended to accept
1718 a comma-separated list of environment variables to preserve.
1719 Bug #279.
1720
1721 * Friulian translation for sudo from translationproject.org.
1722
1723 What's new in Sudo 1.8.20p2
1724
1725 * Fixed a bug parsing /proc/pid/stat on Linux when the process
1726 name contains newlines. This is not exploitable due to the /dev
1727 traversal changes in sudo 1.8.20p1.
1728
1729 What's new in Sudo 1.8.20p1
1730
1731 * Fixed "make check" when using OpenSSL or GNU crypt.
1732 Bug #787.
1733
1734 * Fixed CVE-2017-1000367, a bug parsing /proc/pid/stat on Linux
1735 when the process name contains spaces. Since the user has control
1736 over the command name, this could potentially be used by a user
1737 with sudo access to overwrite an arbitrary file on systems with
1738 SELinux enabled. Also stop performing a breadth-first traversal
1739 of /dev when looking for the device; only a hard-coded list of
1740 directories are checked,
1741
1742 What's new in Sudo 1.8.20
1743
1744 * Added support for SASL_MECH in ldap.conf. Bug #764
1745
1746 * Added support for digest matching when the command is a glob-style
1747 pattern or a directory. Previously, only explicit path matches
1748 supported digest checks.
1749
1750 * New "fdexec" Defaults option to control whether a command
1751 is executed by path or by open file descriptor.
1752
1753 * The embedded copy of zlib has been upgraded to version 1.2.11.
1754
1755 * Fixed a bug that prevented sudoers include files with a relative
1756 path starting with the letter 'i' from being opened. Bug #776.
1757
1758 * Added support for command timeouts in sudoers. The command will
1759 be terminated if the timeout expires.
1760
1761 * The SELinux role and type are now displayed in the "sudo -l"
1762 output for the LDAP and SSSD back-ends, just as they are in the
1763 sudoers back-end.
1764
1765 * A new command line option, -T, can be used to specify a command
1766 timeout as long as the user-specified timeout is not longer than
1767 the timeout specified in sudoers. This option may only be
1768 used when the "user_command_timeouts" flag is enabled in sudoers.
1769
1770 * Added NOTBEFORE and NOTAFTER command options to the sudoers
1771 back-end similar to what is already available in the LDAP back-end.
1772
1773 * Sudo can now optionally use the SHA2 functions in OpenSSL or GNU
1774 crypt instead of the SHA2 implementation bundled with sudo.
1775
1776 * Fixed a compilation error on systems without the stdbool.h header
1777 file. Bug #778.
1778
1779 * Fixed a compilation error in the standalone Kerberos V authentication
1780 module. Bug #777.
1781
1782 * Added the iolog_flush flag to sudoers which causes I/O log data
1783 to be written immediately to disk instead of being buffered.
1784
1785 * I/O log files are now created with group ID 0 by default unless
1786 the "iolog_user" or "iolog_group" options are set in sudoers.
1787
1788 * It is now possible to store I/O log files on an NFS-mounted
1789 file system where uid 0 is remapped to an unprivileged user.
1790 The "iolog_user" option must be set to a non-root user and the
1791 top-level I/O log directory must exist and be owned by that user.
1792
1793 * Added the restricted_env_file setting to sudoers which is similar
1794 to env_file but its contents are subject to the same restrictions
1795 as variables in the invoking user's environment.
1796
1797 * Fixed a use after free bug in the SSSD back-end when the fqdn
1798 sudoOption is enabled and no hostname value is present in
1799 /etc/sssd/sssd.conf.
1800
1801 * Fixed a typo that resulted in a compilation error on systems
1802 where the killpg() function is not found by configure.
1803
1804 * Fixed a compilation error with the included version of zlib
1805 when sudo was built outside the source tree.
1806
1807 * Fixed the exit value of sudo when the command is terminated by
1808 a signal other than SIGINT. This was broken in sudo 1.8.15 by
1809 the fix for Bug #722. Bug #784.
1810
1811 * Fixed a regression introduced in sudo 1.8.18 where the "lecture"
1812 option could not be used in a positive boolean context, only
1813 a negative one.
1814
1815 * Fixed an issue where sudo would consume stdin if it was not
1816 connected to a tty even if log_input is not enabled in sudoers.
1817 Bug #786.
1818
1819 * Clarify in the sudoers manual that the #includedir directive
1820 diverts control to the files in the specified directory and,
1821 when parsing of those files is complete, returns control to the
1822 original file. Bug #775.
1823
1824 What's new in Sudo 1.8.19p2
1825
1826 * Fixed a crash in visudo introduced in sudo 1.8.9 when an IP address
1827 or network is used in a host-based Defaults entry. Bug #766
1828
1829 * Added a missing check for the ignore_iolog_errors flag when
1830 the sudoers plugin generates the I/O log file path name.
1831
1832 * Fixed a typo in sudo's vsyslog() replacement that resulted in
1833 garbage being logged to syslog.
1834
1835 What's new in Sudo 1.8.19p1
1836
1837 * Fixed a bug introduced in sudo 1.8.19 that resulted in the wrong
1838 syslog priority and facility being used.
1839
1840 What's new in Sudo 1.8.19
1841
1842 * New "syslog_maxlen" Defaults option to control the maximum size of
1843 syslog messages generated by sudo.
1844
1845 * Sudo has been run against PVS-Studio and any issues that were
1846 not false positives have been addressed.
1847
1848 * I/O log files are now created with the same group ID as the
1849 parent directory and not the invoking user's group ID.
1850
1851 * I/O log permissions and ownership are now configurable via the
1852 "iolog_mode", "iolog_user" and "iolog_group" sudoers Defaults
1853 variables.
1854
1855 * Fixed configuration of the sudoers I/O log plugin debug subsystem.
1856 Previously, I/O log information was not being written to the
1857 sudoers debug log.
1858
1859 * Fixed a bug in visudo that broke editing of files in an include
1860 dir that have a syntax error. Normally, visudo does not edit
1861 those files, but if a syntax error is detected in one, the user
1862 should get a chance to fix it.
1863
1864 * Warnings about unknown or unparsable sudoers Defaults entries now
1865 include the file and line number of the problem.
1866
1867 * Visudo will now use the file and line number information about an
1868 unknown or unparsable Defaults entry to go directly to the file
1869 with the problem.
1870
1871 * Fixed a bug in the sudoers LDAP back-end where a negated sudoHost
1872 entry would prevent other sudoHost entries following it from matching.
1873
1874 * Warnings from visudo about a cycle in an Alias entry now include the
1875 file and line number of the problem.
1876
1877 * In strict mode, visudo will now use the file and line number
1878 information about a cycle in an Alias entry to go directly to the
1879 file with the problem.
1880
1881 * The sudo_noexec.so file is now linked with -ldl on systems that
1882 require it for the wordexp() wrapper.
1883
1884 * Fixed linking of sudo_noexec.so on macOS systems where it must be
1885 a dynamic library and not a module.
1886
1887 * Sudo's "make check" now includes a test for sudo_noexec.so
1888 working.
1889
1890 * The sudo front-end now passes the user's umask to the plugin.
1891 Previously the plugin had to determine this itself.
1892
1893 * Sudoreplay can now display the stdin and ttyin streams when they
1894 are explicitly added to the filter list.
1895
1896 * Fixed a bug introduced in sudo 1.8.17 where the "all" setting
1897 for verifypw and listpw was not being honored. Bug #762.
1898
1899 * The syslog priority (syslog_goodpri and syslog_badpri) can now
1900 be negated or set to "none" to disable logging of successful or
1901 unsuccessful sudo attempts via syslog.
1902
1903 What's new in Sudo 1.8.18p1
1904
1905 * When sudo_noexec.so is used, the WRDE_NOCMD flag is now added
1906 if the wordexp() function is called. This prevents commands
1907 from being run via wordexp() without disabling it entirely.
1908
1909 * On Linux systems, sudo_noexec.so now uses a seccomp filter to
1910 disable execute access if the kernel supports seccomp. This is
1911 more robust than the traditional method of using stub functions
1912 that return an error.
1913
1914 What's new in Sudo 1.8.18
1915
1916 * The sudoers locale is now set before parsing the sudoers file.
1917 If sudoers_locale is set in sudoers, it is applied before
1918 evaluating other Defaults entries. Previously, sudoers_locale
1919 was used when evaluating sudoers but not during the initial parse.
1920 Bug #748.
1921
1922 * A missing or otherwise invalid #includedir is now ignored instead
1923 of causing a parse error.
1924
1925 * During "make install", backup files are only used on HP-UX where
1926 it is not possible to unlink a shared object that is in use.
1927 This works around a bug in ldconfig on Linux which could create
1928 links to the backup shared library file instead of the current
1929 one.
1930
1931 * Fixed a bug introduced in 1.8.17 where sudoers entries with long
1932 commands lines could be truncated, preventing a match. Bug #752.
1933
1934 * The fqdn, runas_default and sudoers_locale Defaults settings are
1935 now applied before any other Defaults settings since they can
1936 change how other Defaults settings are parsed.
1937
1938 * On systems without the O_NOFOLLOW open(2) flag, when the NOFOLLOW
1939 flag is set, sudoedit now checks whether the file is a symbolic link
1940 before opening it as well as after the open. Bug #753.
1941
1942 * Sudo will now only resolve a user's group IDs to group names
1943 when sudoers includes group-based permissions. Group lookups
1944 can be expensive on some systems where the group database is
1945 not local.
1946
1947 * If the file system holding the sudo log file is full, allow
1948 the command to run unless the new ignore_logfile_errors Defaults
1949 option is disabled. Bug #751.
1950
1951 * The ignore_audit_errors and ignore_iolog_errors Defaults options
1952 have been added to control sudo's behavior when it is unable to
1953 write to the audit and I/O logs.
1954
1955 * Fixed a bug introduced in 1.8.17 where the SIGPIPE signal handler
1956 was not being restored when sudo directly executes the command.
1957
1958 * Fixed a bug where "sudo -l command" would indicate that a command
1959 was runnable even when denied by sudoers when using the LDAP or
1960 SSSD back-ends.
1961
1962 * The match_group_by_gid Defaults option has been added to allow
1963 sites where group name resolution is slow and where sudoers only
1964 contains a small number of groups to match groups by group ID
1965 instead of by group name.
1966
1967 * Fixed a bug on Linux where a 32-bit sudo binary could fail with
1968 an "unable to allocate memory" error when run on a 64-bit system.
1969 Bug #755
1970
1971 * When parsing ldap.conf, sudo will now only treat a '#' character
1972 as the start of a comment when it is at the beginning of the
1973 line.
1974
1975 * Fixed a potential crash when auditing is enabled and the audit
1976 function fails with an error. Bug #756
1977
1978 * Norwegian Nynorsk translation for sudo from translationproject.org.
1979
1980 * Fixed a typo that broke short host name matching when the fqdn
1981 flag is enabled in sudoers. Bug #757
1982
1983 * Negated sudoHost attributes are now supported by the LDAP and
1984 SSSD back-ends.
1985
1986 * Fixed matching entries in the LDAP and SSSD back-ends when a
1987 RunAsGroup is specified but no RunAsUser is present.
1988
1989 * Fixed "sudo -l" output in the LDAP and SSSD back-ends when a
1990 RunAsGroup is specified but no RunAsUser is present.
1991
1992 What's new in Sudo 1.8.17p1
1993
1994 * Fixed a bug introduced in 1.8.17 where the user's groups were
1995 not set on systems that don't use PAM. Bug #749.
