"Fossies" - the Fresh Open Source Software Archive

Member "sudo-1.9.11p3/NEWS" (20 Jun 2022, 162838 Bytes) of package /linux/misc/sudo-1.9.11p3.tar.gz:

As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file. See also the latest Fossies "Diffs" side-by-side code changes report for "NEWS": 1.9.11p2_vs_1.9.11p3.

    1 What's new in Sudo 1.9.11p3
    3  * Fixed "connection reset" errors on AIX when running shell scripts
    4    with the "intercept" or "log_subcmds" sudoers options enabled.
    5    Bug #1034.
    7  * Fixed very slow execution of shell scripts when the "intercept"
    8    or "log_subcmds" sudoers options are set on systems that enable
    9    Nagle's algorithm on the loopback device, such as AIX.
   10    Bug #1034.
   12 What's new in Sudo 1.9.11p2
   14  * Fixed a compilation error on Linux/x86_64 with the x32 ABI.
   16  * Fixed a regression introduced in 1.9.11p1 that caused a warning
   17    when logging to sudo_logsrvd if the command returned no output.
   19 What's new in Sudo 1.9.11p1
   21  * Correctly handle EAGAIN in the I/O read/right events.  This fixes
   22    a hang seen on some systems when piping a large amount of data
   23    through sudo, such as via rsync.  Bug #963.
   25  * Changes to avoid implementation or unspecified behavior when
   26    bit shifting signed values in the protobuf library.
   28  * Fixed a compilation error on Linux/aarch64.
   30  * Fixed the configure check for seccomp(2) support on Linux.
   32  * Corrected the EBNF specification for tags in the sudoers manual
   33    page.  GitHub issue #153.
   35 What's new in Sudo 1.9.11
   37  * Fixed a crash in the Python module with Python 3.9.10 on some
   38    systems.  Additionally, "make check" now passes for Python 3.9.10.
   40  * Error messages sent via email now include more details, including
   41    the file name and the line number and column of the error.
   42    Multiple errors are sent in a single message.  Previously, only
   43    the first error was included.
   45  * Fixed logging of parse errors in JSON format.  Previously,
   46    the JSON logger would not write entries unless the command and
   47    runuser were set.  These may not be known at the time a parse
   48    error is encountered.
   50  * Fixed a potential crash parsing sudoers lines larger than twice
   51    the value of LINE_MAX on systems that lack the getdelim() function.
   53  * The tests run by "make check" now unset the LANGUAGE environment
   54    variable.  Otherwise, localization strings will not match if
   55    LANGUAGE is set to a non-English locale.  Bug #1025.
   57  * The "starttime" test now passed when run under Debian faketime.
   58    Bug #1026.
   60  * The Kerberos authentication module now honors the custom password
   61    prompt if one has been specified.
   63  * The embedded copy of zlib has been updated to version 1.2.12.
   65  * Updated the version of libtool used by sudo to version 2.4.7.
   67  * Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE
   68    in the header files (currently only GNU libc).  This is required
   69    to allow the use of 64-bit time values on some 32-bit systems.
   71  * Sudo's "intercept" and "log_subcmds" options no longer force the
   72    command to run in its own pseudo-terminal.  It is now also
   73    possible to intercept the system(3) function.
   75  * Fixed a bug in sudo_logsrvd when run in store-first relay mode
   76    where the commit point messages sent by the server were incorrect
   77    if the command was suspended or received a window size change
   78    event.
   80  * Fixed a potential crash in sudo_logsrvd when the "tls_dhparams"
   81    configuration setting was used.
   83  * The "intercept" and "log_subcmds" functionality can now use
   84    ptrace(2) on Linux systems that support seccomp(2) filtering.
   85    This has the advantage of working for both static and dynamic
   86    binaries and can work with sudo's SELinux RBAC mode.  The following
   87    architectures are currently supported: i386, x86_64, aarch64,
   88    arm, mips (log_subcmds only), powerpc, riscv, and s390x.  The
   89    default is to use ptrace(2) where possible; the new "intercept_type"
   90    sudoers setting can be used to explicitly set the type.
   92  * New Georgian translation from translationproject.org.
   94  * Fixed creating packages on CentOS Stream.
   96  * Fixed a bug in the intercept and log_subcmds support where
   97    the execve(2) wrapper was using the current environment instead
   98    of the passed environment pointer.  Bug #1030.
  100  * Added AppArmor integration for Linux.  A sudoers rule can now
  101    specify an APPARMOR_PROFILE option to run a command confined by
  102    the named AppArmor profile.
  104  * Fixed parsing of the "server_log" setting in sudo_logsrvd.conf.
  105    Non-paths were being treated as paths and an actual path was
  106    treated as an error.
  108 What's new in Sudo 1.9.10
  110  * Added new "log_passwords" and "passprompt_regex" sudoers options.
  111    If "log_passwords" is disabled, sudo will attempt to prevent passwords
  112    from being logged.  If sudo detects any of the regular expressions in
  113    the "passprompt_regex" list in the terminal output, sudo will log '*'
  114    characters instead of the terminal input until a newline or carriage
  115    return is found in the input or an output character is received.
  117  * Added new "log_passwords" and "passprompt_regex" settings to
  118    sudo_logsrvd that operate like the sudoers options when logging
  119    terminal input.
  121  * Fixed several few bugs in the cvtsudoers utility when merging
  122    multiple sudoers sources.
  124  * Fixed a bug in sudo_logsrvd when parsing the sudo_logsrvd.conf
  125    file, where the "retry_interval" in the [relay] section was not
  126    being recognized.
  128  * Restored the pre-1.9.9 behavior of not performing authentication
  129    when sudo's -n option is specified.  A new "noninteractive_auth"
  130    sudoers option has been added to enable PAM authentication in
  131    non-interactive mode.  GitHub issue #131.
  133  * On systems with /proc, if the /proc/self/stat (Linux) or
  134    /proc/pid/psinfo (other systems) file is missing or invalid,
  135    sudo will now check file descriptors 0-2 to determine the user's
  136    terminal.  Bug #1020.
  138  * Fixed a compilation problem on Debian kFreeBSD.  Bug #1021.
  140  * Fixed a crash in sudo_logsrvd when running in relay mode if
  141    an alert message is received.
  143  * Fixed an issue that resulting in "problem with defaults entries"
  144    email to be sent if a user ran sudo when the sudoers entry in
  145    the nsswitch.conf file includes "sss" but no sudo provider is
  146    configured in /etc/sssd/sssd.conf.  Bug #1022.
  148  * Updated the warning displayed when the invoking user is not
  149    allowed to run sudo.  If sudo has been configured to send mail
  150    on failed attempts (see the mail_* flags in sudoers), it will
  151    now print "This incident has been reported to the administrator."
  152    If the "mailto" or "mailerpath" sudoers settings are disabled,
  153    the message will not be printed and no mail will be sent.
  154    GitHub issue #48.
  156  * Fixed a bug where the user-specified command timeout was not
  157    being honored if the sudoers rule did not also specify a timeout.
  159  * Added support for using POSIX extended regular expressions in
  160    sudoers rules.  A command and/or arguments in sudoers are treated
  161    as a regular expression if they start with a '^' character and
  162    end with a '$'.  The command and arguments are matched separately,
  163    either one (or both) may be a regular expression.
  164    Bug #578, GitHub issue #15.
  166  * A user may now only run "sudo -U otheruser -l" if they have a
  167    "sudo ALL" privilege where the RunAs user contains either "root"
  168    or "otheruser".  Previously, having "sudo ALL" was sufficient,
  169    regardless of the RunAs user.  GitHub issue #134.
  171  * The sudo lecture is now displayed immediately before the password
  172    prompt.  As a result, sudo will no longer display the lecture
  173    unless the user needs to enter a password.  Authentication methods
  174    that don't interact with the user via a terminal do not trigger
  175    the lecture.
  177  * Sudo now uses its own closefrom() emulation on Linux systems.
  178    The glibc version may not work in a chroot jail where /proc is
  179    not available.  If close_range(2) is present, it will be used
  180    in preference to /proc/self/fd.
  182 What's new in Sudo 1.9.9
  184  * Sudo can now be built with OpenSSL 3.0 without generating warnings
  185    about deprecated OpenSSL APIs.
  187  * A digest can now be specified along with the "ALL" command in
  188    the LDAP and SSSD back-ends.  Sudo 1.9.0 introduced support for
  189    this in the sudoers file but did not include corresponding changes
  190    for the other back-ends.
  192  * visudo now only warns about an undefined alias or a cycle in an
  193    alias once for each alias.
  195  * The sudoRole cn was truncated by a single character in warning messages.
  196    GitHub issue #115.
  198  * The cvtsudoers utility has new --group-file and --passwd-file options
  199    to use a custom passwd or group file when the --match-local option is
  200    also used.
  202  * The cvtsudoers utility can now filter or match based on a command.
  204  * The cvtsudoers utility can now produce output in csv (comma-separated
  205    value) format.  This can be used to help generate entitlement reports.
  207  * Fixed a bug in sudo_logsrvd that could result in the connection being
  208    dropped for very long command lines.
  210  * Fixed a bug where sudo_logsrvd would not accept a restore point
  211    of zero.
  213  * Fixed a bug in visudo where the value of the "editor" setting was not
  214    used if it did not match the user's EDITOR environment variable.
  215    This was only a problem if the "env_editor" setting was not enabled.
  216    Bug #1000.
  218  * Sudo now builds with the -fcf-protection compiler option and the
  219    "-z now" linker option if supported.
  221  * The output of "sudoreplay -l" now more closely matches the
  222    traditional sudo log format.
  224  * The sudo_sendlog utility will now use the full contents of the log.json
  225    file, if present.  This makes it possible to send sudo-format I/O logs
  226    that use the newer log.json format to sudo_logsrvd without losing any
  227    information.
  229  * Fixed compilation of the arc4random_buf() replacement on systems with
  230    arc4random() but no arc4random_buf().  Bug #1008.
  232  * Sudo now uses its own getentropy() by default on Linux.  The GNU libc
  233    version of getentropy() will fail on older kernels that don't support
  234    the getrandom() system call.
  236  * It is now possible to build sudo with WolfSSL's OpenSSL compatibility
  237    layer by using the --enable-wolfssl configure option.
  239  * Fixed a bug related to Daylight Saving Time when parsing timestamps
  240    in Generalized Time format.  This affected the NOTBEFORE and
  241    NOTAFTER options in sudoers.  Bug #1006
  243  * Added the -O and -P options to visudo, which can be used to check
  244    or set the owner and permissions.  This can be used in conjunction
  245    with the -c option to check that the sudoers file ownership and
  246    permissions are correct.  Bug #1007.
  248  * It is now possible to set resource limits in the sudoers file itself.
  249    The special values "default" and "user" refer to the default system
  250    limit and invoking user limit respectively.  The core dump size limit
  251    is now set to 0 by default unless overridden by the sudoers file.
  253  * The cvtsudoers utility can now merge multiple sudoers sources into
  254    a single, combined sudoers file.  If there are conflicting entries,
  255    cvtsudoers will attempt to resolve them but manual intervention
  256    may be required.  The merging of sudoers rules is currently fairly
  257    simplistic but will be improved in a future release.
  259  * Sudo was parsing but not applying the "deref" and "tls_reqcert"
  260    ldap.conf settings.  This meant the options were effectively
  261    ignored which broke dereferencing of aliases in LDAP.  Bug #1013.
  263  * Clarified in the sudo man page that the security policy may
  264    override the user's PATH environment variable.  Bug #1014.
  266  * When sudo is run in non-interactive mode (with the -n option), it
  267    will now attempt PAM authentication and only exit with an error
  268    if user interaction is required.  This allows PAM modules that
  269    don't interact with the user to succeed.  Previously, sudo
  270    would not attempt authentication if the -n option was specified.
  271    Bug #956 and GitHub issue #83.
  273  * Fixed a regression introduced in version 1.9.1 when sudo is
  274    built with the --with-fqdn configure option.  The local host
  275    name was being resolved before the sudoers file was processed,
  276    making it impossible to disable DNS lookups by negating the
  277    "fqdn" sudoers option.  Bug #1016.
  279  * Added support for negated sudoUser attributes in the LDAP and
  280    SSSD sudoers back ends.  A matching sudoUser that is negated
  281    will cause the sudoRole containing it to be ignored.
  283  * Fixed a bug where the stack resource limit could be set to a
  284    value smaller than that of the invoking user and not be reset
  285    before the command was run.  Bug #1017.
  287 What's new in Sudo 1.9.8p2
  289  * Fixed a potential out-of-bounds read with "sudo -i" when the
  290    target user's shell is bash.  This is a regression introduced
  291    in sudo 1.9.8.  Bug #998.
  293  * sudo_logsrvd now only sends a log ID for first command of a session.
  294    There is no need to send the log ID for each sub-command.
  296  * Fixed a few minor memory leaks in intercept mode.
  298  * Fixed a problem with sudo_logsrvd in relay mode if "store_first"
  299    was enabled when handling sub-commands.  A new zero-length journal
  300    file was created for each sub-command instead of simply using
  301    the existing journal file.
  303  * Fixed a bug where sudoedit would fail if one of the directories
  304    in the path to be edited had the immutable flag set (BSD, Linux
  305    or macOS).  GitHub issue #122.
  307 What's new in Sudo 1.9.8p1
  309  * Fixed support for passing a prompt (sudo -p) or a login class
  310    (sudo -c) on the command line.  This is a regression introduced
  311    in sudo 1.9.8.  Bug #993.
  313  * Fixed a crash with "sudo ALL" rules in the LDAP and SSSD back-ends.
  314    This is a regression introduced in sudo 1.9.8.  Bug #994.
  316  * Fixed a compilation error when the --enable-static-sudoers configure
  317    option was specified.  This is a regression introduced in sudo
  318    1.9.8 caused by a symbol clash with the intercept and log server
  319    protobuf functions.
  321 What's new in Sudo 1.9.8
  323  * It is now possible to transparently intercepting sub-commands
  324    executed by the original command run via sudo.  Intercept support
  325    is implemented using LD_PRELOAD (or the equivalent supported by
  326    the system) and so has some limitations.  The two main limitations
  327    are that only dynamic executables are supported and only the
  328    execl, execle, execlp, execv, execve, execvp, and execvpe library
  329    functions are currently intercepted. Its main use case is to
  330    support restricting privileged shells run via sudo.
  332    To support this, there is a new "intercept" Defaults setting and
  333    an INTERCEPT command tag that can be used in sudoers.  For example:
  335     Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
  336     Defaults!SHELLS intercept
  338    would cause sudo to run the listed shells in intercept mode.
  339    This can also be set on a per-rule basis.  For example:
  341     Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
  342     chuck ALL = INTERCEPT: SHELLS
  344    would only apply intercept mode to user "chuck" when running one
  345    of the listed shells.
  347    In intercept mode, sudo will not prompt for a password before
  348    running a sub-command and will not allow a set-user-ID or
  349    set-group-ID program to be run by default.  The new
  350    intercept_authenticate and intercept_allow_setid sudoers settings
  351    can be used to change this behavior.
  353  * The new "log_subcmds" sudoers setting can be used to log additional
  354    commands run in a privileged shell.  It uses the same mechanism as
  355    the intercept support described above and has the same limitations.
  357  * The new "log_exit_status" sudoers setting can be used to log
  358    the exit status commands run via sudo.  This is also a corresponding
  359    "log_exit" setting in the sudo_logsrvd.conf eventlog stanza.
  361  * Support for logging sudo_logsrvd errors via syslog or to a file.
  362    Previously, most sudo_logsrvd errors were only visible in the
  363    debug log.
  365  * Better diagnostics when there is a TLS certificate validation error.
  367  * Using the "+=" or "-=" operators in a Defaults setting that takes
  368    a string, not a list, now produces a warning from sudo and a
  369    syntax error from inside visudo.
  371  * Fixed a bug where the "iolog_mode" setting in sudoers and sudo_logsrvd
  372    had no effect when creating I/O log parent directories if the I/O log
  373    file name ended with the string "XXXXXX".
  375  * Fixed a bug in the sudoers custom prompt code where the size
  376    parameter that was passed to the strlcpy() function was incorrect.
  377    No overflow was possible since the correct amount of memory was
  378    already pre-allocated.
  380  * The mksigname and mksiglist helper programs are now built with
  381    the host compiler, not the target compiler, when cross-compiling.
  382    Bug #989.
  384  * Fixed compilation error when the --enable-static-sudoers configure
  385    option was specified.  This was due to a typo introduced in sudo
  386    1.9.7.  GitHub PR #113.
  388 What's new in Sudo 1.9.7p2
  390  * When formatting JSON output, octal numbers are now stored as
  391    strings, not numbers.  The JSON spec does not actually support
  392    octal numbers with a '0' prefix.
  394  * Fixed a compilation issue on Solaris 9.
  396  * Sudo now can handle the getgroups() function returning a different
  397    number of groups for subsequent invocations.  GitHub PR #106.
  399  * When loading a Python plugin, python_plugin.so now verifies
  400    that the module loaded matches the one we tried to load.  This
  401    allows sudo to display a more useful error message when trying
  402    to load a plugin with a name that conflicts with a Python module
  403    installed in the system location.
  405  * Sudo no longer sets the the open files resource limit to "unlimited"
  406    while it runs.  This avoids a problem where sudo's closefrom()
  407    emulation would need to close a very large number of descriptors
  408    on systems without a way to determine which ones are actually open.
  410  * Sudo now includes a configure check for va_copy or __va_copy and
  411    only defines its own version if the configure test fails.
  413  * Fixed a bug in sudo's utmp file handling which prevented old
  414    entries from being reused.  As a result, the utmp (or utmpx)
  415    file was appended to unnecessarily.  GitHub PR #108.
  417  * Fixed a bug introduced in sudo 1.9.7 that prevented sudo_logsrvd
  418    from accepting TLS connections when OpenSSL is used.  Bug #988.
  420 What's new in Sudo 1.9.7p1
  422  * Fixed an SELinux sudoedit bug when the edited temporary file
  423    could not be opened.  The sesh helper would still be run even
  424    when there are no temporary files available to install.
  426  * Fixed a compilation problem on FreeBSD.
  428  * The sudo_noexec.so file is now built as a module on all systems
  429    other than macOS.  This makes it possible to use other libtool
  430    implementations such as slibtool.  On macOS shared libraries and
  431    modules are not interchangeable and the version of libtool shipped
  432    with sudo must be used.
  434  * Fixed a few bugs in the getgrouplist() emulation on Solaris when
  435    reading from the local group file.
  437  * Fixed a bug in sudo_logsrvd that prevented periodic relay server
  438    connection retries from occurring in "store_first" mode.
  440  * Disabled the nss_search()-based getgrouplist() emulation on HP-UX
  441    due to a crash when the group source is set to "compat" in
  442    /etc/nsswitch.conf.  This is probably due to a mismatch between
  443    include/compat/nss_dbdefs.h and what HP-UX uses internally.  On
  444    HP-UX we now just cycle through groups the slow way using
  445    getgrent().  Bug #978.
  447 What's new in Sudo 1.9.7
  449  * The "fuzz" Makefile target now runs all the fuzzers for 8192
  450    passes (can be overridden via the FUZZ_RUNS variable).  This makes
  451    it easier to run the fuzzers in-tree.  To run a fuzzer indefinitely,
  452    set FUZZ_RUNS=-1, e.g. "make FUZZ_RUNS=-1 fuzz".
  454  * Fixed fuzzing on FreeBSD where the ld.lld linker returns an
  455    error by default when a symbol is multiply-defined.
  457  * Added support for determining local IPv6 addresses on systems
  458    that lack the getifaddrs() function.  This now works on AIX,
  459    HP-UX and Solaris (at least).  Bug #969.
  461  * Fixed a bug introduced in sudo 1.9.6 that caused "sudo -V" to
  462    report a usage error.  Also, when invoked as sudoedit, sudo now
  463    allows a more restricted set of options that matches the usage
  464    statement and documentation.  GitHub issue #95.
  466  * Fixed a crash in sudo_sendlog when the specified certificate
  467    or key does not exist or is invalid.  Bug #970
  469  * Fixed a compilation error when sudo is configured with the
  470    --disable-log-client option.
  472  * Sudo's limited support for SUCCESS=return entries in nsswitch.conf
  473    is now documented.  Bug #971.
  475  * Sudo now requires autoconf 2.70 or higher to regenerate the
  476    configure script.  Bug #972.
