X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=NEWS;fp=NEWS;h=34e7b9a5830c75286fe111113223b1ed91f8783c;hb=6ad45aa23af5f5f3b54468937d6a13089201b891;hp=21d4e611454b46ad6bce4463d655242707835eb3;hpb=97bd3ae46779c69fcdab82d0c64bdf05be009ec3;p=debian%2Fsudo diff --git a/NEWS b/NEWS index 21d4e61..34e7b9a 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,609 @@ +What's new in Sudo 1.8.5p2? + + * Fixed use of the SUDO_ASKPASS environment variable which was + broken in Sudo 1.8.5. + + * Fixed a problem reading the sudoers file when the file mode is + more restrictive than the expected mode. For example, when the + expected sudoers file mode is 0440 but the actual mode is 0400. + +What's new in Sudo 1.8.5p1? + + * Fixed a bug that prevented files in an include directory from + being evaluated. + +What's new in Sudo 1.8.5? + + * When "noexec" is enabled, sudo_noexec.so will now be prepended + to any existing LD_PRELOAD variable instead of replacing it. + + * The sudo_noexec.so shared library now wraps the execvpe(), + exect(), posix_spawn() and posix_spawnp() functions. + + * The user/group/mode checks on sudoers files have been relaxed. + As long as the file is owned by the sudoers uid, not world-writable + and not writable by a group other than the sudoers gid, the file + is considered OK. Note that visudo will still set the mode to + the value specified at configure time. + + * It is now possible to specify the sudoers path, uid, gid and + file mode as options to the plugin in the sudo.conf file. + + * Croatian, Galician, German, Lithuanian, Swedish and Vietnamese + translations from translationproject.org. + + * /etc/environment is no longer read directly on Linux systems + when PAM is used. Sudo now merges the PAM environment into the + user's environment which is typically set by the pam_env module. + + * The initial evironment created when env_reset is in effect now + includes the contents of /etc/environment on AIX systems and the + "setenv" and "path" entries from /etc/login.conf on BSD systems. + + * The plugin API has been extended in three ways. First, options + specified in sudo.conf after the plugin pathname are passed to + the plugin's open function. Second, sudo has limited support + for hooks that can be used by plugins. Currently, the hooks are + limited to environment handling functions. Third, the init_session + policy plugin function is passed a pointer to the user environment + which can be updated during session setup. The plugin API version + has been incremented to version 1.2. See the sudo_plugin manual + for more information. + + * The policy plugin's init_session function is now called by the + parent sudo process, not the child process that executes the + command. This allows the PAM session to be open and closed in + the same process, which some PAM modules require. + + * Fixed parsing of "Path askpass" and "Path noexec" in sudo.conf, + which was broken in version 1.8.4. + + * On systems with an SVR4-style /proc file system, the /proc/pid/psinfo + file is now uses to determine the controlling terminal, if possible. + This allows tty-based tickets to work properly even when, e.g. + standard input, output and error are redirected to /dev/null. + + * The output of "sudoreplay -l" is now sorted by file name (or + sequence number). Previously, entries were displayed in the + order in which they were found on the file system. + + * Sudo now behaves properly when I/O logging is enabled and the + controlling terminal is revoked (e.g. the running sshd is killed). + Previously, sudo may have exited without calling the I/O plugin's + close function which can lead to an incomplete I/O log. + + * Sudo can now detect when a user has logged out and back in again + on Solaris 11, just like it can on Solaris 10. + + * The built-in zlib included with Sudo has been upgraded to version + 1.2.6. + + * Setting the SSL parameter to start_tls in ldap.conf now works + properly when using Mozilla-based SDKs that support the + ldap_start_tls_s() function. + + * The TLS_CHECKPEER parameter in ldap.conf now works when the + Mozilla NSS crypto backend is used with OpenLDAP. + + * A new group provider plugin, system_group, is included which + performs group look ups by name using the system groups database. + This can be used to restore the pre-1.7.3 sudo group lookup + behavior. + +What's new in Sudo 1.8.4p5? + + * Fixed a bug when matching against an IP address with an associated + netmask in the sudoers file. In certain circumstances, this + could allow users to run commands on hosts they are not authorized + for. + +What's new in Sudo 1.8.4p4? + + * Fixed a bug introduced in Sudo 1.8.4 which prevented "sudo -v" + from working. + +What's new in Sudo 1.8.4p3? + + * Fixed a crash on FreeBSD when no tty is present. + + * Fixed a bug introduced in Sudo 1.8.4 that allowed users to + specify environment variables to set on the command line without + having sudo "ALL" permissions or the "SETENV" tag. + + * When visudo is run with