1996
1997 What's new in Sudo 1.8.17
1998
1999 * On AIX, if /etc/security/login.cfg has auth_type set to PAM_AUTH
2000 but pam_start(3) fails, fall back to AIX authentication.
2001 Bug #740.
2002
2003 * Sudo now takes all sudoers sources into account when determining
2004 whether or not "sudo -l" or "sudo -v" should prompt for a password.
2005 In other words, if both file and ldap sudoers sources are in
2006 specified in /etc/nsswitch.conf, "sudo -v" will now require that
2007 all entries in both sources be have NOPASSWD (file) or !authenticate
2008 (ldap) in the entries.
2009
2010 * Sudo now ignores SIGPIPE until the command is executed. Previously,
2011 SIGPIPE was only ignored in a few select places. Bug #739.
2012
2013 * Fixed a bug introduced in sudo 1.8.14 where (non-syslog) log
2014 file entries were missing the newline when loglinelen is set to
2015 a non-positive number. Bug #742.
2016
2017 * Unix groups are now set before the plugin session initialization
2018 code is run. This makes it possible to use dynamic groups with
2019 the Linux-PAM pam_group module.
2020
2021 * Fixed a bug where a debugging statement could dereference a NULL
2022 pointer when looking up a group that doesn't exist. Bug #743.
2023
2024 * Sudo has been run through the Coverity code scanner. A number of
2025 minor bugs have been fixed as a result. None were security issues.
2026
2027 * SELinux support, which was broken in 1.8.16, has been repaired.
2028
2029 * Fixed a bug when logging I/O where all output buffers might not
2030 get flushed at exit.
2031
2032 * Forward slashes are no longer escaped in the JSON output of
2033 "visudo -x". This was never required by the standard and not
2034 escaping them improves readability of the output.
2035
2036 * Sudo no longer treats PAM_SESSION_ERR as a fatal error when
2037 opening the PAM session. Other errors from pam_open_session()
2038 are still treated as fatal. This avoids the "policy plugin
2039 failed session initialization" error message seen on some systems.
2040
2041 * Korean translation for sudo and sudoers from translationproject.org.
2042
2043 * Fixed a bug on AIX where the stack size hard resource limit was
2044 being set to 2GB instead of 4GB on 64-bit systems.
2045
2046 * The SSSD back-end now properly supports "sudo -U otheruser -l".
2047
2048 * The SSSD back-end now uses the value of "ipa_hostname"
2049 from sssd.conf, if specified, when matching the host name.
2050
2051 * Fixed a hang on some systems when the command is being run in
2052 a pty and it failed to execute.
2053
2054 * When performing a wildcard match in sudoers, check for an exact
2055 string match if the user command was fully-qualified (or resolved
2056 via the PATH). This fixes an issue executing scripts on Linux
2057 when there are multiple wildcard matches with the same base name.
2058 Bug #746.
2059
2060 What's new in Sudo 1.8.16
2061
2062 * Fixed a compilation error on Solaris 10 with Stun Studio 12.
2063 Bug #727.
2064
2065 * When preserving variables from the invoking user's environment, if
2066 there are duplicates sudo now only keeps the first instance.
2067
2068 * Fixed a bug that could cause warning mail to be sent in list
2069 mode (sudo -l) for users without sudo privileges when the
2070 LDAP and sssd back-ends are used.
2071
2072 * Fixed a bug that prevented the "mail_no_user" option from working
2073 properly with the LDAP back-end.
2074
2075 * In the LDAP and sssd back-ends, white space is now ignored between
2076 an operator (!, +, +=, -=) when parsing a sudoOption.
2077
2078 * It is now possible to disable Path settings in sudo.conf
2079 by omitting the path name.
2080
2081 * The sudoedit_checkdir Defaults option is now enabled by default
2082 and has been extended. When editing files with sudoedit, each
2083 directory in the path to be edited is now checked. If a directory
2084 is writable by the invoking user, symbolic links will not be
2085 followed. If the parent directory of the file to be edited is
2086 writable, sudoedit will refuse to edit it.
2087 Bug #707.
2088
2089 * The netgroup_tuple Defaults option has been added to enable matching
2090 of the entire netgroup tuple, not just the host or user portion.
2091 Bug #717.
2092
2093 * When matching commands based on the SHA2 digest, sudo will now
2094 use fexecve(2) to execute the command if it is available. This
2095 fixes a time of check versus time of use race condition when the
2096 directory holding the command is writable by the invoking user.
2097
2098 * On AIX systems, sudo now caches the auth registry string along
2099 with password and group information. This fixes a potential
2100 problem when a user or group of the same name exists in multiple
2101 auth registries. For example, local and LDAP.
2102
2103 * Fixed a crash in the SSSD back-end when the invoking user is not
2104 found. Bug #732.
2105
2106 * Added the --enable-asan configure flag to enable address sanitizer
2107 support. A few minor memory leaks have been plugged to quiet
2108 the ASAN leak detector.
2109
2110 * The value of _PATH_SUDO_CONF may once again be overridden via
2111 the Makefile. Bug #735.
2112
2113 * The sudoers2ldif script now handles multiple roles with same name.
2114
2115 * Fixed a compilation error on systems that have the posix_spawn()
2116 and posix_spawnp() functions but an unusable spawn.h header.
2117 Bug #730.
2118
2119 * Fixed support for negating character classes in sudo's version
2120 of the fnmatch() function.
2121
2122 * Fixed a bug in the LDAP and SSSD back-ends that could allow an
2123 unauthorized user to list another user's privileges. Bug #738.
2124
2125 * The PAM conversation function now works around an ambiguity in the
2126 PAM spec with respect to multiple messages. Bug #726.
2127
2128 What's new in Sudo 1.8.15
2129
2130 * Fixed a bug that prevented sudo from building outside the source tree
2131 on some platforms. Bug #708.
2132
2133 * Fixed the location of the sssd library in the RHEL/Centos packages.
2134 Bug #710.
2135
2136 * Fixed a build problem on systems that don't implicitly include
2137 sys/types.h from other header files. Bug #711.
2138
2139 * Fixed a problem on Linux using containers where sudo would ignore
2140 signals sent by a process in a different container.
2141
2142 * Sudo now refuses to run a command if the PAM session module
2143 returns an error.
2144
2145 * When editing files with sudoedit, symbolic links will no longer
2146 be followed by default. The old behavior can be restored by
2147 enabling the sudoedit_follow option in sudoers or on a per-command
2148 basis with the FOLLOW and NOFOLLOW tags. Bug #707.
2149
2150 * Fixed a bug introduced in version 1.8.14 that caused the last
2151 valid editor in the sudoers "editor" list to be used by visudo
2152 and sudoedit instead of the first. Bug #714.
2153
2154 * Fixed a bug in visudo that prevented the addition of a final
2155 newline to edited files without one.
2156
2157 * Fixed a bug decoding certain base64 digests in sudoers when the
2158 intermediate format included a '=' character.
2159
2160 * Individual records are now locked in the time stamp file instead
2161 of the entire file. This allows sudo to avoid prompting for a
2162 password multiple times on the same terminal when used in a
2163 pipeline. In other words, "sudo cat foo | sudo grep bar" now
2164 only prompts for the password once. Previously, both sudo
2165 processes would prompt for a password, often making it impossible
2166 to enter.
2167
2168 * Fixed a bug where sudo would fail to run commands as a non-root
2169 user on systems that lack both setresuid() and setreuid().
2170 Bug #713.
2171
2172 * Fixed a bug introduced in sudo 1.8.14 that prevented visudo from
2173 re-editing the correct file when a syntax error was detected.
2174
2175 * Fixed a bug where sudo would not relay a SIGHUP signal to the
2176 command when the terminal is closed and the command is not run
2177 in its own pseudo-tty. Bug #719
2178
2179 * If some, but not all, of the LOGNAME, USER or USERNAME environment
2180 variables have been preserved from the invoking user's environment,
2181 sudo will now use the preserved value to set the remaining variables
2182 instead of using the runas user. This ensures that if, for example,
2183 only LOGNAME is present in the env_keep list, that sudo will not
2184 set USER and USERNAME to the runas user.
2185
2186 * When the command sudo is running dies due to a signal, sudo will
2187 now send itself that same signal with the default signal handler
2188 installed instead of exiting. The bash shell appears to ignore
2189 some signals, e.g. SIGINT, unless the command being run is killed
2190 by that signal. This makes the behavior of commands run under
2191 sudo the same as without sudo when bash is the shell. Bug #722
2192
2193 * Slovak translation for sudo from translationproject.org.
2194
2195 * Hungarian and Slovak translations for sudoers from translationproject.org.
2196
2197 * Previously, when env_reset was enabled (the default) and the -s
2198 option was not used, the SHELL environment variable was set to the
2199 shell of the invoking user. Now, when env_reset is enabled and
2200 the -s option is not used, SHELL is set based on the target user.
2201
2202 * Fixed challenge/response style BSD authentication.
2203
2204 * Added the sudoedit_checkdir Defaults option to prevent sudoedit
2205 from editing files located in a directory that is writable by
2206 the invoking user.
2207
2208 * Added the always_query_group_plugin Defaults option to control
2209 whether groups not found in the system group database are passed
2210 to the group plugin. Previously, unknown system groups were
2211 always passed to the group plugin.
2212
2213 * When creating a new file, sudoedit will now check that the file's
2214 parent directory exists before running the editor.
2215
2216 * Fixed the compiler stack protector test in configure for compilers
2217 that support -fstack-protector but don't actually have the ssp
2218 library available.
2219
2220 What's new in Sudo 1.8.14p3
2221
2222 * Fixed a bug introduced in sudo 1.8.14p2 that prevented sudo
2223 from working when no tty was present.
2224
2225 * Fixed tty detection on newer AIX systems where dev_t is 64-bit.
2226
2227 What's new in Sudo 1.8.14p2
2228
2229 * Fixed a bug introduced in sudo 1.8.14 that prevented the lecture
2230 file from being created. Bug #704.
2231
2232 What's new in Sudo 1.8.14p1
2233
2234 * Fixed a bug introduced in sudo 1.8.14 that prevented the sssd
2235 back-end from working. Bug #703.
2236
2237 What's new in Sudo 1.8.14
2238
2239 * Log messages on Mac OS X now respect sudoers_locale when sudo
2240 is build with NLS support.
2241
2242 * The sudo manual pages now pass "mandoc -Tlint" with no warnings.
2243
2244 * Fixed a compilation problem on systems with the sig2str() function
2245 that do not define SIG2STR_MAX in signal.h.
2246
2247 * Worked around a compiler bug that resulted in unexpected behavior
2248 when returning an int from a function declared to return bool
2249 without an explicit cast.
2250
2251 * Worked around a bug in Mac OS X 10.10 BSD auditing where the
2252 au_preselect() fails for AUE_sudo events but succeeds for
2253 AUE_DARWIN_sudo.
2254
2255 * Fixed a hang on Linux systems with glibc when sudo is linked with
2256 jemalloc.
2257
2258 * When the user runs a command as a user ID that is not present in
2259 the password database via the -u flag, the command is now run
2260 with the group ID of the invoking user instead of group ID 0.
2261
2262 * Fixed a compilation problem on systems that don't pull in
2263 definitions of uid_t and gid_t without sys/types.h or unistd.h.