  478  * sudo_logsrvd now has a relay mode which can be used to create
  479    a hierarchy of log servers.  By default, when a relay server is
  480    defined, messages from the client are forwarded immediately to
  481    the relay.  However, if the "store_first" setting is enabled,
  482    the log will be stored locally until the command completes and
  483    then relayed.  Bug #965.
  485  * Sudo now links with OpenSSL by default if it is available unless
  486    the --disable-openssl configure option is used or both the
  487    --disable-log-client and --disable-log-server configure options
  488    are specified.
  490  * Fixed configure's Python version detection when the version minor
  491    number is more than a single digit, for example Python 3.10.
  493  * The sudo Python module tests now pass for Python 3.10.
  495  * Sudo will now avoid changing the datasize resource limit
  496    as long as the existing value is at least 1GB.  This works around
  497    a problem on 64-bit HP-UX where it is not possible to exactly
  498    restore the original datasize limit.  Bug #973.
  500  * Fixed a race condition that could result in a hang when sudo is
  501    executed by a process where the SIGCHLD handler is set to SIG_IGN.
  502    This fixes the bug described by GitHub PR #98.
  504  * Fixed an out-of-bounds read in sudoedit and visudo when the
  505    EDITOR, VISUAL or SUDO_EDITOR environment variables end in an
  506    unescaped backslash.  Also fixed the handling of quote characters
  507    that are escaped by a backslash.  GitHub issue #99.
  509  * Fixed a bug that prevented the "log_server_verify" sudoers option
  510    from taking effect.
  512  * The sudo_sendlog utility has a new -s option to cause it to stop
  513    sending I/O records after a user-specified elapsed time.  This
  514    can be used to test the I/O log restart functionality of sudo_logsrvd.
  516  * Fixed a crash introduced in sudo 1.9.4 in sudo_logsrvd when
  517    attempting to restart an interrupted I/O log transfer.
  519  * The TLS connection timeout in the sudoers log client was previously
  520    hard-coded to 10 seconds.  It now uses the value of log_server_timeout.
  522  * The configure script now outputs a summary of the user-configurable
  523    options at the end, separate from output of configure script tests.
  524    Bug #820.
  526  * Corrected the description of which groups may be specified via the
  527    -g option in the Runas_Spec section.  Bug #975.
  529 What's new in Sudo 1.9.6p1
  531  * Fixed a regression introduced in sudo 1.9.6 that resulted in an
  532    error message instead of a usage message when sudo is run with
  533    no arguments.
  535 What's new in Sudo 1.9.6
  537  * Fixed a sudo_sendlog compilation problem with the AIX xlC compiler.
  539  * Fixed a regression introduced in sudo 1.9.4 where the
  540    --disable-root-mailer configure option had no effect.
  542  * Added a --disable-leaks configure option that avoids some
  543    memory leaks on exit that would otherwise occur.  This is intended
  544    to be used with development tools that measure memory leaks.  It
  545    is not safe to use in production at this time.
  547  * Plugged some memory leaks identified by oss-fuzz and ASAN.
  549  * Fixed the handling of sudoOptions for an LDAP sudoRole that
  550    contains multiple sudoCommands.  Previously, some of the options
  551    would only be applied to the first sudoCommand.
  553  * Fixed a potential out of bounds read in the parsing of NOTBEFORE
  554    and NOTAFTER sudoers command options (and their LDAP equivalents).
  556  * The parser used for reading I/O log JSON files is now more
  557    resilient when processing invalid JSON.
  559  * Fixed typos that prevented "make uninstall" from working.
  560    GitHub issue #87.
  562  * Fixed a regression introduced in sudo 1.9.4 where the last line
  563    in a sudoers file might not have a terminating NUL character
  564    added if no newline was present.
  566  * Integrated oss-fuzz and LLVM's libFuzzer with sudo.  The new
  567    --enable-fuzzer configure option can be combined with the
  568    --enable-sanitizer option to build sudo with fuzzing support.
  569    Multiple fuzz targets are available for fuzzing different parts
  570    of sudo.  Fuzzers are built and tested via "make fuzz" or as part
  571    of "make check" (even when sudo is not built with fuzzing support).
  572    Fuzzing support currently requires the LLVM clang compiler (not gcc).
  574  * Fixed the --enable-static-sudoers configure option.
  575    GitHub issue #92.
  577  * Fixed a potential out of bounds read sudo when is run by a user
  578    with more groups than the value of "max_groups" in sudo.conf.
  580  * Added an "admin_flag" sudoers option to make the use of the
  581    ~/.sudo_as_admin_successful file configurable on systems where
  582    sudo is build with the --enable-admin-flag configure option.
  583    This mostly affects Ubuntu and its derivatives.  GitHub issue #56.
  585  * The "max_groups" setting in sudo.conf is now limited to 1024.
  586    This setting is obsolete and should no longer be needed.
  588  * Fixed a bug in the tilde expansion of "CHROOT=dir" and "CWD=dir"
  589    sudoers command options.  A path "~/foo" was expanded to
  590    "/home/userfoo" instead of "/home/user/foo".  This also affects
  591    the runchroot and runcwd Defaults settings.
  593  * Fixed a bug on systems without a native getdelim(3) function
  594    where very long lines could cause parsing of the sudoers file
  595    to end prematurely.  Bug #960.
  597  * Fixed a potential integer overflow when converting the
  598    timestamp_timeout and passwd_timeout sudoers settings to a
  599    timespec struct.
  601  * The default for the "group_source" setting in sudo.conf is now
  602    "dynamic" on macOS.  Recent versions of macOS do not reliably
  603    return all of a user's non-local groups via getgroups(2), even
  604    when _DARWIN_UNLIMITED_GETGROUPS is defined.  Bug #946.
  606  * Fixed a potential use-after-free in the PAM conversation function.
  607    Bug #967.
  609  * Fixed potential redefinition of sys/stat.h macros in sudo_compat.h.
  610    Bug #968.
  612 What's new in Sudo 1.9.5p2
  614  * Fixed sudo's setprogname(3) emulation on systems that don't
  615    provide it.
  617  * Fixed a problem with the sudoers log server client where a partial
  618    write to the server could result the sudo process consuming large
  619    amounts of CPU time due to a cycle in the buffer queue. Bug #954.
  621  * Added a missing dependency on libsudo_util in libsudo_eventlog.
  622    Fixes a link error when building sudo statically.
  624  * The user's KRB5CCNAME environment variable is now preserved when
  625    performing PAM authentication.  This fixes GSSAPI authentication
  626    when the user has a non-default ccache.
  628  * When invoked as sudoedit, the same set of command line options
  629    are now accepted as for "sudo -e".  The -H and -P options are
  630    now rejected for sudoedit and "sudo -e" which matches the sudo
  631    1.7 behavior.  This is part of the fix for CVE-2021-3156.
  633  * Fixed a potential buffer overflow when unescaping backslashes
  634    in the command's arguments.  Normally, sudo escapes special
  635    characters when running a command via a shell (sudo -s or sudo
  636    -i).  However, it was also possible to run sudoedit with the -s
  637    or -i flags in which case no escaping had actually been done,
  638    making a buffer overflow possible.  This fixes CVE-2021-3156.
  640 What's new in Sudo 1.9.5p1
  642  * Fixed a regression introduced in sudo 1.9.5 where the editor run
  643    by sudoedit was set-user-ID root unless SELinux RBAC was in use.
  644    The editor is now run with the user's real and effective user-IDs.
  646 What's new in Sudo 1.9.5
  648  * Fixed a crash introduced in 1.9.4 when running "sudo -i" as an
  649    unknown user.  This is related to but distinct from Bug #948.
  651  * If the "lecture_file" setting is enabled in sudoers, it must now
  652    refer to a regular file or a symbolic link to a regular file.
  654  * Fixed a potential use-after-free bug in sudo_logsrvd when the
  655    server shuts down if there are existing connections from clients
  656    that are only logging events and not session I/O data.
  658  * Fixed a buffer size mismatch when serializing the list of IP
  659    addresses for configured network interfaces.  This bug is not
  660    actually exploitable since the allocated buffer is large enough
  661    to hold the list of addresses.
  663  * If sudo is executed with a name other than "sudo" or "sudoedit",
  664    it will now fall back to "sudo" as the program name.  This affects
  665    warning, help and usage messages as well as the matching of Debug
  666    lines in the /etc/sudo.conf file.  Previously, it was possible
  667    for the invoking user to manipulate the program name by setting
  668    argv[0] to an arbitrary value when executing sudo.
  670  * Sudo now checks for failure when setting the close-on-exec flag
  671    on open file descriptors.  This should never fail but, if it
  672    were to, there is the possibility of a file descriptor leak to
  673    a child process (such as the command sudo runs).
  675  * Fixed CVE-2021-23239, a potential information leak in sudoedit
  676    that could be used to test for the existence of directories not
  677    normally accessible to the user in certain circumstances.  When
  678    creating a new file, sudoedit checks to make sure the parent
  679    directory of the new file exists before running the editor.
  680    However, a race condition exists if the invoking user can replace
  681    (or create) the parent directory.  If a symbolic link is created
  682    in place of the parent directory, sudoedit will run the editor
  683    as long as the target of the link exists.  If the target of the
  684    link does not exist, an error message will be displayed.  The
  685    race condition can be used to test for the existence of an
  686    arbitrary directory.  However, it _cannot_ be used to write to
  687    an arbitrary location.
  689  * Fixed CVE-2021-23240, a flaw in the temporary file handling of
  690    sudoedit's SELinux RBAC support.  On systems where SELinux is
  691    enabled, a user with sudoedit permissions may be able to set the
  692    owner of an arbitrary file to the user-ID of the target user.
  693    On Linux kernels that support "protected symlinks", setting
  694    /proc/sys/fs/protected_symlinks to 1 will prevent the bug from
  695    being exploited.  For more information see
  696    https://www.sudo.ws/alerts/sudoedit_selinux.html.
  698  * Added writability checks for sudoedit when SELinux RBAC is in use.
  699    This makes sudoedit behavior consistent regardless of whether
  700    or not SELinux RBAC is in use.  Previously, the "sudoedit_checkdir"
  701    setting had no effect for RBAC entries.
  703  * A new sudoers option "selinux" can be used to disable sudo's
  704    SELinux RBAC support.
  706  * Quieted warnings from PVS Studio, clang analyzer, and cppcheck.
  707    Added suppression annotations for PVS Studio false positives.
  709 What's new in Sudo 1.9.4p2
  711  * Fixed a bug introduced in sudo 1.9.4p1 which could lead to a crash
  712    if the sudoers file contains a runas user-specific Defaults entry.
  713    Bug #951.
  715 What's new in Sudo 1.9.4p1
  717  * Sudo on macOS now supports users with more than 16 groups without
  718    needing to set "group_source" to "dynamic" in /etc/sudo.conf.
  719    Previously, only the first 15 were used when matching group-based
  720    rules in sudoers.  Bug #946.
  722  * Fixed a regression introduced in version 1.9.4 where sudo would
  723    not build when configured using the --without-sendmail option.
  724    Bug #947.
  726  * Fixed a problem where if I/O logging was disabled and sudo was
  727    unable to connect to sudo_logsrvd, the command would still be
  728    allowed to run even when the "ignore_logfile_errors" sudoers
  729    option was enabled.
  731  * Fixed a crash introduced in version 1.9.4 when attempting to run
  732    a command as a non-existent user.  Bug #948.
  734  * The installed sudo.conf file now has the default sudoers Plugin
  735    lines commented out.  This fixes a potential conflict when there
  736    is both a system-installed version of sudo and a user-installed
  737    version.  GitHub issue #75.
  739  * Fixed a regression introduced in sudo 1.9.4 where sudo would run
  740    the command as a child process even when a pseudo-terminal was
  741    not in use and the "pam_session" and "pam_setcred" options were
  742    disabled.  GitHub issue #76.
  744  * Fixed a regression introduced in sudo 1.8.9 where the "closefrom"
  745    sudoers option could not be set to a value of 3.  Bug #950.
  747 What's new in Sudo 1.9.4
  749  * The sudoers parser will now detect when an upper-case reserved
  750    word is used when declaring an alias.  Now instead of "syntax
  751    error, unexpected CHROOT, expecting ALIAS" the message will be
  752    "syntax error, reserved word CHROOT used as an alias name".
  753    Bug #941.
  755  * Better handling of sudoers files without a final newline.
  756    The parser now adds a newline at end-of-file automatically which
  757    removes the need for special cases in the parser.
  759  * Fixed a regression introduced in sudo 1.9.1 in the sssd back-end
  760    where an uninitialized pointer could be freed on an error path.
  761    GitHub issue #67.
  763  * The core logging code is now shared between sudo_logsrvd and
  764    the sudoers plugin.
  766  * JSON log entries sent to syslog now use "minimal" JSON which
  767    skips all non-essential white space.
  769  * The sudoers plugin can now produce JSON-formatted logs.  The
  770    "log_format" sudoers option can be used to select sudo or json
  771    format logs.  The default is sudo format logs.
  773  * The sudoers plugin and visudo now display the column number in
  774    syntax error messages in addition to the line number.  Bug #841.
  776  * If I/O logging is not enabled but "log_servers" is set, the
  777    sudoers plugin will now log accept events to sudo_logsrvd.
  778    Previously, the accept event was only sent when I/O logging was
  779    enabled.  The sudoers plugin now sends reject and alert events too.
  781  * The sudo logsrv protocol has been extended to allow an AlertMessage
  782    to contain an optional array of InfoMessage, as AcceptMessage
  783    and RejectMessage already do.
  785  * Fixed a bug in sudo_logsrvd where receipt of SIGHUP would result
  786    in duplicate entries in the debug log when debugging was enabled.
  788  * The visudo utility now supports EDITOR environment variables
  789    that use single or double quotes in the command arguments.
  790    Bug #942.
  792  * The PAM session modules now run when sudo is set-user-ID root,
  793    which allows a module to determine the original user-ID.
  794    Bug #944.
  796  * Fixed a regression introduced in sudo 1.8.24 in the LDAP back-end
  797    where sudoNotBefore and sudoNotAfter were applied even when the
  798    SUDOERS_TIMED setting was not present in ldap.conf.  Bug #945.
  800  * Sudo packages for macOS 11 now contain universal binaries that
  801    support both Intel and Apple Silicon CPUs.
  803  * For sudo_logsrvd, an empty value for the "pid_file" setting in
  804    sudo_logsrvd.conf will now disable the process ID file.
  806 What's new in Sudo 1.9.3p1
  808  * Fixed a regression introduced in sudo 1.9.3 where the configure
  809    script would not detect the crypt(3) function if it was present
  810    in the C library, not an additional library.
  812  * Fixed a regression introduced in sudo 1.8.23 with shadow passwd
  813    file authentication on OpenBSD.  BSD authentication was not
  814    affected.
  816  * Sudo now logs when a user-specified command-line option is
  817    rejected by a sudoers rule.  Previously, these conditions were
  818    written to the audit log, but the default sudo log file.  Affected
  819    command line arguments include -C (--close-from), -D (--chdir),
  820    -R (--chroot), -g (--group) and -u (--user).
  822 What's new in Sudo 1.9.3
  824  * sudoedit will now prompt the user before overwriting an existing
  825    file with one that is zero-length after editing.  Bug #922.
  827  * Fixed building the Python plugin on systems with a compiler that
  828    doesn't support symbol hiding.
  830  * Sudo now uses a linker script to hide symbols even when the
  831    compiler supports symbol hiding.  This should make it easier to
  832    detect omissions in the symbol exports file, regardless of the
  833    platform.
  835  * Fixed the libssl dependency in Debian packages for older releases
  836    that use libssl1.0.0.
  838  * Sudo and visudo now provide more detailed messages when a syntax
  839    error is detected in sudoers.  The offending line and token are
  840    now displayed.  If the parser was generated by GNU bison,
  841    additional information about what token was expected is also
  842    displayed.  Bug #841.
  844  * Sudoers rules must now end in either a newline or the end-of-file.
  845    Previously, it was possible to have multiple rules on a single
  846    line, separated by white space.  The use of an end-of-line
  847    terminator makes it possible to display accurate error messages.
  849  * Sudo no longer refuses to run if a syntax error in the sudoers
  850    file is encountered.  The entry with the syntax error will be
  851    discarded and sudo will continue to parse the file.  This makes
  852    recovery from a syntax error less painful on systems where sudo
  853    is the primary method of superuser access.  The historic behavior
  854    can be restored by add "error_recovery=false" to the sudoers
  855    plugin's optional arguments in sudo.conf.  Bug #618.
  857  * Fixed the sample_approval plugin's symbol exports file for systems
  858    where the compiler doesn't support symbol hiding.
  860  * Fixed a regression introduced in sudo 1.9.1 where arguments to
  861    the "sudoers_policy" plugin in sudo.conf were not being applied.
  862    The sudoers file is now parsed by the "sudoers_audit" plugin,
  863    which is loaded implicitly when "sudoers_policy" is listed in
  864    sudo.conf.  Starting with sudo 1.9.3, if there are plugin arguments
  865    for "sudoers_policy" but "sudoers_audit" is not listed, those
  866    arguments will be applied to "sudoers_audit" instead.
  868  * The user's resource limits are now passed to sudo plugins in
  869    the user_info[] list.  A plugin cannot determine the limits
  870    itself because sudo changes the limits while it runs to prevent
  871    resource starvation.
  873  * It is now possible to set the working directory or change the
  874    root directory on a per-command basis using the CWD and CHROOT
  875    options.  CWD and CHROOT are now reserved words in sudoers--they
  876    can no longer be used as alias names.  There are also new Defaults
  877    settings, runchroot and runcwd, that can be used to set the
  878    working directory or root directory on a more global basis.
  880  * New -D (--chdir) and -R (--chroot) command line options can be
  881    used to set the working directory or root directory if the sudoers
  882    file allows it.  This functionality is not enabled by default
  883    and must be explicitly enabled in the sudoers file.
  885  * Fixed a regression introduced in sudo 1.9.1 where the sudoers_audit
  886    symbol could not be resolved when sudo is configured with the
  887    --enable-static-sudoers option.  Bug #936 and GitHub issue #61.
  889 What's new in Sudo 1.9.2
  891  * Fixed package builds on RedHat Enterprise Linux 8.
  893  * The configure script now uses pkg-config to find the openssl
  894    cflags and libs where possible.
  896  * The contents of the log.json I/O log file is now documented in
  897    the sudoers manual.
  899  * The sudoers plugin now properly exports the sudoers_audit symbol
  900    on systems where the compiler lacks symbol visibility controls.
  901    This caused a regression in 1.9.1 where a successful sudo command
  902    was not logged due to the missing audit plugin.  Bug #931.
  904  * Fixed a regression introduced in 1.9.1 that can result in crash
  905    when there is a syntax error in the sudoers file.  Bug #934.
  907 What's new in Sudo 1.9.1
  909  * Fixed an AIX-specific problem when I/O logging was enabled.
  910    The terminal device was not being properly set to raw mode.
  911    Bug #927.
  913  * Corrected handling of sudo_logsrvd connections without associated
  914    I/O log data.  This fixes support for RejectMessage as well as
  915    AcceptMessage when the expect_iobufs flag is not set.
  917  * Added an "iolog_path" entry to the JSON-format event log produced
  918    by sudo_logsrvd.  Previously, it was only possible to determine
  919    the I/O log file an event belonged to using sudo-format logs.
  921  * Fixed the bundle IDs for sudo-logsrvd and sudo-python macOS packages.
  923  * I/O log files produced by the sudoers plugin now clear the write
  924    bits on the I/O log timing file when the log is complete.  This
  925    is consistent with how sudo_logsrvd indicates that a log is
  926    complete.
  928  * The sudoreplay utility has a new "-F" (follow) command line
  929    option to allow replaying a session that is still in progress,
  930    similar to "tail -f".
  932  * The @include and @includedir directives can be used in sudoers
  933    instead of #include and #includedir.  In addition, include paths
  934    may now have embedded white space by either using a double-quoted
  935    string or escaping the space characters with a backslash.
  937  * Fixed some Solaris 11.4 compilation errors.
  939  * When running a command in a pty, sudo will no longer try to
  940    suspend itself if the user's tty has been revoked (for instance
  941    when the parent ssh daemon is killed).  This fixes a bug where
  942    sudo would continuously suspend the command (which would succeed),
  943    then suspend itself (which would fail due to the missing tty)
  944    and then resume the command.
  946  * If sudo's event loop fails due to the tty being revoked, remove
  947    the user's tty events and restart the event loop (once).  This
  948    fixes a problem when running "sudo reboot" in a pty on some
  949    systems.  When the event loop exited unexpectedly, sudo would
  950    kill the command running in the pty, which in the case of "reboot",
  951    could lead to the system being in a half-rebooted state.
