diff options
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 3312 |
1 files changed, 3312 insertions, 0 deletions
@@ -0,0 +1,3312 @@ +What's new in Sudo 1.9.5p2 + + * Fixed sudo's setprogname(3) emulation on systems that don't + provide it. + + * Fixed a problem with the sudoers log server client where a partial + write to the server could result the sudo process consuming large + amounts of CPU time due to a cycle in the buffer queue. Bug #954. + + * Added a missing dependency on libsudo_util in libsudo_eventlog. + Fixes a link error when building sudo statically. + + * The user's KRB5CCNAME environment variable is now preserved when + performing PAM authentication. This fixes GSSAPI authentication + when the user has a non-default ccache. + + * When invoked as sudoedit, the same set of command line options + are now accepted as for "sudo -e". The -H and -P options are + now rejected for sudoedit and "sudo -e" which matches the sudo + 1.7 behavior. This is part of the fix for CVE-2021-3156. + + * Fixed a potential buffer overflow when unescaping backslashes + in the command's arguments. Normally, sudo escapes special + characters when running a command via a shell (sudo -s or sudo + -i). However, it was also possible to run sudoedit with the -s + or -i flags in which case no escaping had actually been done, + making a buffer overflow possible. This fixes CVE-2021-3156. + +What's new in Sudo 1.9.5p1 + + * Fixed a regression introduced in sudo 1.9.5 where the editor run + by sudoedit was set-user-ID root unless SELinux RBAC was in use. + The editor is now run with the user's real and effective user-IDs. + +What's new in Sudo 1.9.5 + + * Fixed a crash introduced in 1.9.4 when running "sudo -i" as an + unknown user. This is related to but distinct from Bug #948. + + * If the "lecture_file" setting is enabled in sudoers, it must now + refer to a regular file or a symbolic link to a regular file. + + * Fixed a potential use-after-free bug in sudo_logsrvd when the + server shuts down if there are existing connections from clients + that are only logging events and not session I/O data. + + * Fixed a buffer size mismatch when serializing the list of IP + addresses for configured network interfaces. This bug is not + actually exploitable since the allocated buffer is large enough + to hold the list of addresses. + + * If sudo is executed with a name other than "sudo" or "sudoedit", + it will now fall back to "sudo" as the program name. This affects + warning, help and usage messages as well as the matching of Debug + lines in the /etc/sudo.conf file. Previously, it was possible + for the invoking user to manipulate the program name by setting + argv[0] to an arbitrary value when executing sudo. + + * Sudo now checks for failure when setting the close-on-exec flag + on open file descriptors. This should never fail but, if it + were to, there is the possibility of a file descriptor leak to + a child process (such as the command sudo runs). + + * Fixed CVE-2021-23239, a potential information leak in sudoedit + that could be used to test for the existence of directories not + normally accessible to the user in certain circumstances. When + creating a new file, sudoedit checks to make sure the parent + directory of the new file exists before running the editor. + However, a race condition exists if the invoking user can replace + (or create) the parent directory. If a symbolic link is created + in place of the parent directory, sudoedit will run the editor + as long as the target of the link exists. If the target of the + link does not exist, an error message will be displayed. The + race condition can be used to test for the existence of an + arbitrary directory. However, it _cannot_ be used to write to + an arbitrary location. + + * Fixed CVE-2021-23240, a flaw in the temporary file handling of + sudoedit's SELinux RBAC support. On systems where SELinux is + enabled, a user with sudoedit permissions may be able to set the + owner of an arbitrary file to the user-ID of the target user. + On Linux kernels that support "protected symlinks", setting + /proc/sys/fs/protected_symlinks to 1 will prevent the bug from + being exploited. For more information see + https://www.sudo.ws/alerts/sudoedit_selinux.html. + + * Added writability checks for sudoedit when SELinux RBAC is in use. + This makes sudoedit behavior consistent regardless of whether + or not SELinux RBAC is in use. Previously, the "sudoedit_checkdir" + setting had no effect for RBAC entries. + + * A new sudoers option "selinux" can be used to disable sudo's + SELinux RBAC support. + + * Quieted warnings from PVS Studio, clang analyzer, and cppcheck. + Added suppression annotations for PVS Studio false positives. + +What's new in Sudo 1.9.4p2 + + * Fixed a bug introduced in sudo 1.9.4p1 which could lead to a crash + if the sudoers file contains a runas user-specific Defaults entry. + Bug #951. + +What's new in Sudo 1.9.4p1 + + * Sudo on macOS now supports users with more than 16 groups without + needing to set "group_source" to "dynamic" in /etc/sudo.conf. + Previously, only the first 15 were used when matching group-based + rules in sudoers. Bug #946. + + * Fixed a regression introduced in version 1.9.4 where sudo would + not build when configured using the --without-sendmail option. + Bug #947. + + * Fixed a problem where if I/O logging was disabled and sudo was + unable to connect to sudo_logsrvd, the command would still be + allowed to run even when the "ignore_logfile_errors" sudoers + option was enabled. + + * Fixed a crash introduced in version 1.9.4 when attempting to run + a command as a non-existent user. Bug #948. + + * The installed sudo.conf file now has the default sudoers Plugin + lines commented out. This fixes a potential conflict when there + is both a system-installed version of sudo and a user-installed + version. GitHub issue #75. + + * Fixed a regression introduced in sudo 1.9.4 where sudo would run + the command as a child process even when a pseudo-terminal was + not in use and the "pam_session" and "pam_setcred" options were + disabled. GitHub issue #76. + + * Fixed a regression introduced in sudo 1.8.9 where the "closefrom" + sudoers option could not be set to a value of 3. Bug #950. + +What's new in Sudo 1.9.4 + + * The sudoers parser will now detect when an upper-case reserved + word is used when declaring an alias. Now instead of "syntax + error, unexpected CHROOT, expecting ALIAS" the message will be + "syntax error, reserved word CHROOT used as an alias name". + Bug #941. + + * Better handling of sudoers files without a final newline. + The parser now adds a newline at end-of-file automatically which + removes the need for special cases in the parser. + + * Fixed a regression introduced in sudo 1.9.1 in the sssd back-end + where an uninitialized pointer could be freed on an error path. + GitHub issue #67. + + * The core logging code is now shared between sudo_logsrvd and + the sudoers plugin. + + * JSON log entries sent to syslog now use "minimal" JSON which + skips all non-essential white space. + + * The sudoers plugin can now produce JSON-formatted logs. The + "log_format" sudoers option can be used to select sudo or json + format logs. The default is sudo format logs. + + * The sudoers plugin and visudo now display the column number in + syntax error messages in addition to the line number. Bug #841. + + * If I/O logging is not enabled but "log_servers" is set, the + sudoers plugin will now log accept events to sudo_logsrvd. + Previously, the accept event was only sent when I/O logging was + enabled. The sudoers plugin now sends reject and alert events too. + + * The sudo logsrv protocol has been extended to allow an AlertMessage + to contain an optional array of InfoMessage, as AcceptMessage + and RejectMessage already do. + + * Fixed a bug in sudo_logsrvd where receipt of SIGHUP would result + in duplicate entries in the debug log when debugging was enabled. + + * The visudo utility now supports EDITOR environment variables + that use single or double quotes in the command arguments. + Bug #942. + + * The PAM session modules now run when sudo is set-user-ID root, + which allows a module to determine the original user-ID. + Bug #944. + + * Fixed a regression introduced in sudo 1.8.24 in the LDAP back-end + where sudoNotBefore and sudoNotAfter were applied even when the + SUDOERS_TIMED setting was not present in ldap.conf. Bug #945. + + * Sudo packages for macOS 11 now contain universal binaries that + support both Intel and Apple Silicon CPUs. + + * For sudo_logsrvd, an empty value for the "pid_file" setting in + sudo_logsrvd.conf will now disable the process ID file. + +What's new in Sudo 1.9.3p1 + + * Fixed a regression introduced in sudo 1.9.3 where the configure + script would not detect the crypt(3) function if it was present + in the C library, not an additional library. + + * Fixed a regression introduced in sudo 1.8.23 with shadow passwd + file authentication on OpenBSD. BSD authentication was not + affected. + + * Sudo now logs when a user-specified command-line option is + rejected by a sudoers rule. Previously, these conditions were + written to the audit log, but the default sudo log file. Affected + command line arguments include -C (--close-from), -D (--chdir), + -R (--chroot), -g (--group) and -u (--user). + +What's new in Sudo 1.9.3 + + * sudoedit will now prompt the user before overwriting an existing + file with one that is zero-length after editing. Bug #922. + + * Fixed building the Python plugin on systems with a compiler that + doesn't support symbol hiding. + + * Sudo now uses a linker script to hide symbols even when the + compiler supports symbol hiding. This should make it easier to + detect omissions in the symbol exports file, regardless of the + platform. + + * Fixed the libssl dependency in Debian packages for older releases + that use libssl1.0.0. + + * Sudo and visudo now provide more detailed messages when a syntax + error is detected in sudoers. The offending line and token are + now displayed. If the parser was generated by GNU bison, + additional information about what token was expected is also + displayed. Bug #841. + + * Sudoers rules must now end in either a newline or the end-of-file. + Previously, it was possible to have multiple rules on a single + line, separated by white space. The use of an end-of-line + terminator makes it possible to display accurate error messages. + + * Sudo no longer refuses to run if a syntax error in the sudoers + file is encountered. The entry with the syntax error will be + discarded and sudo will continue to parse the file. This makes + recovery from a syntax error less painful on systems where sudo + is the primary method of superuser access. The historic behavior + can be restored by add "error_recovery=false" to the sudoers + plugin's optional arguments in sudo.conf. Bug #618. + + * Fixed the sample_approval plugin's symbol exports file for systems + where the compiler doesn't support symbol hiding. + + * Fixed a regression introduced in sudo 1.9.1 where arguments to + the "sudoers_policy" plugin in sudo.conf were not being applied. + The sudoers file is now parsed by the "sudoers_audit" plugin, + which is loaded implicitly when "sudoers_policy" is listed in + sudo.conf. Starting with sudo 1.9.3, if there are plugin arguments + for "sudoers_policy" but "sudoers_audit" is not listed, those + arguments will be applied to "sudoers_audit" instead. + + * The user's resource limits are now passed to sudo plugins in + the user_info[] list. A plugin cannot determine the limits + itself because sudo changes the limits while it runs to prevent + resource starvation. + + * It is now possible to set the working directory or change the + root directory on a per-command basis using the CWD and CHROOT + options. CWD and CHROOT are now reserved words in sudoers--they + can no longer be used as alias names. There are also new Defaults + settings, runchroot and runcwd, that can be used to set the + working directory or root directory on a more global basis. + + * New -D (--chdir) and -R (--chroot) command line options can be + used to set the working directory or root directory if the sudoers + file allows it. This functionality is not enabled by default + and must be explicitly enabled in the sudoers file. + + * Fixed a regression introduced in sudo 1.9.1 where the sudoers_audit + symbol could not be resolved when sudo is configured with the + --enable-static-sudoers option. Bug #936 and GitHub issue #61. + +What's new in Sudo 1.9.2 + + * Fixed package builds on RedHat Enterprise Linux 8. + + * The configure script now uses pkg-config to find the openssl + cflags and libs where possible. + + * The contents of the log.json I/O log file is now documented in + the sudoers manual. + + * The sudoers plugin now properly exports the sudoers_audit symbol + on systems where the compiler lacks symbol visibility controls. + This caused a regression in 1.9.1 where a successful sudo command + was not logged due to the missing audit plugin. Bug #931. + + * Fixed a regression introduced in 1.9.1 that can result in crash + when there is a syntax error in the sudoers file. Bug #934. + +What's new in Sudo 1.9.1 + + * Fixed an AIX-specific problem when I/O logging was enabled. + The terminal device was not being properly set to raw mode. + Bug #927. + + * Corrected handling of sudo_logsrvd connections without associated + I/O log data. This fixes support for RejectMessage as well as + AcceptMessage when the expect_iobufs flag is not set. + + * Added an "iolog_path" entry to the JSON-format event log produced + by sudo_logsrvd. Previously, it was only possible to determine + the I/O log file an event belonged to using sudo-format logs. + + * Fixed the bundle IDs for sudo-logsrvd and sudo-python macOS packages. + + * I/O log files produced by the sudoers plugin now clear the write + bits on the I/O log timing file when the log is complete. This + is consistent with how sudo_logsrvd indicates that a log is + complete. + + * The sudoreplay utility has a new "-F" (follow) command line + option to allow replaying a session that is still in progress, + similar to "tail -f". + + * The @include and @includedir directives can be used in sudoers + instead of #include and #includedir. In addition, include paths + may now have embedded white space by either using a double-quoted + string or escaping the space characters with a backslash. + + * Fixed some Solaris 11.4 compilation errors. + + * When running a command in a pty, sudo will no longer try to + suspend itself if the user's tty has been revoked (for instance + when the parent ssh daemon is killed). This fixes a bug where + sudo would continuously suspend the command (which would succeed), + then suspend itself (which would fail due to the missing tty) + and then resume the command. + + * If sudo's event loop fails due to the tty being revoked, remove + the user's tty events and restart the event loop (once). This + fixes a problem when running "sudo reboot" in a pty on some + systems. When the event loop exited unexpectedly, sudo would + kill the command running in the pty, which in the case of "reboot", + could lead to the system being in a half-rebooted state. + + * Fixed a regression introduced in sudo 1.8.23 in the LDAP and + SSSD back-ends where a missing sudoHost attribute was treated + as an "ALL" wildcard value. A sudoRole with no sudoHost attribute + is now ignored as it was prior to version 1.8.23. + + * The audit plugin API has been changed slightly. The sudo front-end + now audits an accept event itself after all approval plugins are + run and the I/O logging plugins (if any) are opened. This makes + it possible for an audit plugin to only log a single overall + accept event if desired. + + * The sudoers plugin can now be loaded as an audit plugin. Logging + of successful commands is now performed in the audit plugin's + accept function. As a