2264
2265 * Fixed a compilation problem on newer AIX systems which use a
2266 struct st_timespec for time stamps in struct stat that differs
2267 from struct timespec. Bug #702.
2268
2269 * The example directory is now configurable via --with-exampledir
2270 and defaults to DATAROOTDIR/examples/sudo on BSD systems.
2271
2272 * The /usr/lib/tmpfiles.d/sudo.conf file is now installed as part
2273 of "make install" when systemd is in use.
2274
2275 * Fixed a linker problem on some systems with libintl. Bug #690.
2276
2277 * Fixed compilation with compilers that don't support __func__
2278 or __FUNCTION__.
2279
2280 * Sudo no longer needs to uses weak symbols to support localization
2281 in the warning functions. A registration function is used instead.
2282
2283 * Fixed a setresuid() failure in sudoers on Linux kernels where
2284 uid changes take the nproc resource limit into account.
2285
2286 * Fixed LDAP netgroup queries on AIX.
2287
2288 * Sudo will now display the custom prompt on Linux systems with PAM
2289 even if the "Password: " prompt is not localized by the PAM module.
2290 Bug #701.
2291
2292 * Double-quoted values in an LDAP sudoOption are now supported
2293 for consistency with file-based sudoers.
2294
2295 * Fixed a bug that prevented the btime entry in /proc/stat from
2296 being parsed on Linux.
2297
2298 What's new in Sudo 1.8.13
2299
2300 * The examples directory is now a subdirectory of the doc dir to
2301 conform to Debian guidelines. Bug #682.
2302
2303 * Fixed a compilation error for siglist.c and signame.c on some
2304 systems. Bug #686
2305
2306 * Weak symbols are now used for sudo_warn_gettext() and
2307 sudo_warn_strerror() in libsudo_util to avoid link errors when
2308 -Wl,--no-undefined is used in LDFLAGS. The --disable-weak-symbols
2309 configure option can be used to disable the user of weak symbols.
2310
2311 * Fixed a bug in sudo's mkstemps() replacement function that
2312 prevented the file extension from being preserved in sudoedit.
2313
2314 * A new mail_all_cmnds sudoers flag will send mail when a user runs
2315 a command (or tries to). The behavior of the mail_always flag has
2316 been restored to always send mail when sudo is run.
2317
2318 * New "MAIL" and "NOMAIL" command tags have been added to toggle
2319 mail sending behavior on a per-command (or Cmnd_Alias) basis.
2320
2321 * Fixed matching of empty passwords when sudo is configured to
2322 use passwd (or shadow) file authentication on systems where the
2323 crypt() function returns NULL for invalid salts.
2324
2325 * On AIX, sudo now uses the value of the auth_type setting in
2326 /etc/security/login.cfg to determine whether to use LAM or PAM
2327 for user authentication.
2328
2329 * The "all" setting for listpw and verifypw now works correctly
2330 with LDAP and sssd sudoers.
2331
2332 * The sudo timestamp directory is now created at boot time on
2333 platforms that use systemd.
2334
2335 * Sudo will now restore the value of the SIGPIPE handler before
2336 executing the command.
2337
2338 * Sudo now uses "struct timespec" instead of "struct timeval" for
2339 time keeping when possible. If supported, sudoedit and visudo
2340 now use nanosecond granularity time stamps.
2341
2342 * Fixed a symbol name collision with systems that have their own
2343 SHA2 implementation. This fixes a problem where PAM could use
2344 the wrong SHA2 implementation on Solaris 10 systems configured
2345 to use SHA512 for passwords.
2346
2347 * The editor invoked by sudoedit once again uses an unmodified
2348 copy of the user's environment as per the documentation. This
2349 was inadvertently changed in sudo 1.8.0. Bug #688.
2350
2351 What's new in Sudo 1.8.12
2352
2353 * The embedded copy of zlib has been upgraded to version 1.2.8 and
2354 is now installed as a shared library where supported.
2355
2356 * Debug settings for the sudo front end and sudoers plugin are now
2357 configured separately.
2358
2359 * Multiple sudo.conf Debug entries may now be specified per program
2360 (or plugin).
2361
2362 * The plugin API has been extended such that the path to the plugin
2363 that was loaded is now included in the settings array. This
2364 path can be used to register with the debugging subsystem. The
2365 debug_flags setting is now prefixed with a file name and may be
2366 specified multiple times if there is more than one matching Debug
2367 setting in sudo.conf.
2368
2369 * The sudoers regression tests now run with the locale set to C
2370 since some of the tests compare output that includes locale-specific
2371 messages. Bug #672
2372
2373 * Fixed a bug where sudo would not run commands on Linux when
2374 compiled with audit support if audit is disabled. Bug #671
2375
2376 * Added __BASH_FUNC<* to the environment blacklist to match
2377 Apple's syntax for newer-style bash functions.
2378
2379 * The default password prompt now includes a trailing space after
2380 "Password:" for consistency with su(1) on most systems.
2381 Bug #663
2382
2383 * Fixed a problem on DragonFly BSD where SIGCHLD could be ignored,
2384 preventing sudo from exiting. Bug #676
2385
2386 * Visudo will now use the optional sudoers_file, sudoers_mode,
2387 sudoers_uid and sudoers_gid arguments if specified on the
2388 sudoers.so Plugin line in the sudo.conf file.
2389
2390 * Fixed a problem introduced in sudo 1.8.8 that prevented the full
2391 host name from being used when the "fqdn" sudoers option is used.
2392 Bug #678
2393
2394 * French and Russian translations for sudoers from translationproject.org.
2395
2396 * Sudo now installs a handler for SIGCHLD signal handler immediately
2397 before stating the process that will execute the command (or
2398 start the monitor). The handler used to be installed earlier
2399 but this causes problems with poorly behaved PAM modules that
2400 install their own SIGCHLD signal handler and neglect to restore
2401 sudo's original handler. Bug #657
2402
2403 * Removed a limit on the length of command line arguments expanded
2404 by a wild card using sudo's version of the fnmatch() function.
2405 This limit was introduced when sudo's version of fnmatch()
2406 was replaced in sudo 1.8.4.
2407
2408 * LDAP-based sudoers can now query an LDAP server for a user's
2409 netgroups directly. This is often much faster than fetching
2410 every sudoRole object containing a sudoUser that begins with a
2411 `+' prefix and checking whether the user is a member of any of
2412 the returned netgroups.
2413
2414 * The mail_always sudoers option no longer sends mail for "sudo -l"
2415 or "sudo -v" unless the user is unable to authenticate themselves.
2416
2417 * Fixed a crash when sudo is run with an empty argument vector.
2418
2419 * Fixed two potential crashes when sudo is run with very low
2420 resource limits.
2421
2422 * The TZ environment variable is now checked for safety instead
2423 of simply being copied to the environment of the command.
2424
2425 What's new in Sudo 1.8.11p2
2426
2427 * Fixed a bug where dynamic shared objects loaded from a plugin
2428 could use the hooked version of getenv() but not the hooked
2429 versions of putenv(), setenv() or unsetenv(). This can cause
2430 problems for PAM modules that use those functions.
2431
2432 What's new in Sudo 1.8.11p1
2433
2434 * Fixed a compilation problem on some systems when the
2435 --disable-shared-libutil configure option was specified.
2436
2437 * The user can no longer interrupt the sleep after an incorrect
2438 password on PAM systems using pam_unix.
2439 Bug #666
2440
2441 * Fixed a compilation problem on Linux systems that do not use PAM.
2442 Bug #667
2443
2444 * "make install" will now work with the stock GNU autotools
2445 install-sh script. Bug #669
2446
2447 * Fixed a crash with "sudo -i" when the current working directory
2448 does not exist. Bug #670
2449
2450 * Fixed a potential crash in the debug subsystem when logging a message
2451 larger that 1024 bytes.
2452
2453 * Fixed a "make check" failure for ttyname when stdin is closed and
2454 stdout and stderr are redirected to a different tty. Bug #643
2455
2456 * Added BASH_FUNC_* to the environment blacklist to match newer-style
2457 bash functions.
2458
2459 What's new in Sudo 1.8.11
2460
2461 * The sudoers plugin no longer uses setjmp/longjmp to recover
2462 from fatal errors. All errors are now propagated to the caller
2463 via return codes.
2464
2465 * When running a command in the background, sudo will now forward
2466 SIGINFO to the command (if supported).
2467
2468 * Sudo will now use the system versions of the sha2 functions from
2469 libc or libmd if available.
2470
2471 * Visudo now works correctly on GNU Hurd. Bug #647
2472
2473 * Fixed suspend and resume of curses programs on some system when
2474 the command is not being run in a pseudo-terminal. Bug #649
2475
2476 * Fixed a crash with LDAP-based sudoers on some systems when
2477 Kerberos was enabled.
2478
2479 * Sudo now includes optional Solaris audit support.
2480
2481 * Catalan translation for sudoers from translationproject.org.
2482
2483 * Norwegian Bokmaal translation for sudo from translationproject.org.
2484
2485 * Greek translation for sudoers from translationproject.org
2486
2487 * The sudo source tree has been reorganized to more closely resemble
2488 that of other gettext-enabled packages.
2489
2490 * Sudo and its associated programs now link against a shared version
2491 of libsudo_util. The --disable-shared-libutil configure option
2492 may be used to force static linking if the --enable-static-sudoers
2493 option is also specified.
2494
2495 * The passwords in ldap.conf and ldap.secret may now be encoded
2496 in base64.
2497
2498 * Audit updates. SELinux role changes are now audited. For
2499 sudoedit, we now audit the actual editor being run, instead of
2500 just the sudoedit command.
2501
2502 * Fixed bugs in the man page post-processing that could cause
2503 portions of the manuals to be removed.
2504
2505 * Fixed a crash in the system_group plugin. Bug #653.
2506
2507 * Fixed sudoedit on platforms without a system version of the
2508 getprogname() function. Bug #654.
2509
2510 * Fixed compilation problems with some pre-C99 compilers.
2511
2512 * Fixed sudo's -C option which was broken in version 1.8.9.
2513
2514 * It is now possible to match an environment variable's value as
2515 well as its name using env_keep and env_check. This can be used
2516 to preserve bash functions which would otherwise be removed from
2517 the environment.
2518
2519 * New files created via sudoedit as a non-root user now have the
2520 proper group id. Bug #656
2521
2522 * Sudoedit now works correctly in conjunction with sudo's SELinux
2523 RBAC support. Temporary files are now created with the proper
2524 security context.
2525
2526 * The sudo I/O logging plugin API has been updated. If a logging
2527 function returns an error, the command will be terminated and
2528 all of the plugin's logging functions will be disabled. If a
2529 logging function rejects the command's output it will no longer
2530 be displayed to the user's terminal.
2531
2532 * Fixed a compilation error on systems that lack openpty(), _getpty()
2533 and grantpt(). Bug #660
2534
2535 * Fixed a hang when a sudoers source is listed more than once in
2536 a single sudoers nsswitch.conf entry.
2537
2538 * On AIX, shell scripts without a #! magic number are now passed to
2539 /usr/bin/sh, not /usr/bin/bsh. This is consistent with what the
2540 execvp() function on AIX does and matches historic sudo behavior.
2541 Bug #661
2542
2543 * Fixed a cross-compilation problem building mksiglist and mksigname.