  953  * Fixed a regression introduced in sudo 1.8.23 in the LDAP and
  954    SSSD back-ends where a missing sudoHost attribute was treated
  955    as an "ALL" wildcard value.  A sudoRole with no sudoHost attribute
  956    is now ignored as it was prior to version 1.8.23.
  958  * The audit plugin API has been changed slightly.  The sudo front-end
  959    now audits an accept event itself after all approval plugins are
  960    run and the I/O logging plugins (if any) are opened.  This makes
  961    it possible for an audit plugin to only log a single overall
  962    accept event if desired.
  964  * The sudoers plugin can now be loaded as an audit plugin.  Logging
  965    of successful commands is now performed in the audit plugin's
  966    accept function.  As a result, commands are now only logged if
  967    allowed by sudoers and all approval plugins.  Commands rejected
  968    by an approval plugin are now also logged by the sudoers plugin.
  970  * Romanian translation for sudo and sudoers from translationproject.org.
  972  * Fixed a regression introduced in sudo 1.9.0 where sudoedit did
  973    not remove its temporary files after installing them.  Bug #929.
  975  * Fixed a regression introduced in sudo 1.9.0 where the iolog_file
  976    setting in sudoers and sudo_logsrvd.conf caused an error if the
  977    file name ended in six or more X's.
  979 What's new in Sudo 1.9.0
  981  * Fixed a test failure in the strsig_test regress test on FreeBSD.
  983  * The maximum length of a conversation reply has been increased
  984    from 255 to 1023 characters.  This allows for longer user passwords.
  985    Bug #860.
  987  * Sudo now includes a logging daemon, sudo_logsrvd, which can be
  988    used to implement centralized logging of I/O logs.  TLS connections
  989    are supported when sudo is configured with the --enable-openssl
  990    option.  For more information, see the sudo_logsrvd, logsrvd.conf
  991    and sudo_logsrv.proto manuals as well as the log_servers setting
  992    in the sudoers manual.
  994    The --disable-log-server and --disable-log-client configure
  995    options can be used to disable building the I/O log server and/or
  996    remote I/O log support in the sudoers plugin.
  998  * The new sudo_sendlog utility can be used to test sudo_logsrvd
  999    or send existing sudo I/O logs to a centralized server.
 1001  * It is now possible to write sudo plugins in Python 3 when sudo
 1002    is configured with the --enable-python option.  See the
 1003    sudo_plugin_python manual for details.
 1005    Sudo 1.9.0 comes with several Python example plugins that get
 1006    installed sudo's examples directory.
 1008    The sudo blog article "What's new in sudo 1.9: Python"
 1009    (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/)
 1010    includes a simple tutorial on writing python plugins.
 1012  * Sudo now supports an "audit" plugin type.  An audit plugin
 1013    receives accept, reject, exit and error messages and can be used
 1014    to implement custom logging that is independent of the underlying
 1015    security policy.   Multiple audit plugins may be specified in
 1016    the sudo.conf file.  A sample audit plugin is included that
 1017    writes logs in JSON format.
 1019  * Sudo now supports an "approval" plugin type.  An approval plugin
 1020    is run only after the main security policy (such as sudoers) accepts
 1021    a command to be run.  The approval policy may perform additional
 1022    checks, potentially interacting with the user.  Multiple approval
 1023    plugins may be specified in the sudo.conf file.  Only if all
 1024    approval plugins succeed will the command be allowed.
 1026  * Sudo's -S command line option now causes the sudo conversation
 1027    function to write to the standard output or standard error instead
 1028    of the terminal device.
 1030  * Fixed a bug where if a #include or #includedir directive was the
 1031    last line in sudoers and there was no final newline character, it
 1032    was silently ignored.  Bug #917.
 1034  * It is now possible to use "Cmd_Alias" instead of "Cmnd_Alias" for
 1035    people who find the former more natural.
 1037  * The new "pam_ruser" and "pam_rhost" sudoers settings can be used
 1038    to enable or disable setting the PAM remote user and/or host
 1039    values during PAM session setup.
 1041  * More than one SHA-2 digest may now be specified for a single
 1042    command.  Multiple digests must be separated by a comma.
 1044  * It is now possible to specify a SHA-2 digest in conjunction with
 1045    the "ALL" reserved word in a command specification.  This allows
 1046    one to give permission to run any command that matches the
 1047    specified digest, regardless of its path.
 1049  * Sudo and sudo_logsrvd now create an extended I/O log info file
 1050    in JSON format that contains additional information about the
 1051    command that was run, such as the host name.  The sudoreplay
 1052    utility uses this file in preference to the legacy log file.
 1054  * The sudoreplay utility can now match on a host name in list mode.
 1055    The list output also now includes the host name if one is present
 1056    in the log file.
 1058  * For "sudo -i", if the target user's home directory does not
 1059    exist, sudo will now warn about the problem but run the command
 1060    in the current working directory.  Previously, this was a fatal
 1061    error.  Debian bug #598519.
 1063  * The command line arguments in the SUDO_COMMAND environment
 1064    variable are now truncated at 4096 characters.  This avoids an
 1065    "Argument list too long" error when executing a command with a
 1066    large number of arguments.  Bug #923 (Debian bug #596631).
 1068  * Sudo now properly ends the PAM transaction when the user
 1069    authenticates successfully but sudoers denies the command.
 1070    Debian bug #669687.
 1072  * The sudoers grammar in the manual now indicates that "sudoedit"
 1073    requires one or more arguments.  Debian bug #571621.
 1075  * When copying the edited files to the original path, sudoedit now
 1076    allocates any additional space needed before writing.  Previously,
 1077    it could truncate the destination file if the file system was
 1078    full.  Bug #922.
 1080  * Fixed an issue where PAM session modules could be called with
 1081    the wrong user name when multiple users in the passwd database
 1082    share the the same user-ID.  Debian bug #734752.
 1084  * Sudo command line options that take a value may only be specified
 1085    once.  This is to help guard against problems caused by poorly
 1086    written scripts that invoke sudo with user-controlled input.
 1087    Bug #924.
 1089 What's new in Sudo 1.8.31p1
 1091  * Sudo once again ignores a failure to restore the RLIMIT_CORE
 1092    resource limit, as it did prior to version 1.8.29.  Linux
 1093    containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY
 1094    if we set the limit to zero, even for root, which resulted in a
 1095    warning from sudo.
 1097 What's new in Sudo 1.8.31
 1099  * Fixed CVE-2019-18634, a buffer overflow when the "pwfeedback"
 1100    sudoers option is enabled on systems with uni-directional pipes.
 1102  * The "sudoedit_checkdir" option now treats a user-owned directory
 1103    as writable, even if it does not have the write bit set at the
 1104    time of check.  Symbolic links will no longer be followed by
 1105    sudoedit in any user-owned directory.  Bug #912
 1107  * Fixed sudoedit on macOS 10.15 and above where the root file system
 1108    is mounted read-only.  Bug #913.
 1110  * Fixed a crash introduced in sudo 1.8.30 when suspending sudo
 1111    at the password prompt.  Bug #914.
 1113  * Fixed compilation on systems where the mmap MAP_ANON flag
 1114    is not available.  Bug #915.
 1116 What's new in Sudo 1.8.30
 1118  * Fixed a warning on macOS introduced in sudo 1.8.29 when sudo
 1119    attempts to set the open file limit to unlimited.  Bug #904.
 1121  * Sudo now closes file descriptors before changing uids.  This
 1122    prevents a non-root process from interfering with sudo's ability
 1123    to close file descriptors on systems that support the prlimit(2)
 1124    system call.
 1126  * Sudo now treats an attempt to run "sudo sudoedit" as simply
 1127    "sudoedit".  If the sudoers file contains a fully-qualified path
 1128    to sudoedit, sudo will now treat it simply as "sudoedit" (with
 1129    no path).  Visudo will will now treat a fully-qualified path
 1130    to sudoedit as an error.  Bug #871.
 1132  * Fixed a bug introduced in sudo 1.8.28 where sudo would warn about
 1133    a missing /etc/environment file on AIX and Linux when PAM is not
 1134    enabled.  Bug #907
 1136  * Fixed a bug on Linux introduced in sudo 1.8.29 that prevented
 1137    the askpass program from running due to an unlimited stack size
 1138    resource limit.  Bug #908.
 1140  * If a group provider plugin has optional arguments, the argument list
 1141    passed to the plugin is now NULL terminated as per the documentation.
 1143  * The user's time stamp file is now only updated if both authentication
 1144    and approval phases succeed.  This is consistent with the behavior
 1145    of sudo prior to version 1.8.23.  Bug #910
 1147  * The new allow_unknown_runas_id sudoers setting can be used to
 1148    enable or disable the use of unknown user or group IDs.  Previously,
 1149    sudo would always allow unknown user or group IDs if the sudoers
 1150    entry permitted it, including via the "ALL" alias.  As of sudo
 1151    1.8.30, the admin must explicitly enable support for unknown IDs.
 1153  * The new runas_check_shell sudoers setting can be used to require
 1154    that the runas user have a shell listed in the /etc/shells file.
 1155    On many systems, users such as "bin", do not have a valid shell
 1156    and this flag can be used to prevent commands from being run as
 1157    those users.
 1159  * Fixed a problem restoring the SELinux tty context during reboot
 1160    if mctransd is killed before sudo finishes.  GitHub issue #17.
 1162  * Fixed an intermittent warning on NetBSD when sudo restores the
 1163    initial stack size limit.
 1165 What's new in Sudo 1.8.29
 1167  * The cvtsudoers command will now reject non-LDIF input when converting
 1168    from LDIF format to sudoers or JSON formats.
 1170  * The new log_allowed and log_denied sudoers settings make it possible
 1171    to disable logging and auditing of allowed and/or denied commands.
 1173  * The umask is now handled differently on systems with PAM or login.conf.
 1174    If the umask is explicitly set in sudoers, that value is used regardless
 1175    of what PAM or login.conf may specify.  However, if the umask is not
 1176    explicitly set in sudoers, PAM or login.conf may now override the default
 1177    sudoers umask.  Bug #900.
 1179  * For "make install", the sudoers file is no longer checked for syntax
 1180    errors when DESTDIR is set.  The default sudoers file includes the
 1181    contents of /etc/sudoers.d which may not be readable as non-root.
 1182    Bug #902.
 1184  * Sudo now sets most resource limits to their maximum value to avoid
 1185    problems caused by insufficient resources, such as an inability to
 1186    allocate memory or open files and pipes.
 1188  * Fixed a regression introduced in sudo 1.8.28 where sudo would refuse
 1189    to run if the parent process was not associated with a session.
 1190    This was due to sudo passing a session ID of -1 to the plugin.
 1192 What's new in Sudo 1.8.28p1
 1194  * The fix for Bug #869 caused "sudo -v" to prompt for a password
 1195    when "verifypw" is set to "all" (the default) and all of the
 1196    user's sudoers entries are marked with NOPASSWD.  Bug #901.
 1198 What's new in Sudo 1.8.28
 1200  * Sudo will now only set PAM_TTY to the empty string when no
 1201    terminal is present on Solaris and Linux.  This workaround is
 1202    only needed on those systems which may have PAM modules that
 1203    misbehave when PAM_TTY is not set.
 1205  * The mailerflags sudoers option now has a default value even if
 1206    sendmail support was disabled at configure time.  Fixes a crash
 1207    when the mailerpath sudoers option is set but mailerflags is not.
 1208    Bug #878.
 1210  * Sudo will now filter out last login messages on HP-UX unless it
 1211    a shell is being run via "sudo -s" or "sudo -i".  Otherwise,
 1212    when trusted mode is enabled, these messages will be displayed
 1213    for each command.
 1215  * On AIX, when the user's password has expired and PAM is not in use,
 1216    sudo will now allow the user to change their password.
 1217    Bug #883.
 1219  * Sudo has a new -B command line option that will ring the terminal
 1220    bell when prompting for a password.
 1222  * Sudo no longer refuses to prompt for a password when it cannot
 1223    determine the user's terminal as long as it can open /dev/tty.
 1224    This allows sudo to function on systems where /proc is unavailable,
 1225    such as when running in a chroot environment.
 1227  * The "env_editor" sudoers flag is now on by default.  This makes
 1228    source builds more consistent with the packages generated by
 1229    sudo's mkpkg script.
 1231  * Sudo no longer ships with pre-formatted copies of the manual pages.
 1232    These were included for systems like IRIX that don't ship with an
 1233    nroff utility.  There are now multiple Open Source nroff replacements
 1234    so this should no longer be an issue.
 1236  * Fixed a bad interaction with configure's --prefix and
 1237    --disable-shared options.  Bug #886.
 1239  * More verbose error message when a password is required and no terminal
 1240    is present.  Bug #828.
 1242  * Command tags, such as NOPASSWD, are honored when a user tries to run a
 1243    command that is allowed by sudoers but which does not actually
 1244    exist on the file system.  Bug #888.
 1246  * Asturian translation for sudoers from translationproject.org.
 1248  * I/O log timing files now store signal suspend and resume information
 1249    in the form of a signal name instead of a number.
 1251  * Fixed a bug introduced in 1.8.24 that prevented sudo from honoring
 1252    the value of "ipa_hostname" from sssd.conf, if specified, when
 1253    matching the host name.
 1255  * Fixed a bug introduced in 1.8.21 that prevented the core dump
 1256    resource limit set in the pam_limits module from taking effect.
 1257    Bug #894.
 1259  * Fixed parsing of double-quoted Defaults group and netgroup bindings.
 1261  * The user ID is now used when matching sudoUser attributes in LDAP.
 1262    Previously, the user name, group name and group IDs were used
 1263    when matching but not the user ID.
 1265  * Sudo now writes PAM messages to the user's terminal, if available,
 1266    instead of the standard output or standard error.  This prevents
 1267    PAM output from being intermixed with that of the command when
 1268    output is sent to a file or pipe.  Bug #895.
 1270  * Sudoedit now honors the umask and umask_override settings in sudoers.
 1271    Previously, the user's umask was used as-is.
 1273  * Fixed a bug where the terminal's file context was not restored
 1274    when using SELinux RBAC.  Bug #898.
 1276  * Fixed CVE-2019-14287, a bug where a sudo user may be able to
 1277    run a command as root when the Runas specification explicitly
 1278    disallows root access as long as the ALL keyword is listed first.
 1280 What's new in Sudo 1.8.27
 1282  * On HP-UX, sudo will now update the utmps file when running a command
 1283    in a pseudo-tty.  Previously, only the utmp and utmpx files were
 1284    updated.
 1286  * Nanosecond precision file time stamps are now supported in HP-UX.
 1288  * Fixes and clarifications to the sudo plugin documentation.
 1290  * The sudo manuals no longer require extensive post-processing to
 1291    hide system-specific features.  Conditionals in the roff source
 1292    are now used instead.  This fixes corruption of the sudo manual
 1293    on systems without BSD login classes.  Bug #861.
 1295  * If an I/O logging plugin is configured but the plugin does not
 1296    actually log any I/O, sudo will no longer force the command to
 1297    be run in a pseudo-tty.
 1299  * The fix for bug #843 in sudo 1.8.24 was incomplete.  If the
 1300    user's password was expired or needed to be updated, but no sudo
 1301    password was required, the PAM handle was freed too early,
 1302    resulting in a failure when processing PAM session modules.
 1304  * In visudo, it is now possible to specify the path to sudoers
 1305    without using the -f option.  Bug #864.
 1307  * Fixed a bug introduced in sudo 1.8.22 where the utmp (or utmpx)
 1308    file would not be updated when a command was run in a pseudo-tty.
 1309    Bug #865.
 1311  * Sudo now sets the silent flag when opening the PAM session except
 1312    when running a shell via "sudo -s" or "sudo -i".  This prevents
 1313    the pam_lastlog module from printing the last login information
 1314    for each sudo command.  Bug #867.
 1316  * Fixed the default AIX hard resource limit for the maximum number
 1317    of files a user may have open.  If no hard limit for "nofiles"
 1318    is explicitly set in /etc/security/limits, the default should
 1319    be "unlimited".  Previously, the default hard limit was 8196.
 1321 What's new in Sudo 1.8.26
 1323  * Fixed a bug in cvtsudoers when converting to JSON format when
 1324    alias expansion is enabled. Bug #853.
 1326  * Sudo no long sets the USERNAME environment variable when running
 1327    commands. This is a non-standard environment variable that was
 1328    set on some older Linux systems.
 1330  * Sudo now treats the LOGNAME and USER environment variables (as
 1331    well as the LOGIN variable on AIX) as a single unit.  If one is
 1332    preserved or removed from the environment using env_keep, env_check
 1333    or env_delete, so is the other.
 1335  * Added support for OpenLDAP's TLS_REQCERT setting in ldap.conf.
 1337  * Sudo now logs when the command was suspended and resumed in the
 1338    I/O logs.  This information is used by sudoreplay to skip the
 1339    time suspended when replaying the session unless the new -S flag
 1340    is used.
 1342  * Fixed documentation problems found by the igor utility.  Bug #854.
 1344  * Sudo now prints a warning message when there is an error or end
 1345    of file while reading the password instead of exiting silently.
 1347  * Fixed a bug in the sudoers LDAP back-end parsing the command_timeout,
 1348    role, type, privs and limitprivs sudoOptions.  This also affected
 1349    cvtsudoers conversion from LDIF to sudoers or JSON.
 1351  * Fixed a bug that prevented timeout settings in sudoers from
 1352    functioning unless a timeout was also specified on the command
 1353    line.
 1355  * Asturian translation for sudo from translationproject.org.
 1357  * When generating LDIF output, cvtsudoers can now be configured
 1358    to pad the sudoOrder increment such that the start order is used
 1359    as a prefix.  Bug #856.
 1361  * Fixed a bug introduced in sudo 1.8.25 that prevented sudo from
 1362    properly setting the user's groups on AIX.  Bug #857.
 1364  * If the user specifies a group via sudo's -g option that matches
 1365    any of the target user's groups, it is now allowed even if no
 1366    groups are present in the Runas_Spec.  Previously, it was only
 1367    allowed if it matched the target user's primary group.
 1369  * The sudoers LDAP back-end now supports negated sudoRunAsUser and
 1370    sudoRunAsGroup entries.
 1372  * Sudo now provides a proper error message when the "fqdn" sudoers
 1373    option is set and it is unable to resolve the local host name.
 1374    Bug #859.
 1376  * Portuguese translation for sudo and sudoers from translationproject.org.
 1378  * Sudo now includes sudoers LDAP schema for the on-line configuration
 1379    supported by OpenLDAP.
 1381 What's new in Sudo 1.8.25p1
 1383  * Fixed a bug introduced in sudo 1.8.25 that caused a crash on
 1384    systems that have the poll() function but not the ppoll() function.
 1385    Bug #851.
 1387 What's new in Sudo 1.8.25
 1389  * Fixed a bug introduced in sudo 1.8.20 that broke formatting of
 1390    I/O log timing file entries on systems without a C99-compatible
 1391    snprintf() function.  Our replacement snprintf() doesn't support
 1392    floating point so we can't use the "%f" format directive.
 1394  * I/O log timing file entries now use a monotonic timer and include
 1395    nanosecond precision.  A monotonic timer that does not increment
 1396    while the system is sleeping is used where available.
 1398  * Fixed a bug introduced in sudo 1.8.24 where sudoNotAfter in the LDAP
 1399    back-end was not being properly parsed.  Bug #845.
 1401  * When sudo runs a command in a pseudo-terminal, the follower
 1402    device is now closed in the main process immediately after
 1403    starting the monitor process.  This removes the need for an
 1404    AIX-specific workaround that was added in sudo 1.8.24.
 1406  * Added support for monotonic timers on HP-UX.
 1408  * Fixed a bug displaying timeout values the "sudo -V" output.
 1409    The value displayed was 3600 times the actual value.  Bug #846.
 1411  * Fixed a build issue on AIX 7.1 BOS levels that include memset_s()
 1412    and define rsize_t in string.h.  Bug #847.
 1414  * The testsudoers utility now supports querying an LDIF-format
 1415    policy.
 1417  * Sudo now sets the LOGIN environment variable to the same value as
 1418    LOGNAME on AIX systems.  Bug #848.
 1420  * Fixed a regression introduced in sudo 1.8.24 where the LDAP and
 1421    SSSD back-ends evaluated the rules in reverse sudoOrder.  Bug #849.
 1423 What's new in Sudo 1.8.24
 1425  * The LDAP and SSS back-ends now use the same rule evaluation code
 1426    as the sudoers file back-end.  This builds on the work in sudo
 1427    1.8.23 where the formatting functions for "sudo -l" output were
 1428    shared.  The handling of negated commands in SSS and LDAP is
 1429    unchanged.