result, commands are now only logged if + allowed by sudoers and all approval plugins. Commands rejected + by an approval plugin are now also logged by the sudoers plugin. + + * Romanian translation for sudo and sudoers from translationproject.org. + + * Fixed a regression introduced in sudo 1.9.0 where sudoedit did + not remove its temporary files after installing them. Bug #929. + + * Fixed a regression introduced in sudo 1.9.0 where the iolog_file + setting in sudoers and sudo_logsrvd.conf caused an error if the + file name ended in six or more X's. + +What's new in Sudo 1.9.0 + + * Fixed a test failure in the strsig_test regress test on FreeBSD. + + * The maximum length of a conversation reply has been increased + from 255 to 1023 characters. This allows for longer user passwords. + Bug #860. + + * Sudo now includes a logging daemon, sudo_logsrvd, which can be + used to implement centralized logging of I/O logs. TLS connections + are supported when sudo is configured with the --enable-openssl + option. For more information, see the sudo_logsrvd, logsrvd.conf + and sudo_logsrv.proto manuals as well as the log_servers setting + in the sudoers manual. + + The --disable-log-server and --disable-log-client configure + options can be used to disable building the I/O log server and/or + remote I/O log support in the sudoers plugin. + + * The new sudo_sendlog utility can be used to test sudo_logsrvd + or send existing sudo I/O logs to a centralized server. + + * It is now possible to write sudo plugins in Python 3 when sudo + is configured with the --enable-python option. See the + sudo_plugin_python manual for details. + + Sudo 1.9.0 comes with several Python example plugins that get + installed sudo's examples directory. + + The sudo blog article "What's new in sudo 1.9: Python" + (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/) + includes a simple tutorial on writing python plugins. + + * Sudo now supports an "audit" plugin type. An audit plugin + receives accept, reject, exit and error messages and can be used + to implement custom logging that is independent of the underlying + security policy. Multiple audit plugins may be specified in + the sudo.conf file. A sample audit plugin is included that + writes logs in JSON format. + + * Sudo now supports an "approval" plugin type. An approval plugin + is run only after the main security policy (such as sudoers) accepts + a command to be run. The approval policy may perform additional + checks, potentially interacting with the user. Multiple approval + plugins may be specified in the sudo.conf file. Only if all + approval plugins succeed will the command be allowed. + + * Sudo's -S command line option now causes the sudo conversation + function to write to the standard output or standard error instead + of the terminal device. + + * Fixed a bug where if a #include or #includedir directive was the + last line in sudoers and there was no final newline character, it + was silently ignored. Bug #917. + + * It is now possible to use "Cmd_Alias" instead of "Cmnd_Alias" for + people who find the former more natural. + + * The new "pam_ruser" and "pam_rhost" sudoers settings can be used + to enable or disable setting the PAM remote user and/or host + values during PAM session setup. + + * More than one SHA-2 digest may now be specified for a single + command. Multiple digests must be separated by a comma. + + * It is now possible to specify a SHA-2 digest in conjunction with + the "ALL" reserved word in a command specification. This allows + one to give permission to run any command that matches the + specified digest, regardless of its path. + + * Sudo and sudo_logsrvd now create an extended I/O log info file + in JSON format that contains additional information about the + command that was run, such as the host name. The sudoreplay + utility uses this file in preference to the legacy log file. + + * The sudoreplay utility can now match on a host name in list mode. + The list output also now includes the host name if one is present + in the log file. + + * For "sudo -i", if the target user's home directory does not + exist, sudo will now warn about the problem but run the command + in the current working directory. Previously, this was a fatal + error. Debian bug #598519. + + * The command line arguments in the SUDO_COMMAND environment + variable are now truncated at 4096 characters. This avoids an + "Argument list too long" error when executing a command with a + large number of arguments. Bug #923 (Debian bug #596631). + + * Sudo now properly ends the PAM transaction when the user + authenticates successfully but sudoers denies the command. + Debian bug #669687. + + * The sudoers grammar in the manual now indicates that "sudoedit" + requires one or more arguments. Debian bug #571621. + + * When copying the edited files to the original path, sudoedit now + allocates any additional space needed before writing. Previously, + it could truncate the destination file if the file system was + full. Bug #922. + + * Fixed an issue where PAM session modules could be called with + the wrong user name when multiple users in the passwd database + share the the same user-ID. Debian bug #734752. + + * Sudo command line options that take a value may only be specified + once. This is to help guard against problems caused by poorly + written scripts that invoke sudo with user-controlled input. + Bug #924. + +What's new in Sudo 1.8.31p1 + + * Sudo once again ignores a failure to restore the RLIMIT_CORE + resource limit, as it did prior to version 1.8.29. Linux + containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY + if we set the limit to zero, even for root, which resulted in a + warning from sudo. + +What's new in Sudo 1.8.31 + + * Fixed CVE-2019-18634, a buffer overflow when the "pwfeedback" + sudoers option is enabled on systems with uni-directional pipes. + + * The "sudoedit_checkdir" option now treats a user-owned directory + as writable, even if it does not have the write bit set at the + time of check. Symbolic links will no longer be followed by + sudoedit in any user-owned directory. Bug #912 + + * Fixed sudoedit on macOS 10.15 and above where the root file system + is mounted read-only. Bug #913. + + * Fixed a crash introduced in sudo 1.8.30 when suspending sudo + at the password prompt. Bug #914. + + * Fixed compilation on systems where the mmap MAP_ANON flag + is not available. Bug #915. + +What's new in Sudo 1.8.30 + + * Fixed a warning on macOS introduced in sudo 1.8.29 when sudo + attempts to set the open file limit to unlimited. Bug #904. + + * Sudo now closes file descriptors before changing uids. This + prevents a non-root process from interfering with sudo's ability + to close file descriptors on systems that support the prlimit(2) + system call. + + * Sudo now treats an attempt to run "sudo sudoedit" as simply + "sudoedit". If the sudoers file contains a fully-qualified path + to sudoedit, sudo will now treat it simply as "sudoedit" (with + no path). Visudo will will now treat a fully-qualified path + to sudoedit as an error. Bug #871. + + * Fixed a bug introduced in sudo 1.8.28 where sudo would warn about + a missing /etc/environment file on AIX and Linux when PAM is not + enabled. Bug #907 + + * Fixed a bug on Linux introduced in sudo 1.8.29 that prevented + the askpass program from running due to an unlimited stack size + resource limit. Bug #908. + + * If a group provider plugin has optional arguments, the argument list + passed to the plugin is now NULL terminated as per the documentation. + + * The user's time stamp file is now only updated if both authentication + and approval phases succeed. This is consistent with the behavior + of sudo prior to version 1.8.23. Bug #910 + + * The new allow_unknown_runas_id sudoers setting can be used to + enable or disable the use of unknown user or group IDs. Previously, + sudo would always allow unknown user or group IDs if the sudoers + entry permitted it, including via the "ALL" alias. As of sudo + 1.8.30, the admin must explicitly enable support for unknown IDs. + + * The new runas_check_shell sudoers setting can be used to require + that the runas user have a shell listed in the /etc/shells file. + On many systems, users such as "bin", do not have a valid shell + and this flag can be used to prevent commands from being run as + those users. + + * Fixed a problem restoring the SELinux tty context during reboot + if mctransd is killed before sudo finishes. GitHub Issue #17. + + * Fixed an intermittent warning on NetBSD when sudo restores the + initial stack size limit. + +What's new in Sudo 1.8.29 + + * The cvtsudoers command will now reject non-LDIF input when converting + from LDIF format to sudoers or JSON formats. + + * The new log_allowed and log_denied sudoers settings make it possible + to disable logging and auditing of allowed and/or denied commands. + + * The umask is now handled differently on systems with PAM or login.conf. + If the umask is explicitly set in sudoers, that value is used regardless + of what PAM or login.conf may specify. However, if the umask is not + explicitly set in sudoers, PAM or login.conf may now override the default + sudoers umask. Bug #900. + + * For "make install", the sudoers file is no longer checked for syntax + errors when DESTDIR is set. The default sudoers file includes the + contents of /etc/sudoers.d which may not be readable as non-root. + Bug #902. + + * Sudo now sets most resource limits to their maximum value to avoid + problems caused by insufficient resources, such as an inability to + allocate memory or open files and pipes. + + * Fixed a regression introduced in sudo 1.8.28 where sudo would refuse + to run if the parent process was not associated with a session. + This was due to sudo passing a session ID of -1 to the plugin. + +What's new in Sudo 1.8.28p1 + + * The fix for Bug #869 caused "sudo -v" to prompt for a password + when "verifypw" is set to "all" (the default) and all of the + user's sudoers entries are marked with NOPASSWD. Bug #901. + +What's new in Sudo 1.8.28 + + * Sudo will now only set PAM_TTY to the empty string when no + terminal is present on Solaris and Linux. This workaround is + only needed on those systems which may have PAM modules that + misbehave when PAM_TTY is not set. + + * The mailerflags sudoers option now has a default value even if + sendmail support was disabled at configure time. Fixes a crash + when the mailerpath sudoers option is set but mailerflags is not. + Bug #878. + + * Sudo will now filter out last login messages on HP-UX unless it + a shell is being run via "sudo -s" or "sudo -i". Otherwise, + when trusted mode is enabled, these messages will be displayed + for each command. + + * On AIX, when the user's password has expired and PAM is not in use, + sudo will now allow the user to change their password. + Bug #883. + + * Sudo has a new -B command line option that will ring the terminal + bell when prompting for a password. + + * Sudo no longer refuses to prompt for a password when it cannot + determine the user's terminal as long as it can open /dev/tty. + This allows sudo to function on systems where /proc is unavailable, + such as when running in a chroot environment. + + * The "env_editor" sudoers flag is now on by default. This makes + source builds more consistent with the packages generated by + sudo's mkpkg script. + + * Sudo no longer ships with pre-formatted copies of the manual pages. + These were included for systems like IRIX that don't ship with an + nroff utility. There are now multiple Open Source nroff replacements + so this should no longer be an issue. + + * Fixed a bad interaction with configure's --prefix and + --disable-shared options. Bug #886. + + * More verbose error message when a password is required and no terminal + is present. Bug #828. + + * Command tags, such as NOPASSWD, are honored when a user tries to run a + command that is allowed by sudoers but which does not actually + exist on the file system. Bug #888. + + * Asturian translation for sudoers from translationproject.org. + + * I/O log timing files now store signal suspend and resume information + in the form of a signal name instead of a number. + + * Fixed a bug introduced in 1.8.24 that prevented sudo from honoring + the value of "ipa_hostname" from sssd.conf, if specified, when + matching the host name. + + * Fixed a bug introduced in 1.8.21 that prevented the core dump + resource limit set in the pam_limits module from taking effect. + Bug #894. + + * Fixed parsing of double-quoted Defaults group and netgroup bindings. + + * The user ID is now used when matching sudoUser attributes in LDAP. + Previously, the user name, group name and group IDs were used + when matching but not the user ID. + + * Sudo now writes PAM messages to the user's terminal, if available, + instead of the standard output or standard error. This prevents + PAM output from being intermixed with that of the command when + output is sent to a file or pipe. Bug #895. + + * Sudoedit now honors the umask and umask_override settings in sudoers. + Previously, the user's umask was used as-is. + + * Fixed a bug where the terminal's file context was not restored + when using SELinux RBAC. Bug #898. + + * Fixed CVE-2019-14287, a bug where a sudo user may be able to + run a command as root when the Runas specification explicitly + disallows root access as long as the ALL keyword is listed first. + +What's new in Sudo 1.8.27 + + * On HP-UX, sudo will now update the utmps file when running a command + in a pseudo-tty. Previously, only the utmp and utmpx files were + updated. + + * Nanosecond precision file time stamps are now supported in HP-UX. + + * Fixes and clarifications to the sudo plugin documentation. + + * The sudo manuals no longer require extensive post-processing to + hide system-specific features. Conditionals in the roff source + are now used instead. This fixes corruption of the sudo manual + on systems without BSD login classes. Bug #861. + + * If an I/O logging plugin is configured but the plugin does not + actually log any I/O, sudo will no longer force the command to + be run in a pseudo-tty. + + * The fix for bug #843 in sudo 1.8.24 was incomplete. If the + user's password was expired or needed to be updated, but no sudo + password was required, the PAM handle was freed too early, + resulting in a failure when processing PAM session modules. + + * In visudo, it is now possible to specify the path to sudoers + without using the -f option. Bug #864. + + * Fixed a bug introduced in sudo 1.8.22 where the utmp (or utmpx) + file would not be updated when a command was run in a pseudo-tty. + Bug #865. + + * Sudo now sets the silent flag when opening the PAM session except + when running a shell via "sudo -s" or "sudo -i". This prevents + the pam_lastlog module from printing the last login information + for each sudo command. Bug #867. + + * Fixed the default AIX hard resource limit for the maximum number + of files a user may have open. If no hard limit for "nofiles" + is explicitly set in /etc/security/limits, the default should + be "unlimited". Previously, the default hard limit was 8196. + +What's new in Sudo 1.8.26 + + * Fixed a bug in cvtsudoers when converting to JSON format when + alias expansion is enabled. Bug #853. + + * Sudo no long sets the USERNAME environment variable when running + commands. This is a non-standard environment variable that was + set on some older Linux systems. + + * Sudo now treats the LOGNAME and USER environment variables (as + well as the LOGIN variable on AIX) as a single unit. If one is + preserved or removed from the environment using env_keep, env_check + or env_delete, so is the other. + + * Added support for OpenLDAP's TLS_REQCERT setting in ldap.conf. + + * Sudo now logs when the command was suspended and resumed in the + I/O logs. This information is used by sudoreplay to skip the + time suspended when replaying the session unless