1 What's new in Sudo 1.7.6p1
3 * A non-existent includedir is now treated the same as an empty
4 directory and not reported as an error.
6 * Removed extraneous parens in LDAP filter when sudoers_search_filter
7 is enabled that can cause an LDAP search error.
9 What's new in Sudo 1.7.6?
11 * A new LDAP setting, sudoers_search_filter, has been added to
12 ldap.conf. This setting can be used to restrict the set of
13 records returned by the LDAP query. Based on changes from Matthew
16 * White space is now permitted within a User_List when used in
17 conjunction with a per-user Defaults definition.
19 * A group ID (%#gid) may now be specified in a User_List or Runas_List.
20 Likewise, for non-Unix groups the syntax is %:#gid.
22 * Support for double-quoted words in the sudoers file has been fixed.
23 The change in 1.7.5 for escaping the double quote character
24 caused the double quoting to only be available at the beginning
27 * The fix for resuming a suspended shell in 1.7.5 caused problems
28 with resuming non-shells on Linux. Sudo will now save the process
29 group ID of the program it is running on suspend and restore it
30 when resuming, which fixes both problems.
32 * A bug that could result in corrupted output in "sudo -l" has been
35 What's new in Sudo 1.7.5?
37 * When using visudo in check mode, a file named "-" may be used to
38 check sudoers data on the standard input.
40 * Sudo now only fetches shadow password entries when using the
41 password database directly for authentication.
43 * Password and group entries are now cached using the same key
44 that was used to look them up. This fixes a problem when looking
45 up entries by name if the name in the retrieved entry does not
46 match the name used to look it up. This may happen on some systems
47 that do case insensitive lookups or that truncate long names.
49 * GCC will no longer display warnings on glibc systems that use
50 the warn_unused_result attribute for write(2) and other system calls.
52 * If a PAM account management module denies access, sudo now prints
53 a more useful error message and stops trying to validate the user.
55 * Fixed a potential hang on idle systems when the sudo-run process
58 * Sudo now includes a copy of zlib that will be used on systems
59 that do not have zlib installed.
61 * The --with-umask-override configure flag has been added to enable
62 the "umask_override" sudoers Defaults option at build time.
64 * Sudo now unblocks all signals on startup to avoid problems caused
65 by the parent process changing the default signal mask.
67 * LDAP Sudoers entries may now specify a time period for which
68 the entry is valid. This requires an updated sudoers schema
69 that includes the sudoNotBefore and sudoNotAfter attributes.
70 Support for timed entries must be explicitly enabled in the
71 ldap.conf file. Based on changes from Andreas Mueller.
73 * LDAP Sudoers entries may now specify a sudoOrder attribute that
74 determines the order in which matching entries are applied. The
75 last matching entry is used, just like file-based sudoers. This
76 requires an updated sudoers schema that includes the sudoOrder
77 attribute. Based on changes from Andreas Mueller.
79 * When run as sudoedit, or when given the -e flag, sudo now treats
80 command line arguments as pathnames. This means that slashes
81 in the sudoers file entry must explicitly match slashes in
82 the command line arguments. As a result, and entry such as:
83 user ALL = sudoedit /etc/*
84 will allow editing of /etc/motd but not /etc/security/default.
86 * NETWORK_TIMEOUT is now an alias for BIND_TIMELIMIT in ldap.conf for
87 compatibility with OpenLDAP configuration files.
89 * The LDAP API TIMEOUT parameter is now honored in ldap.conf.
91 * The I/O log directory may now be specified in the sudoers file.
93 * Sudo will no longer refuse to run if the sudoers file is writable
96 * Sudo now performs command line escaping for "sudo -s" and "sudo -i"
97 after validating the command so the sudoers entries do not need
98 to include the backslashes.
100 * Logging and email sending are now done in the locale specified
101 by the "sudoers_locale" setting ("C" by default). Email send by
102 sudo now includes MIME headers when "sudoers_locale" is not "C".
104 * The configure script has a new option, --disable-env-reset, to
105 allow one to change the default for the sudoers Default setting
106 "env_reset" at compile time.
108 * When logging "sudo -l command", sudo will now prepend "list "
109 to the command in the log line to distinguish between an
110 actual command invocation in the logs.
112 * Double-quoted group and user names may now include escaped double
113 quotes as part of the name. Previously this was a parse error.