 1431  * Fixed a regression introduced in 1.8.23 where "sudo -i" could
 1432    not be used in conjunction with --preserve-env=VARIABLE.  Bug #835.
 1434  * cvtsudoers can now parse base64-encoded attributes in LDIF files.
 1436  * Random insults are now more random.
 1438  * Fixed the noexec wordexp(3) test on FreeBSD.
 1440  * Added SUDO_CONV_PREFER_TTY flag for conversation function to
 1441    tell sudo to try writing to /dev/tty first. Can be used in
 1442    conjunction with SUDO_CONV_INFO_MSG and SUDO_CONV_ERROR_MSG.
 1444  * Sudo now supports an arbitrary number of groups per user on
 1445    Solaris.  Previously, only the first 64 groups were found.
 1446    This should remove the need to set "max_groups" in sudo.conf.
 1448  * Fixed typos in the OpenLDAP sudo schema.  Bugs #839 and #840.
 1450  * Fixed a race condition when building with parallel make.
 1451    Bug #842.
 1453  * Fixed a duplicate free when netgroup_base in ldap.conf is set
 1454    to an invalid value.
 1456  * Fixed a bug introduced in sudo 1.8.23 on AIX that could prevent
 1457    local users and groups from being resolved properly on systems
 1458    that have users stored in NIS, LDAP or AD.
 1460  * Added a workaround for an AIX bug exposed by a change in sudo
 1461    1.8.23 that prevents the terminal mode from being restored when
 1462    I/O logging is enabled.
 1464  * On systems using PAM, sudo now ignores the PAM_NEW_AUTHTOK_REQD
 1465    and PAM_AUTHTOK_EXPIRED errors from PAM account management if
 1466    authentication is disabled for the user.  This fixes a regression
 1467    introduced in sudo 1.8.23.  Bug #843.
 1469  * Fixed an ambiguity in the sudoers manual in the description and
 1470    definition of User, Runas, Host, and Cmnd Aliases.  Bug #834.
 1472  * Fixed a bug that resulted in only the first window size change
 1473    event being logged.
 1475  * Fixed a bug on HP-UX systems introduced in sudo 1.8.22 that
 1476    caused sudo to prompt for a password every time when tty-based
 1477    time stamp files were in use.
 1479  * Fixed a compilation problem on systems that define O_PATH or
 1480    O_SEARCH in fnctl.h but do not define O_DIRECTORY.  Bug #844.
 1482 What's new in Sudo 1.8.23
 1484  * PAM account management modules and BSD auth approval modules are
 1485    now run even when no password is required.
 1487  * For kernel-based time stamps, if no terminal is present, fall
 1488    back to parent-pid style time stamps.
 1490  * The new cvtsudoers utility replaces both the "sudoers2ldif" script
 1491    and the "visudo -x" functionality.  It can read a file in either
 1492    sudoers or LDIF format and produce JSON, LDIF or sudoers output.
 1493    It is also possible to filter the generated output file by user,
 1494    group or host name.
 1496  * The file, ldap and sss sudoers back-ends now share a common set
 1497    of formatting functions for "sudo -l" output, which is also used
 1498    by the cvtsudoers utility.
 1500  * The /run directory is now used in preference to /var/run if it
 1501    exists. Bug #822.
 1503  * More accurate descriptions of the --with-rundir and --with-vardir
 1504    configure options.  Bug #823.
 1506  * The setpassent() and setgroupent() functions are now used on systems
 1507    that support them to keep the passwd and group database open.
 1508    Sudo performs a lot of passwd and group lookups so it can be
 1509    beneficial to avoid opening and closing the files each time.
 1511  * The new case_insensitive_user and case_insensitive_group sudoers
 1512    options can be used to control whether sudo does case-sensitive
 1513    matching of users and groups in sudoers.  Case insensitive
 1514    matching is now the default.
 1516  * Fixed a bug on some systems where sudo could hang on command
 1517    exit when I/O logging was enabled.  Bug #826.
 1519  * Fixed the build-time process start time test on Linux when the
 1520    test is run from within a container.  Bug #829.
 1522  * When determining which temporary directory to use, sudoedit now
 1523    checks the directory for writability before using it.  Previously,
 1524    sudoedit only performed an existence check.  Bug #827.
 1526  * Sudo now includes an optional set of Monty Python-inspired insults.
 1528  * Fixed the execution of scripts with an associated digest (checksum)
 1529    in sudoers on FreeBSD systems.  FreeBSD does not have a proper
 1530    /dev/fd directory mounted by default and its fexecve(2) is not
 1531    fully POSIX compliant when executing scripts.  Bug #831.
 1533  * Chinese (Taiwan) translation for sudo from translationproject.org.
 1535 What's new in Sudo 1.8.22
 1537  * Commands run in the background from a script run via sudo will
 1538    no longer receive SIGHUP when the parent exits and I/O logging
 1539    is enabled.  Bug #502
 1541  * A particularly offensive insult is now disabled by default.
 1542    Bug #804
 1544  * The description of "sudo -i" now correctly documents that
 1545    the "env_keep" and "env_check" sudoers options are applied to
 1546    the environment.  Bug #806
 1548  * Fixed a crash when the system's host name is not set.
 1549    Bug #807
 1551  * The sudoers2ldif script now handles #include and #includedir
 1552    directives.
 1554  * Fixed a bug where sudo would silently exit when the command was
 1555    not allowed by sudoers and the "passwd_tries" sudoers option
 1556    was set to a value less than one.
 1558  * Fixed a bug with the "listpw" and "verifypw" sudoers options and
 1559    multiple sudoers sources.  If the option is set to "all", a
 1560    password should be required unless none of a user's sudoers
 1561    entries from any source require authentication.
 1563  * Fixed a bug with the "listpw" and "verifypw" sudoers options in
 1564    the LDAP and SSSD back-ends.  If the option is set to "any", and
 1565    the entry contained multiple rules, only the first matching rule
 1566    was checked.  If an entry contained more than one matching rule
 1567    and the first rule required authentication but a subsequent rule
 1568    did not, sudo would prompt for a password when it should not have.
 1570  * When running a command as the invoking user (not root), sudo
 1571    would execute the command with the same group vector it was
 1572    started with.  Sudo now executes the command with a new group
 1573    vector based on the group database which is consistent with
 1574    how su(1) operates.
 1576  * Fixed a double free in the SSSD back-end that could occur when
 1577    ipa_hostname is present in sssd.conf and is set to an unqualified
 1578    host name.
 1580  * When I/O logging is enabled, sudo will now write to the terminal
 1581    even when it is a background process.  Previously, sudo would
 1582    only write to the tty when it was the foreground process when
 1583    I/O logging was enabled.  If the TOSTOP terminal flag is set,
 1584    sudo will suspend the command (and then itself) with the SIGTTOU
 1585    signal.
 1587  * A new "authfail_message" sudoers option that overrides the
 1588    default "N incorrect password attempt(s)".
 1590  * An empty sudoRunAsUser attribute in the LDAP and SSSD back-ends
 1591    will now match the invoking user.  This is more consistent with
 1592    how an empty runas user in the sudoers file is treated.
 1594  * Documented that in check mode, visudo does not check the owner/mode
 1595    on files specified with the -f flag.  Bug #809.
 1597  * It is now an error to specify the runas user as an empty string
 1598    on the command line.  Previously, an empty runas user was treated
 1599    the same as an unspecified runas user.  Bug #817.
 1601  * When "timestamp_type" option is set to "tty" and a terminal is
 1602    present, the time stamp record will now include the start time
 1603    of the session leader.  When the "timestamp_type" option is set
 1604    to "ppid" or when no terminal is available, the start time of
 1605    the parent process is used instead.  This significantly reduces
 1606    the likelihood of a time stamp record being re-used when a user
 1607    logs out and back in again.  Bug #818.
 1609  * The sudoers time stamp file format is now documented in the new
 1610    sudoers_timestamp manual.
 1612  * The "timestamp_type" option now takes a "kernel" value on OpenBSD
 1613    systems.  This causes the tty-based time stamp to be stored in
 1614    the kernel instead of on the file system.  If no tty is present,
 1615    the time stamp is considered to be invalid.
 1617  * Visudo will now use the SUDO_EDITOR environment variable (if
 1618    present) in addition to VISUAL and EDITOR.
 1620 What's new in Sudo 1.8.21p2
 1622  * Fixed a bug introduced in version 1.8.21 which prevented sudo
 1623    from using the PAM-supplied prompt.  Bug #799
 1625  * Fixed a bug introduced in version 1.8.21 which could result in
 1626    sudo hanging when running commands that exit quickly.  Bug #800
 1628  * Fixed a bug introduced in version 1.8.21 which prevented the
 1629    command from being run when the password was read via an external
 1630    program using the askpass interface.  Bug #801
 1632 What's new in Sudo 1.8.21p1
 1634  * On systems that support both PAM and SIGINFO, the main sudo
 1635    process will no longer forward SIGINFO to the command if the
 1636    signal was generated from the keyboard.  The command will have
 1637    already received SIGINFO since it is part of the same process
 1638    group so there's no need for sudo to forward it.  This is
 1639    consistent with the handling of SIGINT, SIGQUIT and SIGTSTP.
 1640    Bug #796
 1642  * If SUDOERS_SEARCH_FILTER in ldap.conf does not specify a value,
 1643    the LDAP search expression used when looking up netgroups and
 1644    non-Unix groups had a syntax error if a group plugin was not
 1645    specified.
 1647  * "sudo -U otheruser -l" will now have an exit value of 0 even
 1648    if "otheruser" has no sudo privileges.  The exit value when a
 1649    user attempts to lists their own privileges or when a command
 1650    is specified is unchanged.
 1652  * Fixed a regression introduced in sudo 1.8.21 where sudoreplay
 1653    playback would hang for I/O logs that contain terminal input.
 1655  * Sudo 1.8.18 contained an incomplete fix for the matching of
 1656    entries in the LDAP and SSSD back-ends when a sudoRunAsGroup is
 1657    specified but no sudoRunAsUser is present in the sudoRole.
 1659 What's new in Sudo 1.8.21
 1661  * The path that sudo uses to search for terminal devices can now
 1662    be configured via the new "devsearch" Path setting in sudo.conf.
 1664  * It is now possible to preserve bash shell functions in the
 1665    environment when the "env_reset" sudoers setting is disabled by
 1666    removing the "*=()*" pattern from the env_delete list.
 1668  * A change made in sudo 1.8.15 inadvertently caused sudoedit to
 1669    send itself SIGHUP instead of exiting when the editor returns
 1670    an error or the file was not modified.
 1672  * Sudoedit now uses an exit code of zero if the file was not
 1673    actually modified.  Previously, sudoedit treated a lack of
 1674    modifications as an error.
 1676  * When running a command in a pseudo-tty (pty), sudo now copies a
 1677    subset of the terminal flags to the new pty.  Previously, all
 1678    flags were copied, even those not appropriate for a pty.
 1680  * Fixed a problem with debug logging in the sudoers I/O logging
 1681    plugin.
 1683  * Window size change events are now logged to the policy plugin.
 1684    On xterm and compatible terminals, sudoreplay is now capable of
 1685    resizing the terminal to match the size of the terminal the
 1686    command was run on.  The new -R option can be used to disable
 1687    terminal resizing.
 1689  * Fixed a bug in visudo where a newly added file was not checked
 1690    for syntax errors.  Bug #791.
 1692  * Fixed a bug in visudo where if a syntax error in an include
 1693    directory (like /etc/sudoers.d) was detected, the edited version
 1694    was left as a temporary file instead of being installed.
 1696  * On PAM systems, sudo will now treat "username's Password:" as
 1697    a standard password prompt.  As a result, the SUDO_PROMPT
 1698    environment variable will now override "username's Password:"
 1699    as well as the more common "Password:".  Previously, the
 1700    "passprompt_override" Defaults setting would need to be set for
 1701    SUDO_PROMPT to override a prompt of "username's Password:".
 1703  * A new "syslog_pid" sudoers setting has been added to include
 1704    sudo's process ID along with the process name when logging via
 1705    syslog.  Bug #792.
 1707  * Fixed a bug introduced in sudo 1.8.18 where a command would
 1708    not be terminated when the I/O logging plugin returned an error
 1709    to the sudo front-end.
 1711  * A new "timestamp_type" sudoers setting has been added that replaces
 1712    the "tty_tickets" option.  In addition to tty and global time stamp
 1713    records, it is now possible to use the parent process ID to restrict
 1714    the time stamp to commands run by the same process, usually the shell.
 1715    Bug #793.
 1717  * The --preserve-env command line option has been extended to accept
 1718    a comma-separated list of environment variables to preserve.
 1719    Bug #279.
 1721  * Friulian translation for sudo from translationproject.org.
 1723 What's new in Sudo 1.8.20p2
 1725  * Fixed a bug parsing /proc/pid/stat on Linux when the process
 1726    name contains newlines.  This is not exploitable due to the /dev
 1727    traversal changes in sudo 1.8.20p1.
 1729 What's new in Sudo 1.8.20p1
 1731  * Fixed "make check" when using OpenSSL or GNU crypt.
 1732    Bug #787.
 1734  * Fixed CVE-2017-1000367, a bug parsing /proc/pid/stat on Linux
 1735    when the process name contains spaces.  Since the user has control
 1736    over the command name, this could potentially be used by a user
 1737    with sudo access to overwrite an arbitrary file on systems with
 1738    SELinux enabled.  Also stop performing a breadth-first traversal
 1739    of /dev when looking for the device; only a hard-coded list of
 1740    directories are checked,
 1742 What's new in Sudo 1.8.20
 1744  * Added support for SASL_MECH in ldap.conf. Bug #764
 1746  * Added support for digest matching when the command is a glob-style
 1747    pattern or a directory. Previously, only explicit path matches
 1748    supported digest checks.
 1750  * New "fdexec" Defaults option to control whether a command
 1751    is executed by path or by open file descriptor.
 1753  * The embedded copy of zlib has been upgraded to version 1.2.11.
 1755  * Fixed a bug that prevented sudoers include files with a relative
 1756    path starting with the letter 'i' from being opened.  Bug #776.
 1758  * Added support for command timeouts in sudoers.  The command will
 1759    be terminated if the timeout expires.
 1761  * The SELinux role and type are now displayed in the "sudo -l"
 1762    output for the LDAP and SSSD back-ends, just as they are in the
 1763    sudoers back-end.
 1765  * A new command line option, -T, can be used to specify a command
 1766    timeout as long as the user-specified timeout is not longer than
 1767    the timeout specified in sudoers.  This option may only be
 1768    used when the "user_command_timeouts" flag is enabled in sudoers.
 1770  * Added NOTBEFORE and NOTAFTER command options to the sudoers
 1771    back-end similar to what is already available in the LDAP back-end.
 1773  * Sudo can now optionally use the SHA2 functions in OpenSSL or GNU
 1774    crypt instead of the SHA2 implementation bundled with sudo.
 1776  * Fixed a compilation error on systems without the stdbool.h header
 1777    file.  Bug #778.
 1779  * Fixed a compilation error in the standalone Kerberos V authentication
 1780    module.  Bug #777.
 1782  * Added the iolog_flush flag to sudoers which causes I/O log data
 1783    to be written immediately to disk instead of being buffered.
 1785  * I/O log files are now created with group ID 0 by default unless
 1786    the "iolog_user" or "iolog_group" options are set in sudoers.
 1788  * It is now possible to store I/O log files on an NFS-mounted
 1789    file system where uid 0 is remapped to an unprivileged user.
 1790    The "iolog_user" option must be set to a non-root user and the
 1791    top-level I/O log directory must exist and be owned by that user.
 1793  * Added the restricted_env_file setting to sudoers which is similar
 1794    to env_file but its contents are subject to the same restrictions
 1795    as variables in the invoking user's environment.
 1797  * Fixed a use after free bug in the SSSD back-end when the fqdn
 1798    sudoOption is enabled and no hostname value is present in
 1799    /etc/sssd/sssd.conf.
 1801  * Fixed a typo that resulted in a compilation error on systems
 1802    where the killpg() function is not found by configure.
 1804  * Fixed a compilation error with the included version of zlib
 1805    when sudo was built outside the source tree.
 1807  * Fixed the exit value of sudo when the command is terminated by
 1808    a signal other than SIGINT.  This was broken in sudo 1.8.15 by
 1809    the fix for Bug #722.  Bug #784.
 1811  * Fixed a regression introduced in sudo 1.8.18 where the "lecture"
 1812    option could not be used in a positive boolean context, only
 1813    a negative one.
 1815  * Fixed an issue where sudo would consume stdin if it was not
 1816    connected to a tty even if log_input is not enabled in sudoers.
 1817    Bug #786.
 1819  * Clarify in the sudoers manual that the #includedir directive
 1820    diverts control to the files in the specified directory and,
 1821    when parsing of those files is complete, returns control to the
 1822    original file.  Bug #775.
 1824 What's new in Sudo 1.8.19p2
 1826  * Fixed a crash in visudo introduced in sudo 1.8.9 when an IP address
 1827    or network is used in a host-based Defaults entry.  Bug #766
 1829  * Added a missing check for the ignore_iolog_errors flag when
 1830    the sudoers plugin generates the I/O log file path name.
 1832  * Fixed a typo in sudo's vsyslog() replacement that resulted in
 1833    garbage being logged to syslog.
 1835 What's new in Sudo 1.8.19p1
 1837  * Fixed a bug introduced in sudo 1.8.19 that resulted in the wrong
 1838    syslog priority and facility being used.
 1840 What's new in Sudo 1.8.19
 1842  * New "syslog_maxlen" Defaults option to control the maximum size of
 1843    syslog messages generated by sudo.
 1845  * Sudo has been run against PVS-Studio and any issues that were
 1846    not false positives have been addressed.
 1848  * I/O log files are now created with the same group ID as the
 1849    parent directory and not the invoking user's group ID.
 1851  * I/O log permissions and ownership are now configurable via the
 1852    "iolog_mode", "iolog_user" and "iolog_group" sudoers Defaults
 1853    variables.
 1855  * Fixed configuration of the sudoers I/O log plugin debug subsystem.
 1856    Previously, I/O log information was not being written to the
 1857    sudoers debug log.
 1859  * Fixed a bug in visudo that broke editing of files in an include
 1860    dir that have a syntax error.  Normally, visudo does not edit
 1861    those files, but if a syntax error is detected in one, the user
 1862    should get a chance to fix it.
 1864  * Warnings about unknown or unparsable sudoers Defaults entries now
 1865    include the file and line number of the problem.
 1867  * Visudo will now use the file and line number information about an
 1868    unknown or unparsable Defaults entry to go directly to the file
 1869    with the problem.
 1871  * Fixed a bug in the sudoers LDAP back-end where a negated sudoHost
 1872    entry would prevent other sudoHost entries following it from matching.
 1874  * Warnings from visudo about a cycle in an Alias entry now include the
 1875    file and line number of the problem.
 1877  * In strict mode, visudo will now use the file and line number
 1878    information about a cycle in an Alias entry to go directly to the
 1879    file with the problem.
 1881  * The sudo_noexec.so file is now linked with -ldl on systems that
 1882    require it for the wordexp() wrapper.
 1884  * Fixed linking of sudo_noexec.so on macOS systems where it must be
 1885    a dynamic library and not a module.
 1887  * Sudo's "make check" now includes a test for sudo_noexec.so
 1888    working.
 1890  * The sudo front-end now passes the user's umask to the plugin.
 1891    Previously the plugin had to determine this itself.
 1893  * Sudoreplay can now display the stdin and ttyin streams when they
 1894    are explicitly added to the filter list.
 1896  * Fixed a bug introduced in sudo 1.8.17 where the "all" setting
 1897    for verifypw and listpw was not being honored.  Bug #762.
 1899  * The syslog priority (syslog_goodpri and syslog_badpri) can now
 1900    be negated or set to "none" to disable logging of successful or
 1901    unsuccessful sudo attempts via syslog.
 1903 What's new in Sudo 1.8.18p1
 1905  * When sudo_noexec.so is used, the WRDE_NOCMD flag is now added
 1906    if the wordexp() function is called.  This prevents commands
 1907    from being run via wordexp() without disabling it entirely.
 1909  * On Linux systems, sudo_noexec.so now uses a seccomp filter to
 1910    disable execute access if the kernel supports seccomp.  This is
 1911    more robust than the traditional method of using stub functions
 1912    that return an error.
