01) sudo now works under hpux, aix, sunos, bsd43, ultrix, linux, osf and irix.
02) Files w/o the executable bit will be ignored if they are in your PATH.
03) If execv() fails, perror is called (which prints out an error based on
    errno) and sudo exits with -1.
04) Included in this shar should also be a version of getpass() derived from
    the bsd net-2 source which works on bsd, ultrix, hpux, aix, and irix
    at least. The latter three unixes have what I consider to be a broken
    getpass() in that if /dev/tty can't be opened it doesn't just use stdin
    like bsd getpass(). This means you cannot do: rsh host "sudo command"
    and have it work if your ticket has expired.
05) The Makefile has changed significantly. It now has defines for all
    supported architectures.
06) Changed MAXCOMMANDLENGTH from 48 bytes to MAXPATHLEN and included
    sys/param.h where appropriate.
07) Rewrote the code that expands links & paths. It now works correctly.
08) Added a define NEED_STRDUP so we don't conflict with the system's strdup(3)
09) Now does *not* pass LD_* environmental vars on to programs that get
    exec'd. Also removes SHLIB_PATH for hpux and _RLD_* for dec osf.
10) Now searches current dir last if '.' or '' are in PATH. Misses braindeath
    like './' but if that's in your path you deserve all the trojans you get.
11) Added in linux patches from drew + flex support.
12) Added insults back in from original sudo(8) (define USE_INSULTS).
13) visudo now uses EDITOR envar (from John_Rouillard@dl5000.bc.edu)
14) you can now specify a dir containing commands that a sudoer can do.
    (from John_Rouillard@dl5000.bc.edu)
15) Ported to Solaris 2.x (based on a port of sudo 1.1 done by UnixOps).
16) Took out setuid(0); setruid(uid); pairs that bracketed calls to
    update_timestamp() since they are unnecessary and setruid() is
    broken on systems without a setreuid(2) or setresuid(2) system call.
    (Ie: AIX and Solaris 2.x).
17) The bulk of sudo now runs with the caller's real uid. Grep for
    be_root() to find the exceptions.
18) Added SECURE_PATH as suggested by russells@ccu1.auckland.ac.nz.
19) Reworked clean_envp() to modify environ (not envp) so we can use
20) Now use execvp() instead of execve() so sudo /bin/kill works under
    broken solaris. This also fixed sudo /etc/fastboot under stock
    4.3 BSD. Basically, this means that any executable shell script that
    lacks a '#!/bin/sh' magic number will now work with sudo. Personally
    I think that the broken scripts should be fixed rather than changing
    sudo, but vendors will be broken. Sigh.
21) Added USE_EXECV define so you can make sudo use execv() if you
    want. Using execvp() shouldn't be a problem since it is always
    handed a non-relative path that begins with '/' but some people
    may not trust execvp().
22) Log file lines will no longer get truncated. Syslog entries that
    would overrun the syslog(3) line limit are continued on another entry.
23) When logging to a log file, long entries are indented to improve
24) Whenever the umask is changed, it is changed back to what it was
25) Log file is written as mode 600 instead of 644
26) Umask that sudo runs with may now be specified.
27) There is now a "configure" script.
28) Sudo will use ultra fast crypt (ufc) if it finds it for systems w/o
    a real crypt(3) (non-US ConvexOS/Secure for instance).
29) _BSD_COMPAT is now defined for Irix.
30) The global variable uid is now initialized to -2 because I'm paranoid.
31) Native Solaris 2 port from Matthew.Stier@aisg.com
32) Now use sysconf(2) instead of getdtablesize(2) if it is available
    (see change #31). Because of this the getdtablesize() emulation for
    hpux is no longer necessary.
33) Now only do a getcwd(3) or getwd(3) once and do it as the real user.
    Sudo should no longer complain that it can't get the cwd unless
    there is a real problem.
34) Changed some malloc'd globals of fixed length to be allocated from
    the stack instead as there was no win in allocating them from the
35) Fixed AIX STATIC_FLAGS as per the AIX faq.
36) Added -V flag to sudo and visudo (for version)
37) Now treat EACCES like EPERM when doing stat(2) in find_path.c
38) Added prototypes for sudo functions (via __P macro)
39) configure now uses uname(1) if it exists
40) gethostbyname(3) is now only called if you define FQDN. There's really
    no reason to not trust gethostname(2) and this way if name service is
41) added -v (validate) flag to sudo to update a timestamp w/o running
42) now use tgetpass() (getpass with a timeout)
43) find_path() now uses realpath(3)
44) wrote versions of realpath(3) and getcwd(3) for those without
45) wrote tgetpass()--a getpass() that times out via select(2)
46) sudo now uses posix signals if available
47) Finally added ConvexOS C2 security support from
    "Peter A. Nikitser, Systems Software Support, QUT" <P.NIKITSER@qut.edu.au>
48) You can now #undef MAILER if you don't run sendmail or the equivalent.
49) AFS support from adamh@austin.ibm.com
50) If you define BOTH_LOGS in sudo.h you can log both via syslog(3) *and*
51) Added ultrix /etc/auth (enhanced security) support.
52) Sudo now will work with a 4.2BSD syslog (SunOS < 4 && ultrix).
    Personally, I'd say you are better off logging to a file if
    your syslog is this ancient.
53) Changed realpath(3) to sudo_realpath() since we need to do the
    chdir(2) with the invoking uid. sudo_realpath() should be
    faster than vendor-supplied realpath(3)'s anyway...
54) No longer create a static binary on AIX since it reportedly
    causes problems on newer versions of AIX 3.x.
55) If sudo_realpath cannot chdir() back to cwd sudo will print
    an error and exit. Previously it would either fail silently
    or print an incorrect error message.
56) Moved code to send error mail to be after the log message.
    From rouilj@cs.umb.edu.
57) Added SUDO_USER and SUDO_UID envars. Suggested by John P. Rouillard
    (<rouilj@cs.umb.edu>).
58) Added -k and -h options and rearranged some of the code to be
    more modular and less braindamaged. This introduces the concept
    of "run modes" to sudo.
59) Fixed visudo and flex. visudo now calls yyrestart() if you are using
    flex instead of lex. From bostley@cs.colorado.edu.
60) Added a "cat page" for systems w/o nroff.
61) Fixed a bug whereby only the last directory specified in a Cmnd_Alias
    was checked. Reported by "James R. Hendrick" <hendrick@ctron.com>.
62) All .{c,lex,yacc} files now include both sys/types.h and unistd.h so
    we are sure to get the typedef of uid_t.

CHANGES from sudo 1.3.1

63) Added preliminary support for DEC OSF/1 protected passwords

CHANGES from sudo 1.3.1pl1

64) More support for DEC OSF/1 protected passwords (shadow passwords).

CHANGES from sudo 1.3.1pl2

65) Fixed mail logging to include the username as it should have.
66) Added hostname to log message in error mail.
67) Added -l flag to sudo to list the allowed/forbidden commands.
    Suggested by matthew@gateway.bsis.com (Matthew Stier)
68) Fixed bison warnings for parse.yacc and visudo.yacc.
    Pointed out by alfie@dcs.warwick.ac.uk (Nick Holloway).

CHANGES from sudo 1.3.1pl3

69) Sudo will now exit with an error if the command to be run is > MAXPATHLEN.
70) Test in configure for termios support was insufficient. It thought
    Nextstep 3.2 had termios just because it has termios.h (need to link
    with -posix for termios on NeXT's)

CHANGES from sudo 1.3.1pl4

71) First stab at Skey support.
72) Sudo now sets IFS to be SPACE, TAB, NEWLINE.
73) Sudo now sets the real and effective gid to root's group
    (based on passwd file).
74) Sudo now checks that the sudoers file is owned by a certain user
    and not readable or writable by anyone else.
    (based on a suggestion by Joerg Schumacher <schuma@ips.cs.tu-bs.de>)
75) Visudo now sets the owner on the new sudoers file based on #74
76) Sudo and visudo will now compile with byacc (Berkeley yacc).
77) If the rename(2) of stmp -> sudoers fails /bin/mv is executed before
    bailing. Based on code from Case Larsen <clarsen@mh1.lbl.gov>.
78) User-level configuration is now done in options.h.
79) Moved all compatibility #defines to compat.h
80) Incorporated new parsing code from Chris Jepeway <jepeway@cs.utk.edu>.
    This is much better than the previous parser.
81) Rewrote visudo.c and tickled parse.yacc to work with it. Visudo
    now gives you options if a parse error occurs rather than blindly
    dumping you back in the editor.
82) Took out all references to realpath since we are now checking based
    in inode and device (with Chris' new parser). The upshot of this
    is that path matches are done safely and the symlink problem has
83) Fixed bison warnings from new parse.yacc.
84) Added a default case to parse.lex to error on unmatched tokens as Chris
85) Converted configure.in and acsite.m4 to autoconf 2.1.
86) Added lsearch.c and search.h for os's w/o lsearch()/lfind().
87) Sudo now checks to see that the file it is executing is a regular file
    (was just checking the execute bit so dirs slipped through).
    Pointed out by Barb Dijker <barb@labyrinth.com>.
88) Fixed a problem on HP-UX trusted systems with getpwuid() returning "*"
    unless the real uid is 0. Reported by Brian Cunnie (cunnie@nyc.hp.com).
89) configure now checks for size_t and ssize_t in unistd.h as well
90) configure now checks for egrep before actually using it.
91) configure now checks for a working void implementation (ie: void * as
    a generic pointer) and sets VOID to void or char accordingly.
92) Added support for SunOS 4.x C2 security (shadow passwords) from
    Kendall Libby (fubar@shore.net)
93) Changed all occurrences of bzero() to memset() and bcopy() to
94) Fixed a bug in sudo.c. If a user has no passwd entry sudo would
    dump core (writing to a garbage pointer). Pointed out by
    Stephen Schaefer <sps@gateway.bsis.com>.
95) Worked around a bug in AIX's lex in parse.c. AIX lex doesn't seem
    to handle {x,y} range notation correctly. Bleah.
96) Sudo would not report a failed attempt if the user entered return
    at the 2nd password: prompt so someone trying to guess a password
    could just invoke sudo multiple times and try one passwd at a time.
    Reported by Jonathan Adams <jonathan@smada.com>.
97) Added User_Alias facility.
98) Rewrote most of the ip address / network support. Now works on all
    systems sudo has currently been tested on.
99) Sudo now sets SUDO_COMMAND and SUDO_GID envariables in addition to
    SUDO_USER and SUDO_UID.
100) Added changes to configure.in for UnixWare.
    (from John Warburton <jwarb@SACBH.com.au>)
101) Merged in changes for Interactive Unix and RISCos.
    (from Andy Smith <abs@maunsell.co.uk>)
102) Added testsudoers (from Chris Jepeway <jepeway@cs.utk.edu>).
103) Added fix for parse.yacc to avoid the kludge I was doing.
    (from Chris Jepeway <jepeway@cs.utk.edu>)
104) Now remove the IFS envar if set instead of setting it to a "safe"
    value to avoid problems with make and others.
105) Added FAST_MATCH option to check basenames of sudo command and
    paths listed in sudoers file. If the basename doesn't match
    then it is not a match. If the basename matches, then do
    a stat to make sure it is a valid match.
106) Now only stat(2) cmnd once in path_matches() (in parse.c). Sudo
    was stating cmnd for *every* attempted match. Now the stat struct
    is cached (ie: the var is a static).
107) Signal handlers in visudo are now only installed after the stmp
    file is opened. Previously, it was possible to erase an open
    stmp file by sending visudo a signal within a small window.
108) Added Goon Show insults from Russell Street <r.street@auckland.ac.nz>.
109) Broke out the insults into separate include files (insults.h
    is the master and includes the appropriate one).
110) Now use getwd() instead of getcwd() and provide emulation for
    OS's w/o it. This was done since some OS's with getwd()
    implement getcwd() via a pipe to pwd(1). By emulating getwd()
    by calling getcwd() on OS's w/o getwd() we lose nothing since
    the compiler should optimize away the extra function call.
111) Added crypt() for DEC OSF/1 3.x enhanced security.
    From "Richard L Jackson Jr" <rjackson@osf1.gmu.edu>.
112) Added an option to run the command in the background (-b) as
    suggested by Jonathan Adams <jonathan@smada.com>
113) First stab at kerberos support. I'm not really sure it is
    possible to do this in a sane manner. Sigh.
114) Better kerberos support. Had to use setreuid(2) but falls
    back on a kludge if that does not exist or is broken.
115) Added -p (password prompt) support.
    Suggested by "David W. Cooley" <dwcooley@COLBY.EDU>
116) Added partial implementation of -l (list) flag.
    This is probably as good as it will get until sudo:tng.
117) Added anti-spoofing code to tighten up a race condition
    where a user could run sudo some_link and then change
    where the link pointed after the old link had been
    validated but before the exec().
118) Now update timestamp file via utime() (and emulate via utimes()
    if necessary) to eliminate a small race. Works with
    both POSIX utime() as well as old utime() in BSD <= 4.3.
119) Kerberos ticket file now lives in same dirs as sudo timestamp
    files (to avoid trouncing on normal ticket file) and is removed
120) Now log tty user is on as well as pwd in sudo logs.

CHANGES from sudo 1.3.2 BETA

121) Fixed a bug in the anti-spoofing check.
122) Fixed up ISC support so that it works and looks like non-streams
    stuff in interfaces.c.
123) Now deal correctly with ip implementations that have an sa_len
    field in struct sockaddr.
124) Check ownership and permissions on timestamp dir and ignore if
    not owned by root and mode 0700. Problem pointed out by Larry Auton
    <lda@research.AT&T.com> and Navjot Singh <singh@research.AT&T.com>.
125) Ignore timestamp files with preposterous dates to keep people from
    faking out sudo on OS's that allow you to give away files to root.
    Problem pointed out by Larry Auton <lda@research.AT&T.com> and
    Navjot Singh <singh@research.AT&T.com>.
126) A timeout of 0 will now cause a password to be entered every
    time. Based on a suggestion by Larry Auton <lda@research.AT&T.com>
    and Navjot Singh <singh@research.AT&T.com>.
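
The timestamp checks from changes 124 through 126, sketched as an added example (this is not sudo's own code). The function and type names are hypothetical, and two details are assumptions the changelog does not state: "preposterous" is taken to mean an mtime more than twice the timeout in the future, and ticket files are expected to be root-owned regular files.

```c
#define _XOPEN_SOURCE 700   /* lstat() and S_IF* macros under strict -std modes */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <time.h>

/* Hypothetical result type for this example. */
enum ticket_status { TICKET_CURRENT, TICKET_NEED_PASSWORD };

/*
 * Decide whether a timestamp ("ticket") may be honoured.  Works on stat
 * results rather than paths so the policy can be exercised without root.
 */
enum ticket_status
check_ticket(const struct stat *dir, const struct stat *ticket,
             time_t now, int timeout_min)
{
    time_t timeout_secs;

    /* Change 126: a timeout of 0 means the password is always required. */
    if (timeout_min <= 0)
        return TICKET_NEED_PASSWORD;

    /* Change 124: ignore the directory unless root-owned and exactly 0700. */
    if (!S_ISDIR(dir->st_mode) || dir->st_uid != 0 ||
        (dir->st_mode & 07777) != 0700)
        return TICKET_NEED_PASSWORD;

    /* Assumption: a valid ticket is a regular file owned by root. */
    if (!S_ISREG(ticket->st_mode) || ticket->st_uid != 0)
        return TICKET_NEED_PASSWORD;

    timeout_secs = (time_t)timeout_min * 60;

    /*
     * Change 125: a file pre-dated far into the future and then given away
     * to root must not count as a ticket.  The 2x threshold is assumed.
     */
    if (ticket->st_mtime > now + 2 * timeout_secs)
        return TICKET_NEED_PASSWORD;

    /* Ordinary expiry. */
    if (now - ticket->st_mtime >= timeout_secs)
        return TICKET_NEED_PASSWORD;

    return TICKET_CURRENT;
}

/* Path wrapper: lstat() so a symlink is never followed to a trusted file. */
enum ticket_status
check_ticket_path(const char *dirpath, const char *ticketpath, int timeout_min)
{
    struct stat dir, ticket;

    if (lstat(dirpath, &dir) != 0 || lstat(ticketpath, &ticket) != 0)
        return TICKET_NEED_PASSWORD;
    return check_ticket(&dir, &ticket, time(NULL), timeout_min);
}

/* Helper that builds constructed stat records for the demonstration. */
struct stat
make_stat(mode_t mode, uid_t uid, time_t mtime)
{
    struct stat sb;

    memset(&sb, 0, sizeof(sb));
    sb.st_mode = mode;
    sb.st_uid = uid;
    sb.st_mtime = mtime;
    return sb;
}

int
main(void)
{
    time_t now = 1000000;                       /* constructed clock value */
    struct stat dir = make_stat(S_IFDIR | 0700, 0, 0);
    struct stat loose = make_stat(S_IFDIR | 0755, 0, 0);
    struct stat fresh = make_stat(S_IFREG | 0600, 0, now - 60);
    struct stat future = make_stat(S_IFREG | 0600, 0, now + 86400);

    printf("fresh ticket, 0700 dir : %d\n", check_ticket(&dir, &fresh, now, 5));
    printf("fresh ticket, 0755 dir : %d\n", check_ticket(&loose, &fresh, now, 5));
    printf("future-dated ticket    : %d\n", check_ticket(&dir, &future, now, 5));
    printf("timeout of 0           : %d\n", check_ticket(&dir, &fresh, now, 0));
    return 0;
}
```
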

CHANGES from sudo 1.3.3 BETA

127) Cleaned up interfaces.c so that it is more readable.
128) Added support for syslog()'s that don't guarantee delivery
    of a message. HP-UX is the only known offender.
129) No longer use memmove() since memcpy() does what we need and
    configure doesn't always catch memmove() even when it is
    there (may be a library problem).
130) Updated man page to reflect two more security issues.
131) Cleaned up shadow password support in check.c. It should now
132) Added SCO support.
133) Added check to configure to find the max length of a uid_t
134) Removed uid2str() since we now know how big a uid_t/gid_t
    can be. This eliminates a few malloc()'s.
135) Added support for multiple insult types. Based on code and
    a suggestion from Dieter Dworkin Muller <dworkin@village.org>.
136) Replaced clean_env() and rmenv() with a rewritten clean_env()
    that should be a little faster. This also makes it easier to
    add to the list of "dangerous" envariables.
137) Added netgroup support. Netgroups must start with a leading
    "+" so that sudo knows it is a netgroup.
138) Split out sudoers file format into its own man page.
    As suggested by Andy Smith <abs@maunsell.co.uk>.
139) Updated testsudoers.c to grok netgroups.

CHANGES from sudo 1.3.4 BETA

140) Added SecurID support from Giles Todd <giles@gt.demon.co.uk>.
141) Added -s flag to start a root shell and -- to signify end of args.
142) Sped up logging routines by replacing strncpy()'s with strcat()'s.
    This is safe because we dynamically allocate logline to be big enough.
143) Now support command line arguments in the sudoers file.
144) Sped up the loading of command line arguments. This fixes the
    "commands with large argc's take forever to run" bug.
145) Expanded MAXCOMMANDLEN to 8K since we now have to deal with
    command line arguments. Added bounds checking in fill() and
    append() so we don't drop core.
    XXX - 8k makes sudo *SLOW*
146) Added support in the lexer for "termination characters" to be
    escaped. Ie: you can now use [\,:=] in command line args
    as long as you escape with a \.
147) Testsudoers can now deal with commands that have arguments.
148) If a file is not executable or not a regular file sudo will
    now give the appropriate error message instead of just
    "command not found" which is misleading.
149) Fixed a bug where if FQDN is set, load_interfaces() was never
150) tty is now a global so it can be used in the ticket file
151) Strings in the parser are now allocated dynamically. This results
    in a large speedup as compared to a 1K array on the stack. I
    have freed the strings in the parser where appropriate but that
    may not catch all instances. Even so, the average sudo now
    takes up less memory than the 1K array version.
152) Fixed a bug in tgetpass() and configure that broke termio/termios
    support for some OS's.
153) Added cheapo implementation of tty-based timestamps. The correct
    way is to have username be a directory with the tty tickets
    inside. However, the current code does not take to that very
    well, and it does not allow the two systems to coexist. Therefore,
    instead of timestampdir/user/tty it is timestampdir/user.tty.
154) Added support for building in other than the source directory.
    Based on changes from "Simon J. Gerraty" <sjg@frodo.dn.itg.telecom.com.au>
155) options.h and pathnames.h are now included via angle brackets
    (<>) so as to use the -I include path. This way, those using
    a shadow build tree may have local copies of these headers
    w/o clobbering the distribution ones.
156) EXEMPTGROUP is now a string (group name) and user_is_exempt()
    is now less of a hack. It uses getgrnam(EXEMPTGROUP) to
    get a list of users in the exempted group.
157) --prefix and --exe_prefix are now honored in the Makefile.
158) Sudo will now behave reasonably in the case where the sudoers
    file location is mounted via NFS and the client does not
    have "root" NFS privs.
159) _PATH_SUDO_SUDOERS, _PATH_SUDO_STMP, and SUDOERS_OWNER are
    now set via the Makefile since that appears to be what
    most people expect...
160) Now include a pre-generated version of parse.lex since so many
    versions of lex are brain damaged. If parse.lex is changed
    a new lex.yy.c will be generated. The distribution copy is
161) Upgraded to GNU autoconf version 1.5. There are now even

CHANGES from sudo 1.3.5 BETA

162) Fixed S/Key support.
163) Cleaned up shadow password support further by moving much of
164) First cut at DCE support. [needs work to be functional]
165) New Digital UNIX C2 support based on code from
    "Randy M. Hayman" <haymanr@icefog.sois.alaska.edu>
166) S/key support now works with the generic bellcore s/key
    as well as the s/key from Wietse Venema's logdaemon.
    (Previously only worked with the logdaemon s/key).
    As an added bonus the s/key challenge is now embedded
    in the password prompt for a cleaner look.
167) lsearch.c will now compile on a strict ANSI C compiler.
    ANSI doesn't allow pointer arithmetic on a "void *"
168) Bought back latest HP-UX DCE support from Jeff Earickson
    <jaearick@colby.edu>.
169) configure now completely groks $SUDO_LIBS and $VISUDO_LIBS.
    Plain old $LIBS is no longer used. LDFLAGS has also been
    split up into $SUDO_LDFLAGS and $VISUDO_LDFLAGS.
    The reason for this is that sudo often needs extra libs
    for alternate authentication schemes but visudo rarely does.
170) The code to copy command arguments failed for large values of
    argc due to realloc() lossage. We now cheat and treat argv[]
    as a flat string (since that's what it is) and use pointer
    arithmetic to compute the length. Kind of sneaky but it
    works (and is relatively fast).

CHANGES from sudo 1.3.6 BETA

171) Added support for UN*X groups in sudoers based on code from
    Dougal Scott <dwagon@aaii.oz.au>.
172) interfaces.c should work on ISC UN*X again.
173) All source files are <= 14 characters for old SYSV file systems.

CHANGES from sudo 1.3.7 GAMMA

174) Minor configure[.in] fixes.
175) tgetpass.c now compiles on OS's that put the definition of
    fd_set in <sys/bsdtypes.h>

CHANGES from sudo 1.4

176) Command args in sudoers are now stored in an argument vector
    instead of a flat string to make wildcard matching simpler.
177) Added NewArgv and NewArgc that describe the command to be
    executed. The copy of args in cmnd_args is no longer necessary
    and has been removed.
178) Using strcmp(3) for argument matching in command_matches()
    (was path_matches()) is no longer sufficient since we don't
    have a flat string. compare_args() is used instead which
    calls either strcmp(3) or wildmat(3l) depending on whether
    there are shell-style meta chars (wildcards) present.
179) Shell-style wildcard matches are now available in the sudoers
    file. Matches are done via Rich $alz's wildmat(3).
    This required the tweaks described in #176-178 as well as
    other, more minor, changes.
180) Commented out rule to build lex.yy.c from parse.lex since
    we ship with a pre-flex'd parser and can't rely on file
    dates being set correctly.
181) Fixed visudo and testsudoers to deal with new argument
182) A null string ("") as shell in passwd file (or $SHELL) is
    now treated as the bourne shell.
183) Converted *.man to pod format for easy conversion to man,
    html, latex, and just plain text. Tried to make the
    sudoers manual easier to read in the process.
184) Updated sample.sudoers and sudoers.pod to include info

CHANGES from sudo 1.4.1

185) compat.h now defines _PASSWD_LEN based on PASS_MAX if it
    is defined (from limits.h on SYSV).
186) Both short and long hostnames may now be used in the sudoers
    file if FQDN is defined. From patches submitted by
    Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>.
187) Now use skeylookup() instead of skeychallenge(). Hopefully
    this will work around a problem some people have reported
    on Solaris 2.5 with sudo and logdaemon 5.0's skey.
188) Now uses /var/run to hold timestamp files if it exists. This
189) configure now puts the timestamp dir in /var/run if it exists.
    Suggestion by Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>.
190) Both short and long hostnames now exist even if FQDN is not set.
    This allows machines with fully qualified hostnames set via
    hostname(1) to use them in the sudoers file.
191) sudo was not honoring "." in $PATH due to a bug in find_path().
192) Added IGNORE_DOT_PATH option to ignore "." in $PATH.
193) tgetpass() now uses raw read(2) and write(2) instead of stdio.
    This should make it work on more OS's. Previously, it used
    stdio (buffered) fgets(3) and fputs(3) with select(2) which
    may not be legal. Also got rid of the nasty goto's and
    generally simplified the code.
194) Parser now supports hostnames like UPPERCASE.foo.com. Previously,
    `UPPERCASE' was interpreted as an Alias. This means that
    the `fqdn' stuff has been moved to the lexer (FQHOST is used
    to avoid collision with FQDN option).
195) Reworked --with-FOO in configure.in to support --without-FOO.
    Made shadow passwords the default for appropriate OS's. They
    can be turned off with --without-C2.
196) Added NO_PASSWD option for those who don't want to be bothered
    by a password prompt from sudo. This is really just a hack.
197) Added support for double quotes to mean "treat these words as one
    argument". This is similar to what most shells do.
198) Added mkinstalldirs to make install destination dirs if
    they do not already exist.

CHANGES from sudo 1.4.2

199) Added support for --with-CC (which C compiler to use).
200) Added support for NOPASSWD token and running commands as
    specified users (sudo -u) from Keith Garry Boyce
201) Only link with -lshadow for Linux if libc lacks getspnam(). Problem
    pointed out by Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>.
202) Replaced SUDOERS_OWNER with SUDOERS_UID and SUDOERS_GID. Added
    SUDOERS_MODE and changed the default to 0440 (from 0400).
    It is now possible to NFS-mount sudoers without doing anything fancy.
202) If a runas list is specified, a user may only run commands as
    "root" if "root" is a member of the runas list. The old behavior
    was to always allow commands to be run as root, even if a runas
    list was specified. Now you can give someone "sudo -u operator"
    and not have the equivalent of "sudo -u root" as well.
203) Added "USER=%s" to logging functions.
204) configure will now add -lPW to (VI)?SUDO_LIBS if using bison
    or DCE and alloca(3) is not in libc (or provided by gcc) but
205) sudo would give an incorrect error message if the sudoers file
    didn't exist due to close() stomping errno if the open() failed.
206) Fixed "shell" mode (sudo -s). When building NewArgv sudo was
    not allocating space for the NULL.
207) Added support for wildcards in the pathname. Ie: /bin/*.
208) 'command ""' in sudoers now means no args allowed.
209) Added command line args to SUDO_COMMAND envariable.
210) HP-UX 10.x with C2 now uses bigcrypt().
    Changes from david_dill@Merck.Com (David Dill).
211) lsearch.c will now compile w/o compiler warnings.
    (Updated from NetBSD lsearch.c)
212) Now uses POSIX fnmatch(3) (which uses ! instead of ^ in ranges)

CHANGES from sudo 1.4.3

213) Now allows network/netmask in sudoers to override per-interface
214) Fixed -u support with multiple user lists on a line.
215) Fixed a core dump problem when built with -DSHELL_IF_NO_ARGS.
216) Fixed 2 typos in parse.yacc and removed some unnecessary if's.
217) Now always use install-sh since SunOS install can't do uid/gid's.
    Other BSD installs are probably similarly afflicted.
218) Fixed NFS-mounted sudoers file under solaris both uid *and* gid
    were being set to -2. Now set uid to 1 to avoid group being
219) Now includes alloca.c (from gcc) for those w/o it. Linking
    against -lPW breaks visudo on HP-UX and probably others.
220) Added --with-libpath, --with-libraries, --with-incpath options
221) configure now uses shicc instead of gcc on BSD/OS >= 2.0 to
    generate binaries linked with shared libs.
222) The parser was setting no_passwd even if there wasn't a
    runas match. I reordered some things in parse.yacc
223) `sudo -v' (validate) wasn't paying attention to NOPASSWD.
224) testsudoers now groks "-u user".
225) Updated AFS support based on what tcsh 6.06 does.
226) Fixed a typo/thinko that broke BSD > 4.3reno wrt interfaces.c.
227) HPUX 10.X shadow password stuff now uses SecureWare routines.
228) SecureWare passwd checking now uses bigcrypt() if available.
    Now uses AUTH_MAX_PASSWD_LENGTH if defined.
229) configure now makes sure you don't have a config.cache file
230) Added better shadow password detection.
        BSD >= 4.3reno: /etc/master.passwd
        hpux9:          getspwnam()  -> /.secure/etc/passwd
        hpux10:         getspnam() or getprpwnam() -> /tcb/files/auth/*/* (link with -lsec)
        SVR4:           getspnam()   -> /etc/shadow
        solaris:        getspnam()   -> /etc/shadow
        irix[56].x:     getspnam()   -> /etc/shadow
        sunos 4.x:      getpwanam()  -> /etc/security/passwd.adjunct
        DUNIX:          getprpwnam() -> /tcb/files/auth/*/* (link with -lsecurity)
        SecureWare:     getprpwnam() -> /tcb/files/auth/*/*
        ultrix 4.x:     getauthuid() -> /etc/auth.{pag,dir}
231) '(' in command args no longer are a syntax error.
232) '!command' now works in the presence of a runas or NOPASSWD token.
    Simplified parse rules wrt runas and NOPASSWD (more consistent).
233) Command args are now compared as a flat string again. This makes
    wildcard matches more consistent.
234) DUNIX C2 support now groks AUTH_CRYPT_OLDCRYPT and AUTH_CRYPT_C1CRYPT.
235) configure now uses config.{sub,guess} to guess OS type.
    Sudo should work out of the box on more OS's now.
236) Got rid of HAVE_C2_SECURITY, now just use SHADOW_TYPE.
237) Fixed race in tgetpass() where echo can be turned off and
    left off if sudo is used in a pipeline and a password is

CHANGES from sudo 1.4.4

238) `sudo -l' output now includes runas and NOPASSWD info and
    asks for a password unless NOPASSWD for ALL is set.
239) Sudo can now deal with all-caps user and host names.
240) Sudo will now remove the "ENV" and "BASH_ENV" envariables.
    From Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>.
241) `sudo -l' will now expand Cmnd_Alias's (could be prettier).
242) `sudo -s' will now set $HOME to root's homedir (or that of
    the user specified -u) so dot files get sourced.

CHANGES from sudo 1.4.5

243) $HOME was always being set, not just with `-s'.
244) In visudo, the owner and group of the sudoers file were
    being set too early; an editor could change them and change
    the owner/group of the resulting sudoers file.
801 CHANGES from sudo 1.5
803 245) Added SHELL_SETS_HOME option.
805 246) Added NO_MESSAGE option.
807 247) Added %u and %h escapes in PASSPROMPT to expand to user's name
810 248) Added "SUDO_PROMPT" envariable.
812 249) Usernames may now begin with a digit. Gross, but people do it.
816 250) Added `opie' support.
818 251) Added check to make sure fnmatch() really works.
820 252) Now use the prompt S/Key gives us instead of rolling our own.
822 253) Added -H flag from Danny Barron <dcbarro@nppd.com>.
824 254) Add SUDO_PS1 envariable support.
826 255) Attempt at sequent support.
830 256) visudo acts sanely when there is no sudoers file.
832 257) Added Runas_Alias support.
834 258) Sudo will now work with SUDOERS_MODE == 400 and SUDO_UID = 0.
836 259) Alias's in a runas list are now expanded.
838 260) Fixed bug with > 32 saved aliases. Reported by BHH@capgroup.com.
840 261) Code that uses sprintf() is now more paranoid about buffer
843 262) Whitespace is now allowed after a line continuation character before
844 a newline in sudoers.
846 263) %h in MAILSUBJECT expands to local hostname.
850 264) Don't pass getdtablesize() as first arg to select(2). No need
851 to do this since we only select on one fd--use (fd+1) as nfds
852 and the old way caused problems on some systems (arguably
853 a bug in those OS's). From Marc Slemko marcs@znep.com.
855 265) Fixed coredump when passwd file is missing or unavailable.
856 Reported by Jason Downs <downsj@teeny.org> and
857 Klee Dienes <klee@mit.edu> (via a Debian Linux bug report).
859 266) Fixed bug wrt exclusion lists and relative pathnames.
860 Reported by osiris@COURIER.CB.LUCENT.COM.
862 267) exit(1) if user doesn't enter a passwd.
863 Noted by Alex Parchkov <alexp@ind.tansu.com.au>.
867 268) Newer versions of Irix use _RLDN32_* envariables for 32-bit binaries
868 so ignore _RLD* instead of _RLD_*. From tarrall@bamboo.Colorado.EDU.
870 269) Only open sudoers file once as opposed to once for sanity checks and
871 once for the parser. Also try to open ten times if we get EAGAIN.
875 270) Initialize group vector if we are becoming a user other than root.
876 For root, it is often more useful to hang on to our existing group
879 271) Fix usage of select(2) to deal correctly with a high-numbered fd.
881 272) Fixed a bug where sudo sometimes didn't give the user a chance to
882 enter a password at the prompt.
884 273) Use a dynamically sized buffer when reading ether interfaces.
886 274) Fixed configure problems with identification of HP-UX > 10.x and
887 with cc being identified as a cross compiler on some platforms.
889 275) Fixed a problem with HP-UX 10.x and alloca. Bison does not
890 include alloca.h on HP-UX 10.x even though it uses alloca()
891 (and thus needs the #define of alloca(x) to __builtin_alloca(x)).
892 To fix this we include alloca.h ourselves if using bison and not gcc.
894 276) Included support for the AIX 4.x authenticate() function from
895 Matt Richards <v2matt@btv.ibm.com>.
897 277) Fixed an off by one error in the parser. Found by
898 Piete Brooks <Piete.Brooks@cl.cam.ac.uk>
900 278) Change NewArgv size computation to work on UNICOS.
901 From Mike Kienenberger <mkienenb@arsc.edu>
903 279) Added --with-logfile and --with-timedir configure options.
905 280) Use getcwd(3), not getwd(3) to avoid possible buffer overflow.
906 Use BSD getcwd(3) if system lacks one or is SunOS 4.x.
908 281) Fix 'fprintf' argument mismatches in 'visudo.c'.
909 From ariel@oz.engr.sgi.com (Ariel Faigon)
911 282) Use waitpid or wait3 to reap children in logging.c.
912 Pointed out by Theo de Raadt <deraadt@theos.com>
914 283) Sudo should prompt for a password before telling the user that
915 a command could not be found. Noted by rhodie@NAC.NET.
917 284) Fix OTP_ONLY for opie; "Deven T. Corzine" <deven@fuse.net>.
919 285) Include pre-yacc'd parse.yacc as sudo.tab.[ch] since more and
920 more vendors are charging for yacc (bad vendor, no cookie).
922 286) Use MAX*, not MAX*+1
924 287) Add support for Hitachi SR2201, from b-edgington@hpcc.hitachi-eu.co.uk
926 288) Added RUNAS_DEFAULT option to allow one to compile sudo with a
927 default runas user other than root.
929 289) Add options to log the hostname in the file-based log and to not
930 do word wrap in file-based log. From Theo Van Dinter <tvd@chrysalis.com>
932 290) RedHat Linux pam support, from Gary Calvin <GCalvin@kenwoodusa.com>.
933 pam.sudo goes in /etc/pam.d/sudo on RedHat 5.0 and above.
935 291) With sudo -s, set command to the full path of the shell, not the basename.
936 Noted by Peter W. Osel <pwo@guug.de>
940 292) Pam auth now runs as root; necessary for shadow passwords.
942 293) Shadow password support is now compiled in by default. You can disable
943 it via --disable-shadow.
945 294) We now remove a timestamp file with a bogus date when it is detected.
946 From Steve Fobes <sfobes@uswest.com>.
948 295) In tgetpass(), restart select if it is interrupted. This really fixes a
949 problem where a user sometimes is not given a chance to enter a password.
951 296) All options have moved from options.h -> configure.
953 297) visudo is now installed in /usr/local/sbin where it belongs.
955 298) Lots of configure changes. Instead of checking for the existence
956 of -lsocket, -lnsl, or -linet, we instead check them for the
957 functions we need only if they are not already in libc.
959 299) Added DUNIX SIA (Security Integration Architecture) support from
960 Spider Boardman <spider@Orb.Nashua.NH.US>.
962 300) Added test for broken Digital UNIX 4.0 prot.h.
964 301) Better support for C2 security on Digital UNIX.
966 302) Hacked autoconf so that you can have single quotes in
969 303) For SecureWare-style shadow passwords use getprpwnam() instead
970 of getprpwuid() since getprpwuid is broken in HP-UX 10.20 at
971 least (it sleeps for 2 minutes if the shadow files don't exist).
973 304) We can't really trust UID_MAX or MAXUID since they may only exist for
974 backwards compatibility; spider-both@Orb.Nashua.NH.US
976 305) Make %groups work as RunAs specifiers; Ray Bellis <rpb@community.net.uk>.
978 306) Set USER environment variable to target user.
979 Suggested by Ray Bellis <rpb@community.net.uk>.
981 307) Go back to printing "command not found" unless --disable-path-info
982 specified. Also, tell user when we ignore '.' in their path and it
983 would have been used but for --with-ignore-dot.
985 308) When using tty tickets make it user:tty not user.tty as a username
986 could have a '.' in it.
988 309) Define BSD_COMP for svr4 to get BSD ioctl defs. Also, if we have
989 sys/sockio.h but SIOCGIFCONF is not defined by including sys/ioctl.h
990 include sys/sockio.h directly.
992 310) Fixed a bug that could cause "sudo -l" to segfault or complain
993 about non-existent syntax errors.
997 311) Fixed square bracket quoting in configure and moved check for -lnsl
998 to be before -lsocket.
1000 312) In load_interfaces(), close sock after we are done with it. Leak
1001 noticed by Mike Kienenberger <mkienenb@arsc.edu>.
1003 313) Missing pieces from change #308; from Mike Kienenberger.
1005 314) Real Kerberos 5 support from Frank Cusack <fcusack@iconnet.net>.
1007 315) FWTK 'authsrv' support from Kevin Kadow <kadow@MSG.NET>.
1009 316) Fixed handling and documentation of --with-umask.
1011 317) If the check for socket() or inet_addr() fails, retry, this time
1012 linking with both -lsocket and -lnsl for those systems that
1013 have interlibrary dependencies.
1015 Sudo 1.5.8 released.
1017 318) Add dirfd() macro for systems without it.
1019 319) Better check for socket() in -lsocket -lnsl in configure.
1021 320) Minor configure fixes.
1023 Sudo 1.5.8p1 released.
1025 321) Fixed a bug wrt quoting characters in command args.
1027 322) Make --without-sendmail work.
1029 Sudo 1.5.8p2 released.
1031 323) Fixed a segv if HOST_IN_LOG defined and gethostbyname() fails.
1032 Reported by Gero Treuner <gero@faveve.uni-stuttgart.de>.
1034 324) Fixed a parse bug wrt the ! operator and runas specs. Noted by
1035 David A Beck <BKD@payserv.telekurs.com>.
1037 325) Use new emalloc/erealloc/estrdup functions (catch errors and exit).
1039 326) New PAM code that should work on both Solaris and Linux.
1041 327) Make sudo's usage info better when mutually exclusive args are given
1042 and don't rely on argument order to detect this. From Nick Andrew.
1044 328) In visudo, shift return value of system() by 8 to get the real exit value.
1046 Sudo 1.5.9 released.
1048 329) The runas user and NOPASSWD tags are now persistent across entries
1049 in a command list (ie: cmnd1,cmnd2,cmnd3). A PASSWD tag has been
1050 added to reverse NOPASSWD. The runas user and *PASSWD tags can be
1051 overridden on a per-command basis at which point they become the
1052 new default for the rest of the list.
1054 330) It is now possible to use the '!' operator in a runas list as
1055 well as in a Cmnd_Alias, Host_Alias and User_Alias.
1057 331) In estrdup(), do the malloc ourselves so we don't need to rely on the
1058 system strdup(3) which may or may not exist. There is now no need to
1059 provide strdup() for those w/o it.
1061 332) You can now specify a host list instead of just a host or alias
1062 in a privilege list. Ie: user=host1,host2,ALIAS,!host3 /bin/ls
1064 333) Stash the "safe" path to the command instead of stashing the struct
1065 stat. Should be safer.
1067 334) Now set $LOGNAME in addition to $USER.
1069 335) No longer use stdio in tgetpass()
1071 336) Don't use _PASSWD_LEN or PASS_MAX as we can't rely on them corresponding
1072 to anything real. Instead, we just use a max password size of 256
1075 337) Block keyboard-generated signals during startup and restore signal
1076 mask before exec'ing the program. We don't want the user to be
1077 able to simply kill us and avoid logging.
1079 338) Rewrote timestamp handling. For the default case, a directory is used
1080 instead of a file. For the tty-based case, the timestamp is just a
1081 file in that directory (eg. /var/run/sudo/username/tty). You now only
1082 get the lecture once, even in the tty case. The goal here is to allow
1083 the tty and non-tty schemes to coexist, though it is worth noting that
1084 when you update a tty file, the mtime of the dir gets updated too.
1086 339) The meaning of -k has changed to mean "invalidate the timestamp".
1087 There is a new -K option to really remove the timestamp file/dir.
1089 340) New modular authentication API. This fixes the rat's nest of
1090 #ifdefs that was the old auth code.
1092 341) New logging functions. log_error() now takes a variable number of
1093 args ala printf() and log_auth() reacts to the return value of validate().
1095 342) If a user is not in the sudoers file they are still asked for a password.
1096 This keeps someone who finds a user logged in to a terminal from being
1097 able to tell whether or not the user is allowed to use sudo.
1099 343) New PAM code again, this time it should be correct.
1101 344) tgetpass() now has a flag to specify whether or not to turn
1102 off echo while reading the password. Used by the new PAM and
1105 345) Fixed shadow password detection on SCO.
1107 346) Sudo is now available under a BSD/Apache style license. This is
1108 possible because it no longer contains any of the original 1.1 code.
1110 347) Added configuration info when sudo is run with the -V flag by root.
1112 348) Change visudo tmp file from /etc/stmp -> /etc/sudoers.tmp since
1113 Solaris uses stmp for shadow temp file. Also rename _PATH_SUDO_SUDOERS
1114 to _PATH_SUDOERS and _PATH_SUDO_STMP to _PATH_SUDOERS_TMP.
1116 349) Added configure option to set syslog priorities.
1118 350) Sudo now locks its log file to prevent mangled entries.
1120 351) Visudo now locks the sudoers temp file instead of bailing when
1121 the temp file already exists. This fixes the problem of stale
1122 temp files but it does *require* that you not try to put the
1123 temp file in a world-writable directory. This should not be
1124 an issue as the temp file should live in the same dir as sudoers.
1126 352) Fixed crypt() check in libufc.
1128 353) It is now possible to put a list of users as the first thing in a
1129 user specification. I don't suggest this but it makes the grammar
1132 354) Visudo will now warn about what it thinks are undefined aliases.
1133 Since it can't be 100% sure, these are just warnings, not errors.
1135 355) Add a --without-passwd option to configure that turns off
1136 passwd/shadow file authentication. Only usable with an alternate
1137 authentication scheme.
1139 356) Add a --disable-authentication option to configure that causes sudo
1140 to not require authentication by default. The PASSWD tag can be
1141 used to require authentication for an entry.
1143 357) Add a --with-devel option to add -Wall and uncomment yacc/lex
1144 generation in Makefile.
1146 358) Zero out plaintext password after use (should do encrypted as well).
1148 359) Added real dependencies in Makefile.
1150 360) Deprecated --with-otp-only in favor of --without-passwd.
1152 361) Add --with-mail-if-no-host to send mail if a user tries to run sudo on
1153 a host for which he/she is not authorized.
1155 362) Most of sudo now runs as root instead of the invoking user to
1156 minimize the possibility of user control via signals or tracing.
1158 363) Now supports CIDR-style netmasks (ie: 128.138.0.0/16).
1160 364) In "sudo -l" mode, the type of the stored (expanded) alias was not
1161 stored with the contents. This could lead to incorrect output
1162 if the sudoers file had different alias types with the same name.
1163 Normal parsing (ie: not in '-l' mode) is unaffected.
1165 365) Now include strcasecmp() for those without it.
1167 366) Most compile-time options are now changeable at runtime via
1168 the 'Defaults' specification in the sudoers file.
1170 367) Added a -L flag to print out all the possible 'Defaults' parameters.
1172 368) It is now possible to escape "special" characters in usernames, hostnames,
1173 etc with a backslash.
1175 369) Sudo will now accept a hostname/username/netgroupname that contains
1176 almost any character in it. It seems many people want to use '.'
1177 and other non-alphanumerics in usernames.
1179 370) Fixed the root_sudo option. Sudo was always complaining that root
1180 was not allowed to run sudo if the root_sudo flag was turned off.
1182 371) tgetpass() now uses a function to read up until the end of line.
1183 Fixes problems in a pipeline when a program sets the tty mode
1184 to be character at a time.
1186 372) sudo now turns off core dumps via setrlimit (probably paranoia).
1190 373) Better diagnostics on PAM failure.
1192 374) Killed shell_noargs option, it cannot work since the command needs to
1193 be set before sudoers is parsed.
1195 375) Fixed the following Defaults options: set_home, fqdn, syslog, tty_tickets,
1196 ticket_dir, insults.
1198 376) When using select() in tgetpass(), do a separate select before
1199 each read to be sure we can timeout correctly.
1201 377) SecurID support compiles and works again.
1203 378) Fixed a bug parsing runas modifiers. If a user spec contained multiple
1204 runas specs, the latter ones may not be applied.
1206 379) #uid now works in a RunasAlias
1208 380) Don't ask the user for a password if the user is not allowed to run
1209 the command and the authenticate flag (in sudoers) is false.
1211 381) Added configure check for initgroups(3).
1213 382) Use our own fnmatch() if there is no fnmatch.h, even if there is an
1216 Sudo 1.6.1 released.
1218 383) Better behavior for -l and -v flags in conjunction with NOPASSWD and
1219 added "verifypw" and "listpw" options.
1221 384) For HP-UX with cc, add the -Aa flag along with -D_HPUX_SOURCE.
1223 385) Fix compilation with K&R compilers.
1225 386) For netgroup host matching, match against the short version of the
1226 hostname as well as the long one if they are different.
1228 387) Terminate passwd reading on '\r' in addition to '\n'
1230 388) Visudo used to loop endlessly if a user entered ^D at the whatnow
1231 prompt. EOF is now treated as 'x' (exit w/o saving changes).
1233 389) The 'shell_noargs' runtime option is back based on a patch from
1234 bguillory@email.com.
1236 390) Systems that return RLIM_INFINITY for RLIMIT_NOFILE (like AIX)
1237 would loop for a very long time during sudo startup. A value of
1238 RLIM_INFINITY is now ignored (getdtablesize/sysconf is used instead).
1240 391) Locking in visudo was broken. We now lock the sudoers file, not the
1241 sudoers temp file, which should be safe.
1243 392) PAM fixups: custom prompts now work correctly and errors are
1244 dealt with more sanely. Patches from Cloyce D. Spradling.
1246 Sudo 1.6.2 released.
1248 393) Users in the 'exempt' group shouldn't get their $PATH overridden
1249 by 'secure-path'. Patch from jmknoble@pobox.com.
1251 394) Pam now works on HP-UX 11.0, thanks to Jeff A. Earickson.
1253 395) Fixed a bug that caused an infinite loop when the password
1254 timeout was disabled.
1256 396) It is now possible to set the path to the editor for visudo as well
1257 as the flag that determines whether or not visudo will look at
1258 $EDITOR in the sudoers file.
1260 397) configure now pulls in the values of LIBS, LDFLAGS, CPPFLAGS, etc
1261 as the documentation says it ought to.
1263 398) Added rootpw, runaspw, and targetpw to prompt for the root, runas_default
1264 and target user's passwords respectively (instead of the invoking user's
1267 399) Added -S flag to force password read from stdin.
1269 400) Restore coredumpsize resource limit before exec'ing the child
1270 process (sudo sets it to 0 internally).
1272 401) Truncate unencrypted password to 8 chars if encrypted password is exactly
1273 13 characters (indicating a standard DES password). Many versions
1274 of crypt() do this for you, but not all (like HP-UX's).
1276 402) Fixed a typo/thinko that broke secureware support for long passwords.
1278 403) Added a new command line switch '-c' to support BSD login classes.
1279 The '-c' option can be used to sudo a command with specific resource
1280 limits in the login.conf database. This feature is optionally enabled
1281 via the --with-logincap configure switch. Based on a patch from
1282 Michael D. Marchionna.
1284 404) Fixed a bug where sudo would hang around and consume CPU if we spawn
1285 a long-running process.
1287 405) Deal with HP-UX password aging info tacked on to the end of the
1290 406) Added set_logname run-time option. When unset, sudo will not set
1291 the USER and LOGNAME environment variables.
1293 407) Wildcards are now allowed in the hostnames specified in sudoers.
1294 The 'fqdn' option is often required for this to be useful.
1296 408) Fixed a bug where host and user qualifiers in a Defaults entry were
1297 not being used correctly and the entry was being applied globally.
1299 Sudo 1.6.3 released.
1301 409) Fixed targetpw, rootpw, and runaspw options when used with non-passwd
1302 authentication (pam, etc).
1304 Sudo 1.6.3p1 released.
1306 410) When the targetpw flag is set, use the target username as part
1307 of the timestamp path.
1309 Sudo 1.6.3p2 released.
1311 411) Fixed a bug that prevented the -H option from being useful.
1313 Sudo 1.6.3p3 released.
1315 412) Fixed a case where a string was used after it had been freed.
1317 Sudo 1.6.3p4 released.
1319 413) Fixed listpw and verifypw sudoers options.
1321 414) Do not write NUL when writing passwd prompt; hag@linnaean.org.
1323 Sudo 1.6.3p5 released.
1325 415) Fix word splitting bug that caused a segv for very long command line args.
1327 Sudo 1.6.3p6 released.
1329 416) Fix negation of path-type Defaults entries in a boolean context.
1331 Sudo 1.6.3p7 released.
1333 417) Visudo now checks for the existence of an editor and gives a sensible
1334 error if it does not exist.
1336 418) The path to the editor for visudo is now a colon-separated list of
1337 allowable editors. If the user has $EDITOR set and it matches
1338 one of the allowed editors that editor will be used. If not,
1339 the first editor that actually exists is used.
1341 419) Visudo now does its own fork/exec instead of calling system(3).
1343 420) Allow special characters (including '#') to be embedded in pathnames
1344 if quoted by a '\\'. The quoted chars will be dealt with by fnmatch().
1345 Unfortunately, 'sudo -l' still prints the '\\'.
1347 421) Added the always_set_home option.
1349 422) Strip NLSPATH and PATH_LOCALE out from the environment to prevent
1350 reading of protected files by a less privileged user.
1352 423) Added support for BSD authentication and associated -a flag.
1354 424) Added check for _innetgr(3) since NCR systems have this instead
1357 425) Added stay_setuid option for systems that have libraries that perform
1358 extra paranoia checks in system libraries for setuid programs.
1360 426) Environment munging is now done by hand. The environment is zeroed
1361 upon sudo startup and a new environment is built before the command
1362 is executed. This means we don't rely on getenv(3), putenv(3),
1365 427) Added a class of environment variables that are only cleared if they
1366 contain '/' or '%' characters.
1368 428) Use stashed user_gid when checking against exempt gid since sudo
1369 sets its gid to SUDOERS_GID, making getgid() return that, not the
1370 real gid. Fixes problem with setting exempt group == SUDOERS_GID.
1371 Fix from Paul Kranenburg.
1373 429) Fixed file locking in visudo on NeXT which has a broken lockf().
1374 Patch from twetzel@gwdg.de.
1376 430) Regenerated configure script with autoconf-2.52 (required some
1377 tweaking of configure.in and friends).
1379 431) Added mail_badpass option to send mail when the user does not
1380 authenticate successfully.
1382 432) Added env_reset Defaults option to reset the environment to
1383 a clean slate. Also implemented env_keep Defaults option
1384 to specify variables to be preserved when resetting the
1387 433) Added env_check and env_delete Defaults options to allow the admin
1388 to modify the built-in list of environment variables to remove.
1390 434) If timestamp_timeout < 0 then the timestamp never expires. This
1391 allows users to manage their own timestamps and create or delete
1392 them via 'sudo -v' and 'sudo -k' respectively.
1394 435) Authentication routines that use sudo's tgetpass() now accept
1395 ^C or ^Z at the password prompt and sudo will act appropriately.
1397 436) Added a check-only mode to visudo to check an existing sudoers
1400 437) Visudo can now edit an alternate sudoers file.
1402 438) If sudo is configured with S/Key support and the system has
1403 skeyaccess(3) use that to determine whether or not to allow
1404 a normal Unix password or just S/Key.
1406 439) Fixed CIDR handling in sudoers.
1408 440) Fixed a segv if the local hostname is not resolvable and
1409 the 'fqdn' option is set.
1411 441) "listpw=never" was not having an effect for users who did not
1412 appear in sudoers--now it does.
1414 442) The --without-sendmail option now works on systems with
1415 a /usr/include/paths.h file that defines _PATH_SENDMAIL.
1417 443) Removed the "secure_path" Defaults option as it does not work and
1418 cannot work until the parser is overhauled.
1420 444) Added new -P flag and "preserve_groups" sudoers option to cause
1421 sudo to preserve the group vector instead of setting it to that
1422 of the target user. Previously, if the target user was root
1423 the group vector was not changed. Now it is always changed unless
1424 the -P flag or "preserve_groups" option was given.
1426 445) If find_path() fails as root, try again as the invoking user (useful
1427 for NFS). Idea from Chip Capelik.
1429 446) Use setpwent()/endpwent() and its shadow equivalents to be sure
1430 the passwd/shadow file gets closed.
1432 447) Use getifaddrs(3) to get the list of network interfaces if it is
1435 448) Dump list of local IP addresses and environment variables to clear
1436 when 'sudo -V' is run as root.
1438 449) Reorganized the lexer a bit and added more states. Sudo now does a
1439 better job of parsing command arguments in the sudoers file.
1441 450) Wrap each call to syslog() with openlog()/closelog() since some
1442 things (such as PAM) may call closelog(3) behind sudo's back.
1444 451) The LOGNAME and USER environment variables are now set if the user
1445 specified a target uid and that uid exists in the password database.
1447 452) configure will no longer add the -g flag to CFLAGS by default.
1449 453) Now call pam_setcred() to set up creds for the target user when
1450 PAM is in use. On Linux this often sets resource limits.
1452 454) If "make install" is run by non-root and the destination dir
1453 is writable, install things normally but don't set owner and mode.
1455 455) The Makefile now supports installing in a shadow hierarchy
1456 specified via the DESTDIR variable.
1458 456) config.h.in is now generated by autoheader.
1460 Sudo 1.6.4 released.
1462 457) Move the call to rebuild_env() until after MODE_RESET_HOME is set.
1463 Otherwise, the set_home option has no effect.
1465 458) Fix use of freed memory when the "fqdn" flag is set. This was
1466 introduced by the fix for the "segv when gethostbyname() fails" bug.
1468 459) Add 'continue' statements to optimize the switch statement.
1469 From Solar Designer.
1471 Sudo 1.6.4p1 released.
1473 460) Some special characters were not being escaped properly (e.g. '\,')
1474 in command line arguments and would cause a syntax error instead.
1476 461) "sudo -l" would not work if the always_set_home option was set.
1478 462) Added a configure option to disable use of POSIX saved IDs for
1479 operating systems where these are broken.
1481 463) The SHELL environment variable was preserved from the user's environment
1482 instead of being reset based on the passwd database even when the
1483 "env_reset" option was set.
1485 Sudo 1.6.4p2 released.
1487 464) Added a configure option to cause mail sent by sudo to be run as
1488 the invoking user instead of root. Some people consider this to
1491 465) If the mailer is being run as root, use a hard-coded environment
1492 that is not influenced in any way by the invoking user's environment.
1494 466) Fixed the call to skeyaccess(). Patch from Phillip E. Lobbes.
1496 Sudo 1.6.5 released.
1498 467) Visudo could access memory that was already freed.
1500 468) If the skey.access file denied use of plaintext passwords sudo
1501 would exit instead of allowing the user to enter an S/Key.
1503 Sudo 1.6.5p1 released.
1505 469) Older versions of BSDi have getifaddrs() but no freeifaddrs().
1507 470) BSDi has a fake setreuid() as do certain versions of FreeBSD and NetBSD.
1509 471) Ignore the return value of pam_setcred(). In Linux-PAM 0.75,
1510 pam_setcred() will return PAM_PERM_DENIED even if the setcred function
1511 of the module succeeds when pam_authenticate() has not been called.
1513 472) Avoid giving PAM a NULL password response, use the empty string instead.
1514 This avoids a log warning when the user hits ^C at the password prompt
1515 when Linux-PAM is in use. This also prevents older versions of
1516 Linux-PAM from dereferencing the NULL pointer.
1518 473) The user's password was not zeroed after use when AIX authentication,
1519 BSD authentication, FWTK or PAM was in use.
1521 Sudo 1.6.5p2 released.
1523 474) Fixed compilation problem on HP-UX 9.x.
1525 475) Moved call to endpwent() and added a call to endgrent().
1527 476) Fixed a warning about a conflicting declaration of VOID with AFS.
1529 477) Fixed a security hole in prompt rewriting found by Global InterSec.
1531 Sudo 1.6.6 released.
1533 478) Wildcards now work correctly in the env_keep Defaults directive.
1535 479) Added support for non-root timestamp dirs. This allows the timestamp
1536 dir to be shared via NFS (though this is not recommended).
1538 480) Removed double printing of bad environment variable table in -V mode.
1540 481) configure script has been regenerated with autoconf 2.5.7.
1541 This required some changes to configure.in.
1543 482) Fixed a compilation problem on SunOS; thanks to Alek O. Komarnitsky.
1545 483) SecurID 5.0 API support from Michael Stroucken.
1547 484) Restore state of signal handlers to what we had upon startup.
1548 Fixes a problem when using sudo with nohup; thanks to Paul Markham.
1550 485) Revamp set_perms() to use setresuid() or setreuid() when available
1551 in preference to POSIX stuff since they allow us to properly
1552 implement "stay_setuid" whereas POSIX does not really.
1554 486) In strict mode sudo did not throw an error for undefined User_Aliases.
1556 487) Fixed a Makefile bug on IRIX.
1558 488) Write the prompt *after* turning off echo to avoid some password
1559 characters being echoed on heavily-loaded machines with fast typists.
1561 489) Added %U and %H escapes in the prompt and fixed treatment of %%.
1563 490) Visudo will now add a final newline to sudoers if the user's editor
1564 does not add one before EOF.
1566 491) The lexer state is now reset to its initial value on EOF.
1567 Previously, the state was not reset between parser invocations
1568 which could cause problems for visudo in rare cases.
1570 492) Added support for Defaults that apply based on the RunasUser.
1572 493) Sudo now includes copies of strlc{at,py} and uses them throughout.
1574 494) Sudo is now careful to avoid integer overflow when allocating
1575 memory. This is one of those "should not happen" situations.
1577 495) Added a configure option (--with-stow) to make sudo compatible
1580 496) auth/kerb5.c now compiles under Heimdal.
1582 497) The volatile prefix is used in the hopes of preventing compilers
1583 from optimizing away memory zeroing. Unfortunately, this results
1584 in some warnings from gcc.
1586 498) Better Kerberos IV/V support in the configure script.
1588 499) Fixed a logic thinko in the SIGCHLD handler that caused problems
1589 with rlogin on HP-UX.
1591 500) configure now adds -R to LDFLAGS when it adds -L for Solaris and
1592 SVR4. There is a configure option, --with-rpath, to control this.
1594 501) On AIX, configure will pass extra directory paths to the linker
1595 via the -blibpath ld option. This is only active when additional
1596 library paths are used. It may be disabled via the
1597 --without-blibpath configure option.
1599 502) The --with-skey and --with-opie configure options now take
1600 an optional directory argument that should have an include and
1601 lib dir for the skey/opie include file and library respectively.
1603 Sudo 1.6.7 released.
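
Entries 494 and 497 above describe two memory-handling precautions: refusing allocations whose size computation wraps, and zeroing secrets through a volatile pointer so the compiler is less likely to drop the store. The block below is an added example, not sudo's own code; checked_alloc(), zero_secret() and use_and_wipe() are hypothetical names, and unlike sudo's allocation wrappers (which exit on error) checked_alloc() returns NULL.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical helper: allocate room for nmemb objects of `size` bytes.
 * Returns NULL instead of a too-small buffer when nmemb * size would
 * wrap around size_t (the "should not happen" case from entry 494).
 */
void *checked_alloc(size_t nmemb, size_t size)
{
    if (nmemb == 0 || size == 0)
        return NULL;
    if (nmemb > SIZE_MAX / size)
        return NULL;                    /* product does not fit in size_t */
    return malloc(nmemb * size);
}

/*
 * Hypothetical helper: overwrite a secret through a volatile pointer.
 * Each store is a volatile access, so the compiler may not treat the
 * loop as a dead store even when the buffer is freed right afterwards.
 */
void zero_secret(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;

    while (len-- > 0)
        *p++ = 0;
}

/*
 * Copy a password into a working buffer, use it, then wipe the copy
 * before releasing it. Returns 1 if every byte of the working copy
 * reads back as zero after the wipe, 0 if not, -1 if allocation failed.
 */
int use_and_wipe(const char *pw)
{
    size_t len = strlen(pw) + 1;        /* include the terminating NUL */
    char *copy = checked_alloc(len, sizeof(char));
    int clean = 1;

    if (copy == NULL)
        return -1;
    memcpy(copy, pw, len);

    /* ... the working copy would be handed to the auth routine here ... */

    zero_secret(copy, len);
    for (size_t i = 0; i < len; i++) {
        if (copy[i] != 0)
            clean = 0;
    }
    free(copy);
    return clean;
}
```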
1605 503) Fixed false positives in the overflow detection of expand_prompt().
1607 Sudo 1.6.7p1 released.
1609 504) An unterminated comment broke Kerberos V authentication.
1611 505) The krb5-config script is used to determine Kerberos V CPPFLAGS
1612 and LDFLAGS/LIBS if it exists.
1614 506) Backed out changes to mkinstalldirs from autoconf 2.57 that
1615 caused problems on Tru64 Unix.
1617 Sudo 1.6.7p2 released.
1619 507) Kerberos V support should work on latest MIT Kerberos V and Heimdal.
1621 Sudo 1.6.7p3 released.
1623 508) Fixed remaining Kerberos V issues with MIT Kerberos V and old Heimdal.
1625 Sudo 1.6.7p4 released.
1627 509) Fixed a typo that caused a compilation error on Heimdal.
1629 510) Darwin (MacOS X) doesn't have a real setreuid() system call.
1631 511) Fixed a problem with large numbers of environment variables.
1633 Sudo 1.6.7p5 released.
1635 512) Fixed a problem on FreeBSD when the user is only listed in NIS (not
1636 master.passwd) and netgroups are used in the master.passwd file.
1638 513) BSD-style warn/err functions are now used throughout.
1640 514) Fixed the --with-stow configure option
1642 515) Added a "sudo_lecture" option that points to a file containing a custom
1645 516) The username in a log entry is no longer truncated at 8 characters.
1647 517) A new tag, NOEXEC, will prevent a dynamically-linked program being run
1648 by sudo from executing another program (think shell escapes).
1649 Because this uses LD_PRELOAD it has no effect on static binaries.
1650 Idea from Reznic Valery.
1652 518) TIS fwtk authentication now supports fwtk 2.0 and higher.
1654 519) Sudo will now try to stat the command to be run as the user
1655 specified by the -u flag if the stat fails as root. Fixes
1658 520) Added Stan Lee / Uncle Ben quote to the lecture (from RedHat).
1660 521) Added a -i option to simulate an initial login similar to "su -".
1661 Originally based on a patch from David J. MacKenzie.
1663 522) Added a -e option to edit files with the uid of the invoking user.
1664 This prevents the user from editing other files or running commands
1665 as the target user. If sudo is run as "sudoedit" the -e flag is implied.
1667 523) If sudo is used to run a root shell, further sudo commands will
1668 be logged as run by the user specified by the SUDO_USER environment
1669 variable. In -e mode (sudoedit), SUDO_USER is used to determine
1670 what user to run the editor as when the real uid is 0.
1672 524) Merged in LDAP support from Aaron Spangler.
1674 525) Added the --with-pc-insults configure option to replace politically
1675 incorrect insults with ones from Alek O. Komarnitsky.
1677 526) Added start_tls support from Gudleik Rasch <gudleik@rastamatra.org>.
1679 527) A uid specified in sudoers now matches the user specified by the
1680 -u flag even if the -u flag specified a name, not a uid.
1682 528) /tmp/.odus is no longer used for timestamps by default. One of
1683 /var/run/sudo, /var/adm/sudo or /usr/adm/sudo is used depending
1684 on what directories exist.
1686 529) Quoting globbing characters with a backslash now works as documented.
1688 530) A negated user/uid in a runas list was not treated the same as a
1689 negated command (it did not override a previously allowed entry).
1692 531) Added support for Tandem NSK and other systems w/o seteuid().
1694 532) The timeout on password reading is now done via alarm(), not select().
1696 533) Fixed several issues when closing all open descriptors. Sudo now uses
1697 closefrom() if it exists, using /proc/$$/fd if possible.
1699 534) Use PATH_MAX, not MAXPATHLEN since the former is standardized.
1701 535) Added a check in visudo for runas_default being used before it
1704 536) If the target user == invoking user a password is no longer required.
1706 537) PAM support now uses pam_acct_mgmt() to check for disabled accounts
1707 (from Brian Farrell).
1709 538) The sudoers file is now parsed as the runas user in all cases instead
1710 of root. This fixes some issues with running NFS-mounted commands.
1712 539) Sudo now produces a sensible error message when the targetpw
1713 Defaults option is set and a non-existent uid is specified via -u.
1715 Sudo 1.6.8 released.
1717 540) Now find the command base and fill in struct stat earlier.
1719 541) sudoedit now re-opens the temp file as the invoking user.
1721 542) struct timespec is used throughout the code base.
1723 543) Added --with-ldap-conf-file option to override /etc/ldap.conf
1725 544) Added SSL tls_* certificate checking options when using LDAP.
1727 545) Sudoedit will now only attempt to edit regular files or links.
1729 546) Sudo now uses futime() or futimes() where possible.
1731 547) Updated sample.pam to a current version.
1733 548) Better detection of unchanged files in sudoedit.
1735 Sudo 1.6.8p1 released.
1737 549) Bash exported functions are now stripped from the environment passed
1738 to the program to be executed.
1740 Sudo 1.6.8p2 released.
1742 550) The CDPATH variable is now stripped from the environment passed
1743 to the program to be executed.
1745 551) Fix temp file generation on systems where the _PATH_VARTMP macro
1746 lacks a trailing slash.
1748 Sudo 1.6.8p3 released.
1750 552) The KRB5CCNAME environment variable is preserved during sudo
1751 execution for password lookups that use GSSAPI.
1753 Sudo 1.6.8p4 released.
1755 553) Added a configure check for systems with a 2-argument version of
1756 timespecsub (like BSD/OS).
1758 554) Added stub struct definitions to sudo.h to quiet compiler warnings
1761 555) In sudoers Defaults lines, tuples like "lecture" may now be used
1762 without a value, restoring their old boolean-like nature.
1764 556) Invalid values for a tuple are now handled correctly.
1766 Sudo 1.6.8p5 released.
1768 557) Added a set of missing braces needed for MacOS X / Darwin.
1770 558) Define LDAP_OPT_SUCCESS for those without it.
1772 Sudo 1.6.8p6 released.
1774 559) Warn if the user tries to use the -u option when not running a command.
1776 560) Better PAM error handling and messages.
1778 561) Fixed setting of $USER when env_reset is enabled.
1780 Sudo 1.6.8p7 released.
1782 562) Fixed noexec functionality on Linux.
1784 563) Fixed minor format string mismatches in some error cases.
1786 564) Fixed a bug that prevented Heimdal authentication from working.
1788 Sudo 1.6.8p8 released.
1790 565) Updated config.guess and config.sub entries for OpenBSD.
1792 566) A sudoers entry with sudo ALL no longer overwrites the value of
1795 Sudo 1.6.8p9 released.
1797 567) Added PS4 and SHELLOPTS to the list of variables to remove from
1800 Sudo 1.6.8p10 released.
1802 567) Added JAVA_TOOL_OPTIONS to the list of variables to remove from
1805 Sudo 1.6.8p11 released.
1807 567) Added PERLLIB, PERL5LIB and PERL5OPT to the list of variables to
1808 remove from the environment.
1810 Sudo 1.6.8p12 released.
1812 568) Fixed a file descriptor leak when the lecture file option is enabled.
1814 569) Added to the list of variables to remove from the environment.
1816 570) Fixed a Kerberos V security issue that could allow a
1817 user to authenticate using a fake KDC.
1819 571) Pulled in updated configure and libtool from sudo 1.7.
1821 572) PAM is now the default on systems where it is supported.
1823 573) Removed POSIX saved uid use; the stay_setuid option now
1824 requires the setreuid() or setresuid() functions to work.
1826 574) Regenerated configure with up to date autoconf and libtool.
1828 575) Fixed fd leak when lecture file option is enabled.
1830 576) Removed use of POSIX saved uids. The stay_setuid
1831 option now requires setreuid() or setresuid().
1833 577) PAM fixes. If the user enters ^C at the password prompt,
1834 abort instead of trying to authenticate with an empty password
1835 (which causes an annoying delay). Also call pam_open_session()
1836 and pam_close_session() to give pam_limits a chance to run.
1838 578) Security fix for Kerberos5. If we cannot get a valid service
1839 key using the default keytab it is a fatal error. Now uses
1840 krb5_verify_user() and krb5_init_secure_context() if they
1843 579) Fixed securid5 authentication.
1845 580) Added fcntl F_CLOSEM support to closefrom().
1847 581) Added NOEXEC support for AIX 5.3.
1849 582) Sudo now uses the supplemental group vector for matching.
1850 This fixes problems with split group lines in /etc/group
1851 as well as multiple group sources in nsswitch.conf.
1853 583) Added more environment variables to remove by default.
1855 584) Mail from sudo now includes an Auto-Submitted: auto-generated
1856 header a la RFC 3834.
1858 585) Reworked the environment handling code.
1860 586) Remove the --with-execv option, it was not useful.
1862 587) Use TCSADRAIN instead of TCSAFLUSH in tgetpass() since
1863 some OSes have issues with TCSAFLUSH.
1865 588) Use glob(3) instead of fnmatch(3) for matching pathnames
1866 and stat() each result that matches the basename of the user's
1867 command. This makes "cd /usr/bin ; sudo ./blah" work when
1868 sudoers allows /usr/bin/blah.
1870 589) Reworked the syslog long line splitting code based on changes
1871 from Eygene Ryabinkin.
1873 590) Sudo can now deal with more than 32 network interfaces on
1876 591) Visudo will now honor command line arguments in the EDITOR or
1877 VISUAL environment variables if env_editor is enabled.
1879 592) LDAP now honors rootbinddn, timelimit and bind_timelimit in
1882 593) For LDAP, do a sub tree search instead of a base search (one
1883 level in the tree only) for sudo right objects. This allows
1884 system administrators to categorize the rights in a tree to
1885 make them easier to manage.
1887 594) The env_reset option is now enabled by default. Commands run
1888 through sudo now receive a minimal environment with certain
1889 variables passed through and/or checked. The list of variables
1890 allowed is configurable via the env_keep and env_check options
1893 595) Added support for Solaris 10 resource control limits using
1894 the "project" interface.
1896 596) Moved LDAP schema data into separate files.
1898 597) Sudo no longer assumes that gr_mem in struct group is non-NULL.
1900 598) Added support for setting environment variables on the command
1901 line if the command has the SETENV attribute set in sudoers.
1903 599) Added a -E flag to preserve the environment if the SETENV attribute
1906 600) The sudoers2ldif script now parses Runas users.
1908 601) The -- flag now behaves as documented.
1910 602) sudo -k/-K no longer cares if the timestamp is in the future.
1912 603) When searching for the command, sudo now uses the effective gid
1915 604) Sudo no longer updates the timestamp if not validated by sudoers.
1917 605) Now rebuild environment regardless of how sudo was invoked.
1919 606) More accurate usage() when called as sudoedit.
1921 607) Command line environment variables are now treated like
1922 normal environment variables unless the SETENV tag is set.
1924 608) Better explanation of environment handling in the sudo man page.
1926 Sudo 1.6.9 released.
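Added example (not part of the sudo source or of this changelog): items 549, 550 and 567 extend a deny list one variable at a time, while item 594 makes env_reset, an allow list, the default. The C sketch below contrasts the two models on a constructed environment; the lists, sample_env and filter_env() are assumptions for illustration, and RUBYOPT stands in for any variable the deny list does not yet name.

```c
#include <stdio.h>
#include <string.h>

/* Constructed deny list: only variables this changelog names. */
static const char *deny[] = { "LD_*", "CDPATH", "PS4", "SHELLOPTS",
    "JAVA_TOOL_OPTIONS", "PERLLIB", "PERL5LIB", "PERL5OPT", NULL };
/* Constructed allow list for the env_reset model (not sudo's real defaults). */
static const char *keep[] = { "TERM", "PATH", "HOME", NULL };
/* Constructed sample environment of an invoking user. */
char *sample_env[] = { "PATH=/usr/bin:/bin", "TERM=xterm",
    "HOME=/home/alice", "LD_PRELOAD=/tmp/shim.so", "CDPATH=/tmp",
    "PERL5OPT=-Mstrict", "ls=() { echo hi; }", "RUBYOPT=-rdebug", NULL };

/* Is the name of "NAME=value" (name length nlen) on the list?
 * A pattern ending in '*' is a prefix wildcard; patterns are non-empty. */
static int in_list(const char *entry, size_t nlen, const char **list)
{
    for (; *list != NULL; list++) {
        size_t plen = strlen(*list);
        if ((*list)[plen - 1] == '*' ? (strncmp(entry, *list, plen - 1) == 0)
                : (nlen == plen && strncmp(entry, *list, plen) == 0))
            return 1;
    }
    return 0;
}

/* Copy the entries that survive filtering from in[] to out[] and return the
 * count. reset == 0: drop deny-listed names; reset != 0: keep only allow-listed
 * names. Bash exported functions ("NAME=() {...}") are dropped in both modes. */
size_t filter_env(char *const in[], const char *out[], int reset)
{
    size_t n = 0;
    for (; *in != NULL; in++) {
        const char *eq = strchr(*in, '=');
        if (eq == NULL || strncmp(eq + 1, "()", 2) == 0)
            continue;               /* malformed entry or exported function */
        size_t nlen = (size_t)(eq - *in);
        if (reset ? !in_list(*in, nlen, keep) : in_list(*in, nlen, deny))
            continue;
        out[n++] = *in;
    }
    out[n] = NULL;
    return n;
}

int main(void)
{
    const char *out[16];
    size_t a = filter_env(sample_env, out, 0), b = filter_env(sample_env, out, 1);
    printf("deny list keeps %zu entries, allow list keeps %zu\n", a, b);
    return 0;
}
```

In deny-list mode the unlisted RUBYOPT entry reaches the command; in allow-list mode it is dropped without the list needing another update.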
1928 609) Worked around a bug in some PAM implementations that caused a crash
1929 when no tty was present.
1931 610) Fixed a crash on some platforms in the error logging function.
1933 611) Documentation improvements.
1935 Sudo 1.6.9p1 released.
1937 612) Fixed updating of the saved environment when the environ pointer
1938 gets changed out from underneath us.
1940 Sudo 1.6.9p2 released.
1942 613) Fixed a bug related to supplemental group matching introduced
1945 Sudo 1.6.9p3 released.
1947 614) Added IPv6 support from YOSHIFUJI Hideaki.
1949 615) Fixed sudo_noexec installation path.
1951 616) Fixed a K&R compilation error.
1953 Sudo 1.6.9p4 released.
1955 617) Fixed a bug in the IP address matching introduced by the IPv6 merge.
1957 618) For "visudo -f file" we now use the permissions of the original file
1958 and not the hard-coded sudoers owner/group/mode. This makes
1959 it possible to use visudo with a revision control system.
1961 619) Fixed sudoedit when used on a non-existent file.
1963 620) Regenerated configure using autoconf 2.6.1 and libtool 1.5.24.
1965 621) Groups and netgroups are now valid in an LDAP sudoRunas statement.
1967 Sudo 1.6.9p5 released.
1969 622) Worked around bugs in the session support of some PAM implementations.
1970 The full tty path is now passed to PAM as well.
1972 623) Sudo now only prints the password prompt if the process is in the
1975 624) inttypes.h is now included when appropriate if it is present.
1977 625) Simplified alias allocation in the parser.
1979 Sudo 1.6.9p6 released.
1981 626) Go back to using TCSAFLUSH instead of TCSADRAIN when turning
1982 off echo in tgetpass().
1984 627) Fixed addition of -lutil for logincap on FreeBSD and NetBSD.
1986 628) Add configure check for struct in6_addr since some systems define
1987 AF_INET6 but have no real IPv6 support.
1989 Sudo 1.6.9p7 released.
1991 629) Fixed a bug where a sudoers entry with no runas user specified
1992 was treated differently from a line with the default runas
1995 Sudo 1.6.9p8 released.
1997 630) The ALL command in sudoers now implies SETENV permissions.
1999 631) The command search is now performed using the target user's
2000 auxiliary group vector too.
2002 632) When determining if the PAM prompt is the default "Password: ",
2003 compare the localized version if possible.
2005 633) Added passprompt_override flag to sudoers to cause sudo's prompt
2006 to be used in all cases. Also set when the -p flag is used.
2008 Sudo 1.6.9p9 released.
2010 634) Moved LDAP options into a table for simplified parsing/setting.
2012 635) Fixed a problem with how some LDAP options were being applied.
2014 636) Added support for connecting directly to LDAP servers via SSL
2015 in addition to the existing start_tls support.
2017 Sudo 1.6.9p10 released.
2019 637) Fixed a compilation problem on SCO related to how they
2020 store the high resolution timestamps in struct stat.
2022 638) Avoid checking the passwd file group multiple times
2023 in the LDAP query when the user's passwd group is also
2024 listed in the supplemental group vector.
2026 639) The URI specifier can now be used in ldap.conf even when
2027 the LDAP SDK doesn't support ldap_initialize().
2029 640) New %p prompt escape that expands to the user whose password
2030 is being prompted, as specified by the rootpw, targetpw and
2031 runaspw sudoers flags. Based on a diff from Patrick Schoenfeld.
2033 Sudo 1.6.9p11 released.
2035 641) Added a configure check for the ber_set_option() function.
2037 642) Fixed a compilation problem with the HP-UX K&R C compiler.
2039 643) Revamped the Kerberos 5 ticket verification code.
2041 644) Added support for the checkpeer ldap.conf variable for
2042 netscape-based LDAP SDKs.
2044 645) Fixed a problem where an incomplete password could be echoed
2045 to the screen if there was a read timeout.
2047 Sudo 1.6.9p12 released.
2049 646) Sudo will now set the nproc resource limit to unlimited on Linux
2050 systems to work around Linux's setuid() resource limit semantics.
2051 On PAM systems the resource limits will be reset by pam_limits.so
2052 before the command is executed.
2054 647) SELinux support that can be used to implement role based access
2055 control (RBAC). A role and (optional) type may be specified
2056 in sudoers or on the command line. These are then used in the
2057 security context that the command is run as.
2059 648) Fixed a Kerberos 5 compilation problem with MIT Kerberos.
2061 Sudo 1.6.9p13 released.
2063 649) Fixed an invalid assumption in the PAM conversation function
2064 introduced in version 1.6.9p9. The conversation function may
2065 be called for non-password reading purposes as well.
2067 650) Fixed freeing an uninitialized pointer in -l mode, introduced in
2070 651) Check /etc/sudoers after LDAP even if the user was found in LDAP.
2071 This allows Defaults options in /etc/sudoers to take effect.
2073 652) Add missing checks for enforcing mode in SELinux RBAC mode.
2075 Sudo 1.6.9p14 released.
2077 653) Fixed installation of sudo_noexec.so on AIX.
2079 654) Updated libtool to version 1.5.26.
2081 655) Fixed printing of default SELinux role and type in -V mode.
2083 656) The HOME environment variable is once again preserved by default,
2084 as per the documentation.
2086 Sudo 1.6.9p15 released.