1 What's new in Sudo 1.8.7?
3 * The non-Unix group plugin is now supported when sudoers data
6 * Sudo now uses a workaround for a locale bug on Solaris 11.0
7 that prevents setuid programs like sudo from fully using locales.
9 * User messages are now always displayed in the user's locale,
10 even when the same message is being logged or mailed in a
13 * Log files created by sudo now explicitly have the group set
14 to group ID 0 rather than relying on BSD group semantics (which
15 may not be the default).
17 * A new "exec_background" sudoers option can be used to initially
18 run the command without read access to the terminal when running
19 a command in a pseudo-tty. If the command tries to read from
20 the terminal it will be stopped by the kernel (via SIGTTIN or
21 SIGTTOU) and sudo will immediately restart it as the forground
22 process (if possible). This allows sudo to only pass terminal
23 input to the program if the program actually is expecting it.
24 Unfortunately, a few poorly-behaved programs (like "su" on most
25 Linux systems) do not handle SIGTTIN and SIGTTOU properly.
27 * Sudo now uses an efficient group query to get all the groups
28 for a user instead of iterating over every record in the group
29 database on HP-UX and Solaris.
31 * Sudo now produces better error messages when there is an error
32 in the sudo.conf file.
34 * Two new settings have been added to sudo.conf to give the admin
35 better control of how group database queries are performed. The
36 "group_source" specifies how the group list for a user will be
37 determined. Legal values are "static" (use the kernel groups
38 list), "dynamic" (perform a group database query) and "adaptive"
39 (only perform a group database query if the kernel list is full).
40 The "max_groups" specifies the maximum number of groups a user may
41 belong to when performing a group database query.
43 * The sudo.conf file now supports line continuation by using a
44 backslash as the last character on the line.
46 * There is now a standalone sudo.conf manual page.
48 * Sudo now stores its libexec files in a "sudo" subdirectory instead
49 of in libexec itself. For backwards compatibility, if the plugin
50 is not found in the default plugin directory, sudo will check
51 the parent directory if the default directory ends in "/sudo".
53 * The sudoers I/O logging plugin now logs the terminal size.
55 * A new sudoers option "maxseq" can be used to limit the number of
56 I/O log entries that are stored.
58 * The "system_group" and "group_file" sudoers group provider plugins
59 are now installed by default.
61 * The list output (sudo -l) output from the sudoers plugin is now
62 less ambiguous when an entry includes different runas users.
63 The long list output (sudo -ll) for file-based sudoers is now
64 more consistent with the format of LDAP-based sudoers.
66 * A uid may now be used in the sudoRunAsUser attributes for LDAP
69 * Minor plugin API change: the close and version functions are now
70 optional. If the policy plugin does not provide a close function
71 and the command is not being run in a new pseudo-tty, sudo may
72 now execute the command directly instead of in a child process.
74 * A new sudoers option "pam_session" can be used to disable sudo's
77 * On HP-UX systems, sudo will now use the pstat() function to
78 determine the tty instead of ttyname().
80 * Turkish translation for sudo and sudoers from translationproject.org.
82 * Dutch translation for sudo and sudoers from translationproject.org.
84 * Tivoli Directory Server client libraries may now be used with
85 HP-UX where libibmldap has a hidden dependency on libCsup.
87 * The sudoers plugin will now ignore invalid domain names when
88 checking netgroup membership. Most Linux systems use the string
89 "(none)" for the NIS-style domain name instead of an empty string.
91 * New support for specifying a SHA-2 digest along with the command
92 in sudoers. Supported hash types are sha224, sha256, sha384 and
93 sha512. See the description of Digest_Spec in the sudoers manual
94 or the description of sudoCommand in the sudoers.ldap manual for
97 * The paths to ldap.conf and ldap.secret may now be specified as
98 arguments to the sudoers plugin in the sudo.conf file.
100 * Fixed potential false positives in visudo's alias cycle detection.
102 * Fixed a problem where the time stamp file was being treated
103 as out of date on Linux systems where the change time on the
104 pseudo-tty device node can change after it is allocated.
106 * Sudo now only builds Position Independent Executables (PIE)
107 by default on Linux systems and verifies that a trivial test
108 program builds and runs.
110 * On Solaris 11.1 and higher, sudo binaries will now have the
111 ASLR tag enabled if supported by the linker.
113 What's new in Sudo 1.8.6p8?
115 * Terminal detection now works properly on 64-bit AIX kernels.
116 This was broken by the removal of the ttyname() fallback in Sudo
117 1.8.6p6. Sudo is now able to map an AIX 64-bit device number
118 to the corresponding device file in /dev.
120 * Sudo now checks for crypt() returning NULL when performing
121 passwd-based authentication.
123 What's new in Sudo 1.8.6p7?
125 * A time stamp file with the date set to the epoch by "sudo -k"
126 is now completely ignored regardless of what the local clock is
127 set to. Previously, if the local clock was set to a value between
128 the epoch and the time stamp timeout value, a time stamp reset
129 by "sudo -k" would be considered current.
131 * The tty-specific time stamp file now includes the session ID
132 of the sudo process that created it. If a process with the same
133 tty but a different session ID runs sudo, the user will now be
134 prompted for a password (assuming authentication is required for
137 What's new in Sudo 1.8.6p6?
139 * On systems where the controlling tty can be determined via /proc
140 or sysctl(), sudo will no longer fall back to using ttyname()
141 if the process has no controlling tty. This prevents sudo from
142 using a non-controlling tty for logging and time stamp purposes.