 1914 What's new in Sudo 1.8.18
 1916  * The sudoers locale is now set before parsing the sudoers file.
 1917    If sudoers_locale is set in sudoers, it is applied before
 1918    evaluating other Defaults entries.  Previously, sudoers_locale
 1919    was used when evaluating sudoers but not during the initial parse.
 1920    Bug #748.
 1922  * A missing or otherwise invalid #includedir is now ignored instead
 1923    of causing a parse error.
 1925  * During "make install", backup files are only used on HP-UX where
 1926    it is not possible to unlink a shared object that is in use.
 1927    This works around a bug in ldconfig on Linux which could create
 1928    links to the backup shared library file instead of the current
 1929    one.
 1931  * Fixed a bug introduced in 1.8.17 where sudoers entries with long
 1932    commands lines could be truncated, preventing a match.  Bug #752.
 1934  * The fqdn, runas_default and sudoers_locale Defaults settings are
 1935    now applied before any other Defaults settings since they can
 1936    change how other Defaults settings are parsed.
 1938  * On systems without the O_NOFOLLOW open(2) flag, when the NOFOLLOW
 1939    flag is set, sudoedit now checks whether the file is a symbolic link
 1940    before opening it as well as after the open.  Bug #753.
 1942  * Sudo will now only resolve a user's group IDs to group names
 1943    when sudoers includes group-based permissions.  Group lookups
 1944    can be expensive on some systems where the group database is
 1945    not local.
 1947  * If the file system holding the sudo log file is full, allow
 1948    the command to run unless the new ignore_logfile_errors Defaults
 1949    option is disabled.  Bug #751.
 1951  * The ignore_audit_errors and ignore_iolog_errors Defaults options
 1952    have been added to control sudo's behavior when it is unable to
 1953    write to the audit and I/O logs.
 1955  * Fixed a bug introduced in 1.8.17 where the SIGPIPE signal handler
 1956    was not being restored when sudo directly executes the command.
 1958  * Fixed a bug where "sudo -l command" would indicate that a command
 1959    was runnable even when denied by sudoers when using the LDAP or
 1960    SSSD back-ends.
 1962  * The match_group_by_gid Defaults option has been added to allow
 1963    sites where group name resolution is slow and where sudoers only
 1964    contains a small number of groups to match groups by group ID
 1965    instead of by group name.
 1967  * Fixed a bug on Linux where a 32-bit sudo binary could fail with
 1968    an "unable to allocate memory" error when run on a 64-bit system.
 1969    Bug #755
 1971  * When parsing ldap.conf, sudo will now only treat a '#' character
 1972    as the start of a comment when it is at the beginning of the
 1973    line.
 1975  * Fixed a potential crash when auditing is enabled and the audit
 1976    function fails with an error.  Bug #756
 1978  * Norwegian Nynorsk translation for sudo from translationproject.org.
 1980  * Fixed a typo that broke short host name matching when the fqdn
 1981    flag is enabled in sudoers.  Bug #757
 1983  * Negated sudoHost attributes are now supported by the LDAP and
 1984    SSSD back-ends.
 1986  * Fixed matching entries in the LDAP and SSSD back-ends when a
 1987    RunAsGroup is specified but no RunAsUser is present.
 1989  * Fixed "sudo -l" output in the LDAP and SSSD back-ends when a
 1990    RunAsGroup is specified but no RunAsUser is present.
 1992 What's new in Sudo 1.8.17p1
 1994  * Fixed a bug introduced in 1.8.17 where the user's groups were
 1995    not set on systems that don't use PAM.  Bug #749.
 1997 What's new in Sudo 1.8.17
 1999  * On AIX, if /etc/security/login.cfg has auth_type set to PAM_AUTH
 2000    but pam_start(3) fails, fall back to AIX authentication.
 2001    Bug #740.
 2003  * Sudo now takes all sudoers sources into account when determining
 2004    whether or not "sudo -l" or "sudo -v" should prompt for a password.
 2005    In other words, if both file and ldap sudoers sources are in
 2006    specified in /etc/nsswitch.conf, "sudo -v" will now require that
 2007    all entries in both sources be have NOPASSWD (file) or !authenticate
 2008    (ldap) in the entries.
 2010  * Sudo now ignores SIGPIPE until the command is executed.  Previously,
 2011    SIGPIPE was only ignored in a few select places.  Bug #739.
 2013  * Fixed a bug introduced in sudo 1.8.14 where (non-syslog) log
 2014    file entries were missing the newline when loglinelen is set to
 2015    a non-positive number.  Bug #742.
 2017  * Unix groups are now set before the plugin session initialization
 2018    code is run.  This makes it possible to use dynamic groups with
 2019    the Linux-PAM pam_group module.
 2021  * Fixed a bug where a debugging statement could dereference a NULL
 2022    pointer when looking up a group that doesn't exist.  Bug #743.
 2024  * Sudo has been run through the Coverity code scanner.  A number of
 2025    minor bugs have been fixed as a result.  None were security issues.
 2027  * SELinux support, which was broken in 1.8.16, has been repaired.
 2029  * Fixed a bug when logging I/O where all output buffers might not
 2030    get flushed at exit.
 2032  * Forward slashes are no longer escaped in the JSON output of
 2033    "visudo -x".  This was never required by the standard and not
 2034    escaping them improves readability of the output.
 2036  * Sudo no longer treats PAM_SESSION_ERR as a fatal error when
 2037    opening the PAM session.  Other errors from pam_open_session()
 2038    are still treated as fatal.  This avoids the "policy plugin
 2039    failed session initialization" error message seen on some systems.
 2041  * Korean translation for sudo and sudoers from translationproject.org.
 2043  * Fixed a bug on AIX where the stack size hard resource limit was
 2044    being set to 2GB instead of 4GB on 64-bit systems.
 2046  * The SSSD back-end now properly supports "sudo -U otheruser -l".
 2048  * The SSSD back-end now uses the value of "ipa_hostname"
 2049    from sssd.conf, if specified, when matching the host name.
 2051  * Fixed a hang on some systems when the command is being run in
 2052    a pty and it failed to execute.
 2054  * When performing a wildcard match in sudoers, check for an exact
 2055    string match if the user command was fully-qualified (or resolved
 2056    via the PATH).  This fixes an issue executing scripts on Linux
 2057    when there are multiple wildcard matches with the same base name.
 2058    Bug #746.
 2060 What's new in Sudo 1.8.16
 2062  * Fixed a compilation error on Solaris 10 with Stun Studio 12.
 2063    Bug #727.
 2065  * When preserving variables from the invoking user's environment, if
 2066    there are duplicates sudo now only keeps the first instance.
 2068  * Fixed a bug that could cause warning mail to be sent in list
 2069    mode (sudo -l) for users without sudo privileges when the
 2070    LDAP and sssd back-ends are used.
 2072  * Fixed a bug that prevented the "mail_no_user" option from working
 2073    properly with the LDAP back-end.
 2075  * In the LDAP and sssd back-ends, white space is now ignored between
 2076    an operator (!, +, +=, -=) when parsing a sudoOption.
 2078  * It is now possible to disable Path settings in sudo.conf
 2079    by omitting the path name.
 2081  * The sudoedit_checkdir Defaults option is now enabled by default
 2082    and has been extended.  When editing files with sudoedit, each
 2083    directory in the path to be edited is now checked.  If a directory
 2084    is writable by the invoking user, symbolic links will not be
 2085    followed.  If the parent directory of the file to be edited is
 2086    writable, sudoedit will refuse to edit it.
 2087    Bug #707.
 2089  * The netgroup_tuple Defaults option has been added to enable matching
 2090    of the entire netgroup tuple, not just the host or user portion.
 2091    Bug #717.
 2093  * When matching commands based on the SHA2 digest, sudo will now
 2094    use fexecve(2) to execute the command if it is available.  This
 2095    fixes a time of check versus time of use race condition when the
 2096    directory holding the command is writable by the invoking user.
 2098  * On AIX systems, sudo now caches the auth registry string along
 2099    with password and group information.  This fixes a potential
 2100    problem when a user or group of the same name exists in multiple
 2101    auth registries.  For example, local and LDAP.
 2103  * Fixed a crash in the SSSD back-end when the invoking user is not
 2104    found.  Bug #732.
 2106  * Added the --enable-asan configure flag to enable address sanitizer
 2107    support.  A few minor memory leaks have been plugged to quiet
 2108    the ASAN leak detector.
 2110  * The value of _PATH_SUDO_CONF may once again be overridden via
 2111    the Makefile.  Bug #735.
 2113  * The sudoers2ldif script now handles multiple roles with same name.
 2115  * Fixed a compilation error on systems that have the posix_spawn()
 2116    and posix_spawnp() functions but an unusable spawn.h header.
 2117    Bug #730.
 2119  * Fixed support for negating character classes in sudo's version
 2120    of the fnmatch() function.
 2122  * Fixed a bug in the LDAP and SSSD back-ends that could allow an
 2123    unauthorized user to list another user's privileges.  Bug #738.
 2125  * The PAM conversation function now works around an ambiguity in the
 2126    PAM spec with respect to multiple messages.  Bug #726.
 2128 What's new in Sudo 1.8.15
 2130  * Fixed a bug that prevented sudo from building outside the source tree
 2131    on some platforms.  Bug #708.
 2133  * Fixed the location of the sssd library in the RHEL/Centos packages.
 2134    Bug #710.
 2136  * Fixed a build problem on systems that don't implicitly include
 2137    sys/types.h from other header files.  Bug #711.
 2139  * Fixed a problem on Linux using containers where sudo would ignore
 2140    signals sent by a process in a different container.
 2142  * Sudo now refuses to run a command if the PAM session module
 2143    returns an error.
 2145  * When editing files with sudoedit, symbolic links will no longer
 2146    be followed by default.  The old behavior can be restored by
 2147    enabling the sudoedit_follow option in sudoers or on a per-command
 2148    basis with the FOLLOW and NOFOLLOW tags.  Bug #707.
 2150  * Fixed a bug introduced in version 1.8.14 that caused the last
 2151    valid editor in the sudoers "editor" list to be used by visudo
 2152    and sudoedit instead of the first.  Bug #714.
 2154  * Fixed a bug in visudo that prevented the addition of a final
 2155    newline to edited files without one.
 2157  * Fixed a bug decoding certain base64 digests in sudoers when the
 2158    intermediate format included a '=' character.
 2160  * Individual records are now locked in the time stamp file instead
 2161    of the entire file.  This allows sudo to avoid prompting for a
 2162    password multiple times on the same terminal when used in a
 2163    pipeline.  In other words, "sudo cat foo | sudo grep bar" now
 2164    only prompts for the password once.  Previously, both sudo
 2165    processes would prompt for a password, often making it impossible
 2166    to enter.
 2168  * Fixed a bug where sudo would fail to run commands as a non-root
 2169    user on systems that lack both setresuid() and setreuid().
 2170    Bug #713.
 2172  * Fixed a bug introduced in sudo 1.8.14 that prevented visudo from
 2173    re-editing the correct file when a syntax error was detected.
 2175  * Fixed a bug where sudo would not relay a SIGHUP signal to the
 2176    command when the terminal is closed and the command is not run
 2177    in its own pseudo-tty.  Bug #719
 2179  * If some, but not all, of the LOGNAME, USER or USERNAME environment
 2180    variables have been preserved from the invoking user's environment,
 2181    sudo will now use the preserved value to set the remaining variables
 2182    instead of using the runas user.  This ensures that if, for example,
 2183    only LOGNAME is present in the env_keep list, that sudo will not
 2184    set USER and USERNAME to the runas user.
 2186 *  When the command sudo is running dies due to a signal, sudo will
 2187    now send itself that same signal with the default signal handler
 2188    installed instead of exiting.  The bash shell appears to ignore
 2189    some signals, e.g. SIGINT, unless the command being run is killed
 2190    by that signal.  This makes the behavior of commands run under
 2191    sudo the same as without sudo when bash is the shell.  Bug #722
 2193  * Slovak translation for sudo from translationproject.org.
 2195  * Hungarian and Slovak translations for sudoers from translationproject.org.
 2197  * Previously, when env_reset was enabled (the default) and the -s
 2198    option was not used, the SHELL environment variable was set to the
 2199    shell of the invoking user.  Now, when env_reset is enabled and
 2200    the -s option is not used, SHELL is set based on the target user.
 2202  * Fixed challenge/response style BSD authentication.
 2204  * Added the sudoedit_checkdir Defaults option to prevent sudoedit
 2205    from editing files located in a directory that is writable by
 2206    the invoking user.
 2208  * Added the always_query_group_plugin Defaults option to control
 2209    whether groups not found in the system group database are passed
 2210    to the group plugin.  Previously, unknown system groups were
 2211    always passed to the group plugin.
 2213  * When creating a new file, sudoedit will now check that the file's
 2214    parent directory exists before running the editor.
 2216  * Fixed the compiler stack protector test in configure for compilers
 2217    that support -fstack-protector but don't actually have the ssp
 2218    library available.
 2220 What's new in Sudo 1.8.14p3
 2222  * Fixed a bug introduced in sudo 1.8.14p2 that prevented sudo
 2223    from working when no tty was present.
 2225  * Fixed tty detection on newer AIX systems where dev_t is 64-bit.
 2227 What's new in Sudo 1.8.14p2
 2229  * Fixed a bug introduced in sudo 1.8.14 that prevented the lecture
 2230    file from being created.  Bug #704.
 2232 What's new in Sudo 1.8.14p1
 2234  * Fixed a bug introduced in sudo 1.8.14 that prevented the sssd
 2235    back-end from working.  Bug #703.
 2237 What's new in Sudo 1.8.14
 2239  * Log messages on Mac OS X now respect sudoers_locale when sudo
 2240    is build with NLS support.
 2242  * The sudo manual pages now pass "mandoc -Tlint" with no warnings.
 2244  * Fixed a compilation problem on systems with the sig2str() function
 2245    that do not define SIG2STR_MAX in signal.h.
 2247  * Worked around a compiler bug that resulted in unexpected behavior
 2248    when returning an int from a function declared to return bool
 2249    without an explicit cast.
 2251  * Worked around a bug in Mac OS X 10.10 BSD auditing where the
 2252    au_preselect() fails for AUE_sudo events but succeeds for
 2253    AUE_DARWIN_sudo.
 2255  * Fixed a hang on Linux systems with glibc when sudo is linked with
 2256    jemalloc.
 2258  * When the user runs a command as a user ID that is not present in
 2259    the password database via the -u flag, the command is now run
 2260    with the group ID of the invoking user instead of group ID 0.
 2262  * Fixed a compilation problem on systems that don't pull in
 2263    definitions of uid_t and gid_t without sys/types.h or unistd.h.
 2265  * Fixed a compilation problem on newer AIX systems which use a
 2266    struct st_timespec for time stamps in struct stat that differs
 2267    from struct timespec.  Bug #702.
 2269  * The example directory is now configurable via --with-exampledir
 2270    and defaults to DATAROOTDIR/examples/sudo on BSD systems.
 2272  * The /usr/lib/tmpfiles.d/sudo.conf file is now installed as part
 2273    of "make install" when systemd is in use.
 2275  * Fixed a linker problem on some systems with libintl.  Bug #690.
 2277  * Fixed compilation with compilers that don't support __func__
 2278    or __FUNCTION__.
 2280  * Sudo no longer needs to uses weak symbols to support localization
 2281    in the warning functions.  A registration function is used instead.
 2283  * Fixed a setresuid() failure in sudoers on Linux kernels where
 2284    uid changes take the nproc resource limit into account.
 2286  * Fixed LDAP netgroup queries on AIX.
 2288  * Sudo will now display the custom prompt on Linux systems with PAM
 2289    even if the "Password: " prompt is not localized by the PAM module.
 2290    Bug #701.
 2292  * Double-quoted values in an LDAP sudoOption are now supported
 2293    for consistency with file-based sudoers.
 2295  * Fixed a bug that prevented the btime entry in /proc/stat from
 2296    being parsed on Linux.
 2298 What's new in Sudo 1.8.13
 2300  * The examples directory is now a subdirectory of the doc dir to
 2301    conform to Debian guidelines.  Bug #682.
 2303  * Fixed a compilation error for siglist.c and signame.c on some
 2304    systems.  Bug #686
 2306  * Weak symbols are now used for sudo_warn_gettext() and
 2307    sudo_warn_strerror() in libsudo_util to avoid link errors when
 2308    -Wl,--no-undefined is used in LDFLAGS.  The --disable-weak-symbols
 2309    configure option can be used to disable the user of weak symbols.
 2311  * Fixed a bug in sudo's mkstemps() replacement function that
 2312    prevented the file extension from being preserved in sudoedit.
 2314  * A new mail_all_cmnds sudoers flag will send mail when a user runs
 2315    a command (or tries to). The behavior of the mail_always flag has
 2316    been restored to always send mail when sudo is run.
 2318  * New "MAIL" and "NOMAIL" command tags have been added to toggle
 2319    mail sending behavior on a per-command (or Cmnd_Alias) basis.
 2321  * Fixed matching of empty passwords when sudo is configured to
 2322    use passwd (or shadow) file authentication on systems where the
 2323    crypt() function returns NULL for invalid salts.
 2325  * On AIX, sudo now uses the value of the auth_type setting in
 2326    /etc/security/login.cfg to determine whether to use LAM or PAM
 2327    for user authentication.
 2329  * The "all" setting for listpw and verifypw now works correctly
 2330    with LDAP and sssd sudoers.
 2332  * The sudo timestamp directory is now created at boot time on
 2333    platforms that use systemd.
 2335  * Sudo will now restore the value of the SIGPIPE handler before
 2336    executing the command.
 2338  * Sudo now uses "struct timespec" instead of "struct timeval" for
 2339    time keeping when possible.  If supported, sudoedit and visudo
 2340    now use nanosecond granularity time stamps.
 2342  * Fixed a symbol name collision with systems that have their own
 2343    SHA2 implementation.  This fixes a problem where PAM could use
 2344    the wrong SHA2 implementation on Solaris 10 systems configured
 2345    to use SHA512 for passwords.
 2347  * The editor invoked by sudoedit once again uses an unmodified
 2348    copy of the user's environment as per the documentation.  This
 2349    was inadvertently changed in sudo 1.8.0.  Bug #688.
 2351 What's new in Sudo 1.8.12
 2353  * The embedded copy of zlib has been upgraded to version 1.2.8 and
 2354    is now installed as a shared library where supported.
 2356  * Debug settings for the sudo front end and sudoers plugin are now
 2357    configured separately.
 2359  * Multiple sudo.conf Debug entries may now be specified per program
 2360    (or plugin).
 2362  * The plugin API has been extended such that the path to the plugin
 2363    that was loaded is now included in the settings array.  This
 2364    path can be used to register with the debugging subsystem.  The
 2365    debug_flags setting is now prefixed with a file name and may be
 2366    specified multiple times if there is more than one matching Debug
 2367    setting in sudo.conf.
 2369  * The sudoers regression tests now run with the locale set to C
 2370    since some of the tests compare output that includes locale-specific
 2371    messages.  Bug #672
 2373  * Fixed a bug where sudo would not run commands on Linux when
 2374    compiled with audit support if audit is disabled.  Bug #671
 2376  * Added __BASH_FUNC<* to the environment blacklist to match
 2377    Apple's syntax for newer-style bash functions.
 2379  * The default password prompt now includes a trailing space after
 2380    "Password:" for consistency with su(1) on most systems.
 2381    Bug #663
 2383  * Fixed a problem on DragonFly BSD where SIGCHLD could be ignored,
 2384    preventing sudo from exiting.  Bug #676
 2386  * Visudo will now use the optional sudoers_file, sudoers_mode,
 2387    sudoers_uid and sudoers_gid arguments if specified on the
 2388    sudoers.so Plugin line in the sudo.conf file.
 2390  * Fixed a problem introduced in sudo 1.8.8 that prevented the full
 2391    host name from being used when the "fqdn" sudoers option is used.
 2392    Bug #678
 2394  * French and Russian translations for sudoers from translationproject.org.
 2396  * Sudo now installs a handler for SIGCHLD signal handler immediately
 2397    before stating the process that will execute the command (or
 2398    start the monitor).  The handler used to be installed earlier
 2399    but this causes problems with poorly behaved PAM modules that
 2400    install their own SIGCHLD signal handler and neglect to restore
 2401    sudo's original handler.  Bug #657
 2403  * Removed a limit on the length of command line arguments expanded
 2404    by a wild card using sudo's version of the fnmatch() function.