the new -S flag + is used. + + * Fixed documentation problems found by the igor utility. Bug #854. + + * Sudo now prints a warning message when there is an error or end + of file while reading the password instead of exiting silently. + + * Fixed a bug in the sudoers LDAP back-end parsing the command_timeout, + role, type, privs and limitprivs sudoOptions. This also affected + cvtsudoers conversion from LDIF to sudoers or JSON. + + * Fixed a bug that prevented timeout settings in sudoers from + functioning unless a timeout was also specified on the command + line. + + * Asturian translation for sudo from translationproject.org. + + * When generating LDIF output, cvtsudoers can now be configured + to pad the sudoOrder increment such that the start order is used + as a prefix. Bug #856. + + * Fixed a bug introduced in sudo 1.8.25 that prevented sudo from + properly setting the user's groups on AIX. Bug #857. + + * If the user specifies a group via sudo's -g option that matches + any of the target user's groups, it is now allowed even if no + groups are present in the Runas_Spec. Previously, it was only + allowed if it matched the target user's primary group. + + * The sudoers LDAP back-end now supports negated sudoRunAsUser and + sudoRunAsGroup entries. + + * Sudo now provides a proper error message when the "fqdn" sudoers + option is set and it is unable to resolve the local host name. + Bug #859. + + * Portuguese translation for sudo and sudoers from translationproject.org. + + * Sudo now includes sudoers LDAP schema for the on-line configuration + supported by OpenLDAP. + +What's new in Sudo 1.8.25p1 + + * Fixed a bug introduced in sudo 1.8.25 that caused a crash on + systems that have the poll() function but not the ppoll() function. + Bug #851. + +What's new in Sudo 1.8.25 + + * Fixed a bug introduced in sudo 1.8.20 that broke formatting of + I/O log timing file entries on systems without a C99-compatible + snprintf() function. Our replacement snprintf() doesn't support + floating point so we can't use the "%f" format directive. + + * I/O log timing file entries now use a monotonic timer and include + nanosecond precision. A monotonic timer that does not increment + while the system is sleeping is used where available. + + * Fixed a bug introduced in sudo 1.8.24 where sudoNotAfter in the LDAP + back-end was not being properly parsed. Bug #845. + + * When sudo runs a command in a pseudo-terminal, the follower + device is now closed in the main process immediately after + starting the monitor process. This removes the need for an + AIX-specific workaround that was added in sudo 1.8.24. + + * Added support for monotonic timers on HP-UX. + + * Fixed a bug displaying timeout values the "sudo -V" output. + The value displayed was 3600 times the actual value. Bug #846. + + * Fixed a build issue on AIX 7.1 BOS levels that include memset_s() + and define rsize_t in string.h. Bug #847. + + * The testsudoers utility now supports querying an LDIF-format + policy. + + * Sudo now sets the LOGIN environment variable to the same value as + LOGNAME on AIX systems. Bug #848. + + * Fixed a regression introduced in sudo 1.8.24 where the LDAP and + SSSD back-ends evaluated the rules in reverse sudoOrder. Bug #849. + +What's new in Sudo 1.8.24 + + * The LDAP and SSS back-ends now use the same rule evaluation code + as the sudoers file back-end. This builds on the work in sudo + 1.8.23 where the formatting functions for "sudo -l" output were + shared. The handling of negated commands in SSS and LDAP is + unchanged. + + * Fixed a regression introduced in 1.8.23 where "sudo -i" could + not be used in conjunction with --preserve-env=VARIABLE. Bug #835. + + * cvtsudoers can now parse base64-encoded attributes in LDIF files. + + * Random insults are now more random. + + * Fixed the noexec wordexp(3) test on FreeBSD. + + * Added SUDO_CONV_PREFER_TTY flag for conversation function to + tell sudo to try writing to /dev/tty first. Can be used in + conjunction with SUDO_CONV_INFO_MSG and SUDO_CONV_ERROR_MSG. + + * Sudo now supports an arbitrary number of groups per user on + Solaris. Previously, only the first 64 groups were found. + This should remove the need to set "max_groups" in sudo.conf. + + * Fixed typos in the OpenLDAP sudo schema. Bugs #839 and #840. + + * Fixed a race condition when building with parallel make. + Bug #842. + + * Fixed a duplicate free when netgroup_base in ldap.conf is set + to an invalid value. + + * Fixed a bug introduced in sudo 1.8.23 on AIX that could prevent + local users and groups from being resolved properly on systems + that have users stored in NIS, LDAP or AD. + + * Added a workaround for an AIX bug exposed by a change in sudo + 1.8.23 that prevents the terminal mode from being restored when + I/O logging is enabled. + + * On systems using PAM, sudo now ignores the PAM_NEW_AUTHTOK_REQD + and PAM_AUTHTOK_EXPIRED errors from PAM account management if + authentication is disabled for the user. This fixes a regression + introduced in sudo 1.8.23. Bug #843. + + * Fixed an ambiguity in the sudoers manual in the description and + definition of User, Runas, Host, and Cmnd Aliases. Bug #834. + + * Fixed a bug that resulted in only the first window size change + event being logged. + + * Fixed a bug on HP-UX systems introduced in sudo 1.8.22 that + caused sudo to prompt for a password every time when tty-based + time stamp files were in use. + + * Fixed a compilation problem on systems that define O_PATH or + O_SEARCH in fnctl.h but do not define O_DIRECTORY. Bug #844. + +What's new in Sudo 1.8.23 + + * PAM account management modules and BSD auth approval modules are + now run even when no password is required. + + * For kernel-based time stamps, if no terminal is present, fall + back to parent-pid style time stamps. + + * The new cvtsudoers utility replaces both the "sudoers2ldif" script + and the "visudo -x" functionality. It can read a file in either + sudoers or LDIF format and produce JSON, LDIF or sudoers output. + It is also possible to filter the generated output file by user, + group or host name. + + * The file, ldap and sss sudoers back-ends now share a common set + of formatting functions for "sudo -l" output, which is also used + by the cvtsudoers utility. + + * The /run directory is now used in preference to /var/run if it + exists. Bug #822. + + * More accurate descriptions of the --with-rundir and --with-vardir + configure options. Bug #823. + + * The setpassent() and setgroupent() functions are now used on systems + that support them to keep the passwd and group database open. + Sudo performs a lot of passwd and group lookups so it can be + beneficial to avoid opening and closing the files each time. + + * The new case_insensitive_user and case_insensitive_group sudoers + options can be used to control whether sudo does case-sensitive + matching of users and groups in sudoers. Case insensitive + matching is now the default. + + * Fixed a bug on some systems where sudo could hang on command + exit when I/O logging was enabled. Bug #826. + + * Fixed the build-time process start time test on Linux when the + test is run from within a container. Bug #829. + + * When determining which temporary directory to use, sudoedit now + checks the directory for writability before using it. Previously, + sudoedit only performed an existence check. Bug #827. + + * Sudo now includes an optional set of Monty Python-inspired insults. + + * Fixed the execution of scripts with an associated digest (checksum) + in sudoers on FreeBSD systems. FreeBSD does not have a proper + /dev/fd directory mounted by default and its fexecve(2) is not + fully POSIX compliant when executing scripts. Bug #831. + + * Chinese (Taiwan) translation for sudo from translationproject.org. + +What's new in Sudo 1.8.22 + + * Commands run in the background from a script run via sudo will + no longer receive SIGHUP when the parent exits and I/O logging + is enabled. Bug #502 + + * A particularly offensive insult is now disabled by default. + Bug #804 + + * The description of "sudo -i" now correctly documents that + the "env_keep" and "env_check" sudoers options are applied to + the environment. Bug #806 + + * Fixed a crash when the system's host name is not set. + Bug #807 + + * The sudoers2ldif script now handles #include and #includedir + directives. + + * Fixed a bug where sudo would silently exit when the command was + not allowed by sudoers and the "passwd_tries" sudoers option + was set to a value less than one. + + * Fixed a bug with the "listpw" and "verifypw" sudoers options and + multiple sudoers sources. If the option is set to "all", a + password should be required unless none of a user's sudoers + entries from any source require authentication. + + * Fixed a bug with the "listpw" and "verifypw" sudoers options in + the LDAP and SSSD back-ends. If the option is set to "any", and + the entry contained multiple rules, only the first matching rule + was checked. If an entry contained more than one matching rule + and the first rule required authentication but a subsequent rule + did not, sudo would prompt for a password when it should not have. + + * When running a command as the invoking user (not root), sudo + would execute the command with the same group vector it was + started with. Sudo now executes the command with a new group + vector based on the group database which is consistent with + how su(1) operates. + + * Fixed a double free in the SSSD back-end that could occur when + ipa_hostname is present in sssd.conf and is set to an unqualified + host name. + + * When I/O logging is enabled, sudo will now write to the terminal + even when it is a background process. Previously, sudo would + only write to the tty when it was the foreground process when + I/O logging was enabled. If the TOSTOP terminal flag is set, + sudo will suspend the command (and then itself) with the SIGTTOU + signal. + + * A new "authfail_message" sudoers option that overrides the + default "N incorrect password attempt(s)". + + * An empty sudoRunAsUser attribute in the LDAP and SSSD back-ends + will now match the invoking user. This is more consistent with + how an empty runas user in the sudoers file is treated. + + * Documented that in check mode, visudo does not check the owner/mode + on files specified with the -f flag. Bug #809. + + * It is now an error to specify the runas user as an empty string + on the command line. Previously, an empty runas user was treated + the same as an unspecified runas user. Bug #817. + + * When "timestamp_type" option is set to "tty" and a terminal is + present, the time stamp record will now include the start time + of the session leader. When the "timestamp_type" option is set + to "ppid" or when no terminal is available, the start time of + the parent process is used instead. This significantly reduces + the likelihood of a time stamp record being re-used when a user + logs out and back in again. Bug #818. + + * The sudoers time stamp file format is now documented in the new + sudoers_timestamp manual. + + * The "timestamp_type" option now takes a "kernel" value on OpenBSD + systems. This causes the tty-based time stamp to be stored in + the kernel instead of on the file system. If no tty is present, + the time stamp is considered to be invalid. + + * Visudo will now use the SUDO_EDITOR environment variable (if + present) in addition to VISUAL and EDITOR. + +What's new in Sudo 1.8.21p2 + + * Fixed a bug introduced in version 1.8.21 which prevented sudo + from using the PAM-supplied prompt. Bug #799 + + * Fixed a bug introduced in version 1.8.21 which could result in + sudo hanging when running commands that exit quickly. Bug #800 + + * Fixed a bug introduced in version 1.8.21 which prevented the + command from being run when the password was read via an external + program using the askpass interface. Bug #801 + +What's new in Sudo 1.8.21p1 + + * On systems that support both PAM and SIGINFO, the main sudo + process will no longer forward SIGINFO to the command if the + signal was generated from the keyboard. The command will have + already received SIGINFO since it is part of the same process + group so there's no need for sudo to forward it. This is + consistent with the handling of SIGINT, SIGQUIT and SIGTSTP. + Bug #796 + + * If SUDOERS_SEARCH_FILTER in ldap.conf does not specify a value, + the LDAP search expression used when looking up netgroups and + non-Unix groups had a syntax error if a group plugin was not + specified. + + * "sudo -U otheruser -l" will now have an exit value of 0 even + if "otheruser" has no sudo privileges. The exit value when a + user attempts to lists their own privileges or when a command + is specified is unchanged. + + * Fixed a regression introduced in sudo 1.8.21 where sudoreplay + playback would hang for I/O logs that contain terminal input. + + * Sudo 1.8.18 contained an incomplete fix for the matching of + entries in the LDAP and SSSD back-ends when a sudoRunAsGroup is + specified but no sudoRunAsUser is present in the sudoRole. + +What's new in Sudo 1.8.21 + + * The path that sudo uses to search for terminal devices can now + be configured via the new "devsearch" Path setting in sudo.conf. + + * It is now possible to preserve bash shell functions in the + environment when the "env_reset" sudoers setting is disabled by + removing the "*=()*" pattern from the env_delete list. + + * A change made in sudo 1.8.15 inadvertently caused sudoedit to + send itself SIGHUP instead of exiting when the editor returns + an error or the file was not modified. + + * Sudoedit now uses an exit code of zero if the file was not + actually modified. Previously, sudoedit treated a lack of + modifications as an error. + + * When running a command in a pseudo-tty (pty), sudo now copies a + subset of the terminal flags to the new pty. Previously, all + flags were copied, even those not appropriate for a pty. + + * Fixed a problem with debug logging in the sudoers I/O logging + plugin. + + * Window size change events are now logged to the policy plugin. + On xterm and compatible terminals, sudoreplay is now capable of + resizing the terminal to match the size of the terminal the + command was run on. The new -R option can be used to disable + terminal resizing. + + * Fixed a bug in visudo where a newly added file was not checked + for syntax errors. Bug #791. + + * Fixed a bug in visudo where if a syntax error in an include + directory (like /etc/sudoers.d) was detected, the edited version + was left as a temporary file instead of being installed. + + * On PAM systems, sudo will now treat "username's Password:" as + a standard password prompt. As a result, the SUDO_PROMPT + environment variable will now override "username's Password:" + as well as the more common "Password:". Previously, the + "passprompt_override" Defaults setting would need to be set for + SUDO_PROMPT to override a prompt of "username's Password:". + + * A new "syslog_pid" sudoers setting has been added to include + sudo's process ID along with the process name when logging via + syslog. Bug #792. + + * Fixed a bug introduced in sudo 1.8.18 where a command would + not be terminated when the I/O logging plugin returned an error + to the sudo front-end. + + * A new "timestamp_type" sudoers setting has been added that replaces + the "tty_tickets" option. In addition to tty and global time stamp + records, it is now possible to use the parent process ID to restrict + the time stamp to commands run by the same process, usually the shell. + Bug #793. + + * The --preserve-env command line option has been extended to accept + a comma-separated list of environment variables to preserve. + Bug #279. + + * Friulian translation for sudo from translationproject.org. + +What's new in Sudo 1.8.20p2 + + * Fixed a bug parsing /proc/pid/stat on Linux when the process + name contains newlines. This is not exploitable due to the /dev + traversal changes in sudo 1.8.20p1. + +What's