144 What's new in Sudo 1.8.6p5?
146 * Fixed a potential crash in visudo's alias cycle detection.
148 * Improved performance on Solaris when retrieving the group list
149 for the target user. On systems with a large number of groups
150 where the group database is not local (NIS, LDAP, AD), fetching
151 the group list could take a minute or more.
153 What's new in Sudo 1.8.6p4?
155 * The -fstack-protector is now used when linking visudo, sudoreplay
158 * Avoid building PIE binaries on FreeBSD/ia64 as they don't run
161 * Fixed a crash in visudo strict mode when an unknown Defaults
162 setting is encountered.
164 * Do not inform the user that the command was not permitted by the
165 policy if they do not successfully authenticate. This is a
166 regression introduced in sudo 1.8.6.
168 * Allow sudo to be build with sss support without also including
171 * Fix running commands that need the terminal in the background
172 when I/O logging is enabled. E.g. "sudo vi &". When the command
173 is foregrounded, it will now resume properly.
175 What's new in Sudo 1.8.6p3?
177 * Fixed post-processing of the man pages on systems with legacy
180 * Fixed "sudoreplay -l" on Linux systems with file systems that
181 set DT_UNKNOWN in the d_type field of struct dirent.
183 What's new in Sudo 1.8.6p2?
185 * Fixed suspending a command after it has already been resumed
186 once when I/O logging (or use_pty) is not enabled.
187 This was a regression introduced in version 1.8.6.
189 What's new in Sudo 1.8.6p1?
191 * Fixed the setting of LOGNAME, USER and USERNAME variables in the
192 command's environment when env_reset is enabled (the default).
193 This was a regression introduced in version 1.8.6.
195 * Sudo now honors SUCCESS=return in /etc/nsswitch.conf.
197 What's new in Sudo 1.8.6?
199 * Sudo is now built with the -fstack-protector flag if the the
200 compiler supports it. Also, the -zrelro linker flag is used if
201 supported. The --disable-hardening configure option can be used
202 to build sudo without stack smashing protection.
204 * Sudo is now built as a Position Independent Executable (PIE)
205 if supported by the compiler and linker.
207 * If the user is a member of the "exempt" group in sudoers, they
208 will no longer be prompted for a password even if the -k flag
209 is specified with the command. This makes "sudo -k command"
210 consistent with the behavior one would get if the user ran "sudo
211 -k" immediately before running the command.
213 * The sudoers file may now be a symbolic link. Previously, sudo
214 would refuse to read sudoers unless it was a regular file.
216 * The sudoreplay command can now properly replay sessions where
219 * The sudoers plugin now takes advantage of symbol visibility
220 controls when supported by the compiler or linker. As a result,
221 only a small number of symbols are exported which significantly
222 reduces the chances of a conflict with other shared objects.
224 * Improved support for the Tivoli Directory Server LDAP client
225 libraries. This includes support for using LDAP over SSL (ldaps)
226 as well as support for the BIND_TIMELIMIT, TLS_KEY and TLS_CIPHERS
227 ldap.conf options. A new ldap.conf option, TLS_KEYPW can be
228 used to specify a password to decrypt the key database.
230 * When constructing a time filter for use with LDAP sudoNotBefore
231 and sudoNotAfter attributes, the current time now includes tenths
232 of a second. This fixes a problem with timed entries on Active
235 * If a user fails to authenticate and the command would be rejected
236 by sudoers, it is now logged with "command not allowed" instead
237 of "N incorrect password attempts". Likewise, the "mail_no_perms"
238 sudoers option now takes precedence over "mail_badpass".
240 * The sudo manuals are now formatted using the mdoc macros. Versions
241 using the legacy man macros are provided for systems that lack mdoc.
243 * New support for Solaris privilege sets. This makes it possible
244 to specify fine-grained privileges in the sudoers file on Solaris
245 10 and above. A Runas_Spec that contains no Runas_Lists can be
246 used to give a user the ability to run a command as themselves
247 but with an expanded privilege set.
249 * Fixed a problem with the reboot and shutdown commands on some
250 systems (such as HP-UX and BSD). On these systems, reboot sends
251 all processes (except itself) SIGTERM. When sudo received
252 SIGTERM, it would relay it to the reboot process, thus killing
253 reboot before it had a chance to actually reboot the system.
255 * Support for using the System Security Services Daemon (SSSD) as
256 a source of sudoers data.
258 * Slovenian translation for sudo and sudoers from translationproject.org.
260 * Visudo will now warn about unknown Defaults entries that are
261 per-host, per-user, per-runas or per-command.
263 * Fixed a race condition that could cause sudo to receive SIGTTOU
264 (and stop) when resuming a shell that was run via sudo when I/O
265 logging (and use_pty) is not enabled.
267 * Sending SIGTSTP directly to the sudo process will now suspend the
268 running command when I/O logging (and use_pty) is not enabled.
270 What's new in Sudo 1.8.5p3?
272 * Fixed the loading of I/O plugins that conform to a plugin API
273 version older than 1.2.
275 What's new in Sudo 1.8.5p2?
277 * Fixed use of the SUDO_ASKPASS environment variable which was
278 broken in Sudo 1.8.5.