115 * Sudo once again restores the state of the signal handlers it
116 modifies before executing the command. This allows sudo to be
117 used with the nohup command.
119 * Resuming a suspended shell now works properly when I/O logging
120 is not enabled (the I/O logging case was already correct).
122 What's new in Sudo 1.7.4p6?
124 * A bug has been fixed in the I/O logging support that could cause
125 visual artifacts in full-screen programs such as text editors.
127 What's new in Sudo 1.7.4p5?
129 * A bug has been fixed that would allow a command to be run without the
130 user entering a password when sudo's -g flag is used without the -u flag.
132 * If user has no supplementary groups, sudo will now fall back on checking
133 the group file explicitly, which restores historic sudo behavior.
135 * A crash has been fixed when sudo's -g flag is used without the -u flag
136 and the sudoers file contains an entry with no runas user or group listed.
138 * A crash has been fixed when the Solaris project support is enabled
139 and sudo's -g flag is used without the -u flag.
141 * Sudo no longer exits with an error when support for auditing is
142 compiled in but auditing is not enabled.
144 * Fixed a bug introduced in sudo 1.7.3 where the ticket file was not
145 being honored when the "targetpw" sudoers Defaults option was enabled.
147 * The LOG_INPUT and LOG_OUTPUT tags in sudoers are now parsed correctly.
149 * A crash has been fixed in "sudo -l" when sudo is built with auditing
150 support and the user is not allowed to run any commands on the host.
152 What's new in Sudo 1.7.4p4?
154 * A potential security issue has been fixed with respect to the handling
155 of sudo's -g command line option when -u is also specified. The flaw
156 may allow an attacker to run commands as a user that is not authorized
159 * A bug has been fixed where "sudo -l" output was incomplete if multiple
160 sudoers sources were defined in nsswitch.conf and there was an error
161 querying one of the sources.
163 * The log_input, log_output, and use_pty sudoers options now work correctly
164 on AIX. Previously, sudo would hang if they were enabled.
166 * The "make install" target now works correctly when sudo is built in a
167 directory other than the source directory.
169 * The "runas_default" sudoers setting now works properly in a per-command
172 * Suspending and resuming the bash shell when PAM is in use now works
173 correctly. The SIGCONT signal was not propagated to the child process.
175 What's new in Sudo 1.7.4p3?
177 * A bug has been fixed where duplicate HOME environment variables could be
178 present when the env_reset setting was disabled and the always_set_home
179 setting was enabled in sudoers.
181 * The value of sysconfdir is now substituted into the path to the sudoers.d
182 directory in the installed sudoers file.
184 * Compilation problems on IRIX and other platforms have been fixed.
186 * If multiple PAM "auth" actions are specified and the user enters ^C at
187 the password prompt, sudo will no longer prompt for a password for any
188 subsequent "auth" actions. Previously it was necessary to enter ^C for
191 What's new in Sudo 1.7.4p2?
193 * A bug where sudo could spin in a busy loop waiting for the child process
196 What's new in Sudo 1.7.4p1?
198 * A bug introduced in sudo 1.7.3 that prevented the -k and -K options from
199 functioning when the tty_tickets sudoers option is enabled has been fixed.
201 * Sudo no longer prints a warning when the -k or -K options are specified
202 and the ticket file does not exist.
204 * It is now easier to cross-compile sudo.
206 What's new in Sudo 1.7.4?
208 * Sudoedit will now preserve the file extension in the name of the
209 temporary file being edited. The extension is used by some
210 editors (such as emacs) to choose the editing mode.
212 * Time stamp files have moved from /var/run/sudo to either /var/db/sudo,
213 /var/lib/sudo or /var/adm/sudo. The directories are checked for
214 existence in that order. This prevents users from receiving the
215 sudo lecture every time the system reboots. Time stamp files older
216 than the boot time are ignored on systems where it is possible to
219 * The tty_tickets sudoers option is now enabled by default.
221 * Ancillary documentation (README files, LICENSE, etc) is now installed
222 in a sudo documentation directory.
224 * Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile"
227 * Defaults settings that are tied to a user, host or command may
228 now include the negation operator. For example:
229 Defaults:!millert lecture
230 will match any user but millert.
232 * The default PATH environment variable, used when no PATH variable
233 exists, now includes /usr/sbin and /sbin.