new in Sudo 1.8.20p1 + + * Fixed "make check" when using OpenSSL or GNU crypt. + Bug #787. + + * Fixed CVE-2017-1000367, a bug parsing /proc/pid/stat on Linux + when the process name contains spaces. Since the user has control + over the command name, this could potentially be used by a user + with sudo access to overwrite an arbitrary file on systems with + SELinux enabled. Also stop performing a breadth-first traversal + of /dev when looking for the device; only a hard-coded list of + directories are checked, + +What's new in Sudo 1.8.20 + + * Added support for SASL_MECH in ldap.conf. Bug #764 + + * Added support for digest matching when the command is a glob-style + pattern or a directory. Previously, only explicit path matches + supported digest checks. + + * New "fdexec" Defaults option to control whether a command + is executed by path or by open file descriptor. + + * The embedded copy of zlib has been upgraded to version 1.2.11. + + * Fixed a bug that prevented sudoers include files with a relative + path starting with the letter 'i' from being opened. Bug #776. + + * Added support for command timeouts in sudoers. The command will + be terminated if the timeout expires. + + * The SELinux role and type are now displayed in the "sudo -l" + output for the LDAP and SSSD back-ends, just as they are in the + sudoers back-end. + + * A new command line option, -T, can be used to specify a command + timeout as long as the user-specified timeout is not longer than + the timeout specified in sudoers. This option may only be + used when the "user_command_timeouts" flag is enabled in sudoers. + + * Added NOTBEFORE and NOTAFTER command options to the sudoers + back-end similar to what is already available in the LDAP back-end. + + * Sudo can now optionally use the SHA2 functions in OpenSSL or GNU + crypt instead of the SHA2 implementation bundled with sudo. + + * Fixed a compilation error on systems without the stdbool.h header + file. Bug #778. + + * Fixed a compilation error in the standalone Kerberos V authentication + module. Bug #777. + + * Added the iolog_flush flag to sudoers which causes I/O log data + to be written immediately to disk instead of being buffered. + + * I/O log files are now created with group ID 0 by default unless + the "iolog_user" or "iolog_group" options are set in sudoers. + + * It is now possible to store I/O log files on an NFS-mounted + file system where uid 0 is remapped to an unprivileged user. + The "iolog_user" option must be set to a non-root user and the + top-level I/O log directory must exist and be owned by that user. + + * Added the restricted_env_file setting to sudoers which is similar + to env_file but its contents are subject to the same restrictions + as variables in the invoking user's environment. + + * Fixed a use after free bug in the SSSD back-end when the fqdn + sudoOption is enabled and no hostname value is present in + /etc/sssd/sssd.conf. + + * Fixed a typo that resulted in a compilation error on systems + where the killpg() function is not found by configure. + + * Fixed a compilation error with the included version of zlib + when sudo was built outside the source tree. + + * Fixed the exit value of sudo when the command is terminated by + a signal other than SIGINT. This was broken in sudo 1.8.15 by + the fix for Bug #722. Bug #784. + + * Fixed a regression introduced in sudo 1.8.18 where the "lecture" + option could not be used in a positive boolean context, only + a negative one. + + * Fixed an issue where sudo would consume stdin if it was not + connected to a tty even if log_input is not enabled in sudoers. + Bug #786. + + * Clarify in the sudoers manual that the #includedir directive + diverts control to the files in the specified directory and, + when parsing of those files is complete, returns control to the + original file. Bug #775. + +What's new in Sudo 1.8.19p2 + + * Fixed a crash in visudo introduced in sudo 1.8.9 when an IP address + or network is used in a host-based Defaults entry. Bug #766 + + * Added a missing check for the ignore_iolog_errors flag when + the sudoers plugin generates the I/O log file path name. + + * Fixed a typo in sudo's vsyslog() replacement that resulted in + garbage being logged to syslog. + +What's new in Sudo 1.8.19p1 + + * Fixed a bug introduced in sudo 1.8.19 that resulted in the wrong + syslog priority and facility being used. + +What's new in Sudo 1.8.19 + + * New "syslog_maxlen" Defaults option to control the maximum size of + syslog messages generated by sudo. + + * Sudo has been run against PVS-Studio and any issues that were + not false positives have been addressed. + + * I/O log files are now created with the same group ID as the + parent directory and not the invoking user's group ID. + + * I/O log permissions and ownership are now configurable via the + "iolog_mode", "iolog_user" and "iolog_group" sudoers Defaults + variables. + + * Fixed configuration of the sudoers I/O log plugin debug subsystem. + Previously, I/O log information was not being written to the + sudoers debug log. + + * Fixed a bug in visudo that broke editing of files in an include + dir that have a syntax error. Normally, visudo does not edit + those files, but if a syntax error is detected in one, the user + should get a chance to fix it. + + * Warnings about unknown or unparsable sudoers Defaults entries now + include the file and line number of the problem. + + * Visudo will now use the file and line number information about an + unknown or unparsable Defaults entry to go directly to the file + with the problem. + + * Fixed a bug in the sudoers LDAP back-end where a negated sudoHost + entry would prevent other sudoHost entries following it from matching. + + * Warnings from visudo about a cycle in an Alias entry now include the + file and line number of the problem. + + * In strict mode, visudo will now use the file and line number + information about a cycle in an Alias entry to go directly to the + file with the problem. + + * The sudo_noexec.so file is now linked with -ldl on systems that + require it for the wordexp() wrapper. + + * Fixed linking of sudo_noexec.so on macOS systems where it must be + a dynamic library and not a module. + + * Sudo's "make check" now includes a test for sudo_noexec.so + working. + + * The sudo front-end now passes the user's umask to the plugin. + Previously the plugin had to determine this itself. + + * Sudoreplay can now display the stdin and ttyin streams when they + are explicitly added to the filter list. + + * Fixed a bug introduced in sudo 1.8.17 where the "all" setting + for verifypw and listpw was not being honored. Bug #762. + + * The syslog priority (syslog_goodpri and syslog_badpri) can now + be negated or set to "none" to disable logging of successful or + unsuccessful sudo attempts via syslog. + +What's new in Sudo 1.8.18p1 + + * When sudo_noexec.so is used, the WRDE_NOCMD flag is now added + if the wordexp() function is called. This prevents commands + from being run via wordexp() without disabling it entirely. + + * On Linux systems, sudo_noexec.so now uses a seccomp filter to + disable execute access if the kernel supports seccomp. This is + more robust than the traditional method of using stub functions + that return an error. + +What's new in Sudo 1.8.18 + + * The sudoers locale is now set before parsing the sudoers file. + If sudoers_locale is set in sudoers, it is applied before + evaluating other Defaults entries. Previously, sudoers_locale + was used when evaluating sudoers but not during the initial parse. + Bug #748. + + * A missing or otherwise invalid #includedir is now ignored instead + of causing a parse error. + + * During "make install", backup files are only used on HP-UX where + it is not possible to unlink a shared object that is in use. + This works around a bug in ldconfig on Linux which could create + links to the backup shared library file instead of the current + one. + + * Fixed a bug introduced in 1.8.17 where sudoers entries with long + commands lines could be truncated, preventing a match. Bug #752. + + * The fqdn, runas_default and sudoers_locale Defaults settings are + now applied before any other Defaults settings since they can + change how other Defaults settings are parsed. + + * On systems without the O_NOFOLLOW open(2) flag, when the NOFOLLOW + flag is set, sudoedit now checks whether the file is a symbolic link + before opening it as well as after the open. Bug #753. + + * Sudo will now only resolve a user's group IDs to group names + when sudoers includes group-based permissions. Group lookups + can be expensive on some systems where the group database is + not local. + + * If the file system holding the sudo log file is full, allow + the command to run unless the new ignore_logfile_errors Defaults + option is disabled. Bug #751. + + * The ignore_audit_errors and ignore_iolog_errors Defaults options + have been added to control sudo's behavior when it is unable to + write to the audit and I/O logs. + + * Fixed a bug introduced in 1.8.17 where the SIGPIPE signal handler + was not being restored when sudo directly executes the command. + + * Fixed a bug where "sudo -l command" would indicate that a command + was runnable even when denied by sudoers when using the LDAP or + SSSD back-ends. + + * The match_group_by_gid Defaults option has been added to allow + sites where group name resolution is slow and where sudoers only + contains a small number of groups to match groups by group ID + instead of by group name. + + * Fixed a bug on Linux where a 32-bit sudo binary could fail with + an "unable to allocate memory" error when run on a 64-bit system. + Bug #755 + + * When parsing ldap.conf, sudo will now only treat a '#' character + as the start of a comment when it is at the beginning of the + line. + + * Fixed a potential crash when auditing is enabled and the audit + function fails with an error. Bug #756 + + * Norwegian Nynorsk translation for sudo from translationproject.org. + + * Fixed a typo that broke short host name matching when the fqdn + flag is enabled in sudoers. Bug #757 + + * Negated sudoHost attributes are now supported by the LDAP and + SSSD back-ends. + + * Fixed matching entries in the LDAP and SSSD back-ends when a + RunAsGroup is specified but no RunAsUser is present. + + * Fixed "sudo -l" output in the LDAP and SSSD back-ends when a + RunAsGroup is specified but no RunAsUser is present. + +What's new in Sudo 1.8.17p1 + + * Fixed a bug introduced in 1.8.17 where the user's groups were + not set on systems that don't use PAM. Bug #749. + +What's new in Sudo 1.8.17 + + * On AIX, if /etc/security/login.cfg has auth_type set to PAM_AUTH + but pam_start(3) fails, fall back to AIX authentication. + Bug #740. + + * Sudo now takes all sudoers sources into account when determining + whether or not "sudo -l" or "sudo -v" should prompt for a password. + In other words, if both file and ldap sudoers sources are in + specified in /etc/nsswitch.conf, "sudo -v" will now require that + all entries in both sources be have NOPASSWD (file) or !authenticate + (ldap) in the entries. + + * Sudo now ignores SIGPIPE until the command is executed. Previously, + SIGPIPE was only ignored in a few select places. Bug #739. + + * Fixed a bug introduced in sudo 1.8.14 where (non-syslog) log + file entries were missing the newline when loglinelen is set to + a non-positive number. Bug #742. + + * Unix groups are now set before the plugin session initialization + code is run. This makes it possible to use dynamic groups with + the Linux-PAM pam_group module. + + * Fixed a bug where a debugging statement could dereference a NULL + pointer when looking up a group that doesn't exist. Bug #743. + + * Sudo has been run through the Coverity code scanner. A number of + minor bugs have been fixed as a result. None were security issues. + + * SELinux support, which was broken in 1.8.16, has been repaired. + + * Fixed a bug when logging I/O where all output buffers might not + get flushed at exit. + + * Forward slashes are no longer escaped in the JSON output of + "visudo -x". This was never required by the standard and not + escaping them improves readability of the output. + + * Sudo no longer treats PAM_SESSION_ERR as a fatal error when + opening the PAM session. Other errors from pam_open_session() + are still treated as fatal. This avoids the "policy plugin + failed session initialization" error message seen on some systems. + + * Korean translation for sudo and sudoers from translationproject.org. + + * Fixed a bug on AIX where the stack size hard resource limit was + being set to 2GB instead of 4GB on 64-bit systems. + + * The SSSD back-end now properly supports "sudo -U otheruser -l". + + * The SSSD back-end now uses the value of "ipa_hostname" + from sssd.conf, if specified, when matching the host name. + + * Fixed a hang on some systems when the command is being run in + a pty and it failed to execute. + + * When performing a wildcard match in sudoers, check for an exact + string match if the user command was fully-qualified (or resolved + via the PATH). This fixes an issue executing scripts on Linux + when there are multiple wildcard matches with the same base name. + Bug #746. + +What's new in Sudo 1.8.16 + + * Fixed a compilation error on Solaris 10 with Stun Studio 12. + Bug #727. + + * When preserving variables from the invoking user's environment, if + there are duplicates sudo now only keeps the first instance. + + * Fixed a bug that could cause warning mail to be sent in list + mode (sudo -l) for users without sudo privileges when the + LDAP and sssd back-ends are used. + + * Fixed a bug that prevented the "mail_no_user" option from working + properly with the LDAP back-end. + + * In the LDAP and sssd back-ends, white space is now ignored between + an operator (!, +, +=, -=) when parsing a sudoOption. + + * It is now possible to disable Path settings in sudo.conf + by omitting the path name. + + * The sudoedit_checkdir Defaults option is now enabled by default + and has been extended. When editing files with sudoedit, each + directory in the path to be edited is now checked. If a directory + is writable by the invoking user, symbolic links will not be + followed. If the parent directory of the file to be edited is + writable, sudoedit will refuse to edit it. + Bug #707. + + * The netgroup_tuple Defaults option has been added to enable matching + of the entire netgroup tuple, not just the host or user portion. + Bug #717. + + * When matching commands based on the SHA2 digest, sudo will now + use fexecve(2) to execute the command if it is available. This + fixes a time of check versus time of use race condition when the + directory holding the command is writable by the invoking user. + + * On AIX systems, sudo now caches the auth registry string along + with password and group information. This fixes a potential + problem when a user or group of the same name exists in multiple + auth registries. For example, local and LDAP. + + * Fixed a crash in the SSSD back-end when the invoking user is not + found. Bug #732. + + * Added the --enable-asan configure flag to enable address sanitizer + support. A few minor memory leaks have been plugged to quiet + the ASAN leak detector. + + * The value of _PATH_SUDO_CONF may once again be overridden via + the Makefile. Bug #735. + + * The sudoers2ldif script now handles multiple roles with same name. + + * Fixed a compilation error on systems that have the posix_spawn() + and posix_spawnp() functions but an unusable spawn.h header. + Bug #730. + + * Fixed support for negating character classes in sudo's version + of the fnmatch() function. + + * Fixed a bug in the LDAP and SSSD back-ends that could allow an + unauthorized user to list another user's privileges. Bug #738. + + * The PAM conversation function now works around an ambiguity in the + PAM spec with respect to multiple messages. Bug #726. + +What's new in Sudo 1.8.15 + + * Fixed a bug