 2405    This limit was introduced when sudo's version of fnmatch()
 2406    was replaced in sudo 1.8.4.
 2408  * LDAP-based sudoers can now query an LDAP server for a user's
 2409    netgroups directly.  This is often much faster than fetching
 2410    every sudoRole object containing a sudoUser that begins with a
 2411    `+' prefix and checking whether the user is a member of any of
 2412    the returned netgroups.
 2414  * The mail_always sudoers option no longer sends mail for "sudo -l"
 2415    or "sudo -v" unless the user is unable to authenticate themselves.
 2417  * Fixed a crash when sudo is run with an empty argument vector.
 2419  * Fixed two potential crashes when sudo is run with very low
 2420    resource limits.
 2422  * The TZ environment variable is now checked for safety instead
 2423    of simply being copied to the environment of the command.
 2425 What's new in Sudo 1.8.11p2
 2427  * Fixed a bug where dynamic shared objects loaded from a plugin
 2428    could use the hooked version of getenv() but not the hooked
 2429    versions of putenv(), setenv() or unsetenv().  This can cause
 2430    problems for PAM modules that use those functions.
 2432 What's new in Sudo 1.8.11p1
 2434  * Fixed a compilation problem on some systems when the
 2435    --disable-shared-libutil configure option was specified.
 2437  * The user can no longer interrupt the sleep after an incorrect
 2438    password on PAM systems using pam_unix.
 2439    Bug #666
 2441  * Fixed a compilation problem on Linux systems that do not use PAM.
 2442    Bug #667
 2444  * "make install" will now work with the stock GNU autotools
 2445    install-sh script.  Bug #669
 2447  * Fixed a crash with "sudo -i" when the current working directory
 2448    does not exist.  Bug #670
 2450  * Fixed a potential crash in the debug subsystem when logging a message
 2451    larger that 1024 bytes.
 2453  * Fixed a "make check" failure for ttyname when stdin is closed and
 2454    stdout and stderr are redirected to a different tty.  Bug #643
 2456  * Added BASH_FUNC_* to the environment blacklist to match newer-style
 2457    bash functions.
 2459 What's new in Sudo 1.8.11
 2461  * The sudoers plugin no longer uses setjmp/longjmp to recover
 2462    from fatal errors.  All errors are now propagated to the caller
 2463    via return codes.
 2465  * When running a command in the background, sudo will now forward
 2466    SIGINFO to the command (if supported).
 2468  * Sudo will now use the system versions of the sha2 functions from
 2469    libc or libmd if available.
 2471  * Visudo now works correctly on GNU Hurd.  Bug #647
 2473  * Fixed suspend and resume of curses programs on some system when
 2474    the command is not being run in a pseudo-terminal.  Bug #649
 2476  * Fixed a crash with LDAP-based sudoers on some systems when
 2477    Kerberos was enabled.
 2479  * Sudo now includes optional Solaris audit support.
 2481  * Catalan translation for sudoers from translationproject.org.
 2483  * Norwegian Bokmaal translation for sudo from translationproject.org.
 2485  * Greek translation for sudoers from translationproject.org
 2487  * The sudo source tree has been reorganized to more closely resemble
 2488    that of other gettext-enabled packages.
 2490  * Sudo and its associated programs now link against a shared version
 2491    of libsudo_util.  The --disable-shared-libutil configure option
 2492    may be used to force static linking if the --enable-static-sudoers
 2493    option is also specified.
 2495  * The passwords in ldap.conf and ldap.secret may now be encoded
 2496    in base64.
 2498  * Audit updates.  SELinux role changes are now audited.  For
 2499    sudoedit, we now audit the actual editor being run, instead of
 2500    just the sudoedit command.
 2502  * Fixed bugs in the man page post-processing that could cause
 2503    portions of the manuals to be removed.
 2505  * Fixed a crash in the system_group plugin.  Bug #653.
 2507  * Fixed sudoedit on platforms without a system version of the
 2508    getprogname() function.  Bug #654.
 2510  * Fixed compilation problems with some pre-C99 compilers.
 2512  * Fixed sudo's -C option which was broken in version 1.8.9.
 2514  * It is now possible to match an environment variable's value as
 2515    well as its name using env_keep and env_check.  This can be used
 2516    to preserve bash functions which would otherwise be removed from
 2517    the environment.
 2519  * New files created via sudoedit as a non-root user now have the
 2520    proper group id.  Bug #656
 2522  * Sudoedit now works correctly in conjunction with sudo's SELinux
 2523    RBAC support.  Temporary files are now created with the proper
 2524    security context.
 2526  * The sudo I/O logging plugin API has been updated.  If a logging
 2527    function returns an error, the command will be terminated and
 2528    all of the plugin's logging functions will be disabled.  If a
 2529    logging function rejects the command's output it will no longer
 2530    be displayed to the user's terminal.
 2532  * Fixed a compilation error on systems that lack openpty(), _getpty()
 2533    and grantpt(). Bug #660
 2535  * Fixed a hang when a sudoers source is listed more than once in
 2536    a single sudoers nsswitch.conf entry.
 2538  * On AIX, shell scripts without a #! magic number are now passed to
 2539    /usr/bin/sh, not /usr/bin/bsh.  This is consistent with what the
 2540    execvp() function on AIX does and matches historic sudo behavior.
 2541    Bug #661
 2543  * Fixed a cross-compilation problem building mksiglist and mksigname.
 2544    Bug #662
 2546 What's new in Sudo 1.8.10p3?
 2548  * Fixed expansion of %p in the prompt for "sudo -l" when rootpw,
 2549    runaspw or targetpw is set.  Bug #639
 2551  * Fixed matching of UIDs and GIDs which was broken in version 1.8.9.
 2552    Bug #640
 2554  * PAM credential initialization has been re-enabled.  It was
 2555    unintentionally disabled by default in version 1.8.8.  The way
 2556    credentials are initialized has also been fixed.  Bug #642.
 2558  * Fixed a descriptor leak on Linux when determining boot time.  Sudo
 2559    normally closes extra descriptors before running a command so
 2560    the impact is limited.  Bug #645
 2562  * Fixed flushing of the last buffer of data when I/O logging is
 2563    enabled.  This bug, introduced in version 1.8.9, could cause
 2564    incomplete command output on some systems.  Bug #646
 2566 What's new in Sudo 1.8.10p2?
 2568  * Fixed a hang introduced in sudo 1.8.10 when timestamp_timeout
 2569    is set to zero.
 2571 What's new in Sudo 1.8.10p1?
 2573  * Fixed a bug introduced in sudo 1.8.10 that prevented the disabling
 2574    of tty-based tickets.
 2576  * Fixed a bug with negated commands in "sudo -l command" that
 2577    could cause the command to be listed even when it was explicitly
 2578    denied.  This only affected list mode when a command was specified.
 2579    Bug #636
 2581 What's new in Sudo 1.8.10?
 2583  * It is now possible to disable network interface probing in
 2584    sudo.conf by changing the value of the probe_interfaces
 2585    setting.
 2587  * When listing a user's privileges (sudo -l), the sudoers plugin
 2588    will now prompt for the user's password even if the targetpw,
 2589    rootpw or runaspw options are set.
 2591  * The sudoers plugin uses a new format for its time stamp files.
 2592    Each user now has a single file which may contain multiple records
 2593    when per-tty time stamps are in use (the default).  The time
 2594    stamps use a monotonic timer where available and are once again
 2595    located in a directory under /var/run.  The lecture status is
 2596    now stored separately from the time stamps in a different directory.
 2597    Bug #616
 2599  * sudo's -K option will now remove all of the user's time stamps,
 2600    not just the time stamp for the current terminal.  The -k option
 2601    can be used to only disable time stamps for the current terminal.
 2603  * If sudo was started in the background and needed to prompt for
 2604    a password, it was not possible to suspend it at the password
 2605    prompt.  This now works properly.
 2607  * LDAP-based sudoers now uses a default search filter of
 2608    (objectClass=sudoRole) for more efficient queries.  The netgroup
 2609    query has been modified to avoid falling below the minimum length
 2610    for OpenLDAP substring indices.
 2612  * The new "use_netgroups" sudoers option can be used to explicitly
 2613    enable or disable netgroups support.  For LDAP-based sudoers,
 2614    netgroup support requires an expensive substring match on the
 2615    server.  If netgroups are not needed, this option can be disabled
 2616    to reduce the load on the LDAP server.
 2618  * Sudo is once again able to open the sudoers file when the group
 2619    on sudoers doesn't match the expected value, so long as the file
 2620    is not group writable.
 2622  * Sudo now installs an init.d script to clear the time stamp
 2623    directory at boot time on AIX and HP-UX systems.  These systems
 2624    either lack /var/run or do not clear it on boot.
 2626  * The JSON format used by "visudo -x" now properly supports the
 2627    negation operator.  In addition, the Options object is now the
 2628    same for both Defaults and Cmnd_Specs.
 2630  * Czech and Serbian translations for sudoers from translationproject.org.
 2632  * Catalan translation for sudo from translationproject.org.
 2634 What's new in Sudo 1.8.9p5?
 2636  * Fixed a compilation error on AIX when LDAP support is enabled.
 2638  * Fixed parsing of the "umask" defaults setting in sudoers.  Bug #632.
 2640  * Fixed a failed assertion when the "closefrom_override" defaults
 2641    setting is enabled in sudoers and sudo's -C flag is used.  Bug #633.
 2643 What's new in Sudo 1.8.9p4?
 2645  * Fixed a bug where sudo could consume large amounts of CPU while
 2646    the command was running when I/O logging is not enabled.  Bug #631
 2648  * Fixed a bug where sudo would exit with an error when the debug
 2649    level is set to util@debug or all@debug and I/O logging is not
 2650    enabled.  The command would continue running after sudo exited.
 2652 What's new in Sudo 1.8.9p3?
 2654  * Fixed a bug introduced in sudo 1.8.9 that prevented the tty name
 2655    from being resolved properly on Linux systems.  Bug #630.
 2657 What's new in Sudo 1.8.9p2?
 2659  * Updated config.guess, config.sub and libtool to support the ppc64le
 2660    architecture (IBM PowerPC Little Endian).
 2662 What's new in Sudo 1.8.9p1?
 2664  * Fixed a problem with gcc 4.8's handling of bit fields that could
 2665    lead to the noexec flag being enabled even when it was not
 2666    explicitly set.
 2668 What's new in Sudo 1.8.9?
 2670  * Reworked sudo's main event loop to use a simple event subsystem
 2671    using poll(2) or select(2) as the back end.
 2673  * It is now possible to statically compile the sudoers plugin into
 2674    the sudo binary without disabling shared library support.  The
 2675    sudo.conf file may still be used to configure other plugins.
 2677  * Sudo can now be compiled again with a C preprocessor that does
 2678    not support variadic macros.
 2680  * Visudo can now export a sudoers file in JSON format using the
 2681    new -x flag.
 2683  * The locale is now set correctly again for visudo and sudoreplay.
 2685  * The plugin API has been extended to allow the plugin to exclude
 2686    specific file descriptors from the "closefrom" range.
 2688  * There is now a workaround for a Solaris-specific problem where
 2689    NOEXEC was overriding traditional root DAC behavior.
 2691  * Add user netgroup filtering for SSSD. Previously, rules for
 2692    a netgroup were applied to all even when they did not belong
 2693    to the specified netgroup.
 2695  * On systems with BSD login classes, if the user specified a group
 2696    (not a user) to run the command as, it was possible to specify
 2697    a different login class even when the command was not run as the
 2698    super user.
 2700  * The closefrom() emulation on Mac OS X now uses /dev/fd if possible.
 2702  * Fixed a bug where sudoedit would not update the original file
 2703    from the temporary when PAM or I/O logging is not enabled.
 2705  * When recycling I/O logs, the log files are now truncated properly.
 2707  * Fixes bugs #617, #621, #622, #623, #624, #625, #626
 2709 What's new in Sudo 1.8.8?
 2711  * Removed a warning on PAM systems with stacked auth modules
 2712    where the first module on the stack does not succeed.
 2714  * Sudo, sudoreplay and visudo now support GNU-style long options.
 2716  * The -h (--host) option may now be used to specify a host name.
 2717    This is currently only used by the sudoers plugin in conjunction
 2718    with the -l (--list) option.
 2720  * Program usage messages and manual SYNOPSIS sections have been
 2721    simplified.
 2723  * Sudo's LDAP SASL support now works properly with Kerberos.
 2724    Previously, the SASL library was unable to locate the user's
 2725    credential cache.
 2727  * It is now possible to set the nproc resource limit to unlimited
 2728    via pam_limits on Linux (bug #565).
 2730  * New "pam_service" and "pam_login_service" sudoers options
 2731    that can be used to specify the PAM service name to use.
 2733  * New "pam_session" and "pam_setcred" sudoers options that
 2734    can be used to disable PAM session and credential support.
 2736  * The sudoers plugin now properly supports UIDs and GIDs
 2737    that are larger than 0x7fffffff on 32-bit platforms.
 2739  * Fixed a visudo bug introduced in sudo 1.8.7 where per-group
 2740    Defaults entries would cause an internal error.
 2742  * If the "tty_tickets" sudoers option is enabled (the default),
 2743    but there is no tty present, sudo will now use a ticket file
 2744    based on the parent process ID.  This makes it possible to support
 2745    the normal timeout behavior for the session.
 2747  * Fixed a problem running commands that change their process
 2748    group and then attempt to change the terminal settings when not
 2749    running the command in a pseudo-terminal.  Previously, the process
 2750    would receive SIGTTOU since it was effectively a background
 2751    process.  Sudo will now grant the child the controlling tty and
 2752    continue it when this happens.
 2754  * The "closefrom_override" sudoers option may now be used in
 2755    a command-specified Defaults entry (bug #610).
 2757  * Sudo's BSM audit support now works on Solaris 11.
 2759  * Brazilian Portuguese translation for sudo and sudoers from
 2760    translationproject.org.
 2762  * Czech translation for sudo from translationproject.org.
 2764  * French translation for sudo from translationproject.org.
 2766  * Sudo's noexec support on Mac OS X 10.4 and above now uses dynamic
 2767    symbol interposition instead of setting DYLD_FORCE_FLAT_NAMESPACE=1
 2768    which causes issues with some programs.
 2770  * Fixed visudo's -q (--quiet) flag, broken in sudo 1.8.6.
 2772  * Root may no longer change its SELinux role without entering
 2773    a password.
 2775  * Fixed a bug introduced in Sudo 1.8.7 where the indexes written
 2776    to the I/O log timing file are two greater than they should be.
 2777    Sudoreplay now contains a work-around to parse those files.
 2779  * In sudoreplay's list mode, the "this" qualifier in "fromdate"
 2780    or "todate" expressions now behaves more sensibly.  Previously,
 2781    it would often match a date that was "one more" than expected.
 2782    For example, "this week" now matches the current week instead
 2783    of the following week.
 2785 What's new in Sudo 1.8.7?
 2787  * The non-Unix group plugin is now supported when sudoers data
 2788    is stored in LDAP.
 2790  * Sudo now uses a workaround for a locale bug on Solaris 11.0
 2791    that prevents setuid programs like sudo from fully using locales.
 2793  * User messages are now always displayed in the user's locale,
 2794    even when the same message is being logged or mailed in a
 2795    different locale.
 2797  * Log files created by sudo now explicitly have the group set
 2798    to group ID 0 rather than relying on BSD group semantics (which
 2799    may not be the default).
 2801  * A new "exec_background" sudoers option can be used to initially
 2802    run the command without read access to the terminal when running
 2803    a command in a pseudo-tty.  If the command tries to read from
 2804    the terminal it will be stopped by the kernel (via SIGTTIN or
 2805    SIGTTOU) and sudo will immediately restart it as the foreground
 2806    process (if possible).  This allows sudo to only pass terminal
 2807    input to the program if the program actually is expecting it.
 2808    Unfortunately, a few poorly-behaved programs (like "su" on most
 2809    Linux systems) do not handle SIGTTIN and SIGTTOU properly.
 2811  * Sudo now uses an efficient group query to get all the groups
 2812    for a user instead of iterating over every record in the group
 2813    database on HP-UX and Solaris.
 2815  * Sudo now produces better error messages when there is an error
 2816    in the sudo.conf file.
 2818  * Two new settings have been added to sudo.conf to give the admin
 2819    better control of how group database queries are performed.  The
 2820    "group_source" specifies how the group list for a user will be
 2821    determined.  Legal values are "static" (use the kernel groups
 2822    list), "dynamic" (perform a group database query) and "adaptive"
 2823    (only perform a group database query if the kernel list is full).
 2824    The "max_groups" setting specifies the maximum number of groups
 2825    a user may belong to when performing a group database query.
 2827  * The sudo.conf file now supports line continuation by using a
 2828    backslash as the last character on the line.
 2830  * There is now a standalone sudo.conf manual page.
 2832  * Sudo now stores its libexec files in a "sudo" sub-directory instead
 2833    of in libexec itself. For backward compatibility, if the plugin
 2834    is not found in the default plugin directory, sudo will check
 2835    the parent directory if the default directory ends in "/sudo".
 2837  * The sudoers I/O logging plugin now logs the terminal size.
 2839  * A new sudoers option "maxseq" can be used to limit the number of
 2840    I/O log entries that are stored.
 2842  * The "system_group" and "group_file" sudoers group provider plugins
 2843    are now installed by default.
 2845  * The list output (sudo -l) output from the sudoers plugin is now
 2846    less ambiguous when an entry includes different runas users.
 2847    The long list output (sudo -ll) for file-based sudoers is now
 2848    more consistent with the format of LDAP-based sudoers.
 2850  * A UID may now be used in the sudoRunAsUser attributes for LDAP
 2851    sudoers.
 2853  * Minor plugin API change: the close and version functions are now
 2854    optional.  If the policy plugin does not provide a close function
 2855    and the command is not being run in a new pseudo-tty, sudo may
 2856    now execute the command directly instead of in a child process.
 2858  * A new sudoers option "pam_session" can be used to disable sudo's
 2859    PAM session support.
 2861  * On HP-UX systems, sudo will now use the pstat() function to
 2862    determine the tty instead of ttyname().
 2864  * Turkish translation for sudo and sudoers from translationproject.org.
 2866  * Dutch translation for sudo and sudoers from translationproject.org.
 2868  * Tivoli Directory Server client libraries may now be used with
 2869    HP-UX where libibmldap has a hidden dependency on libCsup.
 2871  * The sudoers plugin will now ignore invalid domain names when
 2872    checking netgroup membership.  Most Linux systems use the string
 2873    "(none)" for the NIS-style domain name instead of an empty string.
 2875  * New support for specifying a SHA-2 digest along with the command
 2876    in sudoers.  Supported hash types are sha224, sha256, sha384 and
 2877    sha512.  See the description of Digest_Spec in the sudoers manual
 2878    or the description of sudoCommand in the sudoers.ldap manual for
 2879    details.
 2881  * The paths to ldap.conf and ldap.secret may now be specified as
 2882    arguments to the sudoers plugin in the sudo.conf file.
 2884  * Fixed potential false positives in visudo's alias cycle detection.
 2886  * Fixed a problem where the time stamp file was being treated
 2887    as out of date on Linux systems where the change time on the
 2888    pseudo-tty device node can change after it is allocated.
 2890  * Sudo now only builds Position Independent Executables (PIE)
 2891    by default on Linux systems and verifies that a trivial test
 2892    program builds and runs.
 2894  * On Solaris 11.1 and higher, sudo binaries will now have the
 2895    ASLR tag enabled if supported by the linker.
 2897 What's new in Sudo 1.8.6p8?
 2899  * Terminal detection now works properly on 64-bit AIX kernels.
 2900    This was broken by the removal of the ttyname() fallback in Sudo
 2901    1.8.6p6.  Sudo is now able to map an AIX 64-bit device number
 2902    to the corresponding device file in /dev.
 2904  * Sudo now checks for crypt() returning NULL when performing
 2905    passwd-based authentication.
 2907 What's new in Sudo 1.8.6p7?
 2909  * A time stamp file with the date set to the epoch by "sudo -k"
 2910    is now completely ignored regardless of what the local clock is
 2911    set to.  Previously, if the local clock was set to a value between
 2912    the epoch and the time stamp timeout value, a time stamp reset
 2913    by "sudo -k" would be considered current.
 2915  * The tty-specific time stamp file now includes the session ID
 2916    of the sudo process that created it.  If a process with the same
 2917    tty but a different session ID runs sudo, the user will now be
 2918    prompted for a password (assuming authentication is required for
 2919    the command).