235 * Sudo now uses polypkg (http://rc.quest.com/topics/polypkg/)
236 for cross-platform packing.
238 * On Linux, sudo will now restore the nproc resource limit before
239 executing a command, unless the limit appears to have been modified
240 by pam_limits. This avoids a problem with bash scripts that open
241 more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX)
242 will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1).
244 * The HOME and MAIL environment variables are now reset based on the
245 target user's password database entry when the env_reset sudoers option
246 is enabled (which is the case in the default configuration). Users
247 wishing to preserve the original values should use a sudoers entry like:
248 Defaults env_keep += HOME
249 to preserve the old value of HOME and
250 Defaults env_keep += MAIL
251 to preserve the old value of MAIL.
253 * Fixed a problem in the restoration of the AIX authdb registry setting.
255 * Sudo will now fork(2) and wait until the command has completed before
256 calling pam_close_session().
258 * The default syslog facility is now "authpriv" if the operating system
259 supports it, else "auth".
261 What's new in Sudo 1.7.3?
263 * Support for logging I/O for the command being run.
264 For more information, see the documentation for the "log_input"
265 and "log_output" Defaults options in the sudoers manual. Also
266 see the sudoreplay manual for how to replay I/O log sessions.
268 * The use_pty sudoers option can be used to force a command to be
269 run in a pseudo-pty, even when I/O logging is not enabled.
271 * On some systems, sudo can now detect when a user has logged out
272 and back in again when tty-based time stamps are in use. Supported
273 systems include Solaris systems with the devices file system,
274 Mac OS X, and Linux systems with the devpts filesystem (pseudo-ttys
277 * On AIX systems, the registry setting in /etc/security/user is
278 now taken into account when looking up users and groups. Sudo
279 now applies the correct the user and group ids when running a
280 command as a user whose account details come from a different
281 source (e.g. LDAP or DCE vs. local files).
283 * Support for multiple 'sudoers_base' and 'uri' entries in ldap.conf.
284 When multiple entries are listed, sudo will try each one in the
285 order in which they are specified.
287 * Sudo's SELinux support should now function correctly when running
288 commands as a non-root user and when one of stdin, stdout or stderr
291 * Sudo will now use the Linux audit system with configure with
292 the --with-linux-audit flag.
294 * Sudo now uses mbr_check_membership() on systems that support it
295 to determine group membership. Currently, only Darwin (Mac OS X)
298 * When the tty_tickets sudoers option is enabled but there is no
299 terminal device, sudo will no longer use or create a tty-based
300 ticket file. Previously, sudo would use a tty name of "unknown".
301 As a consequence, if a user has no terminal device, sudo will
302 now always prompt for a password.
304 * The passwd_timeout and timestamp_timeout options may now be
305 specified as floating point numbers for more granular timeout
308 * Negating the fqdn option in sudoers now works correctly when sudo
309 is configured with the --with-fqdn option. In previous versions
310 of sudo the fqdn was set before sudoers was parsed.
312 What's new in Sudo 1.7.2?
314 * A new #includedir directive is available in sudoers. This can be
315 used to implement an /etc/sudo.d directory. Files in an includedir
316 are not edited by visudo unless they contain a syntax error.
318 * The -g option did not work properly when only setting the group
319 (and not the user). Also, in -l mode the wrong user was displayed
320 for sudoers entries where only the group was allowed to be set.
322 * Fixed a problem with the alias checking in visudo which
323 could prevent visudo from exiting.
325 * Sudo will now correctly parse the shell-style /etc/environment
326 file format used by pam_env on Linux.
328 * When doing password and group database lookups, sudo will only
329 cache an entry by name or by id, depending on how the entry was
330 looked up. Previously, sudo would cache by both name and id
331 from a single lookup, but this breaks sites that have multiple
332 password or group database names that map to the same uid or
335 * User and group names in sudoers may now be enclosed in double
336 quotes to avoid having to escape special characters.
338 * BSM audit fixes when changing to a non-root uid.
340 * Experimental non-Unix group support. Currently only works with
341 Quest Authorization Services and allows Active Directory groups
344 * For Netscape/Mozilla-derived LDAP SDKs the certificate and key
345 paths may be specified as a directory or a file. However, version
346 5.0 of the SDK only appears to support using a directory (despite
347 documentation to the contrary). If SSL client initialization
348 fails and the certificate or key paths look like they could be
349 default file name, strip off the last path element and try again.