the -c (check) option, the sudoers + file(s) owner and mode are now also checked unless the -f option + was specified. + +What's new in Sudo 1.8.4p2? + + * Fixed a bug introduced in Sudo 1.8.4 where insufficient space + was allocated for group IDs in the LDAP filter. + + * Fixed a bug introduced in Sudo 1.8.4 where the path to sudo.conf + was "/sudo.conf" instead of "/etc/sudo.conf". + + * Fixed a bug introduced in Sudo 1.8.4 which could cause a hang + when I/O logging is enabled and input is from a pipe or file. + +What's new in Sudo 1.8.4p1? + + * Fixed a bug introduced in sudo 1.8.4 that broke adding to or + deleting from the env_keep, env_check and env_delete lists in + sudoers on some platforms. + +What's new in Sudo 1.8.4? + + * The -D flag in sudo has been replaced with a more general debugging + framework that is configured in sudo.conf. + + * Fixed a false positive in visudo strict mode when aliases are + in use. + + * Fixed a crash with "sudo -i" when a runas group was specified + without a runas user. + + * The line on which a syntax error is reported in the sudoers file + is now more accurate. Previously it was often off by a line. + + * Fixed a bug where stack garbage could be printed at the end of + the lecture when the "lecture_file" option was enabled. + + * "make install" now honors the LINGUAS environment variable. + + * The #include and #includedir directives in sudoers now support + relative paths. If the path is not fully qualified it is expected + to be located in the same directory of the sudoers file that is + including it. + + * Serbian and Spanish translations for sudo from translationproject.org. + + * LDAP-based sudoers may now access by group ID in addition to + group name. + + * visudo will now fix the mode on the sudoers file even if no changes + are made unless the -f option is specified. + + * The "use_loginclass" sudoers option works properly again. + + * On systems that use login.conf, "sudo -i" now sets environment + variables based on login.conf. + + * For LDAP-based sudoers, values in the search expression are now + escaped as per RFC 4515. + + * The plugin close function is now properly called when a login + session is killed (as opposed to the actual command being killed). + This can happen when an ssh session is disconnected or the + terminal window is closed. + + * The deprecated "noexec_file" sudoers option is no longer supported. + + * Fixed a race condition when I/O logging is not enabled that could + result in tty-generated signals (e.g. control-C) being received + by the command twice. + + * If none of the standard input, output or error are connected to + a tty device, sudo will now check its parent's standard input, + output or error for the tty name on systems with /proc and BSD + systems that support the KERN_PROC_PID sysctl. This allows + tty-based tickets to work properly even when, e.g. standard + input, output and error are redirected to /dev/null. + + * Added the --enable-kerb5-instance configure option to allow + people using Kerberos V authentication to specify a custom + instance so the principal name can be, e.g. "username/sudo" + similar to how ksu uses "username/root". + + * Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in + the results, which would be incorrectly be interpreted as if the + sudoers file had specified a directory. + + * "visudo -c" will now list any include files that were checked + in addition to the main sudoers file when everything parses OK. + + * Users that only have read-only access to the sudoers file may + now run "visudo -c". Previously, write permissions were required + even though no writing is down in check-only mode. + + * It is now possible to prevent the disabling of core dumps from + within sudo itself by adding a line to the sudo.conf file like + "Set disable_coredump false". + +What's new in Sudo 1.8.3p2? + + * Fixed a format string vulnerability when the sudo binary (or a + symbolic link to the sudo binary) contains printf format escapes + and the -D (debugging) flag is used. + +What's new in Sudo 1.8.3p1? + + * Fixed a crash in the monitor process on Solaris when NOPASSWD + was specified or when authentication was disabled. + + * Fixed matching of a Runas_Alias in the group section of a + Runas_Spec. + +What's new in Sudo 1.8.3? + + * Fixed expansion of strftime() escape sequences in the "log_dir" + sudoers setting. + + * Esperanto, Italian and Japanese translations from translationproject.org. + + * Sudo will now use PAM by default on AIX 6 and higher. + + * Added --enable-werror configure option for gcc's -Werror flag. + + * Visudo no longer assumes all editors support the +linenumber + command line argument. It now uses a whitelist of editors known + to support the option. + + * Fixed matching of network addresses when a netmask is specified + but the address is not the first one in the CIDR block. + + * The configure script now check whether or not errno.h declares + the errno variable. Previously, sudo would always declare