2544 Bug #662
2545
2546 What's new in Sudo 1.8.10p3?
2547
2548 * Fixed expansion of %p in the prompt for "sudo -l" when rootpw,
2549 runaspw or targetpw is set. Bug #639
2550
2551 * Fixed matching of UIDs and GIDs which was broken in version 1.8.9.
2552 Bug #640
2553
2554 * PAM credential initialization has been re-enabled. It was
2555 unintentionally disabled by default in version 1.8.8. The way
2556 credentials are initialized has also been fixed. Bug #642.
2557
2558 * Fixed a descriptor leak on Linux when determining boot time. Sudo
2559 normally closes extra descriptors before running a command so
2560 the impact is limited. Bug #645
2561
2562 * Fixed flushing of the last buffer of data when I/O logging is
2563 enabled. This bug, introduced in version 1.8.9, could cause
2564 incomplete command output on some systems. Bug #646
2565
2566 What's new in Sudo 1.8.10p2?
2567
2568 * Fixed a hang introduced in sudo 1.8.10 when timestamp_timeout
2569 is set to zero.
2570
2571 What's new in Sudo 1.8.10p1?
2572
2573 * Fixed a bug introduced in sudo 1.8.10 that prevented the disabling
2574 of tty-based tickets.
2575
2576 * Fixed a bug with negated commands in "sudo -l command" that
2577 could cause the command to be listed even when it was explicitly
2578 denied. This only affected list mode when a command was specified.
2579 Bug #636
2580
2581 What's new in Sudo 1.8.10?
2582
2583 * It is now possible to disable network interface probing in
2584 sudo.conf by changing the value of the probe_interfaces
2585 setting.
2586
2587 * When listing a user's privileges (sudo -l), the sudoers plugin
2588 will now prompt for the user's password even if the targetpw,
2589 rootpw or runaspw options are set.
2590
2591 * The sudoers plugin uses a new format for its time stamp files.
2592 Each user now has a single file which may contain multiple records
2593 when per-tty time stamps are in use (the default). The time
2594 stamps use a monotonic timer where available and are once again
2595 located in a directory under /var/run. The lecture status is
2596 now stored separately from the time stamps in a different directory.
2597 Bug #616
2598
2599 * sudo's -K option will now remove all of the user's time stamps,
2600 not just the time stamp for the current terminal. The -k option
2601 can be used to only disable time stamps for the current terminal.
2602
2603 * If sudo was started in the background and needed to prompt for
2604 a password, it was not possible to suspend it at the password
2605 prompt. This now works properly.
2606
2607 * LDAP-based sudoers now uses a default search filter of
2608 (objectClass=sudoRole) for more efficient queries. The netgroup
2609 query has been modified to avoid falling below the minimum length
2610 for OpenLDAP substring indices.
2611
2612 * The new "use_netgroups" sudoers option can be used to explicitly
2613 enable or disable netgroups support. For LDAP-based sudoers,
2614 netgroup support requires an expensive substring match on the
2615 server. If netgroups are not needed, this option can be disabled
2616 to reduce the load on the LDAP server.
2617
2618 * Sudo is once again able to open the sudoers file when the group
2619 on sudoers doesn't match the expected value, so long as the file
2620 is not group writable.
2621
2622 * Sudo now installs an init.d script to clear the time stamp
2623 directory at boot time on AIX and HP-UX systems. These systems
2624 either lack /var/run or do not clear it on boot.
2625
2626 * The JSON format used by "visudo -x" now properly supports the
2627 negation operator. In addition, the Options object is now the
2628 same for both Defaults and Cmnd_Specs.
2629
2630 * Czech and Serbian translations for sudoers from translationproject.org.
2631
2632 * Catalan translation for sudo from translationproject.org.
2633
2634 What's new in Sudo 1.8.9p5?
2635
2636 * Fixed a compilation error on AIX when LDAP support is enabled.
2637
2638 * Fixed parsing of the "umask" defaults setting in sudoers. Bug #632.
2639
2640 * Fixed a failed assertion when the "closefrom_override" defaults
2641 setting is enabled in sudoers and sudo's -C flag is used. Bug #633.
2642
2643 What's new in Sudo 1.8.9p4?
2644
2645 * Fixed a bug where sudo could consume large amounts of CPU while
2646 the command was running when I/O logging is not enabled. Bug #631
2647
2648 * Fixed a bug where sudo would exit with an error when the debug
2649 level is set to util@debug or all@debug and I/O logging is not
2650 enabled. The command would continue running after sudo exited.
2651
2652 What's new in Sudo 1.8.9p3?
2653
2654 * Fixed a bug introduced in sudo 1.8.9 that prevented the tty name
2655 from being resolved properly on Linux systems. Bug #630.
2656
2657 What's new in Sudo 1.8.9p2?
2658
2659 * Updated config.guess, config.sub and libtool to support the ppc64le
2660 architecture (IBM PowerPC Little Endian).
2661
2662 What's new in Sudo 1.8.9p1?
2663
2664 * Fixed a problem with gcc 4.8's handling of bit fields that could
2665 lead to the noexec flag being enabled even when it was not
2666 explicitly set.
2667
2668 What's new in Sudo 1.8.9?
2669
2670 * Reworked sudo's main event loop to use a simple event subsystem
2671 using poll(2) or select(2) as the back end.
2672
2673 * It is now possible to statically compile the sudoers plugin into
2674 the sudo binary without disabling shared library support. The
2675 sudo.conf file may still be used to configure other plugins.
2676
2677 * Sudo can now be compiled again with a C preprocessor that does
2678 not support variadic macros.
2679
2680 * Visudo can now export a sudoers file in JSON format using the
2681 new -x flag.
2682
2683 * The locale is now set correctly again for visudo and sudoreplay.
2684
2685 * The plugin API has been extended to allow the plugin to exclude
2686 specific file descriptors from the "closefrom" range.
2687
2688 * There is now a workaround for a Solaris-specific problem where
2689 NOEXEC was overriding traditional root DAC behavior.
2690
2691 * Add user netgroup filtering for SSSD. Previously, rules for
2692 a netgroup were applied to all even when they did not belong
2693 to the specified netgroup.
2694
2695 * On systems with BSD login classes, if the user specified a group
2696 (not a user) to run the command as, it was possible to specify
2697 a different login class even when the command was not run as the
2698 super user.
2699
2700 * The closefrom() emulation on Mac OS X now uses /dev/fd if possible.
2701
2702 * Fixed a bug where sudoedit would not update the original file
2703 from the temporary when PAM or I/O logging is not enabled.
2704
2705 * When recycling I/O logs, the log files are now truncated properly.
2706
2707 * Fixes bugs #617, #621, #622, #623, #624, #625, #626
2708
2709 What's new in Sudo 1.8.8?
2710
2711 * Removed a warning on PAM systems with stacked auth modules
2712 where the first module on the stack does not succeed.
2713
2714 * Sudo, sudoreplay and visudo now support GNU-style long options.
2715
2716 * The -h (--host) option may now be used to specify a host name.
2717 This is currently only used by the sudoers plugin in conjunction
2718 with the -l (--list) option.
2719
2720 * Program usage messages and manual SYNOPSIS sections have been
2721 simplified.
2722
2723 * Sudo's LDAP SASL support now works properly with Kerberos.
2724 Previously, the SASL library was unable to locate the user's
2725 credential cache.
2726
2727 * It is now possible to set the nproc resource limit to unlimited
2728 via pam_limits on Linux (bug #565).
2729
2730 * New "pam_service" and "pam_login_service" sudoers options
2731 that can be used to specify the PAM service name to use.
2732
2733 * New "pam_session" and "pam_setcred" sudoers options that
2734 can be used to disable PAM session and credential support.
2735
2736 * The sudoers plugin now properly supports UIDs and GIDs
2737 that are larger than 0x7fffffff on 32-bit platforms.
2738
2739 * Fixed a visudo bug introduced in sudo 1.8.7 where per-group
2740 Defaults entries would cause an internal error.
2741
2742 * If the "tty_tickets" sudoers option is enabled (the default),
2743 but there is no tty present, sudo will now use a ticket file
2744 based on the parent process ID. This makes it possible to support
2745 the normal timeout behavior for the session.
2746
2747 * Fixed a problem running commands that change their process
2748 group and then attempt to change the terminal settings when not
2749 running the command in a pseudo-terminal. Previously, the process
2750 would receive SIGTTOU since it was effectively a background
2751 process. Sudo will now grant the child the controlling tty and
2752 continue it when this happens.
2753
2754 * The "closefrom_override" sudoers option may now be used in
2755 a command-specified Defaults entry (bug #610).
2756
2757 * Sudo's BSM audit support now works on Solaris 11.
2758
2759 * Brazilian Portuguese translation for sudo and sudoers from
2760 translationproject.org.
2761
2762 * Czech translation for sudo from translationproject.org.
2763
2764 * French translation for sudo from translationproject.org.
2765
2766 * Sudo's noexec support on Mac OS X 10.4 and above now uses dynamic
2767 symbol interposition instead of setting DYLD_FORCE_FLAT_NAMESPACE=1
2768 which causes issues with some programs.
2769
2770 * Fixed visudo's -q (--quiet) flag, broken in sudo 1.8.6.
2771
2772 * Root may no longer change its SELinux role without entering
2773 a password.
2774
2775 * Fixed a bug introduced in Sudo 1.8.7 where the indexes written
2776 to the I/O log timing file are two greater than they should be.
2777 Sudoreplay now contains a work-around to parse those files.
2778
2779 * In sudoreplay's list mode, the "this" qualifier in "fromdate"
2780 or "todate" expressions now behaves more sensibly. Previously,
2781 it would often match a date that was "one more" than expected.
2782 For example, "this week" now matches the current week instead
2783 of the following week.
2784
2785 What's new in Sudo 1.8.7?
2786
2787 * The non-Unix group plugin is now supported when sudoers data
2788 is stored in LDAP.
2789
2790 * Sudo now uses a workaround for a locale bug on Solaris 11.0
2791 that prevents setuid programs like sudo from fully using locales.
2792
2793 * User messages are now always displayed in the user's locale,
2794 even when the same message is being logged or mailed in a
2795 different locale.
2796
2797 * Log files created by sudo now explicitly have the group set
2798 to group ID 0 rather than relying on BSD group semantics (which
2799 may not be the default).
2800
2801 * A new "exec_background" sudoers option can be used to initially
2802 run the command without read access to the terminal when running
2803 a command in a pseudo-tty. If the command tries to read from
2804 the terminal it will be stopped by the kernel (via SIGTTIN or
2805 SIGTTOU) and sudo will immediately restart it as the foreground
2806 process (if possible). This allows sudo to only pass terminal
2807 input to the program if the program actually is expecting it.
2808 Unfortunately, a few poorly-behaved programs (like "su" on most
2809 Linux systems) do not handle SIGTTIN and SIGTTOU properly.
2810
2811 * Sudo now uses an efficient group query to get all the groups
2812 for a user instead of iterating over every record in the group
2813 database on HP-UX and Solaris.
2814
2815 * Sudo now produces better error messages when there is an error
2816 in the sudo.conf file.
2817
2818 * Two new settings have been added to sudo.conf to give the admin
2819 better control of how group database queries are performed. The
2820 "group_source" specifies how the group list for a user will be
2821 determined. Legal values are "static" (use the kernel groups
2822 list), "dynamic" (perform a group database query) and "adaptive"
2823 (only perform a group database query if the kernel list is full).
2824 The "max_groups" setting specifies the maximum number of groups
2825 a user may belong to when performing a group database query.