that prevented sudo from building outside the source tree + on some platforms. Bug #708. + + * Fixed the location of the sssd library in the RHEL/Centos packages. + Bug #710. + + * Fixed a build problem on systems that don't implicitly include + sys/types.h from other header files. Bug #711. + + * Fixed a problem on Linux using containers where sudo would ignore + signals sent by a process in a different container. + + * Sudo now refuses to run a command if the PAM session module + returns an error. + + * When editing files with sudoedit, symbolic links will no longer + be followed by default. The old behavior can be restored by + enabling the sudoedit_follow option in sudoers or on a per-command + basis with the FOLLOW and NOFOLLOW tags. Bug #707. + + * Fixed a bug introduced in version 1.8.14 that caused the last + valid editor in the sudoers "editor" list to be used by visudo + and sudoedit instead of the first. Bug #714. + + * Fixed a bug in visudo that prevented the addition of a final + newline to edited files without one. + + * Fixed a bug decoding certain base64 digests in sudoers when the + intermediate format included a '=' character. + + * Individual records are now locked in the time stamp file instead + of the entire file. This allows sudo to avoid prompting for a + password multiple times on the same terminal when used in a + pipeline. In other words, "sudo cat foo | sudo grep bar" now + only prompts for the password once. Previously, both sudo + processes would prompt for a password, often making it impossible + to enter. + + * Fixed a bug where sudo would fail to run commands as a non-root + user on systems that lack both setresuid() and setreuid(). + Bug #713. + + * Fixed a bug introduced in sudo 1.8.14 that prevented visudo from + re-editing the correct file when a syntax error was detected. + + * Fixed a bug where sudo would not relay a SIGHUP signal to the + command when the terminal is closed and the command is not run + in its own pseudo-tty. Bug #719 + + * If some, but not all, of the LOGNAME, USER or USERNAME environment + variables have been preserved from the invoking user's environment, + sudo will now use the preserved value to set the remaining variables + instead of using the runas user. This ensures that if, for example, + only LOGNAME is present in the env_keep list, that sudo will not + set USER and USERNAME to the runas user. + +* When the command sudo is running dies due to a signal, sudo will + now send itself that same signal with the default signal handler + installed instead of exiting. The bash shell appears to ignore + some signals, e.g. SIGINT, unless the command being run is killed + by that signal. This makes the behavior of commands run under + sudo the same as without sudo when bash is the shell. Bug #722 + + * Slovak translation for sudo from translationproject.org. + + * Hungarian and Slovak translations for sudoers from translationproject.org. + + * Previously, when env_reset was enabled (the default) and the -s + option was not used, the SHELL environment variable was set to the + shell of the invoking user. Now, when env_reset is enabled and + the -s option is not used, SHELL is set based on the target user. + + * Fixed challenge/response style BSD authentication. + + * Added the sudoedit_checkdir Defaults option to prevent sudoedit + from editing files located in a directory that is writable by + the invoking user. + + * Added the always_query_group_plugin Defaults option to control + whether groups not found in the system group database are passed + to the group plugin. Previously, unknown system groups were + always passed to the group plugin. + + * When creating a new file, sudoedit will now check that the file's + parent directory exists before running the editor. + + * Fixed the compiler stack protector test in configure for compilers + that support -fstack-protector but don't actually have the ssp + library available. + +What's new in Sudo 1.8.14p3 + + * Fixed a bug introduced in sudo 1.8.14p2 that prevented sudo + from working when no tty was present. + + * Fixed tty detection on newer AIX systems where dev_t is 64-bit. + +What's new in Sudo 1.8.14p2 + + * Fixed a bug introduced in sudo 1.8.14 that prevented the lecture + file from being created. Bug #704. + +What's new in Sudo 1.8.14p1 + + * Fixed a bug introduced in sudo 1.8.14 that prevented the sssd + back-end from working. Bug #703. + +What's new in Sudo 1.8.14 + + * Log messages on Mac OS X now respect sudoers_locale when sudo + is build with NLS support. + + * The sudo manual pages now pass "mandoc -Tlint" with no warnings. + + * Fixed a compilation problem on systems with the sig2str() function + that do not define SIG2STR_MAX in signal.h. + + * Worked around a compiler bug that resulted in unexpected behavior + when returning an int from a function declared to return bool + without an explicit cast. + + * Worked around a bug in Mac OS X 10.10 BSD auditing where the + au_preselect() fails for AUE_sudo events but succeeds for + AUE_DARWIN_sudo. + + * Fixed a hang on Linux systems with glibc when sudo is linked with + jemalloc. + + * When the user runs a command as a user ID that is not present in + the password database via the -u flag, the command is now run + with the group ID of the invoking user instead of group ID 0. + + * Fixed a compilation problem on systems that don't pull in + definitions of uid_t and gid_t without sys/types.h or unistd.h. + + * Fixed a compilation problem on newer AIX systems which use a + struct st_timespec for time stamps in struct stat that differs + from struct timespec. Bug #702. + + * The example directory is now configurable via --with-exampledir + and defaults to DATAROOTDIR/examples/sudo on BSD systems. + + * The /usr/lib/tmpfiles.d/sudo.conf file is now installed as part + of "make install" when systemd is in use. + + * Fixed a linker problem on some systems with libintl. Bug #690. + + * Fixed compilation with compilers that don't support __func__ + or __FUNCTION__. + + * Sudo no longer needs to uses weak symbols to support localization + in the warning functions. A registration function is used instead. + + * Fixed a setresuid() failure in sudoers on Linux kernels where + uid changes take the nproc resource limit into account. + + * Fixed LDAP netgroup queries on AIX. + + * Sudo will now display the custom prompt on Linux systems with PAM + even if the "Password: " prompt is not localized by the PAM module. + Bug #701. + + * Double-quoted values in an LDAP sudoOption are now supported + for consistency with file-based sudoers. + + * Fixed a bug that prevented the btime entry in /proc/stat from + being parsed on Linux. + +What's new in Sudo 1.8.13 + + * The examples directory is now a subdirectory of the doc dir to + conform to Debian guidelines. Bug #682. + + * Fixed a compilation error for siglist.c and signame.c on some + systems. Bug #686 + + * Weak symbols are now used for sudo_warn_gettext() and + sudo_warn_strerror() in libsudo_util to avoid link errors when + -Wl,--no-undefined is used in LDFLAGS. The --disable-weak-symbols + configure option can be used to disable the user of weak symbols. + + * Fixed a bug in sudo's mkstemps() replacement function that + prevented the file extension from being preserved in sudoedit. + + * A new mail_all_cmnds sudoers flag will send mail when a user runs + a command (or tries to). The behavior of the mail_always flag has + been restored to always send mail when sudo is run. + + * New "MAIL" and "NOMAIL" command tags have been added to toggle + mail sending behavior on a per-command (or Cmnd_Alias) basis. + + * Fixed matching of empty passwords when sudo is configured to + use passwd (or shadow) file authentication on systems where the + crypt() function returns NULL for invalid salts. + + * On AIX, sudo now uses the value of the auth_type setting in + /etc/security/login.cfg to determine whether to use LAM or PAM + for user authentication. + + * The "all" setting for listpw and verifypw now works correctly + with LDAP and sssd sudoers. + + * The sudo timestamp directory is now created at boot time on + platforms that use systemd. + + * Sudo will now restore the value of the SIGPIPE handler before + executing the command. + + * Sudo now uses "struct timespec" instead of "struct timeval" for + time keeping when possible. If supported, sudoedit and visudo + now use nanosecond granularity time stamps. + + * Fixed a symbol name collision with systems that have their own + SHA2 implementation. This fixes a problem where PAM could use + the wrong SHA2 implementation on Solaris 10 systems configured + to use SHA512 for passwords. + + * The editor invoked by sudoedit once again uses an unmodified + copy of the user's environment as per the documentation. This + was inadvertently changed in sudo 1.8.0. Bug #688. + +What's new in Sudo 1.8.12 + + * The embedded copy of zlib has been upgraded to version 1.2.8 and + is now installed as a shared library where supported. + + * Debug settings for the sudo front end and sudoers plugin are now + configured separately. + + * Multiple sudo.conf Debug entries may now be specified per program + (or plugin). + + * The plugin API has been extended such that the path to the plugin + that was loaded is now included in the settings array. This + path can be used to register with the debugging subsystem. The + debug_flags setting is now prefixed with a file name and may be + specified multiple times if there is more than one matching Debug + setting in sudo.conf. + + * The sudoers regression tests now run with the locale set to C + since some of the tests compare output that includes locale-specific + messages. Bug #672 + + * Fixed a bug where sudo would not run commands on Linux when + compiled with audit support if audit is disabled. Bug #671 + + * Added __BASH_FUNC<* to the environment blacklist to match + Apple's syntax for newer-style bash functions. + + * The default password prompt now includes a trailing space after + "Password:" for consistency with su(1) on most systems. + Bug #663 + + * Fixed a problem on DragonFly BSD where SIGCHLD could be ignored, + preventing sudo from exiting. Bug #676 + + * Visudo will now use the optional sudoers_file, sudoers_mode, + sudoers_uid and sudoers_gid arguments if specified on the + sudoers.so Plugin line in the sudo.conf file. + + * Fixed a problem introduced in sudo 1.8.8 that prevented the full + host name from being used when the "fqdn" sudoers option is used. + Bug #678 + + * French and Russian translations for sudoers from translationproject.org. + + * Sudo now installs a handler for SIGCHLD signal handler immediately + before stating the process that will execute the command (or + start the monitor). The handler used to be installed earlier + but this causes problems with poorly behaved PAM modules that + install their own SIGCHLD signal handler and neglect to restore + sudo's original handler. Bug #657 + + * Removed a limit on the length of command line arguments expanded + by a wild card using sudo's version of the fnmatch() function. + This limit was introduced when sudo's version of fnmatch() + was replaced in sudo 1.8.4. + + * LDAP-based sudoers can now query an LDAP server for a user's + netgroups directly. This is often much faster than fetching + every sudoRole object containing a sudoUser that begins with a + `+' prefix and checking whether the user is a member of any of + the returned netgroups. + + * The mail_always sudoers option no longer sends mail for "sudo -l" + or "sudo -v" unless the user is unable to authenticate themselves. + + * Fixed a crash when sudo is run with an empty argument vector. + + * Fixed two potential crashes when sudo is run with very low + resource limits. + + * The TZ environment variable is now checked for safety instead + of simply being copied to the environment of the command. + +What's new in Sudo 1.8.11p2 + + * Fixed a bug where dynamic shared objects loaded from a plugin + could use the hooked version of getenv() but not the hooked + versions of putenv(), setenv() or unsetenv(). This can cause + problems for PAM modules that use those functions. + +What's new in Sudo 1.8.11p1 + + * Fixed a compilation problem on some systems when the + --disable-shared-libutil configure option was specified. + + * The user can no longer interrupt the sleep after an incorrect + password on PAM systems using pam_unix. + Bug #666 + + * Fixed a compilation problem on Linux systems that do not use PAM. + Bug #667 + + * "make install" will now work with the stock GNU autotools + install-sh script. Bug #669 + + * Fixed a crash with "sudo -i" when the current working directory + does not exist. Bug #670 + + * Fixed a potential crash in the debug subsystem when logging a message + larger that 1024 bytes. + + * Fixed a "make check" failure for ttyname when stdin is closed and + stdout and stderr are redirected to a different tty. Bug #643 + + * Added BASH_FUNC_* to the environment blacklist to match newer-style + bash functions. + +What's new in Sudo 1.8.11 + + * The sudoers plugin no longer uses setjmp/longjmp to recover + from fatal errors. All errors are now propagated to the caller + via return codes. + + * When running a command in the background, sudo will now forward + SIGINFO to the command (if supported). + + * Sudo will now use the system versions of the sha2 functions from + libc or libmd if available. + + * Visudo now works correctly on GNU Hurd. Bug #647 + + * Fixed suspend and resume of curses programs on some system when + the command is not being run in a pseudo-terminal. Bug #649 + + * Fixed a crash with LDAP-based sudoers on some systems when + Kerberos was enabled. + + * Sudo now includes optional Solaris audit support. + + * Catalan translation for sudoers from translationproject.org. + + * Norwegian Bokmaal translation for sudo from translationproject.org. + + * Greek translation for sudoers from translationproject.org + + * The sudo source tree has been reorganized to more closely resemble + that of other gettext-enabled packages. + + * Sudo and its associated programs now link against a shared version + of libsudo_util. The --disable-shared-libutil configure option + may be used to force static linking if the --enable-static-sudoers + option is also specified. + + * The passwords in ldap.conf and ldap.secret may now be encoded + in base64. + + * Audit updates. SELinux role changes are now audited. For + sudoedit, we now audit the actual editor being run, instead of + just the sudoedit command. + + * Fixed bugs in the man page post-processing that could cause + portions of the manuals to be removed. + + * Fixed a crash in the system_group plugin. Bug #653. + + * Fixed sudoedit on platforms without a system version of the + getprogname() function. Bug #654. + + * Fixed compilation problems with some pre-C99 compilers. + + * Fixed sudo's -C option which was broken in version 1.8.9. + + * It is now possible to match an environment variable's value as + well as its name using env_keep and env_check. This can be used + to preserve bash functions which would otherwise be removed from + the environment. + + * New files created via sudoedit as a non-root user now have the + proper group id. Bug #656 + + * Sudoedit now works correctly in conjunction with sudo's SELinux + RBAC support. Temporary files are now created with the proper + security context. + + * The sudo I/O logging plugin API has been updated. If a logging + function returns an error, the command will be terminated and + all of the plugin's logging functions will be disabled. If a + logging function rejects the command's output it will no longer + be displayed to the user's terminal. + + * Fixed a compilation error on systems that lack openpty(), _getpty() + and grantpt(). Bug #660 + + * Fixed a hang when a sudoers source is listed more than once in + a single sudoers nsswitch.conf entry. + + * On AIX, shell scripts without a #! magic number are now passed to + /usr/bin/sh, not /usr/bin/bsh. This is consistent with what the + execvp() function on AIX does and matches historic sudo behavior. + Bug #661 + + * Fixed a cross-compilation problem building mksiglist and mksigname. + Bug #662 + +What's new in Sudo 1.8.10p3? + + * Fixed expansion of %p in the prompt for "sudo -l" when rootpw, + runaspw or targetpw is set. Bug #639 + + * Fixed matching of UIDs and GIDs which was broken in version 1.8.9. + Bug #640 + + * PAM credential initialization has been re-enabled. It was + unintentionally disabled by default in version 1.8.8. The way + credentials are initialized has also been fixed. Bug #642. + + * Fixed a descriptor leak on Linux when determining boot time. Sudo + normally closes extra descriptors before running a command so + the impact is limited. Bug #645 + + * Fixed flushing of the last buffer of data when I/O logging is + enabled. This bug, introduced in version 1.8.9, could cause + incomplete command output on some systems. Bug #646 + +What's new in Sudo 1.8.10p2? + + * Fixed a hang introduced in sudo 1.8.10 when timestamp_timeout + is set to zero. + +What's new in Sudo 1.8.10p1? + + * Fixed a bug introduced in sudo 1.8.10 that prevented the disabling + of tty-based tickets. + + * Fixed a bug with negated commands in "sudo -l command" that + could cause the command to be listed even when it was explicitly + denied. This only affected list mode when a command was specified. + Bug #636 + +What's new in Sudo 1.8.10? + + * It is now possible to disable network interface probing in + sudo.conf by changing the value of the probe_interfaces + setting. + + * When listing a user's privileges (sudo -l), the sudoers plugin + will now prompt for the user's password even if the targetpw, + rootpw or runaspw options are set. + + * The sudoers plugin uses a new format for its time stamp files. + Each user now has a single file which may contain multiple records + when per-tty time stamps are in use (the default). The time + stamps use a monotonic timer where available and are once again + located in a directory under /var/run. The lecture status is + now stored separately from the time stamps in a different directory. + Bug #616 + + * sudo's -K option will now remove all of the user's time stamps, + not just the time stamp for the current terminal. The -k option + can be used to only disable time stamps for the current terminal. + + * If sudo was started in the background and needed to prompt for + a password, it was not possible to suspend it at the password + prompt. This now works properly. + + * LDAP-based sudoers now uses a default search filter of + (objectClass=sudoRole) for more efficient queries. The netgroup + query has been modified to avoid falling below the minimum length + for OpenLDAP substring indices. + + * The new "use_netgroups" sudoers option can be used to explicitly + enable or disable netgroups support. For LDAP-based sudoers, + netgroup support requires an expensive substring match on the + server. If netgroups are not needed, this option can be disabled + to reduce the load on the LDAP server. + + * Sudo is once again able to open the sudoers file when the group + on sudoers doesn't match the expected value, so long as the file + is not group writable. + + * Sudo now installs an init.d script to clear the time stamp + directory at boot time on AIX and HP-UX systems. These systems + either lack /var/run or do not clear it on boot. + + * The JSON format used by "visudo -x" now properly supports the + negation operator. In addition, the Options object is now the + same for both Defaults and Cmnd_Specs. + + * Czech and Serbian translations for sudoers from translationproject.org. + + * Catalan translation for sudo from translationproject.org. + +What's new in Sudo 1.8.9p5? + + * Fixed a compilation error on AIX when LDAP support is enabled. + + * Fixed parsing of the "umask" defaults setting in sudoers. Bug #632. + + * Fixed a failed assertion when the "closefrom_override" defaults + setting is enabled in sudoers and sudo's -C flag is used. Bug #633. + +What's new in Sudo 1.8.9p4? + + * Fixed a bug where sudo could consume large amounts of CPU while + the command was running when I/O logging is not enabled. Bug #631 + + * Fixed a bug where sudo would exit with an error when the debug + level is set to util@debug or all@debug and I/O logging is not + enabled. The command would continue running after sudo exited. + +What's new in Sudo 1.8.9p3? + + * Fixed a bug introduced in sudo 1.8.9 that prevented the tty name + from being resolved properly on Linux systems. Bug #630. + +What's new in Sudo 1.8.9p2? + + * Updated config.guess, config.sub and libtool to support the ppc64le + architecture (IBM PowerPC Little Endian). + +What's new in Sudo 1.8.9p1? + + * Fixed a problem with gcc 4.8's handling of bit fields that could + lead to the noexec flag being enabled even when it was not + explicitly set. + +What's new in Sudo 1.8.9? + + * Reworked sudo's main event loop to use a simple event subsystem + using poll(2) or select(2) as the back end. + + * It is now possible to statically compile the sudoers plugin into + the sudo binary without disabling shared library support. The + sudo.conf file may still be used to configure other plugins. + + * Sudo can now be compiled again with a C preprocessor that does + not support variadic macros. + + * Visudo can now export a sudoers file in JSON format using the + new -x flag. + + * The locale is now set correctly again for visudo and sudoreplay. + + * The plugin API has been extended to allow the plugin to exclude + specific file descriptors from the "closefrom" range. + + * There is now a workaround for a Solaris-specific problem where + NOEXEC was overriding traditional root DAC behavior. + + * Add user netgroup filtering for SSSD. Previously, rules for + a netgroup were applied to all even when they did not belong + to the specified netgroup. + + * On systems with BSD login classes, if the user specified a group + (not a user) to run the command as, it was possible to specify + a different login class even when the command was not run as the + super user. + + * The closefrom() emulation on Mac OS X now uses /dev/fd if possible. + + * Fixed a bug where sudoedit would not update the original file + from the temporary when PAM or I/O logging is not enabled. + + * When recycling I/O logs, the log files are now truncated properly. + + * Fixes bugs #617, #621, #622, #623, #624, #625, #626 + +What's new in Sudo 1.8.8? + + * Removed a warning on PAM systems with stacked auth modules + where the first module on the stack does not succeed. + + * Sudo, sudoreplay and visudo now support GNU-style long options. + + * The -h (--host) option may now be used to specify a host name. + This is currently only used by the sudoers plugin in conjunction + with the -l (--list) option. + + * Program usage messages and manual SYNOPSIS sections have been + simplified. + + * Sudo's LDAP SASL support now works properly with Kerberos. + Previously, the SASL library was unable to locate the user's + credential cache. + + * It is now possible to set the nproc resource limit to unlimited + via pam_limits on Linux (bug #565). + + * New "pam_service" and "pam_login_service" sudoers options + that can be used to specify the PAM service name to use. + + * New "pam_session" and "pam_setcred" sudoers options that + can be used to disable PAM session and credential support. + + * The sudoers plugin now properly supports UIDs and GIDs + that are larger than 0x7fffffff on 32-bit platforms. + + * Fixed a visudo bug introduced in sudo 1.8.7 where per-group + Defaults entries would cause an internal error. + + * If the "tty_tickets" sudoers option is enabled (the default), + but there is no tty present, sudo will now use a ticket file + based on the parent process ID. This makes it possible to support + the normal timeout behavior for the session. + + * Fixed a problem running commands that change their process + group and then attempt to change the terminal settings when not + running the command in a pseudo-terminal. Previously, the process + would receive SIGTTOU since it was effectively a background + process. Sudo will now grant the child the controlling tty and + continue it when this happens. + + * The "closefrom_override" sudoers option may now be used in + a command-specified Defaults entry (bug #610). + + * Sudo's BSM audit support now works on Solaris 11. + + * Brazilian Portuguese translation for sudo and sudoers from + translationproject.org. + + * Czech translation for sudo from translationproject.org. + + * French translation for sudo from translationproject.org. + + * Sudo's noexec support on Mac OS X 10.4 and above now uses dynamic + symbol interposition instead of setting DYLD_FORCE_FLAT_NAMESPACE=1 + which causes issues with some programs. + + * Fixed visudo's -q (--quiet) flag, broken in sudo 1.8.6. + + * Root may no longer change its SELinux role without entering + a password. + + * Fixed a bug introduced in Sudo 1.8.7 where the indexes written + to the I/O log timing file are two greater than they should be. + Sudoreplay now contains a work-around to parse those files. + + * In sudoreplay's list mode, the "this" qualifier in "fromdate" + or "todate" expressions now behaves more sensibly. Previously, + it would often match a date that was "one more" than expected. + For example, "this week" now matches the current week instead + of the following week. + +What's new in Sudo 1.8.7? + + * The non-Unix group plugin is now supported when sudoers data + is stored in LDAP. + + * Sudo now uses a workaround for a locale bug on Solaris 11.0 + that prevents setuid programs like sudo from fully using locales. + + * User messages are now always displayed in the user's locale, + even when the same message is being logged or mailed in a + different locale. + + * Log files created by sudo now explicitly have the group set + to group ID 0 rather than relying on BSD group semantics (which + may not be the default). + + * A new "exec_background" sudoers option can be used to initially + run the command without read access to the terminal when running + a command in a pseudo-tty. If the command tries to read from + the terminal it will be stopped by the kernel (via SIGTTIN or + SIGTTOU) and sudo will immediately restart it as the foreground + process (if possible). This allows sudo to only pass terminal + input to the program if the program actually is expecting it. + Unfortunately, a few poorly-behaved programs (like "su" on most + Linux systems) do not handle SIGTTIN and SIGTTOU properly. + + * Sudo now uses an efficient group query to get all the groups + for a user instead of iterating over every record in the group + database on HP-UX and Solaris. + + * Sudo now produces better error messages when there is an error + in the sudo.conf file. + + * Two new settings have been added to sudo.conf to give the admin + better control of how group database queries are performed. The + "group_source" specifies how the group list for a user will be + determined. Legal values are "static" (use the kernel groups + list), "dynamic" (perform a group database query) and "adaptive" + (only perform a group database query if the kernel list is full). + The "max_groups" setting specifies the maximum number of groups + a user may belong to when performing a group database query. + + * The sudo.conf file now supports line continuation by using a + backslash as the last character on the line. + + * There is now a standalone sudo.conf manual page. + + * Sudo now stores its libexec files in a "sudo" sub-directory instead + of in libexec itself. For backward compatibility, if the plugin + is not found in the default plugin directory, sudo will check + the parent directory if the default directory ends in "/sudo". + + * The sudoers I/O logging plugin now logs the terminal size. + + * A new sudoers option "maxseq" can be used to limit the number of + I/O log entries that are stored. + + * The "system_group" and "group_file" sudoers group provider plugins + are now installed by default. + + * The list output (sudo -l) output from the sudoers plugin is now + less ambiguous when an entry includes different runas users. + The long list output (sudo -ll) for file-based sudoers is now + more consistent with the format of LDAP-based sudoers. + + * A UID may now be used in the sudoRunAsUser attributes for LDAP + sudoers. + + * Minor plugin API change: the close and version functions are now + optional. If the policy plugin does not provide a close function + and the command is not being run in a new pseudo-tty, sudo may + now execute the command directly instead of in a child process. + + * A new sudoers option "pam_session" can be used to disable sudo's + PAM session support. + + * On HP-UX systems, sudo will now use the pstat() function to + determine the tty instead of ttyname(). + + * Turkish translation for sudo and sudoers from translationproject.org. + + * Dutch translation for sudo and sudoers from translationproject.org. + + * Tivoli Directory Server client libraries may now be used with + HP-UX where libibmldap has a hidden dependency on libCsup. + + * The sudoers plugin will now ignore invalid domain names when + checking netgroup membership. Most Linux systems use the string + "(none)" for the NIS-style domain name instead of an empty string. + + * New support for specifying a SHA-2 digest along with the command + in sudoers. Supported hash types are sha224, sha256, sha384 and + sha512. See the description of Digest_Spec in the sudoers manual + or the description of sudoCommand in the sudoers.ldap manual for + details. + + * The paths to ldap.conf and ldap.secret may now be specified as + arguments to the sudoers plugin in the sudo.conf file. + + * Fixed potential false positives in visudo's alias cycle detection. + + * Fixed a problem where the time stamp file was being treated + as out of date on Linux systems where the change time on the + pseudo-tty device node can change after it is allocated. + + * Sudo now only builds Position Independent Executables (PIE) + by default on Linux systems and verifies that a trivial test + program builds and runs. + + * On Solaris 11.1 and higher, sudo binaries will now have the + ASLR tag enabled if supported by the linker. + +What's new in Sudo 1.8.6p8? + + * Terminal detection now works properly on 64-bit AIX kernels. + This was broken by the removal of the ttyname() fallback in Sudo + 1.8.6p6. Sudo is now able to map an AIX 64-bit device number + to the corresponding device file in /dev. + + * Sudo now checks for crypt() returning NULL when performing + passwd-based authentication. + +What's new in Sudo 1.8.6p7? + + * A time stamp file with the date set to the epoch by "sudo -k" + is now completely ignored regardless of what the local clock is + set to. Previously, if the local clock was set to a value between + the epoch and the time stamp timeout value, a time stamp reset + by "sudo -k" would be considered current. + + * The tty-specific time stamp file now includes the session ID + of the sudo process that created it. If a process with the same + tty but a different session ID runs sudo, the user will now be + prompted for a password (assuming authentication is required for + the command). + +What's new in Sudo 1.8.6p6? + + * On systems where the controlling tty can be determined via /proc + or sysctl(), sudo will no longer fall back to using ttyname() + if the process has no controlling tty. This prevents sudo from + using a non-controlling tty for logging and time stamp purposes. + +What's new in Sudo 1.8.6p5? + + * Fixed a potential crash in visudo's alias cycle detection. + + * Improved performance on Solaris when retrieving the group list + for the target user. On systems with a large number of groups + where the group database is not local (NIS, LDAP, AD), fetching + the group list could take a minute or more. + +What's new in Sudo 1.8.6p4? + + * The -fstack-protector