280 * Fixed a problem reading the sudoers file when the file mode is
281 more restrictive than the expected mode. For example, when the
282 expected sudoers file mode is 0440 but the actual mode is 0400.
284 What's new in Sudo 1.8.5p1?
286 * Fixed a bug that prevented files in an include directory from
289 What's new in Sudo 1.8.5?
291 * When "noexec" is enabled, sudo_noexec.so will now be prepended
292 to any existing LD_PRELOAD variable instead of replacing it.
294 * The sudo_noexec.so shared library now wraps the execvpe(),
295 exect(), posix_spawn() and posix_spawnp() functions.
297 * The user/group/mode checks on sudoers files have been relaxed.
298 As long as the file is owned by the sudoers uid, not world-writable
299 and not writable by a group other than the sudoers gid, the file
300 is considered OK. Note that visudo will still set the mode to
301 the value specified at configure time.
303 * It is now possible to specify the sudoers path, uid, gid and
304 file mode as options to the plugin in the sudo.conf file.
306 * Croatian, Galician, German, Lithuanian, Swedish and Vietnamese
307 translations from translationproject.org.
309 * /etc/environment is no longer read directly on Linux systems
310 when PAM is used. Sudo now merges the PAM environment into the
311 user's environment which is typically set by the pam_env module.
313 * The initial evironment created when env_reset is in effect now
314 includes the contents of /etc/environment on AIX systems and the
315 "setenv" and "path" entries from /etc/login.conf on BSD systems.
317 * The plugin API has been extended in three ways. First, options
318 specified in sudo.conf after the plugin pathname are passed to
319 the plugin's open function. Second, sudo has limited support
320 for hooks that can be used by plugins. Currently, the hooks are
321 limited to environment handling functions. Third, the init_session
322 policy plugin function is passed a pointer to the user environment
323 which can be updated during session setup. The plugin API version
324 has been incremented to version 1.2. See the sudo_plugin manual
325 for more information.
327 * The policy plugin's init_session function is now called by the
328 parent sudo process, not the child process that executes the
329 command. This allows the PAM session to be open and closed in
330 the same process, which some PAM modules require.
332 * Fixed parsing of "Path askpass" and "Path noexec" in sudo.conf,
333 which was broken in version 1.8.4.
335 * On systems with an SVR4-style /proc file system, the /proc/pid/psinfo
336 file is now uses to determine the controlling terminal, if possible.
337 This allows tty-based tickets to work properly even when, e.g.
338 standard input, output and error are redirected to /dev/null.
340 * The output of "sudoreplay -l" is now sorted by file name (or
341 sequence number). Previously, entries were displayed in the
342 order in which they were found on the file system.
344 * Sudo now behaves properly when I/O logging is enabled and the
345 controlling terminal is revoked (e.g. the running sshd is killed).
346 Previously, sudo may have exited without calling the I/O plugin's
347 close function which can lead to an incomplete I/O log.
349 * Sudo can now detect when a user has logged out and back in again
350 on Solaris 11, just like it can on Solaris 10.
352 * The built-in zlib included with Sudo has been upgraded to version
355 * Setting the SSL parameter to start_tls in ldap.conf now works
356 properly when using Mozilla-based SDKs that support the
357 ldap_start_tls_s() function.
359 * The TLS_CHECKPEER parameter in ldap.conf now works when the
360 Mozilla NSS crypto backend is used with OpenLDAP.
362 * A new group provider plugin, system_group, is included which
363 performs group look ups by name using the system groups database.
364 This can be used to restore the pre-1.7.3 sudo group lookup
367 What's new in Sudo 1.8.4p5?
369 * Fixed a bug when matching against an IP address with an associated
370 netmask in the sudoers file. In certain circumstances, this
371 could allow users to run commands on hosts they are not authorized
374 What's new in Sudo 1.8.4p4?
376 * Fixed a bug introduced in Sudo 1.8.4 which prevented "sudo -v"
379 What's new in Sudo 1.8.4p3?
381 * Fixed a crash on FreeBSD when no tty is present.
383 * Fixed a bug introduced in Sudo 1.8.4 that allowed users to
384 specify environment variables to set on the command line without
385 having sudo "ALL" permissions or the "SETENV" tag.
387 * When visudo is run with the -c (check) option, the sudoers
388 file(s) owner and mode are now also checked unless the -f option
391 What's new in Sudo 1.8.4p2?
393 * Fixed a bug introduced in Sudo 1.8.4 where insufficient space
394 was allocated for group IDs in the LDAP filter.
396 * Fixed a bug introduced in Sudo 1.8.4 where the path to sudo.conf
397 was "/sudo.conf" instead of "/etc/sudo.conf".
399 * Fixed a bug introduced in Sudo 1.8.4 which could cause a hang
400 when I/O logging is enabled and input is from a pipe or file.
402 What's new in Sudo 1.8.4p1?
404 * Fixed a bug introduced in sudo 1.8.4 that broke adding to or
405 deleting from the env_keep, env_check and env_delete lists in
406 sudoers on some platforms.
408 What's new in Sudo 1.8.4?
410 * The -D flag in sudo has been replaced with a more general debugging
411 framework that is configured in sudo.conf.
413 * Fixed a false positive in visudo strict mode when aliases are
416 * Fixed a crash with "sudo -i" when a runas group was specified
417 without a runas user.
419 * The line on which a syntax error is reported in the sudoers file
420 is now more accurate. Previously it was often off by a line.