2826
2827 * The sudo.conf file now supports line continuation by using a
2828 backslash as the last character on the line.
2829
2830 * There is now a standalone sudo.conf manual page.
2831
2832 * Sudo now stores its libexec files in a "sudo" sub-directory instead
2833 of in libexec itself. For backward compatibility, if the plugin
2834 is not found in the default plugin directory, sudo will check
2835 the parent directory if the default directory ends in "/sudo".
2836
2837 * The sudoers I/O logging plugin now logs the terminal size.
2838
2839 * A new sudoers option "maxseq" can be used to limit the number of
2840 I/O log entries that are stored.
2841
2842 * The "system_group" and "group_file" sudoers group provider plugins
2843 are now installed by default.
2844
2845 * The list output (sudo -l) output from the sudoers plugin is now
2846 less ambiguous when an entry includes different runas users.
2847 The long list output (sudo -ll) for file-based sudoers is now
2848 more consistent with the format of LDAP-based sudoers.
2849
2850 * A UID may now be used in the sudoRunAsUser attributes for LDAP
2851 sudoers.
2852
2853 * Minor plugin API change: the close and version functions are now
2854 optional. If the policy plugin does not provide a close function
2855 and the command is not being run in a new pseudo-tty, sudo may
2856 now execute the command directly instead of in a child process.
2857
2858 * A new sudoers option "pam_session" can be used to disable sudo's
2859 PAM session support.
2860
2861 * On HP-UX systems, sudo will now use the pstat() function to
2862 determine the tty instead of ttyname().
2863
2864 * Turkish translation for sudo and sudoers from translationproject.org.
2865
2866 * Dutch translation for sudo and sudoers from translationproject.org.
2867
2868 * Tivoli Directory Server client libraries may now be used with
2869 HP-UX where libibmldap has a hidden dependency on libCsup.
2870
2871 * The sudoers plugin will now ignore invalid domain names when
2872 checking netgroup membership. Most Linux systems use the string
2873 "(none)" for the NIS-style domain name instead of an empty string.
2874
2875 * New support for specifying a SHA-2 digest along with the command
2876 in sudoers. Supported hash types are sha224, sha256, sha384 and
2877 sha512. See the description of Digest_Spec in the sudoers manual
2878 or the description of sudoCommand in the sudoers.ldap manual for
2879 details.
2880
2881 * The paths to ldap.conf and ldap.secret may now be specified as
2882 arguments to the sudoers plugin in the sudo.conf file.
2883
2884 * Fixed potential false positives in visudo's alias cycle detection.
2885
2886 * Fixed a problem where the time stamp file was being treated
2887 as out of date on Linux systems where the change time on the
2888 pseudo-tty device node can change after it is allocated.
2889
2890 * Sudo now only builds Position Independent Executables (PIE)
2891 by default on Linux systems and verifies that a trivial test
2892 program builds and runs.
2893
2894 * On Solaris 11.1 and higher, sudo binaries will now have the
2895 ASLR tag enabled if supported by the linker.
2896
2897 What's new in Sudo 1.8.6p8?
2898
2899 * Terminal detection now works properly on 64-bit AIX kernels.
2900 This was broken by the removal of the ttyname() fallback in Sudo
2901 1.8.6p6. Sudo is now able to map an AIX 64-bit device number
2902 to the corresponding device file in /dev.
2903
2904 * Sudo now checks for crypt() returning NULL when performing
2905 passwd-based authentication.
2906
2907 What's new in Sudo 1.8.6p7?
2908
2909 * A time stamp file with the date set to the epoch by "sudo -k"
2910 is now completely ignored regardless of what the local clock is
2911 set to. Previously, if the local clock was set to a value between
2912 the epoch and the time stamp timeout value, a time stamp reset
2913 by "sudo -k" would be considered current.
2914
2915 * The tty-specific time stamp file now includes the session ID
2916 of the sudo process that created it. If a process with the same
2917 tty but a different session ID runs sudo, the user will now be
2918 prompted for a password (assuming authentication is required for
2919 the command).
2920
2921 What's new in Sudo 1.8.6p6?
2922
2923 * On systems where the controlling tty can be determined via /proc
2924 or sysctl(), sudo will no longer fall back to using ttyname()
2925 if the process has no controlling tty. This prevents sudo from
2926 using a non-controlling tty for logging and time stamp purposes.
2927
2928 What's new in Sudo 1.8.6p5?
2929
2930 * Fixed a potential crash in visudo's alias cycle detection.
2931
2932 * Improved performance on Solaris when retrieving the group list
2933 for the target user. On systems with a large number of groups
2934 where the group database is not local (NIS, LDAP, AD), fetching
2935 the group list could take a minute or more.
2936
2937 What's new in Sudo 1.8.6p4?
2938
2939 * The -fstack-protector is now used when linking visudo, sudoreplay
2940 and testsudoers.
2941
2942 * Avoid building PIE binaries on FreeBSD/ia64 as they don't run
2943 properly.
2944
2945 * Fixed a crash in visudo strict mode when an unknown Defaults
2946 setting is encountered.
2947
2948 * Do not inform the user that the command was not permitted by the
2949 policy if they do not successfully authenticate. This is a
2950 regression introduced in sudo 1.8.6.
2951
2952 * Allow sudo to be build with sss support without also including
2953 ldap support.
2954
2955 * Fixed running commands that need the terminal in the background
2956 when I/O logging is enabled. E.g. "sudo vi &". When the command
2957 is foregrounded, it will now resume properly.
2958
2959 What's new in Sudo 1.8.6p3?
2960
2961 * Fixed post-processing of the man pages on systems with legacy
2962 versions of sed.
2963
2964 * Fixed "sudoreplay -l" on Linux systems with file systems that
2965 set DT_UNKNOWN in the d_type field of struct dirent.
2966
2967 What's new in Sudo 1.8.6p2?
2968
2969 * Fixed suspending a command after it has already been resumed
2970 once when I/O logging (or use_pty) is not enabled.
2971 This was a regression introduced in version 1.8.6.
2972
2973 What's new in Sudo 1.8.6p1?
2974
2975 * Fixed the setting of LOGNAME, USER and USERNAME variables in the
2976 command's environment when env_reset is enabled (the default).
2977 This was a regression introduced in version 1.8.6.
2978
2979 * Sudo now honors SUCCESS=return in /etc/nsswitch.conf.
2980
2981 What's new in Sudo 1.8.6?
2982
2983 * Sudo is now built with the -fstack-protector flag if the the
2984 compiler supports it. Also, the -zrelro linker flag is used if
2985 supported. The --disable-hardening configure option can be used
2986 to build sudo without stack smashing protection.
2987
2988 * Sudo is now built as a Position Independent Executable (PIE)
2989 if supported by the compiler and linker.
2990
2991 * If the user is a member of the "exempt" group in sudoers, they
2992 will no longer be prompted for a password even if the -k flag
2993 is specified with the command. This makes "sudo -k command"
2994 consistent with the behavior one would get if the user ran "sudo
2995 -k" immediately before running the command.
2996
2997 * The sudoers file may now be a symbolic link. Previously, sudo
2998 would refuse to read sudoers unless it was a regular file.
2999
3000 * The sudoreplay command can now properly replay sessions where
3001 no tty was present.
3002
3003 * The sudoers plugin now takes advantage of symbol visibility
3004 controls when supported by the compiler or linker. As a result,
3005 only a small number of symbols are exported which significantly
3006 reduces the chances of a conflict with other shared objects.
3007
3008 * Improved support for the Tivoli Directory Server LDAP client
3009 libraries. This includes support for using LDAP over SSL (ldaps)
3010 as well as support for the BIND_TIMELIMIT, TLS_KEY and TLS_CIPHERS
3011 ldap.conf options. A new ldap.conf option, TLS_KEYPW can be
3012 used to specify a password to decrypt the key database.
3013
3014 * When constructing a time filter for use with LDAP sudoNotBefore
3015 and sudoNotAfter attributes, the current time now includes tenths
3016 of a second. This fixes a problem with timed entries on Active
3017 Directory.
3018
3019 * If a user fails to authenticate and the command would be rejected
3020 by sudoers, it is now logged with "command not allowed" instead
3021 of "N incorrect password attempts". Likewise, the "mail_no_perms"
3022 sudoers option now takes precedence over "mail_badpass".
3023
3024 * The sudo manuals are now formatted using the mdoc macros. Versions
3025 using the legacy man macros are provided for systems that lack mdoc.
3026
3027 * New support for Solaris privilege sets. This makes it possible
3028 to specify fine-grained privileges in the sudoers file on Solaris
3029 10 and above. A Runas_Spec that contains no Runas_Lists can be
3030 used to give a user the ability to run a command as themselves
3031 but with an expanded privilege set.
3032
3033 * Fixed a problem with the reboot and shutdown commands on some
3034 systems (such as HP-UX and BSD). On these systems, reboot sends
3035 all processes (except itself) SIGTERM. When sudo received
3036 SIGTERM, it would relay it to the reboot process, thus killing
3037 reboot before it had a chance to actually reboot the system.
3038
3039 * Support for using the System Security Services Daemon (SSSD) as
3040 a source of sudoers data.
3041
3042 * Slovenian translation for sudo and sudoers from translationproject.org.
3043
3044 * Visudo will now warn about unknown Defaults entries that are
3045 per-host, per-user, per-runas or per-command.
3046
3047 * Fixed a race condition that could cause sudo to receive SIGTTOU
3048 (and stop) when resuming a shell that was run via sudo when I/O
3049 logging (and use_pty) is not enabled.
3050
3051 * Sending SIGTSTP directly to the sudo process will now suspend the
3052 running command when I/O logging (and use_pty) is not enabled.
3053
3054 What's new in Sudo 1.8.5p3?
3055
3056 * Fixed the loading of I/O plugins that conform to a plugin API
3057 version older than 1.2.
3058
3059 What's new in Sudo 1.8.5p2?
3060
3061 * Fixed use of the SUDO_ASKPASS environment variable which was
3062 broken in Sudo 1.8.5.
3063
3064 * Fixed a problem reading the sudoers file when the file mode is
3065 more restrictive than the expected mode. For example, when the
3066 expected sudoers file mode is 0440 but the actual mode is 0400.
3067
3068 What's new in Sudo 1.8.5p1?
3069
3070 * Fixed a bug that prevented files in an include directory from
3071 being evaluated.
3072
3073 What's new in Sudo 1.8.5?
3074
3075 * When "noexec" is enabled, sudo_noexec.so will now be prepended
3076 to any existing LD_PRELOAD variable instead of replacing it.
3077
3078 * The sudo_noexec.so shared library now wraps the execvpe(),
3079 exect(), posix_spawn() and posix_spawnp() functions.
3080
3081 * The user/group/mode checks on sudoers files have been relaxed.
3082 As long as the file is owned by the sudoers UID, not world-writable
3083 and not writable by a group other than the sudoers GID, the file
3084 is considered OK. Note that visudo will still set the mode to
3085 the value specified at configure time.
3086
3087 * It is now possible to specify the sudoers path, UID, GID and
3088 file mode as options to the plugin in the sudo.conf file.
3089
3090 * Croatian, Galician, German, Lithuanian, Swedish and Vietnamese
3091 translations from translationproject.org.
3092
3093 * /etc/environment is no longer read directly on Linux systems
3094 when PAM is used. Sudo now merges the PAM environment into the
3095 user's environment which is typically set by the pam_env module.