is now used when linking visudo, sudoreplay + and testsudoers. + + * Avoid building PIE binaries on FreeBSD/ia64 as they don't run + properly. + + * Fixed a crash in visudo strict mode when an unknown Defaults + setting is encountered. + + * Do not inform the user that the command was not permitted by the + policy if they do not successfully authenticate. This is a + regression introduced in sudo 1.8.6. + + * Allow sudo to be build with sss support without also including + ldap support. + + * Fixed running commands that need the terminal in the background + when I/O logging is enabled. E.g. "sudo vi &". When the command + is foregrounded, it will now resume properly. + +What's new in Sudo 1.8.6p3? + + * Fixed post-processing of the man pages on systems with legacy + versions of sed. + + * Fixed "sudoreplay -l" on Linux systems with file systems that + set DT_UNKNOWN in the d_type field of struct dirent. + +What's new in Sudo 1.8.6p2? + + * Fixed suspending a command after it has already been resumed + once when I/O logging (or use_pty) is not enabled. + This was a regression introduced in version 1.8.6. + +What's new in Sudo 1.8.6p1? + + * Fixed the setting of LOGNAME, USER and USERNAME variables in the + command's environment when env_reset is enabled (the default). + This was a regression introduced in version 1.8.6. + + * Sudo now honors SUCCESS=return in /etc/nsswitch.conf. + +What's new in Sudo 1.8.6? + + * Sudo is now built with the -fstack-protector flag if the the + compiler supports it. Also, the -zrelro linker flag is used if + supported. The --disable-hardening configure option can be used + to build sudo without stack smashing protection. + + * Sudo is now built as a Position Independent Executable (PIE) + if supported by the compiler and linker. + + * If the user is a member of the "exempt" group in sudoers, they + will no longer be prompted for a password even if the -k flag + is specified with the command. This makes "sudo -k command" + consistent with the behavior one would get if the user ran "sudo + -k" immediately before running the command. + + * The sudoers file may now be a symbolic link. Previously, sudo + would refuse to read sudoers unless it was a regular file. + + * The sudoreplay command can now properly replay sessions where + no tty was present. + + * The sudoers plugin now takes advantage of symbol visibility + controls when supported by the compiler or linker. As a result, + only a small number of symbols are exported which significantly + reduces the chances of a conflict with other shared objects. + + * Improved support for the Tivoli Directory Server LDAP client + libraries. This includes support for using LDAP over SSL (ldaps) + as well as support for the BIND_TIMELIMIT, TLS_KEY and TLS_CIPHERS + ldap.conf options. A new ldap.conf option, TLS_KEYPW can be + used to specify a password to decrypt the key database. + + * When constructing a time filter for use with LDAP sudoNotBefore + and sudoNotAfter attributes, the current time now includes tenths + of a second. This fixes a problem with timed entries on Active + Directory. + + * If a user fails to authenticate and the command would be rejected + by sudoers, it is now logged with "command not allowed" instead + of "N incorrect password attempts". Likewise, the "mail_no_perms" + sudoers option now takes precedence over "mail_badpass". + + * The sudo manuals are now formatted using the mdoc macros. Versions + using the legacy man macros are provided for systems that lack mdoc. + + * New support for Solaris privilege sets. This makes it possible + to specify fine-grained privileges in the sudoers file on Solaris + 10 and above. A Runas_Spec that contains no Runas_Lists can be + used to give a user the ability to run a command as themselves + but with an expanded privilege set. + + * Fixed a problem with the reboot and shutdown commands on some + systems (such as HP-UX and BSD). On these systems, reboot sends + all processes (except itself) SIGTERM. When sudo received + SIGTERM, it would relay it to the reboot process, thus killing + reboot before it had a chance to actually reboot the system. + + * Support for using the System Security Services Daemon (SSSD) as + a source of sudoers data. + + * Slovenian translation for sudo and sudoers from translationproject.org. + + * Visudo will now warn about unknown Defaults entries that are + per-host, per-user, per-runas or per-command. + + * Fixed a race condition that could cause sudo to receive SIGTTOU + (and stop) when resuming a shell that was run via sudo when I/O + logging (and use_pty) is not enabled. + + * Sending SIGTSTP directly to the sudo process will now suspend the + running command when I/O logging (and use_pty) is not enabled. + +What's new in Sudo 1.8.5p3? + + * Fixed the loading of I/O plugins that conform to a plugin API + version older than 1.2. + +What's new in Sudo 1.8.5p2? + + * Fixed use of the SUDO_ASKPASS environment variable which was + broken in Sudo 1.8.5. + + * Fixed a problem reading the sudoers file when the file mode is + more restrictive than the expected mode. For example, when the + expected sudoers file mode is 0440 but the actual mode is 0400. + +What's new in Sudo 1.8.5p1? + + * Fixed a bug that prevented files in an include directory from + being evaluated. + +What's new in Sudo 1.8.5? + + * When "noexec" is enabled, sudo_noexec.so will now be prepended + to any existing LD_PRELOAD variable instead of replacing it. + + * The sudo_noexec.so shared library now wraps the execvpe(), + exect(), posix_spawn() and posix_spawnp() functions. + + * The user/group/mode checks on sudoers files have been relaxed. + As long as the file is owned by the sudoers UID, not world-writable + and not writable by a group other than the sudoers GID, the file + is considered OK. Note that visudo will still set the mode to + the value specified at configure time. + + * It is now possible to specify the sudoers path, UID, GID and + file mode as options to the plugin in the sudo.conf file. + + * Croatian, Galician, German, Lithuanian, Swedish and Vietnamese + translations from translationproject.org. + + * /etc/environment is no longer read directly on Linux systems + when PAM is used. Sudo now merges the PAM environment into the + user's environment which is typically set by the pam_env module. + + * The initial environment created when env_reset is in effect now + includes the contents of /etc/environment on AIX systems and the + "setenv" and "path" entries from /etc/login.conf on BSD systems. + + * The plugin API has been extended in three ways. First, options + specified in sudo.conf after the plugin pathname are passed to + the plugin's open function. Second, sudo has limited support + for hooks that can be used by plugins. Currently, the hooks are + limited to environment handling functions. Third, the init_session + policy plugin function is passed a pointer to the user environment + which can be updated during session setup. The plugin API version + has been incremented to version 1.2. See the sudo_plugin manual + for more information. + + * The policy plugin's init_session function is now called by the + parent sudo process, not the child process that executes the + command. This allows the PAM session to be open and closed in + the same process, which some PAM modules require. + + * Fixed parsing of "Path askpass" and "Path noexec" in sudo.conf, + which was broken in version 1.8.4. + + * On systems with an SVR4-style /proc file system, the /proc/pid/psinfo + file is now uses to determine the controlling terminal, if possible. + This allows tty-based tickets to work properly even when, e.g. + standard input, output and error are redirected to /dev/null. + + * The output of "sudoreplay -l" is now sorted by file name (or + sequence number). Previously, entries were displayed in the + order in which they were found on the file system. + + * Sudo now behaves properly when I/O logging is enabled and the + controlling terminal is revoked (e.g. the running sshd is killed). + Previously, sudo may have exited without calling the I/O plugin's + close function which can lead to an incomplete I/O log. + + * Sudo can now detect when a user has logged out and back in again + on Solaris 11, just like it can on Solaris 10. + + * The built-in zlib included with Sudo has been upgraded to version + 1.2.6. + + * Setting the SSL parameter to start_tls in ldap.conf now works + properly when using Mozilla-based SDKs that support the + ldap_start_tls_s() function. + + * The TLS_CHECKPEER parameter in ldap.conf now works when the + Mozilla NSS crypto back-end is used with OpenLDAP. + + * A new group provider plugin, system_group, is included which + performs group look ups by name using the system groups database. + This can be used to restore the pre-1.7.3 sudo group lookup + behavior. + +What's new in Sudo 1.8.4p5? + + * Fixed a bug when matching against an IP address with an associated + netmask in the sudoers file. In certain circumstances, this + could allow users to run commands on hosts they are not authorized + for. + +What's new in Sudo 1.8.4p4? + + * Fixed a bug introduced in Sudo 1.8.4 which prevented "sudo -v" + from working. + +What's new in Sudo 1.8.4p3? + + * Fixed a crash on FreeBSD when no tty is present. + + * Fixed a bug introduced in Sudo 1.8.4 that allowed users to + specify environment variables to set on the command line without + having sudo "ALL" permissions or the "SETENV" tag. + + * When visudo is run with the -c (check) option, the sudoers + file(s) owner and mode are now also checked unless the -f option + was specified. + +What's new in Sudo 1.8.4p2? + + * Fixed a bug introduced in Sudo 1.8.4 where insufficient space + was allocated for group IDs in the LDAP filter. + + * Fixed a bug introduced in Sudo 1.8.4 where the path to sudo.conf + was "/sudo.conf" instead of "/etc/sudo.conf". + + * Fixed a bug introduced in Sudo 1.8.4 which could cause a hang + when I/O logging is enabled and input is from a pipe or file. + +What's new in Sudo 1.8.4p1? + + * Fixed a bug introduced in sudo 1.8.4 that broke adding to or + deleting from the env_keep, env_check and env_delete lists in + sudoers on some platforms. + +What's new in Sudo 1.8.4? + + * The -D flag in sudo has been replaced with a more general debugging + framework that is configured in sudo.conf. + + * Fixed a false positive in visudo strict mode when aliases are + in use. + + * Fixed a crash with "sudo -i" when a runas group was specified + without a runas user. + + * The line on which a syntax error is reported in the sudoers file + is now more accurate. Previously it was often off by a line. + + * Fixed a bug where stack garbage could be printed at the end of + the lecture when the "lecture_file" option was enabled. + + * "make install" now honors the LINGUAS environment variable. + + * The #include and #includedir directives in sudoers now support + relative paths. If the path is not fully qualified it is expected + to be located in the same directory of the sudoers file that is + including it. + + * Serbian and Spanish translations for sudo from translationproject.org. + + * LDAP-based sudoers may now access by group ID in addition to + group name. + + * visudo will now fix the mode on the sudoers file even if no changes + are made unless the -f option is specified. + + * The "use_loginclass" sudoers option works properly again. + + * On systems that use login.conf, "sudo -i" now sets environment + variables based on login.conf. + + * For LDAP-based sudoers, values in the search expression are now + escaped as per RFC 4515. + + * The plugin close function is now properly called when a login + session is killed (as opposed to the actual command being killed). + This can happen when an ssh session is disconnected or the + terminal window is closed. + + * The deprecated "noexec_file" sudoers option is no longer supported. + + * Fixed a race condition when I/O logging is not enabled that could + result in tty-generated signals (e.g. control-C) being received + by the command twice. + + * If none of the standard input, output or error are connected to + a tty device, sudo will now check its parent's standard input, + output or error for the tty name on systems with /proc and BSD + systems that support the KERN_PROC_PID sysctl. This allows + tty-based tickets to work properly even when, e.g. standard + input, output and error are redirected to /dev/null. + + * Added the --enable-kerb5-instance configure option to allow + people using Kerberos V authentication to specify a custom + instance so the principal name can be, e.g. "username/sudo" + similar to how ksu uses "username/root". + + * Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in + the results, which would be incorrectly be interpreted as if the + sudoers file had specified a directory. + + * "visudo -c" will now list any include files that were checked + in addition to the main sudoers file when everything parses OK. + + * Users that only have read-only access to the sudoers file may + now run "visudo -c". Previously, write permissions were required + even though no writing is down in check-only mode. + + * It is now possible to prevent the disabling of core dumps from + within sudo itself by adding a line to the sudo.conf file like + "Set disable_coredump false". + +What's new in Sudo 1.8.3p2? + + * Fixed a format string vulnerability when the sudo binary (or a + symbolic link to the sudo binary) contains printf format escapes + and the -D (debugging) flag is used. + +What's new in Sudo 1.8.3p1? + + * Fixed a crash in the monitor process on Solaris when NOPASSWD + was specified or when authentication was disabled. + + * Fixed matching of a Runas_Alias in the group section of a + Runas_Spec. + +What's new in Sudo 1.8.3? + + * Fixed expansion of strftime() escape sequences in the "log_dir" + sudoers setting. + + * Esperanto, Italian and Japanese translations from translationproject.org. + + * Sudo will now use PAM by default on AIX 6 and higher. + + * Added --enable-werror configure option for gcc's -Werror flag. + + * Visudo no longer assumes all editors support the +linenumber + command line argument. It now uses a allowlist of editors known + to support the option. + + * Fixed matching of network addresses when a netmask is specified + but the address is not the first one in the CIDR block. + + * The configure script now check whether or not errno.h declares + the errno variable. Previously, sudo would always declare errno + itself for older systems that don't declare it in errno.h. + + * The NOPASSWD tag is now honored for denied commands too, which + matches historic sudo behavior (prior to sudo 1.7.0). + + * Sudo now honors the "DEREF" setting in ldap.conf which controls + how alias dereferencing is done during an LDAP search. + + * A symbol conflict with the pam_ssh_agent_auth PAM module that + would cause a crash been resolved. + + * The inability to load a group provider plugin is no longer + a fatal error. + + * A potential crash in the utmp handling code has been fixed. + + * Two PAM session issues have been resolved. In previous versions + of sudo, the PAM session was opened as one user and closed as + another. Additionally, if no authentication was performed, the + PAM session would never be closed. + + * Sudo will now work correctly with LDAP-based sudoers using TLS + or SSL on Debian systems. + + * The LOGNAME, USER and USERNAME environment variables are preserved + correctly again in sudoedit mode. + +What's new in Sudo 1.8.2? + + * Sudo, visudo, sudoreplay and the sudoers plug-in now have natural + language support (NLS). This can be disabled by passing configure + the --disable-nls option. Sudo will use gettext(), if available, + to display translated messages. All translations are coordinated + via The Translation Project, http://translationproject.org/. + + * Plug-ins are now loaded with the RTLD_GLOBAL flag instead of + RTLD_LOCAL. This fixes