 2921 What's new in Sudo 1.8.6p6?
 2923  * On systems where the controlling tty can be determined via /proc
 2924    or sysctl(), sudo will no longer fall back to using ttyname()
 2925    if the process has no controlling tty.  This prevents sudo from
 2926    using a non-controlling tty for logging and time stamp purposes.
 2928 What's new in Sudo 1.8.6p5?
 2930  * Fixed a potential crash in visudo's alias cycle detection.
 2932  * Improved performance on Solaris when retrieving the group list
 2933    for the target user.  On systems with a large number of groups
 2934    where the group database is not local (NIS, LDAP, AD), fetching
 2935    the group list could take a minute or more.
 2937 What's new in Sudo 1.8.6p4?
 2939  * The -fstack-protector is now used when linking visudo, sudoreplay
 2940    and testsudoers.
 2942  * Avoid building PIE binaries on FreeBSD/ia64 as they don't run
 2943    properly.
 2945  * Fixed a crash in visudo strict mode when an unknown Defaults
 2946    setting is encountered.
 2948  * Do not inform the user that the command was not permitted by the
 2949    policy if they do not successfully authenticate. This is a
 2950    regression introduced in sudo 1.8.6.
 2952  * Allow sudo to be build with sss support without also including
 2953    ldap support.
 2955  * Fixed running commands that need the terminal in the background
 2956    when I/O logging is enabled. E.g. "sudo vi &". When the command
 2957    is foregrounded, it will now resume properly.
 2959 What's new in Sudo 1.8.6p3?
 2961  * Fixed post-processing of the man pages on systems with legacy
 2962    versions of sed.
 2964  * Fixed "sudoreplay -l" on Linux systems with file systems that
 2965    set DT_UNKNOWN in the d_type field of struct dirent.
 2967 What's new in Sudo 1.8.6p2?
 2969  * Fixed suspending a command after it has already been resumed
 2970    once when I/O logging (or use_pty) is not enabled.
 2971    This was a regression introduced in version 1.8.6.
 2973 What's new in Sudo 1.8.6p1?
 2975  * Fixed the setting of LOGNAME, USER and USERNAME variables in the
 2976    command's environment when env_reset is enabled (the default).
 2977    This was a regression introduced in version 1.8.6.
 2979  * Sudo now honors SUCCESS=return in /etc/nsswitch.conf.
 2981 What's new in Sudo 1.8.6?
 2983  * Sudo is now built with the -fstack-protector flag if the the
 2984    compiler supports it.  Also, the -zrelro linker flag is used if
 2985    supported.  The --disable-hardening configure option can be used
 2986    to build sudo without stack smashing protection.
 2988  * Sudo is now built as a Position Independent Executable (PIE)
 2989    if supported by the compiler and linker.
 2991  * If the user is a member of the "exempt" group in sudoers, they
 2992    will no longer be prompted for a password even if the -k flag
 2993    is specified with the command.  This makes "sudo -k command"
 2994    consistent with the behavior one would get if the user ran "sudo
 2995    -k" immediately before running the command.
 2997  * The sudoers file may now be a symbolic link.  Previously, sudo
 2998    would refuse to read sudoers unless it was a regular file.
 3000  * The sudoreplay command can now properly replay sessions where
 3001    no tty was present.
 3003  * The sudoers plugin now takes advantage of symbol visibility
 3004    controls when supported by the compiler or linker.  As a result,
 3005    only a small number of symbols are exported which significantly
 3006    reduces the chances of a conflict with other shared objects.
 3008  * Improved support for the Tivoli Directory Server LDAP client
 3009    libraries.  This includes support for using LDAP over SSL (ldaps)
 3010    as well as support for the BIND_TIMELIMIT, TLS_KEY and TLS_CIPHERS
 3011    ldap.conf options.  A new ldap.conf option, TLS_KEYPW can be
 3012    used to specify a password to decrypt the key database.
 3014  * When constructing a time filter for use with LDAP sudoNotBefore
 3015    and sudoNotAfter attributes, the current time now includes tenths
 3016    of a second.  This fixes a problem with timed entries on Active
 3017    Directory.
 3019  * If a user fails to authenticate and the command would be rejected
 3020    by sudoers, it is now logged with "command not allowed" instead
 3021    of "N incorrect password attempts".  Likewise, the "mail_no_perms"
 3022    sudoers option now takes precedence over "mail_badpass".
 3024  * The sudo manuals are now formatted using the mdoc macros.  Versions
 3025    using the legacy man macros are provided for systems that lack mdoc.
 3027  * New support for Solaris privilege sets.  This makes it possible
 3028    to specify fine-grained privileges in the sudoers file on Solaris
 3029    10 and above.  A Runas_Spec that contains no Runas_Lists can be
 3030    used to give a user the ability to run a command as themselves
 3031    but with an expanded privilege set.
 3033  * Fixed a problem with the reboot and shutdown commands on some
 3034    systems (such as HP-UX and BSD).  On these systems, reboot sends
 3035    all processes (except itself) SIGTERM.  When sudo received
 3036    SIGTERM, it would relay it to the reboot process, thus killing
 3037    reboot before it had a chance to actually reboot the system.
 3039  * Support for using the System Security Services Daemon (SSSD) as
 3040    a source of sudoers data.
 3042  * Slovenian translation for sudo and sudoers from translationproject.org.
 3044  * Visudo will now warn about unknown Defaults entries that are
 3045    per-host, per-user, per-runas or per-command.
 3047  * Fixed a race condition that could cause sudo to receive SIGTTOU
 3048    (and stop) when resuming a shell that was run via sudo when I/O
 3049    logging (and use_pty) is not enabled.
 3051  * Sending SIGTSTP directly to the sudo process will now suspend the
 3052    running command when I/O logging (and use_pty) is not enabled.
 3054 What's new in Sudo 1.8.5p3?
 3056  * Fixed the loading of I/O plugins that conform to a plugin API
 3057    version older than 1.2.
 3059 What's new in Sudo 1.8.5p2?
 3061  * Fixed use of the SUDO_ASKPASS environment variable which was
 3062    broken in Sudo 1.8.5.
 3064  * Fixed a problem reading the sudoers file when the file mode is
 3065    more restrictive than the expected mode.  For example, when the
 3066    expected sudoers file mode is 0440 but the actual mode is 0400.
 3068 What's new in Sudo 1.8.5p1?
 3070  * Fixed a bug that prevented files in an include directory from
 3071    being evaluated.
 3073 What's new in Sudo 1.8.5?
 3075  * When "noexec" is enabled, sudo_noexec.so will now be prepended
 3076    to any existing LD_PRELOAD variable instead of replacing it.
 3078  * The sudo_noexec.so shared library now wraps the execvpe(),
 3079    exect(), posix_spawn() and posix_spawnp() functions.
 3081  * The user/group/mode checks on sudoers files have been relaxed.
 3082    As long as the file is owned by the sudoers UID, not world-writable
 3083    and not writable by a group other than the sudoers GID, the file
 3084    is considered OK.  Note that visudo will still set the mode to
 3085    the value specified at configure time.
 3087  * It is now possible to specify the sudoers path, UID, GID and
 3088    file mode as options to the plugin in the sudo.conf file.
 3090  * Croatian, Galician, German, Lithuanian, Swedish and Vietnamese
 3091    translations from translationproject.org.
 3093  * /etc/environment is no longer read directly on Linux systems
 3094    when PAM is used.  Sudo now merges the PAM environment into the
 3095    user's environment which is typically set by the pam_env module.
 3097  * The initial environment created when env_reset is in effect now
 3098    includes the contents of /etc/environment on AIX systems and the
 3099    "setenv" and "path" entries from /etc/login.conf on BSD systems.
 3101  * The plugin API has been extended in three ways.  First, options
 3102    specified in sudo.conf after the plugin pathname are passed to
 3103    the plugin's open function.  Second, sudo has limited support
 3104    for hooks that can be used by plugins.  Currently, the hooks are
 3105    limited to environment handling functions.  Third, the init_session
 3106    policy plugin function is passed a pointer to the user environment
 3107    which can be updated during session setup.  The plugin API version
 3108    has been incremented to version 1.2.  See the sudo_plugin manual
 3109    for more information.
 3111  * The policy plugin's init_session function is now called by the
 3112    parent sudo process, not the child process that executes the
 3113    command.  This allows the PAM session to be open and closed in
 3114    the same process, which some PAM modules require.
 3116  * Fixed parsing of "Path askpass" and "Path noexec" in sudo.conf,
 3117    which was broken in version 1.8.4.
 3119  * On systems with an SVR4-style /proc file system, the /proc/pid/psinfo
 3120    file is now uses to determine the controlling terminal, if possible.
 3121    This allows tty-based tickets to work properly even when, e.g.
 3122    standard input, output and error are redirected to /dev/null.
 3124  * The output of "sudoreplay -l" is now sorted by file name (or
 3125    sequence number).  Previously, entries were displayed in the
 3126    order in which they were found on the file system.
 3128  * Sudo now behaves properly when I/O logging is enabled and the
 3129    controlling terminal is revoked (e.g. the running sshd is killed).
 3130    Previously, sudo may have exited without calling the I/O plugin's
 3131    close function which can lead to an incomplete I/O log.
 3133  * Sudo can now detect when a user has logged out and back in again
 3134    on Solaris 11, just like it can on Solaris 10.
 3136  * The built-in zlib included with Sudo has been upgraded to version
 3137    1.2.6.
 3139  * Setting the SSL parameter to start_tls in ldap.conf now works
 3140    properly when using Mozilla-based SDKs that support the
 3141    ldap_start_tls_s() function.
 3143  * The TLS_CHECKPEER parameter in ldap.conf now works when the
 3144    Mozilla NSS crypto back-end is used with OpenLDAP.
 3146  * A new group provider plugin, system_group, is included which
 3147    performs group look ups by name using the system groups database.
 3148    This can be used to restore the pre-1.7.3 sudo group lookup
 3149    behavior.
 3151 What's new in Sudo 1.8.4p5?
 3153  * Fixed a bug when matching against an IP address with an associated
 3154    netmask in the sudoers file.  In certain circumstances, this
 3155    could allow users to run commands on hosts they are not authorized
 3156    for.
 3158 What's new in Sudo 1.8.4p4?
 3160  * Fixed a bug introduced in Sudo 1.8.4 which prevented "sudo -v"
 3161    from working.
 3163 What's new in Sudo 1.8.4p3?
 3165  * Fixed a crash on FreeBSD when no tty is present.
 3167  * Fixed a bug introduced in Sudo 1.8.4 that allowed users to
 3168    specify environment variables to set on the command line without
 3169    having sudo "ALL" permissions or the "SETENV" tag.
 3171  * When visudo is run with the -c (check) option, the sudoers
 3172    file(s) owner and mode are now also checked unless the -f option
 3173    was specified.
 3175 What's new in Sudo 1.8.4p2?
 3177  * Fixed a bug introduced in Sudo 1.8.4 where insufficient space
 3178    was allocated for group IDs in the LDAP filter.
 3180  * Fixed a bug introduced in Sudo 1.8.4 where the path to sudo.conf
 3181    was "/sudo.conf" instead of "/etc/sudo.conf".
 3183  * Fixed a bug introduced in Sudo 1.8.4 which could cause a hang
 3184    when I/O logging is enabled and input is from a pipe or file.
 3186 What's new in Sudo 1.8.4p1?
 3188  * Fixed a bug introduced in sudo 1.8.4 that broke adding to or
 3189    deleting from the env_keep, env_check and env_delete lists in
 3190    sudoers on some platforms.
 3192 What's new in Sudo 1.8.4?
 3194  * The -D flag in sudo has been replaced with a more general debugging
 3195    framework that is configured in sudo.conf.
 3197  * Fixed a false positive in visudo strict mode when aliases are
 3198    in use.
 3200  * Fixed a crash with "sudo -i" when a runas group was specified
 3201    without a runas user.
 3203  * The line on which a syntax error is reported in the sudoers file
 3204    is now more accurate.  Previously it was often off by a line.
 3206  * Fixed a bug where stack garbage could be printed at the end of
 3207    the lecture when the "lecture_file" option was enabled.
 3209  * "make install" now honors the LINGUAS environment variable.
 3211  * The #include and #includedir directives in sudoers now support
 3212    relative paths.  If the path is not fully qualified it is expected
 3213    to be located in the same directory of the sudoers file that is
 3214    including it.
 3216  * Serbian and Spanish translations for sudo from translationproject.org.
 3218  * LDAP-based sudoers may now access by group ID in addition to
 3219    group name.
 3221  * visudo will now fix the mode on the sudoers file even if no changes
 3222    are made unless the -f option is specified.
 3224  * The "use_loginclass" sudoers option works properly again.
 3226  * On systems that use login.conf, "sudo -i" now sets environment
 3227    variables based on login.conf.
 3229  * For LDAP-based sudoers, values in the search expression are now
 3230    escaped as per RFC 4515.
 3232  * The plugin close function is now properly called when a login
 3233    session is killed (as opposed to the actual command being killed).
 3234    This can happen when an ssh session is disconnected or the
 3235    terminal window is closed.
 3237  * The deprecated "noexec_file" sudoers option is no longer supported.
 3239  * Fixed a race condition when I/O logging is not enabled that could
 3240    result in tty-generated signals (e.g. control-C) being received
 3241    by the command twice.
 3243  * If none of the standard input, output or error are connected to
 3244    a tty device, sudo will now check its parent's standard input,
 3245    output or error for the tty name on systems with /proc and BSD
 3246    systems that support the KERN_PROC_PID sysctl.  This allows
 3247    tty-based tickets to work properly even when, e.g. standard
 3248    input, output and error are redirected to /dev/null.
 3250  * Added the --enable-kerb5-instance configure option to allow
 3251    people using Kerberos V authentication to specify a custom
 3252    instance so the principal name can be, e.g. "username/sudo"
 3253    similar to how ksu uses "username/root".
 3255  * Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in
 3256    the results, which would be incorrectly be interpreted as if the
 3257    sudoers file had specified a directory.
 3259  * "visudo -c" will now list any include files that were checked
 3260    in addition to the main sudoers file when everything parses OK.
 3262  * Users that only have read-only access to the sudoers file may
 3263    now run "visudo -c".  Previously, write permissions were required
 3264    even though no writing is down in check-only mode.
 3266  * It is now possible to prevent the disabling of core dumps from
 3267    within sudo itself by adding a line to the sudo.conf file like
 3268    "Set disable_coredump false".
 3270 What's new in Sudo 1.8.3p2?
 3272  * Fixed a format string vulnerability when the sudo binary (or a
 3273    symbolic link to the sudo binary) contains printf format escapes
 3274    and the -D (debugging) flag is used.
 3276 What's new in Sudo 1.8.3p1?
 3278  * Fixed a crash in the monitor process on Solaris when NOPASSWD
 3279    was specified or when authentication was disabled.
 3281  * Fixed matching of a Runas_Alias in the group section of a
 3282    Runas_Spec.
 3284 What's new in Sudo 1.8.3?
 3286  * Fixed expansion of strftime() escape sequences in the "log_dir"
 3287    sudoers setting.
 3289  * Esperanto, Italian and Japanese translations from translationproject.org.
 3291  * Sudo will now use PAM by default on AIX 6 and higher.
 3293  * Added --enable-werror configure option for gcc's -Werror flag.
 3295  * Visudo no longer assumes all editors support the +linenumber
 3296    command line argument.  It now uses a allowlist of editors known
 3297    to support the option.
 3299  * Fixed matching of network addresses when a netmask is specified
 3300    but the address is not the first one in the CIDR block.
 3302  * The configure script now check whether or not errno.h declares
 3303    the errno variable.  Previously, sudo would always declare errno
 3304    itself for older systems that don't declare it in errno.h.
 3306  * The NOPASSWD tag is now honored for denied commands too, which
 3307    matches historic sudo behavior (prior to sudo 1.7.0).
 3309  * Sudo now honors the "DEREF" setting in ldap.conf which controls
 3310    how alias dereferencing is done during an LDAP search.
 3312  * A symbol conflict with the pam_ssh_agent_auth PAM module that
 3313    would cause a crash been resolved.
 3315  * The inability to load a group provider plugin is no longer
 3316    a fatal error.
 3318  * A potential crash in the utmp handling code has been fixed.
 3320  * Two PAM session issues have been resolved.  In previous versions
 3321    of sudo, the PAM session was opened as one user and closed as
 3322    another.  Additionally, if no authentication was performed, the
 3323    PAM session would never be closed.
 3325  * Sudo will now work correctly with LDAP-based sudoers using TLS
 3326    or SSL on Debian systems.
 3328  * The LOGNAME, USER and USERNAME environment variables are preserved
 3329    correctly again in sudoedit mode.
 3331 What's new in Sudo 1.8.2?
 3333  * Sudo, visudo, sudoreplay and the sudoers plug-in now have natural
 3334    language support (NLS). This can be disabled by passing configure
 3335    the --disable-nls option.  Sudo will use gettext(), if available,
 3336    to display translated messages.  All translations are coordinated
 3337    via The Translation Project, https://translationproject.org/.
 3339  * Plug-ins are now loaded with the RTLD_GLOBAL flag instead of
 3340    RTLD_LOCAL.  This fixes missing symbol problems in PAM modules
 3341    on certain platforms, such as FreeBSD and SuSE Linux Enterprise.
 3343  * I/O logging is now supported for commands run in background mode
 3344    (using sudo's -b flag).
 3346  * Group ownership of the sudoers file is now only enforced when
 3347    the file mode on sudoers allows group readability or writability.
 3349  * Visudo now checks the contents of an alias and warns about cycles
 3350    when the alias is expanded.
 3352  * If the user specifies a group via sudo's -g option that matches
 3353    the target user's group in the password database, it is now
 3354    allowed even if no groups are present in the Runas_Spec.
 3356  * The sudo Makefiles now have more complete dependencies which are
 3357    automatically generated instead of being maintained manually.
 3359  * The "use_pty" sudoers option is now correctly passed back to the
 3360    sudo front end.  This was missing in previous versions of sudo
 3361    1.8 which prevented "use_pty" from being honored.
 3363  * "sudo -i command" now works correctly with the bash version
 3364    2.0 and higher.  Previously, the .bash_profile would not be
 3365    sourced prior to running the command unless bash was built with
 3368  * When matching groups in the sudoers file, sudo will now match
 3369    based on the name of the group instead of the group ID. This can
 3370    substantially reduce the number of group lookups for sudoers
 3371    files that contain a large number of groups.
 3373  * Multi-factor authentication is now supported on AIX.
 3375  * Added support for non-RFC 4517 compliant LDAP servers that require
 3376    that seconds be present in a timestamp, such as Tivoli Directory Server.
 3378  * If the group vector is to be preserved, the PATH search for the
 3379    command is now done with the user's original group vector.
 3381  * For LDAP-based sudoers, the "runas_default" sudoOption now works
 3382    properly in a sudoRole that contains a sudoCommand.
 3384  * Spaces in command line arguments for "sudo -s" and "sudo -i" are
 3385    now escaped with a backslash when checking the security policy.
 3387 What's new in Sudo 1.8.1p2?
 3389  * Two-character CIDR-style IPv4 netmasks are now matched correctly
 3390    in the sudoers file.
 3392  * A build error with MIT Kerberos V has been resolved.
 3394  * A crash on HP-UX in the sudoers plugin when wildcards are
 3395    present in the sudoers file has been resolved.
 3397  * Sudo now works correctly on Tru64 Unix again.
 3399 What's new in Sudo 1.8.1p1?
 3401  * Fixed a problem on AIX where sudo was unable to set the final
 3402    UID if the PAM module modified the effective UID.
 3404  * A non-existent includedir is now treated the same as an empty
 3405    directory and not reported as an error.
 3407  * Removed extraneous parens in LDAP filter when sudoers_search_filter
 3408    is enabled that can cause an LDAP search error.
 3410  * Fixed a "make -j" problem for "make install".
 3412 What's new in Sudo 1.8.1?
 3414  * A new LDAP setting, sudoers_search_filter, has been added to
 3415    ldap.conf.  This setting can be used to restrict the set of
 3416    records returned by the LDAP query.  Based on changes from Matthew
 3417    Thomas.
 3419  * White space is now permitted within a User_List when used in
 3420    conjunction with a per-user Defaults definition.
 3422  * A group ID (%#GID) may now be specified in a User_List or Runas_List.
 3423    Likewise, for non-Unix groups the syntax is %:#GID.
 3425  * Support for double-quoted words in the sudoers file has been fixed.
 3426    The change in 1.7.5 for escaping the double quote character
 3427    caused the double quoting to only be available at the beginning
 3428    of an entry.
