What's new in Sudo 1.7.0?
* Rewritten parser that converts sudoers into a set of data structures.
  This eliminates a number of ordering issues and makes it possible to
  apply sudoers Defaults entries before searching for the command.
  It also adds support for per-command Defaults specifications.
* Sudoers now supports a #include facility to allow the inclusion of other
* Sudo's -l (list) flag has been enhanced:
  o applicable Defaults options are now listed
  o a command argument can be specified for testing whether a user
    may run a specific command.
  o a new -U flag can be used in conjunction with "sudo -l" to allow
    root (or a user with "sudo ALL") to list another user's privileges.
* A new -g flag has been added to allow the user to specify a
  primary group to run the command as. The sudoers syntax has been
  extended to include a group section in the Runas specification.
* A uid may now be used anywhere a username is valid.
* The "secure_path" run-time Defaults option has been restored.
* Password and group data is now cached for fast lookups.
* The file descriptor at which sudo starts closing all open files is now
  configurable via sudoers and, optionally, the command line.
* Visudo will now warn about aliases that are defined but not used.
* The -i and -s command line flags now take an optional command
  to be run via the shell. Previously, the argument was passed
  to the shell as a script to run.
* Improved LDAP support. SASL authentication may now be used
  when connecting to an LDAP server. The krb5_ccname
  parameter in ldap.conf may be used to enable Kerberos.
* Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
  to specify the sudoers order. E.g.:
  to check LDAP, then /etc/sudoers. The default is "files", even
  when LDAP support is compiled in. This differs from sudo 1.6
  where LDAP was always consulted first.
* Support for /etc/environment on AIX and Linux. If sudo is run
  with the -i flag, the contents of /etc/environment are used to
  populate the new environment that is passed to the command being
* If no terminal is available or if the new -A flag is specified,
  sudo will use a helper program to read the password if one is
  configured. Typically, this is a graphical password prompter
* A new Defaults option, "mailfrom", that sets the value of the
  "From:" field in the warning/error mail. If unspecified, the
  login name of the invoking user is used.
* A new Defaults option, "env_file", that refers to a file containing
  environment variables to be set in the command being run.
* A new flag, -n, may be used to indicate that sudo should not
  prompt the user for a password and, instead, exit with an error
  if authentication is required.
* If sudo needs to prompt for a password and it is unable to disable
  echo (and no askpass program is defined), it will refuse to run
  unless the "visiblepw" Defaults option has been specified.
* Prior to version 1.7.0, hitting enter/return at the Password: prompt
  would exit sudo. In sudo 1.7.0 and beyond, this is treated as
  an empty password. To exit sudo, the user must press ^C or ^D
* visudo will now check the sudoers file owner and mode in -c (check)
  mode when the -s (strict) flag is specified.
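
Added example, not part of the sudo distribution or of this NEWS file: a stand-alone C check of a sudoers file's owner and mode, the two properties the visudo -c -s item above says are verified. The expected owner (uid 0) and mode (0440), and the function and flag names, are assumptions made for this example; the page does not state them.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Assumed expectations (not stated on the page): owner uid 0, mode 0440. */
#define EXPECT_UID  0
#define EXPECT_MODE 0440

#define BAD_STAT  0x1   /* file missing or metadata unreadable */
#define BAD_TYPE  0x2   /* not a regular file */
#define BAD_OWNER 0x4   /* owned by an unexpected uid */
#define BAD_MODE  0x8   /* permission bits differ from the expected mode */

/* Returns 0 when the file passes, otherwise a bitmask of BAD_* flags. */
int check_sudoers_perms(const char *path, uid_t uid, mode_t mode)
{
    struct stat sb;
    int problems = 0;

    if (stat(path, &sb) != 0)
        return BAD_STAT;
    if (!S_ISREG(sb.st_mode))
        problems |= BAD_TYPE;
    if (sb.st_uid != uid)
        problems |= BAD_OWNER;
    /* Compare every permission bit, including setuid, setgid and sticky. */
    if ((sb.st_mode & 07777) != mode)
        problems |= BAD_MODE;
    return problems;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/sudoers";
    int rc = check_sudoers_perms(path, EXPECT_UID, EXPECT_MODE);

    if (rc & BAD_STAT)
        fprintf(stderr, "%s: %s\n", path, strerror(errno));
    if (rc & BAD_TYPE)
        fprintf(stderr, "%s: not a regular file\n", path);
    if (rc & BAD_OWNER)
        fprintf(stderr, "%s: wrong owner, expected uid %d\n", path, EXPECT_UID);
    if (rc & BAD_MODE)
        fprintf(stderr, "%s: wrong mode, expected 0%o\n", path, (unsigned)EXPECT_MODE);
    return rc ? 1 : 0;
}
```

The exit status is 0 only when every check passes, so the program can gate a configuration-management or CI step that installs a sudoers file.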