3096
3097 * The initial environment created when env_reset is in effect now
3098 includes the contents of /etc/environment on AIX systems and the
3099 "setenv" and "path" entries from /etc/login.conf on BSD systems.
3100
3101 * The plugin API has been extended in three ways. First, options
3102 specified in sudo.conf after the plugin pathname are passed to
3103 the plugin's open function. Second, sudo has limited support
3104 for hooks that can be used by plugins. Currently, the hooks are
3105 limited to environment handling functions. Third, the init_session
3106 policy plugin function is passed a pointer to the user environment
3107 which can be updated during session setup. The plugin API version
3108 has been incremented to version 1.2. See the sudo_plugin manual
3109 for more information.
3110
3111 * The policy plugin's init_session function is now called by the
3112 parent sudo process, not the child process that executes the
3113 command. This allows the PAM session to be open and closed in
3114 the same process, which some PAM modules require.
3115
3116 * Fixed parsing of "Path askpass" and "Path noexec" in sudo.conf,
3117 which was broken in version 1.8.4.
3118
3119 * On systems with an SVR4-style /proc file system, the /proc/pid/psinfo
3120 file is now uses to determine the controlling terminal, if possible.
3121 This allows tty-based tickets to work properly even when, e.g.
3122 standard input, output and error are redirected to /dev/null.
3123
3124 * The output of "sudoreplay -l" is now sorted by file name (or
3125 sequence number). Previously, entries were displayed in the
3126 order in which they were found on the file system.
3127
3128 * Sudo now behaves properly when I/O logging is enabled and the
3129 controlling terminal is revoked (e.g. the running sshd is killed).
3130 Previously, sudo may have exited without calling the I/O plugin's
3131 close function which can lead to an incomplete I/O log.
3132
3133 * Sudo can now detect when a user has logged out and back in again
3134 on Solaris 11, just like it can on Solaris 10.
3135
3136 * The built-in zlib included with Sudo has been upgraded to version
3137 1.2.6.
3138
3139 * Setting the SSL parameter to start_tls in ldap.conf now works
3140 properly when using Mozilla-based SDKs that support the
3141 ldap_start_tls_s() function.
3142
3143 * The TLS_CHECKPEER parameter in ldap.conf now works when the
3144 Mozilla NSS crypto back-end is used with OpenLDAP.
3145
3146 * A new group provider plugin, system_group, is included which
3147 performs group look ups by name using the system groups database.
3148 This can be used to restore the pre-1.7.3 sudo group lookup
3149 behavior.
3150
3151 What's new in Sudo 1.8.4p5?
3152
3153 * Fixed a bug when matching against an IP address with an associated
3154 netmask in the sudoers file. In certain circumstances, this
3155 could allow users to run commands on hosts they are not authorized
3156 for.
3157
3158 What's new in Sudo 1.8.4p4?
3159
3160 * Fixed a bug introduced in Sudo 1.8.4 which prevented "sudo -v"
3161 from working.
3162
3163 What's new in Sudo 1.8.4p3?
3164
3165 * Fixed a crash on FreeBSD when no tty is present.
3166
3167 * Fixed a bug introduced in Sudo 1.8.4 that allowed users to
3168 specify environment variables to set on the command line without
3169 having sudo "ALL" permissions or the "SETENV" tag.
3170
3171 * When visudo is run with the -c (check) option, the sudoers
3172 file(s) owner and mode are now also checked unless the -f option
3173 was specified.
3174
3175 What's new in Sudo 1.8.4p2?
3176
3177 * Fixed a bug introduced in Sudo 1.8.4 where insufficient space
3178 was allocated for group IDs in the LDAP filter.
3179
3180 * Fixed a bug introduced in Sudo 1.8.4 where the path to sudo.conf
3181 was "/sudo.conf" instead of "/etc/sudo.conf".
3182
3183 * Fixed a bug introduced in Sudo 1.8.4 which could cause a hang
3184 when I/O logging is enabled and input is from a pipe or file.
3185
3186 What's new in Sudo 1.8.4p1?
3187
3188 * Fixed a bug introduced in sudo 1.8.4 that broke adding to or
3189 deleting from the env_keep, env_check and env_delete lists in
3190 sudoers on some platforms.
3191
3192 What's new in Sudo 1.8.4?
3193
3194 * The -D flag in sudo has been replaced with a more general debugging
3195 framework that is configured in sudo.conf.
3196
3197 * Fixed a false positive in visudo strict mode when aliases are
3198 in use.
3199
3200 * Fixed a crash with "sudo -i" when a runas group was specified
3201 without a runas user.
3202
3203 * The line on which a syntax error is reported in the sudoers file
3204 is now more accurate. Previously it was often off by a line.
3205
3206 * Fixed a bug where stack garbage could be printed at the end of
3207 the lecture when the "lecture_file" option was enabled.
3208
3209 * "make install" now honors the LINGUAS environment variable.
3210
3211 * The #include and #includedir directives in sudoers now support
3212 relative paths. If the path is not fully qualified it is expected
3213 to be located in the same directory of the sudoers file that is
3214 including it.
3215
3216 * Serbian and Spanish translations for sudo from translationproject.org.
3217
3218 * LDAP-based sudoers may now access by group ID in addition to
3219 group name.
3220
3221 * visudo will now fix the mode on the sudoers file even if no changes
3222 are made unless the -f option is specified.
3223
3224 * The "use_loginclass" sudoers option works properly again.
3225
3226 * On systems that use login.conf, "sudo -i" now sets environment
3227 variables based on login.conf.
3228
3229 * For LDAP-based sudoers, values in the search expression are now
3230 escaped as per RFC 4515.
3231
3232 * The plugin close function is now properly called when a login
3233 session is killed (as opposed to the actual command being killed).
3234 This can happen when an ssh session is disconnected or the
3235 terminal window is closed.
3236
3237 * The deprecated "noexec_file" sudoers option is no longer supported.
3238
3239 * Fixed a race condition when I/O logging is not enabled that could
3240 result in tty-generated signals (e.g. control-C) being received
3241 by the command twice.
3242
3243 * If none of the standard input, output or error are connected to
3244 a tty device, sudo will now check its parent's standard input,
3245 output or error for the tty name on systems with /proc and BSD
3246 systems that support the KERN_PROC_PID sysctl. This allows
3247 tty-based tickets to work properly even when, e.g. standard
3248 input, output and error are redirected to /dev/null.
3249
3250 * Added the --enable-kerb5-instance configure option to allow
3251 people using Kerberos V authentication to specify a custom
3252 instance so the principal name can be, e.g. "username/sudo"
3253 similar to how ksu uses "username/root".
3254
3255 * Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in
3256 the results, which would be incorrectly be interpreted as if the
3257 sudoers file had specified a directory.
3258
3259 * "visudo -c" will now list any include files that were checked
3260 in addition to the main sudoers file when everything parses OK.
3261
3262 * Users that only have read-only access to the sudoers file may
3263 now run "visudo -c". Previously, write permissions were required
3264 even though no writing is down in check-only mode.
3265
3266 * It is now possible to prevent the disabling of core dumps from
3267 within sudo itself by adding a line to the sudo.conf file like
3268 "Set disable_coredump false".
3269
3270 What's new in Sudo 1.8.3p2?
3271
3272 * Fixed a format string vulnerability when the sudo binary (or a
3273 symbolic link to the sudo binary) contains printf format escapes
3274 and the -D (debugging) flag is used.
3275
3276 What's new in Sudo 1.8.3p1?
3277
3278 * Fixed a crash in the monitor process on Solaris when NOPASSWD
3279 was specified or when authentication was disabled.
3280
3281 * Fixed matching of a Runas_Alias in the group section of a
3282 Runas_Spec.
3283
3284 What's new in Sudo 1.8.3?
3285
3286 * Fixed expansion of strftime() escape sequences in the "log_dir"
3287 sudoers setting.
3288
3289 * Esperanto, Italian and Japanese translations from translationproject.org.
3290
3291 * Sudo will now use PAM by default on AIX 6 and higher.
3292
3293 * Added --enable-werror configure option for gcc's -Werror flag.
3294
3295 * Visudo no longer assumes all editors support the +linenumber
3296 command line argument. It now uses a allowlist of editors known
3297 to support the option.
3298
3299 * Fixed matching of network addresses when a netmask is specified
3300 but the address is not the first one in the CIDR block.
3301
3302 * The configure script now check whether or not errno.h declares
3303 the errno variable. Previously, sudo would always declare errno
3304 itself for older systems that don't declare it in errno.h.
3305
3306 * The NOPASSWD tag is now honored for denied commands too, which
3307 matches historic sudo behavior (prior to sudo 1.7.0).
3308
3309 * Sudo now honors the "DEREF" setting in ldap.conf which controls
3310 how alias dereferencing is done during an LDAP search.
3311
3312 * A symbol conflict with the pam_ssh_agent_auth PAM module that
3313 would cause a crash been resolved.
3314
3315 * The inability to load a group provider plugin is no longer
3316 a fatal error.
3317
3318 * A potential crash in the utmp handling code has been fixed.
3319
3320 * Two PAM session issues have been resolved. In previous versions
3321 of sudo, the PAM session was opened as one user and closed as
3322 another. Additionally, if no authentication was performed, the
3323 PAM session would never be closed.
3324
3325 * Sudo will now work correctly with LDAP-based sudoers using TLS
3326 or SSL on Debian systems.
3327
3328 * The LOGNAME, USER and USERNAME environment variables are preserved
3329 correctly again in sudoedit mode.
3330
3331 What's new in Sudo 1.8.2?
3332
3333 * Sudo, visudo, sudoreplay and the sudoers plug-in now have natural
3334 language support (NLS). This can be disabled by passing configure
3335 the --disable-nls option. Sudo will use gettext(), if available,
3336 to display translated messages. All translations are coordinated
3337 via The Translation Project, https://translationproject.org/.
3338
3339 * Plug-ins are now loaded with the RTLD_GLOBAL flag instead of
3340 RTLD_LOCAL. This fixes missing symbol problems in PAM modules
3341 on certain platforms, such as FreeBSD and SuSE Linux Enterprise.
3342
3343 * I/O logging is now supported for commands run in background mode
3344 (using sudo's -b flag).
3345
3346 * Group ownership of the sudoers file is now only enforced when
3347 the file mode on sudoers allows group readability or writability.
3348
3349 * Visudo now checks the contents of an alias and warns about cycles
3350 when the alias is expanded.
3351
3352 * If the user specifies a group via sudo's -g option that matches
3353 the target user's group in the password database, it is now
3354 allowed even if no groups are present in the Runas_Spec.
3355
3356 * The sudo Makefiles now have more complete dependencies which are
3357 automatically generated instead of being maintained manually.
3358
3359 * The "use_pty" sudoers option is now correctly passed back to the
3360 sudo front end. This was missing in previous versions of sudo
3361 1.8 which prevented "use_pty" from being honored.
3362
3363 * "sudo -i command" now works correctly with the bash version
3364 2.0 and higher. Previously, the .bash_profile would not be
3365 sourced prior to running the command unless bash was built with
3366 NON_INTERACTIVE_LOGIN_SHELLS defined.
3367
3368 * When matching groups in the sudoers file, sudo will now match
3369 based on the name of the group instead of the group ID. This can
3370 substantially reduce the number of group lookups for sudoers
3371 files that contain a large number of groups.
3372
3373 * Multi-factor authentication is now supported on AIX.