422 * Fixed a bug where stack garbage could be printed at the end of
423 the lecture when the "lecture_file" option was enabled.
425 * "make install" now honors the LINGUAS environment variable.
427 * The #include and #includedir directives in sudoers now support
428 relative paths. If the path is not fully qualified it is expected
429 to be located in the same directory of the sudoers file that is
432 * Serbian and Spanish translations for sudo from translationproject.org.
434 * LDAP-based sudoers may now access by group ID in addition to
437 * visudo will now fix the mode on the sudoers file even if no changes
438 are made unless the -f option is specified.
440 * The "use_loginclass" sudoers option works properly again.
442 * On systems that use login.conf, "sudo -i" now sets environment
443 variables based on login.conf.
445 * For LDAP-based sudoers, values in the search expression are now
446 escaped as per RFC 4515.
448 * The plugin close function is now properly called when a login
449 session is killed (as opposed to the actual command being killed).
450 This can happen when an ssh session is disconnected or the
451 terminal window is closed.
453 * The deprecated "noexec_file" sudoers option is no longer supported.
455 * Fixed a race condition when I/O logging is not enabled that could
456 result in tty-generated signals (e.g. control-C) being received
457 by the command twice.
459 * If none of the standard input, output or error are connected to
460 a tty device, sudo will now check its parent's standard input,
461 output or error for the tty name on systems with /proc and BSD
462 systems that support the KERN_PROC_PID sysctl. This allows
463 tty-based tickets to work properly even when, e.g. standard
464 input, output and error are redirected to /dev/null.
466 * Added the --enable-kerb5-instance configure option to allow
467 people using Kerberos V authentication to specify a custom
468 instance so the principal name can be, e.g. "username/sudo"
469 similar to how ksu uses "username/root".
471 * Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in
472 the results, which would be incorrectly be interpreted as if the
473 sudoers file had specified a directory.
475 * "visudo -c" will now list any include files that were checked
476 in addition to the main sudoers file when everything parses OK.
478 * Users that only have read-only access to the sudoers file may
479 now run "visudo -c". Previously, write permissions were required
480 even though no writing is down in check-only mode.
482 * It is now possible to prevent the disabling of core dumps from
483 within sudo itself by adding a line to the sudo.conf file like
484 "Set disable_coredump false".
486 What's new in Sudo 1.8.3p2?
488 * Fixed a format string vulnerability when the sudo binary (or a
489 symbolic link to the sudo binary) contains printf format escapes
490 and the -D (debugging) flag is used.
492 What's new in Sudo 1.8.3p1?
494 * Fixed a crash in the monitor process on Solaris when NOPASSWD
495 was specified or when authentication was disabled.
497 * Fixed matching of a Runas_Alias in the group section of a
500 What's new in Sudo 1.8.3?
502 * Fixed expansion of strftime() escape sequences in the "log_dir"
505 * Esperanto, Italian and Japanese translations from translationproject.org.
507 * Sudo will now use PAM by default on AIX 6 and higher.
509 * Added --enable-werror configure option for gcc's -Werror flag.
511 * Visudo no longer assumes all editors support the +linenumber
512 command line argument. It now uses a whitelist of editors known
513 to support the option.
515 * Fixed matching of network addresses when a netmask is specified
516 but the address is not the first one in the CIDR block.
518 * The configure script now check whether or not errno.h declares
519 the errno variable. Previously, sudo would always declare errno
520 itself for older systems that don't declare it in errno.h.
522 * The NOPASSWD tag is now honored for denied commands too, which
523 matches historic sudo behavior (prior to sudo 1.7.0).
525 * Sudo now honors the "DEREF" setting in ldap.conf which controls
526 how alias dereferencing is done during an LDAP search.
528 * A symbol conflict with the pam_ssh_agent_auth PAM module that
529 would cause a crash been resolved.
531 * The inability to load a group provider plugin is no longer
534 * A potential crash in the utmp handling code has been fixed.
536 * Two PAM session issues have been resolved. In previous versions
537 of sudo, the PAM session was opened as one user and closed as
538 another. Additionally, if no authentication was performed, the
539 PAM session would never be closed.
541 * Sudo will now work correctly with LDAP-based sudoers using TLS
542 or SSL on Debian systems.
544 * The LOGNAME, USER and USERNAME environment variables are preserved
545 correctly again in sudoedit mode.
547 What's new in Sudo 1.8.2?
549 * Sudo, visudo, sudoreplay and the sudoers plug-in now have natural
550 language support (NLS). This can be disabled by passing configure
551 the --disable-nls option. Sudo will use gettext(), if available,
552 to display translated messages. All translations are coordinated
553 via The Translation Project, http://translationproject.org/.
555 * Plug-ins are now loaded with the RTLD_GLOBAL flag instead of
556 RTLD_LOCAL. This fixes missing symbol problems in PAM modules
557 on certain platforms, such as FreeBSD and SuSE Linux Enterprise.
559 * I/O logging is now supported for commands run in background mode
560 (using sudo's -b flag).
562 * Group ownership of the sudoers file is now only enforced when
563 the file mode on sudoers allows group readability or writability.
565 * Visudo now checks the contents of an alias and warns about cycles
566 when the alias is expanded.
568 * If the user specifies a group via sudo's -g option that matches
569 the target user's group in the password database, it is now
570 allowed even if no groups are present in the Runas_Spec.