 3430  * The fix for resuming a suspended shell in 1.7.5 caused problems
 3431    with resuming non-shells on Linux.  Sudo will now save the process
 3432    group ID of the program it is running on suspend and restore it
 3433    when resuming, which fixes both problems.
 3435  * A bug that could result in corrupted output in "sudo -l" has been
 3436    fixed.
 3438  * Sudo will now create an entry in the utmp (or utmpx) file when
 3439    allocating a pseudo-tty (e.g. when logging I/O).  The "set_utmp"
 3440    and "utmp_runas" sudoers file options can be used to control this.
 3441    Other policy plugins may use the "set_utmp" and "utmp_user"
 3442    entries in the command_info list.
 3444  * The sudoers policy now stores the TSID field in the logs
 3445    even when the "iolog_file" sudoers option is defined to a value
 3446    other than %{sessid}.  Previously, the TSID field was only
 3447    included in the log file when the "iolog_file" option was set
 3448    to its default value.
 3450  * The sudoreplay utility now supports arbitrary session IDs.
 3451    Previously, it would only work with the base-36 session IDs
 3452    that the sudoers plugin uses by default.
 3454  * Sudo now passes "run_shell=true" to the policy plugin in the
 3455    settings list when sudo's -s command line option is specified.
 3456    The sudoers policy plugin uses this to implement the "set_home"
 3457    sudoers option which was missing from sudo 1.8.0.
 3459  * The "noexec" functionality has been moved out of the sudoers
 3460    policy plugin and into the sudo front-end, which matches the
 3461    behavior documented in the plugin writer's guide.  As a result,
 3462    the path to the noexec file is now specified in the sudo.conf
 3463    file instead of the sudoers file.
 3465  * On Solaris 10, the PRIV_PROC_EXEC privilege is now used to
 3466    implement the "noexec" feature.  Previously, this was implemented
 3467    via the LD_PRELOAD environment variable.
 3469  * The exit values for "sudo -l", "sudo -v" and "sudo -l command"
 3470    have been fixed in the sudoers policy plugin.
 3472  * The sudoers policy plugin now passes the login class, if any,
 3473    back to the sudo front-end.
 3475  * The sudoers policy plugin was not being linked with requisite
 3476    libraries in certain configurations.
 3478  * Sudo now parses command line arguments before loading any plugins.
 3479    This allows "sudo -V" or "sudo -h" to work even if there is a problem
 3480    with sudo.conf
 3482  * Plugins are now linked with the static version of libgcc to allow
 3483    the plugin to run on a system where no shared libgcc is installed,
 3484    or where it is installed in a different location.
 3486 What's new in Sudo 1.8.0?
 3488  * Sudo has been refactored to use a modular framework that can
 3489    support third-party policy and I/O logging plugins.  The default
 3490    plugin is "sudoers" which provides the traditional sudo functionality.
 3491    See the sudo_plugin manual for details on the plugin API and the
 3492    sample in the plugins directory for a simple example.
 3494 What's new in Sudo 1.7.5?
 3496  * When using visudo in check mode, a file named "-" may be used to
 3497    check sudoers data on the standard input.
 3499  * Sudo now only fetches shadow password entries when using the
 3500    password database directly for authentication.
 3502  * Password and group entries are now cached using the same key
 3503    that was used to look them up.  This fixes a problem when looking
 3504    up entries by name if the name in the retrieved entry does not
 3505    match the name used to look it up.  This may happen on some systems
 3506    that do case insensitive lookups or that truncate long names.
 3508  * GCC will no longer display warnings on glibc systems that use
 3509    the warn_unused_result attribute for write(2) and other system calls.
 3511  * If a PAM account management module denies access, sudo now prints
 3512    a more useful error message and stops trying to validate the user.
 3514  * Fixed a potential hang on idle systems when the sudo-run process
 3515    exits immediately.
 3517  * Sudo now includes a copy of zlib that will be used on systems
 3518    that do not have zlib installed.
 3520  * The --with-umask-override configure flag has been added to enable
 3521    the "umask_override" sudoers Defaults option at build time.
 3523  * Sudo now unblocks all signals on startup to avoid problems caused
 3524    by the parent process changing the default signal mask.
 3526  * LDAP Sudoers entries may now specify a time period for which
 3527    the entry is valid.  This requires an updated sudoers schema
 3528    that includes the sudoNotBefore and sudoNotAfter attributes.
 3529    Support for timed entries must be explicitly enabled in the
 3530    ldap.conf file.  Based on changes from Andreas Mueller.
 3532  * LDAP Sudoers entries may now specify a sudoOrder attribute that
 3533    determines the order in which matching entries are applied.  The
 3534    last matching entry is used, just like file-based sudoers.  This
 3535    requires an updated sudoers schema that includes the sudoOrder
 3536    attribute.  Based on changes from Andreas Mueller.
 3538  * When run as sudoedit, or when given the -e flag, sudo now treats
 3539    command line arguments as pathnames.  This means that slashes
 3540    in the sudoers file entry must explicitly match slashes in
 3541    the command line arguments.  As a result, and entry such as:
 3542 	user ALL = sudoedit /etc/*
 3543    will allow editing of /etc/motd but not /etc/security/default.
 3545  * NETWORK_TIMEOUT is now an alias for BIND_TIMELIMIT in ldap.conf for
 3546    compatibility with OpenLDAP configuration files.
 3548  * The LDAP API TIMEOUT parameter is now honored in ldap.conf.
 3550  * The I/O log directory may now be specified in the sudoers file.
 3552  * Sudo will no longer refuse to run if the sudoers file is writable
 3553    by root.
 3555  * Sudo now performs command line escaping for "sudo -s" and "sudo -i"
 3556    after validating the command so the sudoers entries do not need
 3557    to include the backslashes.
 3559  * Logging and email sending are now done in the locale specified
 3560    by the "sudoers_locale" setting ("C" by default).  Email send by
 3561    sudo now includes MIME headers when "sudoers_locale" is not "C".
 3563  * The configure script has a new option, --disable-env-reset, to
 3564    allow one to change the default for the sudoers Default setting
 3565    "env_reset" at compile time.
 3567  * When logging "sudo -l command", sudo will now prepend "list "
 3568    to the command in the log line to distinguish between an
 3569    actual command invocation in the logs.
 3571  * Double-quoted group and user names may now include escaped double
 3572    quotes as part of the name.  Previously this was a parse error.
 3574  * Sudo once again restores the state of the signal handlers it
 3575    modifies before executing the command.  This allows sudo to be
 3576    used with the nohup command.
 3578  * Resuming a suspended shell now works properly when I/O logging
 3579    is not enabled (the I/O logging case was already correct).
 3581 What's new in Sudo 1.7.4p6?
 3583  * A bug has been fixed in the I/O logging support that could cause
 3584    visual artifacts in full-screen programs such as text editors.
 3586 What's new in Sudo 1.7.4p5?
 3588  * A bug has been fixed that would allow a command to be run without the
 3589    user entering a password when sudo's -g flag is used without the -u flag.
 3591  * If user has no supplementary groups, sudo will now fall back on checking
 3592    the group file explicitly, which restores historic sudo behavior.
 3594  * A crash has been fixed when sudo's -g flag is used without the -u flag
 3595    and the sudoers file contains an entry with no runas user or group listed.
 3597  * A crash has been fixed when the Solaris project support is enabled
 3598    and sudo's -g flag is used without the -u flag.
 3600  * Sudo no longer exits with an error when support for auditing is
 3601    compiled in but auditing is not enabled.
 3603  * Fixed a bug introduced in sudo 1.7.3 where the ticket file was not
 3604    being honored when the "targetpw" sudoers Defaults option was enabled.
 3606  * The LOG_INPUT and LOG_OUTPUT tags in sudoers are now parsed correctly.
 3608  * A crash has been fixed in "sudo -l" when sudo is built with auditing
 3609    support and the user is not allowed to run any commands on the host.
 3611 What's new in Sudo 1.7.4p4?
 3613  * A potential security issue has been fixed with respect to the handling
 3614    of sudo's -g command line option when -u is also specified.  The flaw
 3615    may allow an attacker to run commands as a user that is not authorized
 3616    by the sudoers file.
 3618  * A bug has been fixed where "sudo -l" output was incomplete if multiple
 3619    sudoers sources were defined in nsswitch.conf and there was an error
 3620    querying one of the sources.
 3622  * The log_input, log_output, and use_pty sudoers options now work correctly
 3623    on AIX.  Previously, sudo would hang if they were enabled.
 3625  * The "make install" target now works correctly when sudo is built in a
 3626    directory other than the source directory.
 3628  * The "runas_default" sudoers setting now works properly in a per-command
 3629    Defaults line.
 3631  * Suspending and resuming the bash shell when PAM is in use now works
 3632    correctly.  The SIGCONT signal was not propagated to the child process.
 3634 What's new in Sudo 1.7.4p3?
 3636  * A bug has been fixed where duplicate HOME environment variables could be
 3637    present when the env_reset setting was disabled and the always_set_home
 3638    setting was enabled in sudoers.
 3640  * The value of sysconfdir is now substituted into the path to the sudoers.d
 3641    directory in the installed sudoers file.
 3643  * Compilation problems on IRIX and other platforms have been fixed.
 3645  * If multiple PAM "auth" actions are specified and the user enters ^C at
 3646    the password prompt, sudo will no longer prompt for a password for any
 3647    subsequent "auth" actions.  Previously it was necessary to enter ^C for
 3648    each "auth" action.
 3650 What's new in Sudo 1.7.4p2?
 3652  * A bug where sudo could spin in a busy loop waiting for the child process
 3653    has been fixed.
 3655 What's new in Sudo 1.7.4p1?
 3657  * A bug introduced in sudo 1.7.3 that prevented the -k and -K options from
 3658    functioning when the tty_tickets sudoers option is enabled has been fixed.
 3660  * Sudo no longer prints a warning when the -k or -K options are specified
 3661    and the ticket file does not exist.
 3663  * It is now easier to cross-compile sudo.
 3665 What's new in Sudo 1.7.4?
 3667  * Sudoedit will now preserve the file extension in the name of the
 3668    temporary file being edited.  The extension is used by some
 3669    editors (such as emacs) to choose the editing mode.
 3671  * Time stamp files have moved from /var/run/sudo to either /var/db/sudo,
 3672    /var/lib/sudo or /var/adm/sudo.  The directories are checked for
 3673    existence in that order.  This prevents users from receiving the
 3674    sudo lecture every time the system reboots.  Time stamp files older
 3675    than the boot time are ignored on systems where it is possible to
 3676    determine this.
 3678  * The tty_tickets sudoers option is now enabled by default.
 3680  * Ancillary documentation (README files, LICENSE, etc) is now installed
 3681    in a sudo documentation directory.
 3683  * Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile"
 3684    in ldap.conf.
 3686  * Defaults settings that are tied to a user, host or command may
 3687    now include the negation operator.  For example:
 3688 	Defaults:!millert lecture
 3689    will match any user but millert.
 3691  * The default PATH environment variable, used when no PATH variable
 3692     exists, now includes /usr/sbin and /sbin.
 3694  * Sudo now uses polypkg (https://github.com/OneIdentity/Polypkg)
 3695    for cross-platform packing.
 3697  * On Linux, sudo will now restore the nproc resource limit before
 3698    executing a command, unless the limit appears to have been modified
 3699    by pam_limits.  This avoids a problem with bash scripts that open
 3700    more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX)
 3701    will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1).
 3703  * The HOME and MAIL environment variables are now reset based on the
 3704    target user's password database entry when the env_reset sudoers option
 3705    is enabled (which is the case in the default configuration).  Users
 3706    wishing to preserve the original values should use a sudoers entry like:
 3707 	Defaults env_keep += HOME
 3708    to preserve the old value of HOME and
 3709 	Defaults env_keep += MAIL
 3710    to preserve the old value of MAIL.
 3712  * Fixed a problem in the restoration of the AIX authdb registry setting.
 3714  * Sudo will now fork(2) and wait until the command has completed before
 3715    calling pam_close_session().
 3717  * The default syslog facility is now "authpriv" if the operating system
 3718    supports it, else "auth".
 3720 What's new in Sudo 1.7.3?
 3722  * Support for logging I/O for the command being run.
 3723    For more information, see the documentation for the "log_input"
 3724    and "log_output" Defaults options in the sudoers manual.  Also
 3725    see the sudoreplay manual for how to replay I/O log sessions.
 3727  * The use_pty sudoers option can be used to force a command to be
 3728    run in a pseudo-pty, even when I/O logging is not enabled.
 3730  * On some systems, sudo can now detect when a user has logged out
 3731    and back in again when tty-based time stamps are in use.  Supported
 3732    systems include Solaris systems with the devices file system,
 3733    Mac OS X, and Linux systems with the devpts filesystem (pseudo-ttys
 3734    only).
 3736  * On AIX systems, the registry setting in /etc/security/user is
 3737    now taken into account when looking up users and groups.  Sudo
 3738    now applies the correct the user and group ids when running a
 3739    command as a user whose account details come from a different
 3740    source (e.g. LDAP or DCE vs.  local files).
 3742  * Support for multiple 'sudoers_base' and 'uri' entries in ldap.conf.
 3743    When multiple entries are listed, sudo will try each one in the
 3744    order in which they are specified.
 3746  * Sudo's SELinux support should now function correctly when running
 3747    commands as a non-root user and when one of stdin, stdout or stderr
 3748    is not a terminal.
 3750  * Sudo will now use the Linux audit system with configure with
 3751    the --with-linux-audit flag.
 3753  * Sudo now uses mbr_check_membership() on systems that support it
 3754    to determine group membership.  Currently, only Darwin (Mac OS X)
 3755    supports this.
 3757  * When the tty_tickets sudoers option is enabled but there is no
 3758    terminal device, sudo will no longer use or create a tty-based
 3759    ticket file.  Previously, sudo would use a tty name of "unknown".
 3760    As a consequence, if a user has no terminal device, sudo will
 3761    now always prompt for a password.
 3763  * The passwd_timeout and timestamp_timeout options may now be
 3764    specified as floating point numbers for more granular timeout
 3765    values.
 3767  * Negating the fqdn option in sudoers now works correctly when sudo
 3768    is configured with the --with-fqdn option.  In previous versions
 3769    of sudo the fqdn was set before sudoers was parsed.
 3771 What's new in Sudo 1.7.2?
 3773  * A new #includedir directive is available in sudoers.  This can be
 3774    used to implement an /etc/sudo.d directory.  Files in an includedir
 3775    are not edited by visudo unless they contain a syntax error.
 3777  * The -g option did not work properly when only setting the group
 3778    (and not the user).  Also, in -l mode the wrong user was displayed
 3779    for sudoers entries where only the group was allowed to be set.
 3781  * Fixed a problem with the alias checking in visudo which
 3782    could prevent visudo from exiting.
 3784  * Sudo will now correctly parse the shell-style /etc/environment
 3785    file format used by pam_env on Linux.
 3787  * When doing password and group database lookups, sudo will only
 3788    cache an entry by name or by id, depending on how the entry was
 3789    looked up.  Previously, sudo would cache by both name and id
 3790    from a single lookup, but this breaks sites that have multiple
 3791    password or group database names that map to the same UID or
 3792    GID.
 3794  * User and group names in sudoers may now be enclosed in double
 3795    quotes to avoid having to escape special characters.
 3797  * BSM audit fixes when changing to a non-root UID.
 3799  * Experimental non-Unix group support.  Currently only works with
 3800    Quest Authorization Services and allows Active Directory groups
 3801    fixes for Minix-3.
 3803  * For Netscape/Mozilla-derived LDAP SDKs the certificate and key
 3804    paths may be specified as a directory or a file.  However, version
 3805    5.0 of the SDK only appears to support using a directory (despite
 3806    documentation to the contrary).  If SSL client initialization
 3807    fails and the certificate or key paths look like they could be
 3808    default file name, strip off the last path element and try again.
 3810  * A setenv() compatibility fix for Linux systems, where a NULL
 3811    value is treated the same as an empty string and the variable
 3812    name is checked against the NULL pointer.
 3814 What's new in Sudo 1.7.1?
 3816  * A new Defaults option "pwfeedback" will cause sudo to provide visual
 3817    feedback when the user is entering a password.
 3819  * A new Defaults option "fast_glob" will cause sudo to use the fnmatch()
 3820    function for file name globbing instead of glob().  When this option
 3821    is enabled, sudo will not check the file system when expanding wildcards.
 3822    This is faster but a side effect is that relative paths with wildcard
 3823    will no longer work.
 3825  * New BSM audit support for systems that support it such as FreeBSD
 3826    and Mac OS X.
 3828  * The file name specified with the #include directive may now include
 3829    a %h escape which is expanded to the short form of hostname.
 3831  * The -k flag may now be specified along with a command, causing the
 3832    user's timestamp file to be ignored.
 3834  * New support for Tivoli-based LDAP START_TLS, present in AIX.
 3836  * New support for /etc/netsvc.conf on AIX.
 3838  * The unused alias checks in visudo now handle the case of an alias
 3839    referring to another alias.
 3841 What's new in Sudo 1.7.0?
 3843  * Rewritten parser that converts sudoers into a set of data structures.
 3844    This eliminates a number of ordering issues and makes it possible to
 3845    apply sudoers Defaults entries before searching for the command.
 3846    It also adds support for per-command Defaults specifications.
 3848  * Sudoers now supports a #include facility to allow the inclusion of other
 3849    sudoers-format files.
 3851  * Sudo's -l (list) flag has been enhanced:
 3852     o applicable Defaults options are now listed
 3853     o a command argument can be specified for testing whether a user
 3854       may run a specific command.
 3855     o a new -U flag can be used in conjunction with "sudo -l" to allow
 3856       root (or a user with "sudo ALL") list another user's privileges.
 3858  * A new -g flag has been added to allow the user to specify a
 3859    primary group to run the command as.  The sudoers syntax has been
 3860    extended to include a group section in the Runas specification.
 3862  * A UID may now be used anywhere a username is valid.
 3864  * The "secure_path" run-time Defaults option has been restored.
 3866  * Password and group data is now cached for fast lookups.
 3868  * The file descriptor at which sudo starts closing all open files is now
 3869    configurable via sudoers and, optionally, the command line.
 3871  * Visudo will now warn about aliases that are defined but not used.
 3873  * The -i and -s command line flags now take an optional command
 3874    to be run via the shell.  Previously, the argument was passed
 3875    to the shell as a script to run.
 3877  * Improved LDAP support.  SASL authentication may now be used in
 3878    conjunction when connecting to an LDAP server.  The krb5_ccname
 3879    parameter in ldap.conf may be used to enable Kerberos.
 3881  * Support for /etc/nsswitch.conf.  LDAP users may now use nsswitch.conf
 3882    to specify the sudoers order.  E.g.:
 3883 	sudoers: ldap files
 3884    to check LDAP, then /etc/sudoers.  The default is "files", even
 3885    when LDAP support is compiled in.  This differs from sudo 1.6
 3886    where LDAP was always consulted first.
 3888  * Support for /etc/environment on AIX and Linux.  If sudo is run
 3889    with the -i flag, the contents of /etc/environment are used to
 3890    populate the new environment that is passed to the command being
 3891    run.
 3893  * If no terminal is available or if the new -A flag is specified,
 3894    sudo will use a helper program to read the password if one is
 3895    configured.  Typically, this is a graphical password prompter
 3896    such as ssh-askpass.
 3898  * A new Defaults option, "mailfrom" that sets the value of the
 3899    "From:" field in the warning/error mail.  If unspecified, the
 3900    login name of the invoking user is used.
 3902  * A new Defaults option, "env_file" that refers to a file containing
 3903    environment variables to be set in the command being run.
 3905  * A new flag, -n, may be used to indicate that sudo should not
 3906    prompt the user for a password and, instead, exit with an error
 3907    if authentication is required.
 3909  * If sudo needs to prompt for a password and it is unable to disable
 3910    echo (and no askpass program is defined), it will refuse to run
 3911    unless the "visiblepw" Defaults option has been specified.
 3913  * Prior to version 1.7.0, hitting enter/return at the Password: prompt
 3914    would exit sudo.  In sudo 1.7.0 and beyond, this is treated as
 3915    an empty password.  To exit sudo, the user must press ^C or ^D
 3916    at the prompt.
 3918  * visudo will now check the sudoers file owner and mode in -c (check)
 3919    mode when the -s (strict) flag is specified.
 3921  * A new Defaults option "umask_override" will cause sudo to set the
 3922    umask specified in sudoers even if it is more permissive than the
 3923    invoking user's umask.