3374
3375 * Added support for non-RFC 4517 compliant LDAP servers that require
3376 that seconds be present in a timestamp, such as Tivoli Directory Server.
3377
3378 * If the group vector is to be preserved, the PATH search for the
3379 command is now done with the user's original group vector.
3380
3381 * For LDAP-based sudoers, the "runas_default" sudoOption now works
3382 properly in a sudoRole that contains a sudoCommand.
3383
3384 * Spaces in command line arguments for "sudo -s" and "sudo -i" are
3385 now escaped with a backslash when checking the security policy.
3386
3387 What's new in Sudo 1.8.1p2?
3388
3389 * Two-character CIDR-style IPv4 netmasks are now matched correctly
3390 in the sudoers file.
3391
3392 * A build error with MIT Kerberos V has been resolved.
3393
3394 * A crash on HP-UX in the sudoers plugin when wildcards are
3395 present in the sudoers file has been resolved.
3396
3397 * Sudo now works correctly on Tru64 Unix again.
3398
3399 What's new in Sudo 1.8.1p1?
3400
3401 * Fixed a problem on AIX where sudo was unable to set the final
3402 UID if the PAM module modified the effective UID.
3403
3404 * A non-existent includedir is now treated the same as an empty
3405 directory and not reported as an error.
3406
3407 * Removed extraneous parens in LDAP filter when sudoers_search_filter
3408 is enabled that can cause an LDAP search error.
3409
3410 * Fixed a "make -j" problem for "make install".
3411
3412 What's new in Sudo 1.8.1?
3413
3414 * A new LDAP setting, sudoers_search_filter, has been added to
3415 ldap.conf. This setting can be used to restrict the set of
3416 records returned by the LDAP query. Based on changes from Matthew
3417 Thomas.
3418
3419 * White space is now permitted within a User_List when used in
3420 conjunction with a per-user Defaults definition.
3421
3422 * A group ID (%#GID) may now be specified in a User_List or Runas_List.
3423 Likewise, for non-Unix groups the syntax is %:#GID.
3424
3425 * Support for double-quoted words in the sudoers file has been fixed.
3426 The change in 1.7.5 for escaping the double quote character
3427 caused the double quoting to only be available at the beginning
3428 of an entry.
3429
3430 * The fix for resuming a suspended shell in 1.7.5 caused problems
3431 with resuming non-shells on Linux. Sudo will now save the process
3432 group ID of the program it is running on suspend and restore it
3433 when resuming, which fixes both problems.
3434
3435 * A bug that could result in corrupted output in "sudo -l" has been
3436 fixed.
3437
3438 * Sudo will now create an entry in the utmp (or utmpx) file when
3439 allocating a pseudo-tty (e.g. when logging I/O). The "set_utmp"
3440 and "utmp_runas" sudoers file options can be used to control this.
3441 Other policy plugins may use the "set_utmp" and "utmp_user"
3442 entries in the command_info list.
3443
3444 * The sudoers policy now stores the TSID field in the logs
3445 even when the "iolog_file" sudoers option is defined to a value
3446 other than %{sessid}. Previously, the TSID field was only
3447 included in the log file when the "iolog_file" option was set
3448 to its default value.
3449
3450 * The sudoreplay utility now supports arbitrary session IDs.
3451 Previously, it would only work with the base-36 session IDs
3452 that the sudoers plugin uses by default.
3453
3454 * Sudo now passes "run_shell=true" to the policy plugin in the
3455 settings list when sudo's -s command line option is specified.
3456 The sudoers policy plugin uses this to implement the "set_home"
3457 sudoers option which was missing from sudo 1.8.0.
3458
3459 * The "noexec" functionality has been moved out of the sudoers
3460 policy plugin and into the sudo front-end, which matches the
3461 behavior documented in the plugin writer's guide. As a result,
3462 the path to the noexec file is now specified in the sudo.conf
3463 file instead of the sudoers file.
3464
3465 * On Solaris 10, the PRIV_PROC_EXEC privilege is now used to
3466 implement the "noexec" feature. Previously, this was implemented
3467 via the LD_PRELOAD environment variable.
3468
3469 * The exit values for "sudo -l", "sudo -v" and "sudo -l command"
3470 have been fixed in the sudoers policy plugin.
3471
3472 * The sudoers policy plugin now passes the login class, if any,
3473 back to the sudo front-end.
3474
3475 * The sudoers policy plugin was not being linked with requisite
3476 libraries in certain configurations.
3477
3478 * Sudo now parses command line arguments before loading any plugins.
3479 This allows "sudo -V" or "sudo -h" to work even if there is a problem
3480 with sudo.conf
3481
3482 * Plugins are now linked with the static version of libgcc to allow
3483 the plugin to run on a system where no shared libgcc is installed,
3484 or where it is installed in a different location.
3485
3486 What's new in Sudo 1.8.0?
3487
3488 * Sudo has been refactored to use a modular framework that can
3489 support third-party policy and I/O logging plugins. The default
3490 plugin is "sudoers" which provides the traditional sudo functionality.
3491 See the sudo_plugin manual for details on the plugin API and the
3492 sample in the plugins directory for a simple example.
3493
3494 What's new in Sudo 1.7.5?
3495
3496 * When using visudo in check mode, a file named "-" may be used to
3497 check sudoers data on the standard input.
3498
3499 * Sudo now only fetches shadow password entries when using the
3500 password database directly for authentication.
3501
3502 * Password and group entries are now cached using the same key
3503 that was used to look them up. This fixes a problem when looking
3504 up entries by name if the name in the retrieved entry does not
3505 match the name used to look it up. This may happen on some systems
3506 that do case insensitive lookups or that truncate long names.
3507
3508 * GCC will no longer display warnings on glibc systems that use
3509 the warn_unused_result attribute for write(2) and other system calls.
3510
3511 * If a PAM account management module denies access, sudo now prints
3512 a more useful error message and stops trying to validate the user.
3513
3514 * Fixed a potential hang on idle systems when the sudo-run process
3515 exits immediately.
3516
3517 * Sudo now includes a copy of zlib that will be used on systems
3518 that do not have zlib installed.
3519
3520 * The --with-umask-override configure flag has been added to enable
3521 the "umask_override" sudoers Defaults option at build time.
3522
3523 * Sudo now unblocks all signals on startup to avoid problems caused
3524 by the parent process changing the default signal mask.
3525
3526 * LDAP Sudoers entries may now specify a time period for which
3527 the entry is valid. This requires an updated sudoers schema
3528 that includes the sudoNotBefore and sudoNotAfter attributes.
3529 Support for timed entries must be explicitly enabled in the
3530 ldap.conf file. Based on changes from Andreas Mueller.
3531
3532 * LDAP Sudoers entries may now specify a sudoOrder attribute that
3533 determines the order in which matching entries are applied. The
3534 last matching entry is used, just like file-based sudoers. This
3535 requires an updated sudoers schema that includes the sudoOrder
3536 attribute. Based on changes from Andreas Mueller.
3537
3538 * When run as sudoedit, or when given the -e flag, sudo now treats
3539 command line arguments as pathnames. This means that slashes
3540 in the sudoers file entry must explicitly match slashes in
3541 the command line arguments. As a result, and entry such as:
3542 user ALL = sudoedit /etc/*
3543 will allow editing of /etc/motd but not /etc/security/default.
3544
3545 * NETWORK_TIMEOUT is now an alias for BIND_TIMELIMIT in ldap.conf for
3546 compatibility with OpenLDAP configuration files.
3547
3548 * The LDAP API TIMEOUT parameter is now honored in ldap.conf.
3549
3550 * The I/O log directory may now be specified in the sudoers file.
3551
3552 * Sudo will no longer refuse to run if the sudoers file is writable
3553 by root.
3554
3555 * Sudo now performs command line escaping for "sudo -s" and "sudo -i"
3556 after validating the command so the sudoers entries do not need
3557 to include the backslashes.
3558
3559 * Logging and email sending are now done in the locale specified
3560 by the "sudoers_locale" setting ("C" by default). Email send by
3561 sudo now includes MIME headers when "sudoers_locale" is not "C".
3562
3563 * The configure script has a new option, --disable-env-reset, to
3564 allow one to change the default for the sudoers Default setting
3565 "env_reset" at compile time.
3566
3567 * When logging "sudo -l command", sudo will now prepend "list "
3568 to the command in the log line to distinguish between an
3569 actual command invocation in the logs.
3570
3571 * Double-quoted group and user names may now include escaped double
3572 quotes as part of the name. Previously this was a parse error.
3573
3574 * Sudo once again restores the state of the signal handlers it
3575 modifies before executing the command. This allows sudo to be
3576 used with the nohup command.
3577
3578 * Resuming a suspended shell now works properly when I/O logging
3579 is not enabled (the I/O logging case was already correct).
3580
3581 What's new in Sudo 1.7.4p6?
3582
3583 * A bug has been fixed in the I/O logging support that could cause
3584 visual artifacts in full-screen programs such as text editors.
3585
3586 What's new in Sudo 1.7.4p5?
3587
3588 * A bug has been fixed that would allow a command to be run without the
3589 user entering a password when sudo's -g flag is used without the -u flag.
3590
3591 * If user has no supplementary groups, sudo will now fall back on checking
3592 the group file explicitly, which restores historic sudo behavior.
3593
3594 * A crash has been fixed when sudo's -g flag is used without the -u flag
3595 and the sudoers file contains an entry with no runas user or group listed.
3596
3597 * A crash has been fixed when the Solaris project support is enabled
3598 and sudo's -g flag is used without the -u flag.
3599
3600 * Sudo no longer exits with an error when support for auditing is
3601 compiled in but auditing is not enabled.
3602
3603 * Fixed a bug introduced in sudo 1.7.3 where the ticket file was not
3604 being honored when the "targetpw" sudoers Defaults option was enabled.
3605
3606 * The LOG_INPUT and LOG_OUTPUT tags in sudoers are now parsed correctly.
3607
3608 * A crash has been fixed in "sudo -l" when sudo is built with auditing
3609 support and the user is not allowed to run any commands on the host.
3610
3611 What's new in Sudo 1.7.4p4?
3612
3613 * A potential security issue has been fixed with respect to the handling
3614 of sudo's -g command line option when -u is also specified. The flaw
3615 may allow an attacker to run commands as a user that is not authorized
3616 by the sudoers file.
3617
3618 * A bug has been fixed where "sudo -l" output was incomplete if multiple
3619 sudoers sources were defined in nsswitch.conf and there was an error
3620 querying one of the sources.
3621
3622 * The log_input, log_output, and use_pty sudoers options now work correctly
3623 on AIX. Previously, sudo would hang if they were enabled.
3624
3625 * The "make install" target now works correctly when sudo is built in a
3626 directory other than the source directory.
3627
3628 * The "runas_default" sudoers setting now works properly in a per-command
3629 Defaults line.
3630
3631 * Suspending and resuming the bash shell when PAM is in use now works
3632 correctly. The SIGCONT signal was not propagated to the child process.
3633
3634 What's new in Sudo 1.7.4p3?
3635
3636 * A bug has been fixed where duplicate HOME environment variables could be
3637 present when the env_reset setting was disabled and the always_set_home
3638 setting was enabled in sudoers.
3639
3640 * The value of sysconfdir is now substituted into the path to the sudoers.d
3641 directory in the installed sudoers file.
3642
3643 * Compilation problems on IRIX and other platforms have been fixed.