572 * The sudo Makefiles now have more complete dependencies which are
573 automatically generated instead of being maintained manually.
575 * The "use_pty" sudoers option is now correctly passed back to the
576 sudo front end. This was missing in previous versions of sudo
577 1.8 which prevented "use_pty" from being honored.
579 * "sudo -i command" now works correctly with the bash version
580 2.0 and higher. Previously, the .bash_profile would not be
581 sourced prior to running the command unless bash was built with
582 NON_INTERACTIVE_LOGIN_SHELLS defined.
584 * When matching groups in the sudoers file, sudo will now match
585 based on the name of the group instead of the group ID. This can
586 substantially reduce the number of group lookups for sudoers
587 files that contain a large number of groups.
589 * Multi-factor authentication is now supported on AIX.
591 * Added support for non-RFC 4517 compliant LDAP servers that require
592 that seconds be present in a timestamp, such as Tivoli Directory Server.
594 * If the group vector is to be preserved, the PATH search for the
595 command is now done with the user's original group vector.
597 * For LDAP-based sudoers, the "runas_default" sudoOption now works
598 properly in a sudoRole that contains a sudoCommand.
600 * Spaces in command line arguments for "sudo -s" and "sudo -i" are
601 now escaped with a backslash when checking the security policy.
603 What's new in Sudo 1.8.1p2?
605 * Two-character CIDR-style IPv4 netmasks are now matched correctly
608 * A build error with MIT Kerberos V has been resolved.
610 * A crash on HP-UX in the sudoers plugin when wildcards are
611 present in the sudoers file has been resolved.
613 * Sudo now works correctly on Tru64 Unix again.
615 What's new in Sudo 1.8.1p1?
617 * Fixed a problem on AIX where sudo was unable to set the final
618 uid if the PAM module modified the effective uid.
620 * A non-existent includedir is now treated the same as an empty
621 directory and not reported as an error.
623 * Removed extraneous parens in LDAP filter when sudoers_search_filter
624 is enabled that can cause an LDAP search error.
626 * Fixed a "make -j" problem for "make install".
628 What's new in Sudo 1.8.1?
630 * A new LDAP setting, sudoers_search_filter, has been added to
631 ldap.conf. This setting can be used to restrict the set of
632 records returned by the LDAP query. Based on changes from Matthew
635 * White space is now permitted within a User_List when used in
636 conjunction with a per-user Defaults definition.
638 * A group ID (%#gid) may now be specified in a User_List or Runas_List.
639 Likewise, for non-Unix groups the syntax is %:#gid.
641 * Support for double-quoted words in the sudoers file has been fixed.
642 The change in 1.7.5 for escaping the double quote character
643 caused the double quoting to only be available at the beginning
646 * The fix for resuming a suspended shell in 1.7.5 caused problems
647 with resuming non-shells on Linux. Sudo will now save the process
648 group ID of the program it is running on suspend and restore it
649 when resuming, which fixes both problems.
651 * A bug that could result in corrupted output in "sudo -l" has been
654 * Sudo will now create an entry in the utmp (or utmpx) file when
655 allocating a pseudo-tty (e.g. when logging I/O). The "set_utmp"
656 and "utmp_runas" sudoers file options can be used to control this.
657 Other policy plugins may use the "set_utmp" and "utmp_user"
658 entries in the command_info list.
660 * The sudoers policy now stores the TSID field in the logs
661 even when the "iolog_file" sudoers option is defined to a value
662 other than %{sessid}. Previously, the TSID field was only
663 included in the log file when the "iolog_file" option was set
664 to its default value.
666 * The sudoreplay utility now supports arbitrary session IDs.
667 Previously, it would only work with the base-36 session IDs
668 that the sudoers plugin uses by default.
670 * Sudo now passes "run_shell=true" to the policy plugin in the
671 settings list when sudo's -s command line option is specified.
672 The sudoers policy plugin uses this to implement the "set_home"
673 sudoers option which was missing from sudo 1.8.0.
675 * The "noexec" functionality has been moved out of the sudoers
676 policy plugin and into the sudo front-end, which matches the
677 behavior documented in the plugin writer's guide. As a result,
678 the path to the noexec file is now specified in the sudo.conf
679 file instead of the sudoers file.
681 * On Solaris 10, the PRIV_PROC_EXEC privilege is now used to
682 implement the "noexec" feature. Previously, this was implemented
683 via the LD_PRELOAD environment variable.
685 * The exit values for "sudo -l", "sudo -v" and "sudo -l command"
686 have been fixed in the sudoers policy plugin.
688 * The sudoers policy plugin now passes the login class, if any,
689 back to the sudo front-end.
691 * The sudoers policy plugin was not being linked with requisite
692 libraries in certain configurations.
694 * Sudo now parses command line arguments before loading any plugins.
695 This allows "sudo -V" or "sudo -h" to work even if there is a problem
698 * Plugins are now linked with the static version of libgcc to allow
699 the plugin to run on a system where no shared libgcc is installed,
700 or where it is installed in a different location.
702 What's new in Sudo 1.8.0?
704 * Sudo has been refactored to use a modular framework that can
705 support third-party policy and I/O logging plugins. The default
706 plugin is "sudoers" which provides the traditional sudo functionality.
707 See the sudo_plugin manual for details on the plugin API and the
708 sample in the plugins directory for a simple example.
710 What's new in Sudo 1.7.5?
712 * When using visudo in check mode, a file named "-" may be used to
713 check sudoers data on the standard input.