errno + itself for older systems that don't declare it in errno.h. + + * The NOPASSWD tag is now honored for denied commands too, which + matches historic sudo behavior (prior to sudo 1.7.0). + + * Sudo now honors the "DEREF" setting in ldap.conf which controls + how alias dereferencing is done during an LDAP search. + + * A symbol conflict with the pam_ssh_agent_auth PAM module that + would cause a crash been resolved. + + * The inability to load a group provider plugin is no longer + a fatal error. + + * A potential crash in the utmp handling code has been fixed. + + * Two PAM session issues have been resolved. In previous versions + of sudo, the PAM session was opened as one user and closed as + another. Additionally, if no authentication was performed, the + PAM session would never be closed. + + * Sudo will now work correctly with LDAP-based sudoers using TLS + or SSL on Debian systems. + + * The LOGNAME, USER and USERNAME environment variables are preserved + correctly again in sudoedit mode. + +What's new in Sudo 1.8.2? + + * Sudo, visudo, sudoreplay and the sudoers plug-in now have natural + language support (NLS). This can be disabled by passing configure + the --disable-nls option. Sudo will use gettext(), if available, + to display translated messages. All translations are coordinated + via The Translation Project, http://translationproject.org/. + + * Plug-ins are now loaded with the RTLD_GLOBAL flag instead of + RTLD_LOCAL. This fixes missing symbol problems in PAM modules + on certain platforms, such as FreeBSD and SuSE Linux Enterprise. + + * I/O logging is now supported for commands run in background mode + (using sudo's -b flag). + + * Group ownership of the sudoers file is now only enforced when + the file mode on sudoers allows group readability or writability. + + * Visudo now checks the contents of an alias and warns about cycles + when the alias is expanded. + + * If the user specifies a group via sudo's -g option that matches + the target user's group in the password database, it is now + allowed even if no groups are present in the Runas_Spec. + + * The sudo Makefiles now have more complete dependencies which are + automatically generated instead of being maintained manually. + + * The "use_pty" sudoers option is now correctly passed back to the + sudo front end. This was missing in previous versions of sudo + 1.8 which prevented "use_pty" from being honored. + + * "sudo -i command" now works correctly with the bash version + 2.0 and higher. Previously, the .bash_profile would not be + sourced prior to running the command unless bash was built with + NON_INTERACTIVE_LOGIN_SHELLS defined. + + * When matching groups in the sudoers file, sudo will now match + based on the name of the group instead of the group ID. This can + substantially reduce the number of group lookups for sudoers + files that contain a large number of groups. + + * Multi-factor authentication is now supported on AIX. + + * Added support for non-RFC 4517 compliant LDAP servers that require + that seconds be present in a timestamp, such as Tivoli Directory Server. + + * If the group vector is to be preserved, the PATH search for the + command is now done with the user's original group vector. + + * For LDAP-based sudoers, the "runas_default" sudoOption now works + properly in a sudoRole that contains a sudoCommand. + + * Spaces in command line arguments for "sudo -s" and "sudo -i" are + now escaped with a backslash when checking the security policy. + +What's new in Sudo 1.8.1p2? + + * Two-character CIDR-style IPv4 netmasks are now matched correctly + in the sudoers file. + + * A build error with MIT Kerberos V has been resolved. + + * A crash on HP-UX in the sudoers plugin when wildcards are + present in the sudoers file has been resolved. + + * Sudo now works correctly on Tru64 Unix again. + +What's new in Sudo 1.8.1p1? + + * Fixed a problem on AIX where sudo was unable to set the final + uid if the PAM module modified the effective uid. + + * A non-existent includedir is now treated the same as an empty + directory and not reported as an error. + + * Removed extraneous parens in LDAP filter when sudoers_search_filter + is enabled that can cause an LDAP search error. + + * Fixed a "make -j" problem for "make install". + +What's new in Sudo 1.8.1? + + * A new LDAP setting, sudoers_search_filter, has been added to + ldap.conf. This setting can be used to restrict the set of + records returned by the LDAP query. Based on changes from Matthew + Thomas. + + * White space is now permitted within a User_List when used in + conjunction with a per-user Defaults definition. + + * A group ID (%#gid) may now be specified in a User_List or Runas_List. + Likewise, for non-Unix groups the syntax is %:#gid. + + * Support for double-quoted words in the sudoers file has been fixed. + The change in 1.7.5 for escaping the double quote character + caused the double quoting to only be available at the beginning + of an entry. + + * The fix for resuming