351 * A setenv() compatibility fix for Linux systems, where a NULL
352 value is treated the same as an empty string and the variable
353 name is checked against the NULL pointer.
355 What's new in Sudo 1.7.1?
357 * A new Defaults option "pwfeedback" will cause sudo to provide visual
358 feedback when the user is entering a password.
360 * A new Defaults option "fast_glob" will cause sudo to use the fnmatch()
361 function for file name globbing instead of glob(). When this option
362 is enabled, sudo will not check the file system when expanding wildcards.
363 This is faster but a side effect is that relative paths with wildcard
366 * New BSM audit support for systems that support it such as FreeBSD
369 * The file name specified with the #include directive may now include
370 a %h escape which is expanded to the short form of hostname.
372 * The -k flag may now be specified along with a command, causing the
373 user's timestamp file to be ignored.
375 * New support for Tivoli-based LDAP START_TLS, present in AIX.
377 * New support for /etc/netsvc.conf on AIX.
379 * The unused alias checks in visudo now handle the case of an alias
380 referring to another alias.
382 What's new in Sudo 1.7.0?
384 * Rewritten parser that converts sudoers into a set of data structures.
385 This eliminates a number of ordering issues and makes it possible to
386 apply sudoers Defaults entries before searching for the command.
387 It also adds support for per-command Defaults specifications.
389 * Sudoers now supports a #include facility to allow the inclusion of other
390 sudoers-format files.
392 * Sudo's -l (list) flag has been enhanced:
393 o applicable Defaults options are now listed
394 o a command argument can be specified for testing whether a user
395 may run a specific command.
396 o a new -U flag can be used in conjunction with "sudo -l" to allow
397 root (or a user with "sudo ALL") list another user's privileges.
399 * A new -g flag has been added to allow the user to specify a
400 primary group to run the command as. The sudoers syntax has been
401 extended to include a group section in the Runas specification.
403 * A uid may now be used anywhere a username is valid.
405 * The "secure_path" run-time Defaults option has been restored.
407 * Password and group data is now cached for fast lookups.
409 * The file descriptor at which sudo starts closing all open files is now
410 configurable via sudoers and, optionally, the command line.
412 * Visudo will now warn about aliases that are defined but not used.
414 * The -i and -s command line flags now take an optional command
415 to be run via the shell. Previously, the argument was passed
416 to the shell as a script to run.
418 * Improved LDAP support. SASL authentication may now be used in
419 conjunction when connecting to an LDAP server. The krb5_ccname
420 parameter in ldap.conf may be used to enable Kerberos.
422 * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
423 to specify the sudoers order. E.g.:
425 to check LDAP, then /etc/sudoers. The default is "files", even
426 when LDAP support is compiled in. This differs from sudo 1.6
427 where LDAP was always consulted first.
429 * Support for /etc/environment on AIX and Linux. If sudo is run
430 with the -i flag, the contents of /etc/environment are used to
431 populate the new environment that is passed to the command being
434 * If no terminal is available or if the new -A flag is specified,
435 sudo will use a helper program to read the password if one is
436 configured. Typically, this is a graphical password prompter
439 * A new Defaults option, "mailfrom" that sets the value of the
440 "From:" field in the warning/error mail. If unspecified, the
441 login name of the invoking user is used.
443 * A new Defaults option, "env_file" that refers to a file containing
444 environment variables to be set in the command being run.
446 * A new flag, -n, may be used to indicate that sudo should not
447 prompt the user for a password and, instead, exit with an error
448 if authentication is required.
450 * If sudo needs to prompt for a password and it is unable to disable
451 echo (and no askpass program is defined), it will refuse to run
452 unless the "visiblepw" Defaults option has been specified.
454 * Prior to version 1.7.0, hitting enter/return at the Password: prompt
455 would exit sudo. In sudo 1.7.0 and beyond, this is treated as
456 an empty password. To exit sudo, the user must press ^C or ^D
459 * visudo will now check the sudoers file owner and mode in -c (check)
460 mode when the -s (strict) flag is specified.
462 * A new Defaults option "umask_override" will cause sudo to set the
463 umask specified in sudoers even if it is more permissive than the
464 invoking user's umask.