715 * Sudo now only fetches shadow password entries when using the
716 password database directly for authentication.
718 * Password and group entries are now cached using the same key
719 that was used to look them up. This fixes a problem when looking
720 up entries by name if the name in the retrieved entry does not
721 match the name used to look it up. This may happen on some systems
722 that do case insensitive lookups or that truncate long names.
724 * GCC will no longer display warnings on glibc systems that use
725 the warn_unused_result attribute for write(2) and other system calls.
727 * If a PAM account management module denies access, sudo now prints
728 a more useful error message and stops trying to validate the user.
730 * Fixed a potential hang on idle systems when the sudo-run process
733 * Sudo now includes a copy of zlib that will be used on systems
734 that do not have zlib installed.
736 * The --with-umask-override configure flag has been added to enable
737 the "umask_override" sudoers Defaults option at build time.
739 * Sudo now unblocks all signals on startup to avoid problems caused
740 by the parent process changing the default signal mask.
742 * LDAP Sudoers entries may now specify a time period for which
743 the entry is valid. This requires an updated sudoers schema
744 that includes the sudoNotBefore and sudoNotAfter attributes.
745 Support for timed entries must be explicitly enabled in the
746 ldap.conf file. Based on changes from Andreas Mueller.
748 * LDAP Sudoers entries may now specify a sudoOrder attribute that
749 determines the order in which matching entries are applied. The
750 last matching entry is used, just like file-based sudoers. This
751 requires an updated sudoers schema that includes the sudoOrder
752 attribute. Based on changes from Andreas Mueller.
754 * When run as sudoedit, or when given the -e flag, sudo now treats
755 command line arguments as pathnames. This means that slashes
756 in the sudoers file entry must explicitly match slashes in
757 the command line arguments. As a result, and entry such as:
758 user ALL = sudoedit /etc/*
759 will allow editing of /etc/motd but not /etc/security/default.
761 * NETWORK_TIMEOUT is now an alias for BIND_TIMELIMIT in ldap.conf for
762 compatibility with OpenLDAP configuration files.
764 * The LDAP API TIMEOUT parameter is now honored in ldap.conf.
766 * The I/O log directory may now be specified in the sudoers file.
768 * Sudo will no longer refuse to run if the sudoers file is writable
771 * Sudo now performs command line escaping for "sudo -s" and "sudo -i"
772 after validating the command so the sudoers entries do not need
773 to include the backslashes.
775 * Logging and email sending are now done in the locale specified
776 by the "sudoers_locale" setting ("C" by default). Email send by
777 sudo now includes MIME headers when "sudoers_locale" is not "C".
779 * The configure script has a new option, --disable-env-reset, to
780 allow one to change the default for the sudoers Default setting
781 "env_reset" at compile time.
783 * When logging "sudo -l command", sudo will now prepend "list "
784 to the command in the log line to distinguish between an
785 actual command invocation in the logs.
787 * Double-quoted group and user names may now include escaped double
788 quotes as part of the name. Previously this was a parse error.
790 * Sudo once again restores the state of the signal handlers it
791 modifies before executing the command. This allows sudo to be
792 used with the nohup command.
794 * Resuming a suspended shell now works properly when I/O logging
795 is not enabled (the I/O logging case was already correct).
797 What's new in Sudo 1.7.4p6?
799 * A bug has been fixed in the I/O logging support that could cause
800 visual artifacts in full-screen programs such as text editors.
802 What's new in Sudo 1.7.4p5?
804 * A bug has been fixed that would allow a command to be run without the
805 user entering a password when sudo's -g flag is used without the -u flag.
807 * If user has no supplementary groups, sudo will now fall back on checking
808 the group file explicitly, which restores historic sudo behavior.
810 * A crash has been fixed when sudo's -g flag is used without the -u flag
811 and the sudoers file contains an entry with no runas user or group listed.
813 * A crash has been fixed when the Solaris project support is enabled
814 and sudo's -g flag is used without the -u flag.
816 * Sudo no longer exits with an error when support for auditing is
817 compiled in but auditing is not enabled.
819 * Fixed a bug introduced in sudo 1.7.3 where the ticket file was not
820 being honored when the "targetpw" sudoers Defaults option was enabled.
822 * The LOG_INPUT and LOG_OUTPUT tags in sudoers are now parsed correctly.
824 * A crash has been fixed in "sudo -l" when sudo is built with auditing
825 support and the user is not allowed to run any commands on the host.
827 What's new in Sudo 1.7.4p4?
829 * A potential security issue has been fixed with respect to the handling
830 of sudo's -g command line option when -u is also specified. The flaw
831 may allow an attacker to run commands as a user that is not authorized
834 * A bug has been fixed where "sudo -l" output was incomplete if multiple
835 sudoers sources were defined in nsswitch.conf and there was an error
836 querying one of the sources.
838 * The log_input, log_output, and use_pty sudoers options now work correctly
839 on AIX. Previously, sudo would hang if they were enabled.
841 * The "make install" target now works correctly when sudo is built in a
842 directory other than the source directory.
844 * The "runas_default" sudoers setting now works properly in a per-command
847 * Suspending and resuming the bash shell when PAM is in use now works
848 correctly. The SIGCONT signal was not propagated to the child process.
850 What's new in Sudo 1.7.4p3?
852 * A bug has been fixed where duplicate HOME environment variables could be
853 present when the env_reset setting was disabled and the always_set_home
854 setting was enabled in sudoers.