a suspended shell in 1.7.5 caused problems + with resuming non-shells on Linux. Sudo will now save the process + group ID of the program it is running on suspend and restore it + when resuming, which fixes both problems. + + * A bug that could result in corrupted output in "sudo -l" has been + fixed. + + * Sudo will now create an entry in the utmp (or utmpx) file when + allocating a pseudo-tty (e.g. when logging I/O). The "set_utmp" + and "utmp_runas" sudoers file options can be used to control this. + Other policy plugins may use the "set_utmp" and "utmp_user" + entries in the command_info list. + + * The sudoers policy now stores the TSID field in the logs + even when the "iolog_file" sudoers option is defined to a value + other than %{sessid}. Previously, the TSID field was only + included in the log file when the "iolog_file" option was set + to its default value. + + * The sudoreplay utility now supports arbitrary session IDs. + Previously, it would only work with the base-36 session IDs + that the sudoers plugin uses by default. + + * Sudo now passes "run_shell=true" to the policy plugin in the + settings list when sudo's -s command line option is specified. + The sudoers policy plugin uses this to implement the "set_home" + sudoers option which was missing from sudo 1.8.0. + + * The "noexec" functionality has been moved out of the sudoers + policy plugin and into the sudo front-end, which matches the + behavior documented in the plugin writer's guide. As a result, + the path to the noexec file is now specified in the sudo.conf + file instead of the sudoers file. + + * On Solaris 10, the PRIV_PROC_EXEC privilege is now used to + implement the "noexec" feature. Previously, this was implemented + via the LD_PRELOAD environment variable. + + * The exit values for "sudo -l", "sudo -v" and "sudo -l command" + have been fixed in the sudoers policy plugin. + + * The sudoers policy plugin now passes the login class, if any, + back to the sudo front-end. + + * The sudoers policy plugin was not being linked with requisite + libraries in certain configurations. + + * Sudo now parses command line arguments before loading any plugins. + This allows "sudo -V" or "sudo -h" to work even if there is a problem + with sudo.conf + + * Plugins are now linked with the static version of libgcc to allow + the plugin to run on a system where no shared libgcc is installed, + or where it is installed in a different location. + +What's new in Sudo 1.8.0? + + * Sudo has been refactored to use a modular framework that can + support third-party policy and I/O logging plugins. The default + plugin is "sudoers" which provides the traditional sudo functionality. + See the sudo_plugin manual for details on the plugin API and the + sample in the plugins directory for a simple example. + +What's new in Sudo 1.7.5? + + * When using visudo in check mode, a file named "-" may be used to + check sudoers data on the standard input. + + * Sudo now only fetches shadow password entries when using the + password database directly for authentication. + + * Password and group entries are now cached using the same key + that was used to look them up. This fixes a problem when looking + up entries by name if the name in the retrieved entry does not + match the name used to look it up. This may happen on some systems + that do case insensitive lookups or that truncate long names. + + * GCC will no longer display warnings on glibc systems that use + the warn_unused_result attribute for write(2) and other system calls. + + * If a PAM account management module denies access, sudo now prints + a more useful error message and stops trying to validate the user. + + * Fixed a potential hang on idle systems when the sudo-run process + exits immediately. + + * Sudo now includes a copy of zlib that will be used on systems + that do not have zlib installed. + + * The --with-umask-override configure flag has been added to enable + the "umask_override" sudoers Defaults option at build time. + + * Sudo now unblocks all signals on startup to avoid problems caused + by the parent process changing the default signal mask. + + * LDAP Sudoers entries may now specify a time period for which + the entry is valid. This requires an updated sudoers schema + that includes the sudoNotBefore and sudoNotAfter attributes. + Support for timed entries must be explicitly enabled in the + ldap.conf file. Based on changes from Andreas Mueller. + + * LDAP Sudoers entries may now specify a sudoOrder attribute that + determines the order in which matching entries are applied. The + last matching entry is used, just like file-based sudoers. This + requires an updated sudoers schema that includes the sudoOrder + attribute. Based on changes from Andreas Mueller. + + * When run as sudoedit, or when given the -e flag, sudo now treats + command line arguments as pathnames. This means that slashes + in the sudoers file entry must explicitly match slashes in + the command line arguments. As a result, and entry such