3644
3645 * If multiple PAM "auth" actions are specified and the user enters ^C at
3646 the password prompt, sudo will no longer prompt for a password for any
3647 subsequent "auth" actions. Previously it was necessary to enter ^C for
3648 each "auth" action.
3649
3650 What's new in Sudo 1.7.4p2?
3651
3652 * A bug where sudo could spin in a busy loop waiting for the child process
3653 has been fixed.
3654
3655 What's new in Sudo 1.7.4p1?
3656
3657 * A bug introduced in sudo 1.7.3 that prevented the -k and -K options from
3658 functioning when the tty_tickets sudoers option is enabled has been fixed.
3659
3660 * Sudo no longer prints a warning when the -k or -K options are specified
3661 and the ticket file does not exist.
3662
3663 * It is now easier to cross-compile sudo.
3664
3665 What's new in Sudo 1.7.4?
3666
3667 * Sudoedit will now preserve the file extension in the name of the
3668 temporary file being edited. The extension is used by some
3669 editors (such as emacs) to choose the editing mode.
3670
3671 * Time stamp files have moved from /var/run/sudo to either /var/db/sudo,
3672 /var/lib/sudo or /var/adm/sudo. The directories are checked for
3673 existence in that order. This prevents users from receiving the
3674 sudo lecture every time the system reboots. Time stamp files older
3675 than the boot time are ignored on systems where it is possible to
3676 determine this.
3677
3678 * The tty_tickets sudoers option is now enabled by default.
3679
3680 * Ancillary documentation (README files, LICENSE, etc) is now installed
3681 in a sudo documentation directory.
3682
3683 * Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile"
3684 in ldap.conf.
3685
3686 * Defaults settings that are tied to a user, host or command may
3687 now include the negation operator. For example:
3688 Defaults:!millert lecture
3689 will match any user but millert.
3690
3691 * The default PATH environment variable, used when no PATH variable
3692 exists, now includes /usr/sbin and /sbin.
3693
3694 * Sudo now uses polypkg (https://github.com/OneIdentity/Polypkg)
3695 for cross-platform packing.
3696
3697 * On Linux, sudo will now restore the nproc resource limit before
3698 executing a command, unless the limit appears to have been modified
3699 by pam_limits. This avoids a problem with bash scripts that open
3700 more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX)
3701 will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1).
3702
3703 * The HOME and MAIL environment variables are now reset based on the
3704 target user's password database entry when the env_reset sudoers option
3705 is enabled (which is the case in the default configuration). Users
3706 wishing to preserve the original values should use a sudoers entry like:
3707 Defaults env_keep += HOME
3708 to preserve the old value of HOME and
3709 Defaults env_keep += MAIL
3710 to preserve the old value of MAIL.
3711
3712 * Fixed a problem in the restoration of the AIX authdb registry setting.
3713
3714 * Sudo will now fork(2) and wait until the command has completed before
3715 calling pam_close_session().
3716
3717 * The default syslog facility is now "authpriv" if the operating system
3718 supports it, else "auth".
3719
3720 What's new in Sudo 1.7.3?
3721
3722 * Support for logging I/O for the command being run.
3723 For more information, see the documentation for the "log_input"
3724 and "log_output" Defaults options in the sudoers manual. Also
3725 see the sudoreplay manual for how to replay I/O log sessions.
3726
3727 * The use_pty sudoers option can be used to force a command to be
3728 run in a pseudo-pty, even when I/O logging is not enabled.
3729
3730 * On some systems, sudo can now detect when a user has logged out
3731 and back in again when tty-based time stamps are in use. Supported
3732 systems include Solaris systems with the devices file system,
3733 Mac OS X, and Linux systems with the devpts filesystem (pseudo-ttys
3734 only).
3735
3736 * On AIX systems, the registry setting in /etc/security/user is
3737 now taken into account when looking up users and groups. Sudo
3738 now applies the correct the user and group ids when running a
3739 command as a user whose account details come from a different
3740 source (e.g. LDAP or DCE vs. local files).
3741
3742 * Support for multiple 'sudoers_base' and 'uri' entries in ldap.conf.
3743 When multiple entries are listed, sudo will try each one in the
3744 order in which they are specified.
3745
3746 * Sudo's SELinux support should now function correctly when running
3747 commands as a non-root user and when one of stdin, stdout or stderr
3748 is not a terminal.
3749
3750 * Sudo will now use the Linux audit system with configure with
3751 the --with-linux-audit flag.
3752
3753 * Sudo now uses mbr_check_membership() on systems that support it
3754 to determine group membership. Currently, only Darwin (Mac OS X)
3755 supports this.
3756
3757 * When the tty_tickets sudoers option is enabled but there is no
3758 terminal device, sudo will no longer use or create a tty-based
3759 ticket file. Previously, sudo would use a tty name of "unknown".
3760 As a consequence, if a user has no terminal device, sudo will
3761 now always prompt for a password.
3762
3763 * The passwd_timeout and timestamp_timeout options may now be
3764 specified as floating point numbers for more granular timeout
3765 values.
3766
3767 * Negating the fqdn option in sudoers now works correctly when sudo
3768 is configured with the --with-fqdn option. In previous versions
3769 of sudo the fqdn was set before sudoers was parsed.
3770
3771 What's new in Sudo 1.7.2?
3772
3773 * A new #includedir directive is available in sudoers. This can be
3774 used to implement an /etc/sudo.d directory. Files in an includedir
3775 are not edited by visudo unless they contain a syntax error.
3776
3777 * The -g option did not work properly when only setting the group
3778 (and not the user). Also, in -l mode the wrong user was displayed
3779 for sudoers entries where only the group was allowed to be set.
3780
3781 * Fixed a problem with the alias checking in visudo which
3782 could prevent visudo from exiting.
3783
3784 * Sudo will now correctly parse the shell-style /etc/environment
3785 file format used by pam_env on Linux.
3786
3787 * When doing password and group database lookups, sudo will only
3788 cache an entry by name or by id, depending on how the entry was
3789 looked up. Previously, sudo would cache by both name and id
3790 from a single lookup, but this breaks sites that have multiple
3791 password or group database names that map to the same UID or
3792 GID.
3793
3794 * User and group names in sudoers may now be enclosed in double
3795 quotes to avoid having to escape special characters.
3796
3797 * BSM audit fixes when changing to a non-root UID.
3798
3799 * Experimental non-Unix group support. Currently only works with
3800 Quest Authorization Services and allows Active Directory groups
3801 fixes for Minix-3.
3802
3803 * For Netscape/Mozilla-derived LDAP SDKs the certificate and key
3804 paths may be specified as a directory or a file. However, version
3805 5.0 of the SDK only appears to support using a directory (despite
3806 documentation to the contrary). If SSL client initialization
3807 fails and the certificate or key paths look like they could be
3808 default file name, strip off the last path element and try again.
3809
3810 * A setenv() compatibility fix for Linux systems, where a NULL
3811 value is treated the same as an empty string and the variable
3812 name is checked against the NULL pointer.
3813
3814 What's new in Sudo 1.7.1?
3815
3816 * A new Defaults option "pwfeedback" will cause sudo to provide visual
3817 feedback when the user is entering a password.
3818
3819 * A new Defaults option "fast_glob" will cause sudo to use the fnmatch()
3820 function for file name globbing instead of glob(). When this option
3821 is enabled, sudo will not check the file system when expanding wildcards.
3822 This is faster but a side effect is that relative paths with wildcard
3823 will no longer work.
3824
3825 * New BSM audit support for systems that support it such as FreeBSD
3826 and Mac OS X.
3827
3828 * The file name specified with the #include directive may now include
3829 a %h escape which is expanded to the short form of hostname.
3830
3831 * The -k flag may now be specified along with a command, causing the
3832 user's timestamp file to be ignored.
3833
3834 * New support for Tivoli-based LDAP START_TLS, present in AIX.
3835
3836 * New support for /etc/netsvc.conf on AIX.
3837
3838 * The unused alias checks in visudo now handle the case of an alias
3839 referring to another alias.
3840
3841 What's new in Sudo 1.7.0?
3842
3843 * Rewritten parser that converts sudoers into a set of data structures.
3844 This eliminates a number of ordering issues and makes it possible to
3845 apply sudoers Defaults entries before searching for the command.
3846 It also adds support for per-command Defaults specifications.
3847
3848 * Sudoers now supports a #include facility to allow the inclusion of other
3849 sudoers-format files.
3850
3851 * Sudo's -l (list) flag has been enhanced:
3852 o applicable Defaults options are now listed
3853 o a command argument can be specified for testing whether a user
3854 may run a specific command.
3855 o a new -U flag can be used in conjunction with "sudo -l" to allow
3856 root (or a user with "sudo ALL") list another user's privileges.
3857
3858 * A new -g flag has been added to allow the user to specify a
3859 primary group to run the command as. The sudoers syntax has been
3860 extended to include a group section in the Runas specification.
3861
3862 * A UID may now be used anywhere a username is valid.
3863
3864 * The "secure_path" run-time Defaults option has been restored.
3865
3866 * Password and group data is now cached for fast lookups.
3867
3868 * The file descriptor at which sudo starts closing all open files is now
3869 configurable via sudoers and, optionally, the command line.
3870
3871 * Visudo will now warn about aliases that are defined but not used.
3872
3873 * The -i and -s command line flags now take an optional command
3874 to be run via the shell. Previously, the argument was passed
3875 to the shell as a script to run.
3876
3877 * Improved LDAP support. SASL authentication may now be used in
3878 conjunction when connecting to an LDAP server. The krb5_ccname
3879 parameter in ldap.conf may be used to enable Kerberos.
3880
3881 * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
3882 to specify the sudoers order. E.g.:
3883 sudoers: ldap files
3884 to check LDAP, then /etc/sudoers. The default is "files", even
3885 when LDAP support is compiled in. This differs from sudo 1.6
3886 where LDAP was always consulted first.
3887
3888 * Support for /etc/environment on AIX and Linux. If sudo is run
3889 with the -i flag, the contents of /etc/environment are used to
3890 populate the new environment that is passed to the command being
3891 run.
3892
3893 * If no terminal is available or if the new -A flag is specified,
3894 sudo will use a helper program to read the password if one is
3895 configured. Typically, this is a graphical password prompter
3896 such as ssh-askpass.
3897
3898 * A new Defaults option, "mailfrom" that sets the value of the
3899 "From:" field in the warning/error mail. If unspecified, the
3900 login name of the invoking user is used.
3901
3902 * A new Defaults option, "env_file" that refers to a file containing
3903 environment variables to be set in the command being run.
3904
3905 * A new flag, -n, may be used to indicate that sudo should not
3906 prompt the user for a password and, instead, exit with an error
3907 if authentication is required.
3908
3909 * If sudo needs to prompt for a password and it is unable to disable
3910 echo (and no askpass program is defined), it will refuse to run
3911 unless the "visiblepw" Defaults option has been specified.
3912
3913 * Prior to version 1.7.0, hitting enter/return at the Password: prompt
3914 would exit sudo. In sudo 1.7.0 and beyond, this is treated as
3915 an empty password. To exit sudo, the user must press ^C or ^D
3916 at the prompt.
3917
3918 * visudo will now check the sudoers file owner and mode in -c (check)
3919 mode when the -s (strict) flag is specified.
3920
3921 * A new Defaults option "umask_override" will cause sudo to set the
3922 umask specified in sudoers even if it is more permissive than the
3923 invoking user's umask.