856 * The value of sysconfdir is now substituted into the path to the sudoers.d
857 directory in the installed sudoers file.
859 * Compilation problems on IRIX and other platforms have been fixed.
861 * If multiple PAM "auth" actions are specified and the user enters ^C at
862 the password prompt, sudo will no longer prompt for a password for any
863 subsequent "auth" actions. Previously it was necessary to enter ^C for
866 What's new in Sudo 1.7.4p2?
868 * A bug where sudo could spin in a busy loop waiting for the child process
871 What's new in Sudo 1.7.4p1?
873 * A bug introduced in sudo 1.7.3 that prevented the -k and -K options from
874 functioning when the tty_tickets sudoers option is enabled has been fixed.
876 * Sudo no longer prints a warning when the -k or -K options are specified
877 and the ticket file does not exist.
879 * It is now easier to cross-compile sudo.
881 What's new in Sudo 1.7.4?
883 * Sudoedit will now preserve the file extension in the name of the
884 temporary file being edited. The extension is used by some
885 editors (such as emacs) to choose the editing mode.
887 * Time stamp files have moved from /var/run/sudo to either /var/db/sudo,
888 /var/lib/sudo or /var/adm/sudo. The directories are checked for
889 existence in that order. This prevents users from receiving the
890 sudo lecture every time the system reboots. Time stamp files older
891 than the boot time are ignored on systems where it is possible to
894 * The tty_tickets sudoers option is now enabled by default.
896 * Ancillary documentation (README files, LICENSE, etc) is now installed
897 in a sudo documentation directory.
899 * Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile"
902 * Defaults settings that are tied to a user, host or command may
903 now include the negation operator. For example:
904 Defaults:!millert lecture
905 will match any user but millert.
907 * The default PATH environment variable, used when no PATH variable
908 exists, now includes /usr/sbin and /sbin.
910 * Sudo now uses polypkg (http://rc.quest.com/topics/polypkg/)
911 for cross-platform packing.
913 * On Linux, sudo will now restore the nproc resource limit before
914 executing a command, unless the limit appears to have been modified
915 by pam_limits. This avoids a problem with bash scripts that open
916 more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX)
917 will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1).
919 * The HOME and MAIL environment variables are now reset based on the
920 target user's password database entry when the env_reset sudoers option
921 is enabled (which is the case in the default configuration). Users
922 wishing to preserve the original values should use a sudoers entry like:
923 Defaults env_keep += HOME
924 to preserve the old value of HOME and
925 Defaults env_keep += MAIL
926 to preserve the old value of MAIL.
928 * Fixed a problem in the restoration of the AIX authdb registry setting.
930 * Sudo will now fork(2) and wait until the command has completed before
931 calling pam_close_session().
933 * The default syslog facility is now "authpriv" if the operating system
934 supports it, else "auth".
936 What's new in Sudo 1.7.3?
938 * Support for logging I/O for the command being run.
939 For more information, see the documentation for the "log_input"
940 and "log_output" Defaults options in the sudoers manual. Also
941 see the sudoreplay manual for how to replay I/O log sessions.
943 * The use_pty sudoers option can be used to force a command to be
944 run in a pseudo-pty, even when I/O logging is not enabled.
946 * On some systems, sudo can now detect when a user has logged out
947 and back in again when tty-based time stamps are in use. Supported
948 systems include Solaris systems with the devices file system,
949 Mac OS X, and Linux systems with the devpts filesystem (pseudo-ttys
952 * On AIX systems, the registry setting in /etc/security/user is
953 now taken into account when looking up users and groups. Sudo
954 now applies the correct the user and group ids when running a
955 command as a user whose account details come from a different
956 source (e.g. LDAP or DCE vs. local files).
958 * Support for multiple 'sudoers_base' and 'uri' entries in ldap.conf.
959 When multiple entries are listed, sudo will try each one in the
960 order in which they are specified.
962 * Sudo's SELinux support should now function correctly when running
963 commands as a non-root user and when one of stdin, stdout or stderr
966 * Sudo will now use the Linux audit system with configure with
967 the --with-linux-audit flag.
969 * Sudo now uses mbr_check_membership() on systems that support it
970 to determine group membership. Currently, only Darwin (Mac OS X)
973 * When the tty_tickets sudoers option is enabled but there is no
974 terminal device, sudo will no longer use or create a tty-based
975 ticket file. Previously, sudo would use a tty name of "unknown".
976 As a consequence, if a user has no terminal device, sudo will
977 now always prompt for a password.
979 * The passwd_timeout and timestamp_timeout options may now be
980 specified as floating point numbers for more granular timeout
983 * Negating the fqdn option in sudoers now works correctly when sudo
984 is configured with the --with-fqdn option. In previous versions
985 of sudo the fqdn was set before sudoers was parsed.
987 What's new in Sudo 1.7.2?
989 * A new #includedir directive is available in sudoers. This can be
990 used to implement an /etc/sudo.d directory. Files in an includedir
991 are not edited by visudo unless they contain a syntax error.
993 * The -g option did not work properly when only setting the group
994 (and not the user). Also, in -l mode the wrong user was displayed
995 for sudoers entries where only the group was allowed to be set.
997 * Fixed a problem with the alias checking in visudo which
998 could prevent visudo from exiting.