as: + user ALL = sudoedit /etc/* + will allow editing of /etc/motd but not /etc/security/default. + + * NETWORK_TIMEOUT is now an alias for BIND_TIMELIMIT in ldap.conf for + compatibility with OpenLDAP configuration files. + + * The LDAP API TIMEOUT parameter is now honored in ldap.conf. + + * The I/O log directory may now be specified in the sudoers file. + + * Sudo will no longer refuse to run if the sudoers file is writable + by root. + + * Sudo now performs command line escaping for "sudo -s" and "sudo -i" + after validating the command so the sudoers entries do not need + to include the backslashes. + + * Logging and email sending are now done in the locale specified + by the "sudoers_locale" setting ("C" by default). Email send by + sudo now includes MIME headers when "sudoers_locale" is not "C". + + * The configure script has a new option, --disable-env-reset, to + allow one to change the default for the sudoers Default setting + "env_reset" at compile time. + + * When logging "sudo -l command", sudo will now prepend "list " + to the command in the log line to distinguish between an + actual command invocation in the logs. + + * Double-quoted group and user names may now include escaped double + quotes as part of the name. Previously this was a parse error. + + * Sudo once again restores the state of the signal handlers it + modifies before executing the command. This allows sudo to be + used with the nohup command. + + * Resuming a suspended shell now works properly when I/O logging + is not enabled (the I/O logging case was already correct). + +What's new in Sudo 1.7.4p6? + + * A bug has been fixed in the I/O logging support that could cause + visual artifacts in full-screen programs such as text editors. + +What's new in Sudo 1.7.4p5? + + * A bug has been fixed that would allow a command to be run without the + user entering a password when sudo's -g flag is used without the -u flag. + + * If user has no supplementary groups, sudo will now fall back on checking + the group file explicitly, which restores historic sudo behavior. + + * A crash has been fixed when sudo's -g flag is used without the -u flag + and the sudoers file contains an entry with no runas user or group listed. + + * A crash has been fixed when the Solaris project support is enabled + and sudo's -g flag is used without the -u flag. + + * Sudo no longer exits with an error when support for auditing is + compiled in but auditing is not enabled. + + * Fixed a bug introduced in sudo 1.7.3 where the ticket file was not + being honored when the "targetpw" sudoers Defaults option was enabled. + + * The LOG_INPUT and LOG_OUTPUT tags in sudoers are now parsed correctly. + + * A crash has been fixed in "sudo -l" when sudo is built with auditing + support and the user is not allowed to run any commands on the host. + +What's new in Sudo 1.7.4p4? + + * A potential security issue has been fixed with respect to the handling + of sudo's -g command line option when -u is also specified. The flaw + may allow an attacker to run commands as a user that is not authorized + by the sudoers file. + + * A bug has been fixed where "sudo -l" output was incomplete if multiple + sudoers sources were defined in nsswitch.conf and there was an error + querying one of the sources. + + * The log_input, log_output, and use_pty sudoers options now work correctly + on AIX. Previously, sudo would hang if they were enabled. + + * The "make install" target now works correctly when sudo is built in a + directory other than the source directory. + + * The "runas_default" sudoers setting now works properly in a per-command + Defaults line. + + * Suspending and resuming the bash shell when PAM is in use now works + correctly. The SIGCONT signal was not propagated to the child process. + +What's new in Sudo 1.7.4p3? + + * A bug has been fixed where duplicate HOME environment variables could be + present when the env_reset setting was disabled and the always_set_home + setting was enabled in sudoers. + + * The value of sysconfdir is now substituted into the path to the sudoers.d + directory in the installed sudoers file. + + * Compilation problems on IRIX and other platforms have been fixed. + + * If multiple PAM "auth" actions are specified and the user enters ^C at + the password prompt, sudo will no longer prompt for a password for any + subsequent "auth" actions. Previously it was necessary to enter ^C for + each "auth" action. + +What's new in Sudo 1.7.4p2? + + * A bug where sudo could spin in a busy loop waiting for the child process + has been fixed. + +What's new in Sudo 1.7.4p1? + + * A bug introduced in sudo 1.7.3 that prevented the -k and -K options from + functioning when the tty_tickets sudoers option is enabled has been fixed. + + * Sudo no longer prints a warning when the -k or -K options are specified + and the ticket file does not exist. + + * It is now easier to cross-compile sudo. + What's new in Sudo 1.7.4? * Sudoedit will now preserve the file extension in the name of the