1000 * Sudo will now correctly parse the shell-style /etc/environment
1001 file format used by pam_env on Linux.
1003 * When doing password and group database lookups, sudo will only
1004 cache an entry by name or by id, depending on how the entry was
1005 looked up. Previously, sudo would cache by both name and id
1006 from a single lookup, but this breaks sites that have multiple
1007 password or group database names that map to the same uid or
1010 * User and group names in sudoers may now be enclosed in double
1011 quotes to avoid having to escape special characters.
1013 * BSM audit fixes when changing to a non-root uid.
1015 * Experimental non-Unix group support. Currently only works with
1016 Quest Authorization Services and allows Active Directory groups
1019 * For Netscape/Mozilla-derived LDAP SDKs the certificate and key
1020 paths may be specified as a directory or a file. However, version
1021 5.0 of the SDK only appears to support using a directory (despite
1022 documentation to the contrary). If SSL client initialization
1023 fails and the certificate or key paths look like they could be
1024 default file name, strip off the last path element and try again.
1026 * A setenv() compatibility fix for Linux systems, where a NULL
1027 value is treated the same as an empty string and the variable
1028 name is checked against the NULL pointer.
1030 What's new in Sudo 1.7.1?
1032 * A new Defaults option "pwfeedback" will cause sudo to provide visual
1033 feedback when the user is entering a password.
1035 * A new Defaults option "fast_glob" will cause sudo to use the fnmatch()
1036 function for file name globbing instead of glob(). When this option
1037 is enabled, sudo will not check the file system when expanding wildcards.
1038 This is faster but a side effect is that relative paths with wildcard
1039 will no longer work.
1041 * New BSM audit support for systems that support it such as FreeBSD
1044 * The file name specified with the #include directive may now include
1045 a %h escape which is expanded to the short form of hostname.
1047 * The -k flag may now be specified along with a command, causing the
1048 user's timestamp file to be ignored.
1050 * New support for Tivoli-based LDAP START_TLS, present in AIX.
1052 * New support for /etc/netsvc.conf on AIX.
1054 * The unused alias checks in visudo now handle the case of an alias
1055 referring to another alias.
1057 What's new in Sudo 1.7.0?
1059 * Rewritten parser that converts sudoers into a set of data structures.
1060 This eliminates a number of ordering issues and makes it possible to
1061 apply sudoers Defaults entries before searching for the command.
1062 It also adds support for per-command Defaults specifications.
1064 * Sudoers now supports a #include facility to allow the inclusion of other
1065 sudoers-format files.
1067 * Sudo's -l (list) flag has been enhanced:
1068 o applicable Defaults options are now listed
1069 o a command argument can be specified for testing whether a user
1070 may run a specific command.
1071 o a new -U flag can be used in conjunction with "sudo -l" to allow
1072 root (or a user with "sudo ALL") list another user's privileges.
1074 * A new -g flag has been added to allow the user to specify a
1075 primary group to run the command as. The sudoers syntax has been
1076 extended to include a group section in the Runas specification.
1078 * A uid may now be used anywhere a username is valid.
1080 * The "secure_path" run-time Defaults option has been restored.
1082 * Password and group data is now cached for fast lookups.
1084 * The file descriptor at which sudo starts closing all open files is now
1085 configurable via sudoers and, optionally, the command line.
1087 * Visudo will now warn about aliases that are defined but not used.
1089 * The -i and -s command line flags now take an optional command
1090 to be run via the shell. Previously, the argument was passed
1091 to the shell as a script to run.
1093 * Improved LDAP support. SASL authentication may now be used in
1094 conjunction when connecting to an LDAP server. The krb5_ccname
1095 parameter in ldap.conf may be used to enable Kerberos.
1097 * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
1098 to specify the sudoers order. E.g.:
1100 to check LDAP, then /etc/sudoers. The default is "files", even
1101 when LDAP support is compiled in. This differs from sudo 1.6
1102 where LDAP was always consulted first.
1104 * Support for /etc/environment on AIX and Linux. If sudo is run
1105 with the -i flag, the contents of /etc/environment are used to
1106 populate the new environment that is passed to the command being
1109 * If no terminal is available or if the new -A flag is specified,
1110 sudo will use a helper program to read the password if one is
1111 configured. Typically, this is a graphical password prompter
1112 such as ssh-askpass.
1114 * A new Defaults option, "mailfrom" that sets the value of the
1115 "From:" field in the warning/error mail. If unspecified, the
1116 login name of the invoking user is used.
1118 * A new Defaults option, "env_file" that refers to a file containing
1119 environment variables to be set in the command being run.
1121 * A new flag, -n, may be used to indicate that sudo should not
1122 prompt the user for a password and, instead, exit with an error
1123 if authentication is required.
1125 * If sudo needs to prompt for a password and it is unable to disable
1126 echo (and no askpass program is defined), it will refuse to run
1127 unless the "visiblepw" Defaults option has been specified.
1129 * Prior to version 1.7.0, hitting enter/return at the Password: prompt
1130 would exit sudo. In sudo 1.7.0 and beyond, this is treated as
1131 an empty password. To exit sudo, the user must press ^C or ^D
1134 * visudo will now check the sudoers file owner and mode in -c (check)
1135 mode when the -s (strict) flag is specified.
1137 * A new Defaults option "umask_override" will cause sudo to set the
1138 umask specified in sudoers even if it is more permissive than the
1139 invoking user's umask.