missing symbol problems in PAM modules + on certain platforms, such as FreeBSD and SuSE Linux Enterprise. + + * I/O logging is now supported for commands run in background mode + (using sudo's -b flag). + + * Group ownership of the sudoers file is now only enforced when + the file mode on sudoers allows group readability or writability. + + * Visudo now checks the contents of an alias and warns about cycles + when the alias is expanded. + + * If the user specifies a group via sudo's -g option that matches + the target user's group in the password database, it is now + allowed even if no groups are present in the Runas_Spec. + + * The sudo Makefiles now have more complete dependencies which are + automatically generated instead of being maintained manually. + + * The "use_pty" sudoers option is now correctly passed back to the + sudo front end. This was missing in previous versions of sudo + 1.8 which prevented "use_pty" from being honored. + + * "sudo -i command" now works correctly with the bash version + 2.0 and higher. Previously, the .bash_profile would not be + sourced prior to running the command unless bash was built with + NON_INTERACTIVE_LOGIN_SHELLS defined. + + * When matching groups in the sudoers file, sudo will now match + based on the name of the group instead of the group ID. This can + substantially reduce the number of group lookups for sudoers + files that contain a large number of groups. + + * Multi-factor authentication is now supported on AIX. + + * Added support for non-RFC 4517 compliant LDAP servers that require + that seconds be present in a timestamp, such as Tivoli Directory Server. + + * If the group vector is to be preserved, the PATH search for the + command is now done with the user's original group vector. + + * For LDAP-based sudoers, the "runas_default" sudoOption now works + properly in a sudoRole that contains a sudoCommand. + + * Spaces in command line arguments for "sudo -s" and "sudo -i" are + now escaped with a backslash when checking the security policy. + +What's new in Sudo 1.8.1p2? + + * Two-character CIDR-style IPv4 netmasks are now matched correctly + in the sudoers file. + + * A build error with MIT Kerberos V has been resolved. + + * A crash on HP-UX in the sudoers plugin when wildcards are + present in the sudoers file has been resolved. + + * Sudo now works correctly on Tru64 Unix again. + +What's new in Sudo 1.8.1p1? + + * Fixed a problem on AIX where sudo was unable to set the final + UID if the PAM module modified the effective UID. + + * A non-existent includedir is now treated the same as an empty + directory and not reported as an error. + + * Removed extraneous parens in LDAP filter when sudoers_search_filter + is enabled that can cause an LDAP search error. + + * Fixed a "make -j" problem for "make install". + +What's new in Sudo 1.8.1? + + * A new LDAP setting, sudoers_search_filter, has been added to + ldap.conf. This setting can be used to restrict the set of + records returned by the LDAP query. Based on changes from Matthew + Thomas. + + * White space is now permitted within a User_List when used in + conjunction with a per-user Defaults definition. + + * A group ID (%#GID) may now be specified in a User_List or Runas_List. + Likewise, for non-Unix groups the syntax is %:#GID. + + * Support for double-quoted words in the sudoers file has been fixed. + The change in 1.7.5 for escaping the double quote character + caused the double quoting to only be available at the beginning + of an entry. + + * The fix for resuming a suspended shell in 1.7.5 caused problems + with resuming non-shells on Linux. Sudo will now save the process + group ID of the program it is running on suspend and restore it + when resuming, which fixes both problems. + + * A bug that could result in corrupted output in "sudo -l" has been + fixed. + + * Sudo will now create an entry in the utmp (or utmpx) file when + allocating a pseudo-tty (e.g. when logging I/O). The "set_utmp" + and "utmp_runas" sudoers file options can be used to control this. + Other policy plugins may use the "set_utmp" and "utmp_user" + entries in the command_info list. + + * The sudoers policy now stores the TSID field in the logs + even when the "iolog_file" sudoers option is defined to a value + other than %{sessid}. Previously, the TSID field was only + included in the log file when the "iolog_file" option was set + to its default value. + + * The sudoreplay utility now supports arbitrary session IDs. + Previously, it would only work with the base-36 session IDs + that the sudoers plugin uses by default. + + * Sudo now passes "run_shell=true" to the policy plugin in the + settings list when sudo's -s command line option is specified. + The sudoers policy plugin uses this to implement the "set_home" + sudoers option which was missing from sudo 1.8.0. + + * The "noexec" functionality has been moved out of the sudoers + policy plugin and into the sudo front-end, which matches the + behavior documented in the plugin writer's guide. As a result, + the path to the noexec file is now specified in the sudo.conf + file instead of the sudoers file. + + * On Solaris 10, the PRIV_PROC_EXEC privilege is now used to + implement the "noexec" feature. Previously, this was implemented + via the LD_PRELOAD environment variable. + + * The exit values for "sudo -l", "sudo -v" and "sudo -l command" + have been fixed in the sudoers policy plugin. + + * The sudoers policy plugin now passes the login class, if any, + back to the sudo front-end. + + * The sudoers policy plugin was not being linked with requisite + libraries in certain configurations. + + * Sudo now parses command line arguments before loading any plugins. + This allows "sudo -V" or "sudo -h" to work even if there is a problem + with sudo.conf + + * Plugins are now linked with the static version of libgcc to allow + the plugin to run on a system where no shared libgcc is installed, + or where it is installed in a different location. + +What's new in Sudo 1.8.0? + + * Sudo has been refactored to use a modular framework that can + support third-party policy and I/O logging plugins. The default + plugin is "sudoers" which provides the traditional sudo functionality. + See the sudo_plugin manual for details on the plugin API and the + sample in the plugins directory for a simple example. + +What's new in Sudo 1.7.5? + + * When using visudo in check mode, a file named "-" may be used to + check sudoers data on the standard input. + + * Sudo now only fetches shadow password entries when using the + password database directly for authentication. + + * Password and group entries are now cached using the same key + that was used to look them up. This fixes a problem when looking + up entries by name if the name in the retrieved entry does not + match the name used to look it up. This may happen on some systems + that do case insensitive lookups or that truncate long names. + + * GCC will no longer display warnings on glibc systems that use + the warn_unused_result attribute for write(2) and other system calls. + + * If a PAM account management module denies access, sudo now prints + a more useful error message and stops trying to validate the user. + + * Fixed a potential hang on idle systems when the sudo-run process + exits immediately. + + * Sudo now includes a copy of zlib that will be used on systems + that do not have zlib installed. + + * The --with-umask-override configure flag has been added to enable + the "umask_override" sudoers Defaults option at build time. + + * Sudo now unblocks all signals on startup to avoid problems caused + by the parent process changing the default signal mask. + + * LDAP Sudoers entries may now specify a time period for which + the entry is valid. This requires an updated sudoers schema + that includes the sudoNotBefore and sudoNotAfter attributes. + Support for timed entries must be explicitly enabled in the + ldap.conf file. Based on changes from Andreas Mueller. + + * LDAP Sudoers entries may now specify a sudoOrder attribute that + determines the order in which matching entries are applied. The + last matching entry is used, just like file-based sudoers. This + requires an updated sudoers schema that includes the sudoOrder + attribute. Based on changes from Andreas Mueller. + + * When run as sudoedit, or when given the -e flag, sudo now treats + command line arguments as pathnames. This means that slashes + in the sudoers file entry must explicitly match slashes in + the command line arguments. As a result, and entry such as: + user ALL = sudoedit /etc/* + will allow editing of /etc/motd but not /etc/security/default. + + * NETWORK_TIMEOUT is now an alias for BIND_TIMELIMIT in ldap.conf for + compatibility with OpenLDAP configuration files. + + * The LDAP API TIMEOUT parameter is now honored in ldap.conf. + + * The I/O log directory may now be specified in the sudoers file. + + * Sudo will no longer refuse to run if the sudoers file is writable + by root. + + * Sudo now performs command line escaping for "sudo -s" and "sudo -i" + after validating the command so the sudoers entries do not need + to include the backslashes. + + * Logging and email sending are now done in the locale specified + by the "sudoers_locale" setting ("C" by default). Email send by + sudo now includes MIME headers when "sudoers_locale" is not "C". + + * The configure script has a new option, --disable-env-reset, to + allow one to change the default for the sudoers Default setting + "env_reset" at compile time. + + * When logging "sudo -l command", sudo will now prepend "list " + to the command in the log line to distinguish between an + actual command invocation in the logs. + + * Double-quoted group and user names may now include escaped double + quotes as part of the name. Previously this was a parse error. + + * Sudo once again restores the state of the signal handlers it + modifies before executing the command. This allows sudo to be + used with the nohup command. + + * Resuming a suspended shell now works properly when I/O logging + is not enabled (the I/O logging case was already correct). + +What's new in Sudo 1.7.4p6? + + * A bug has been fixed in the I/O logging support that could cause + visual artifacts in full-screen programs such as text editors. + +What's new in Sudo 1.7.4p5? + + * A bug has been fixed that would allow a command to be run without the + user entering a password when sudo's -g flag is used without the -u flag. + + * If user has no supplementary groups, sudo will now fall back on checking + the group file explicitly, which restores historic sudo behavior. + + * A crash has been fixed when sudo's -g flag is used without the -u flag + and the sudoers file contains an entry with no runas user or group listed. + + * A crash has been fixed when the Solaris project support is enabled + and sudo's -g flag is used without the -u flag. + + * Sudo no longer exits with an error when support for auditing is + compiled in but auditing is not enabled. + + * Fixed a bug introduced in sudo 1.7.3 where the ticket file was not + being honored when the "targetpw" sudoers Defaults option was enabled. + + * The LOG_INPUT and LOG_OUTPUT tags in sudoers are now parsed correctly. + + * A crash has been fixed in "sudo -l" when sudo is built with auditing + support and the user is not allowed to run any commands on the host. + +What's new in Sudo 1.7.4p4? + + * A potential security issue has been fixed with respect to the handling + of sudo's -g command line option when -u is also specified. The flaw + may allow an attacker to run commands as a user that is not authorized + by the sudoers file. + + * A bug has been fixed where "sudo -l" output was incomplete if multiple + sudoers sources were defined in nsswitch.conf and there was an error + querying one of the sources. + + * The log_input, log_output, and use_pty sudoers options now work correctly + on AIX. Previously, sudo would hang if they were enabled. + + * The "make install" target now works correctly when sudo is built in a + directory other than the source directory. + + * The "runas_default" sudoers setting now works properly in a per-command + Defaults line. + + * Suspending and resuming the bash shell when PAM is in use now works + correctly. The SIGCONT signal was not propagated to the child process. + +What's new in Sudo 1.7.4p3? + + * A bug has been fixed where duplicate HOME environment variables could be + present when the env_reset setting was disabled and the always_set_home + setting was enabled in sudoers. + + * The value of sysconfdir is now substituted into the path to the sudoers.d + directory in the installed sudoers file. + + * Compilation problems on IRIX and other platforms have been fixed. + + * If multiple PAM "auth" actions are specified and the user enters ^C at + the password prompt, sudo will no longer prompt for a password for any + subsequent "auth" actions. Previously it was necessary to enter ^C for + each "auth" action. + +What's new in Sudo 1.7.4p2? + + * A bug where sudo could spin in a busy loop waiting for the child process + has been fixed. + +What's new in Sudo 1.7.4p1? + + * A bug introduced in sudo 1.7.3 that prevented the -k and -K options from + functioning when the tty_tickets sudoers option is enabled has been fixed. + + * Sudo no longer prints a warning when the -k or -K options are specified + and the ticket file does not exist. + + * It is now easier to cross-compile sudo. + +What's new in Sudo 1.7.4? + + * Sudoedit will now preserve the file extension in the name of the + temporary file being edited. The extension is used by some + editors (such as emacs) to choose the editing mode. + + * Time stamp files have moved from /var/run/sudo to either /var/db/sudo, + /var/lib/sudo or /var/adm/sudo. The directories are checked for + existence in that order. This prevents users from receiving the + sudo lecture every time the system reboots. Time stamp files older + than the boot time are ignored on systems where it is possible to + determine this. + + * The tty_tickets sudoers option is now enabled by default. + + * Ancillary documentation (README files, LICENSE, etc) is now installed + in a sudo documentation directory. + + * Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile" + in ldap.conf. + + * Defaults settings that are tied to a user, host or command may + now include the negation operator. For example: + Defaults:!millert lecture + will match any user but millert. + + * The default PATH environment variable, used when no PATH variable + exists, now includes /usr/sbin and /sbin. + + * Sudo now uses polypkg (http://rc.quest.com/topics/polypkg/) + for cross-platform packing. + + * On Linux, sudo will now restore the nproc resource limit before + executing a command, unless the limit appears to have been modified + by pam_limits. This avoids a problem with bash scripts that open + more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX) + will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1). + + * The HOME and MAIL environment variables are now reset based on the + target user's password database entry when the env_reset sudoers option + is enabled (which is the case in the default configuration). Users + wishing to preserve the original values should use a sudoers entry like: + Defaults env_keep += HOME + to preserve the old value of HOME and + Defaults env_keep += MAIL + to preserve the old value of MAIL. + + * Fixed a problem in the restoration of the AIX authdb registry setting. + + * Sudo will now fork(2) and wait until the command has completed before + calling pam_close_session(). + + * The default syslog facility is now "authpriv" if the operating system + supports it, else "auth". + +What's new in Sudo 1.7.3? + + * Support for logging I/O for the command being run. + For more information, see the documentation for the "log_input" + and "log_output" Defaults options in the sudoers manual. Also + see the sudoreplay manual for how to replay I/O log sessions. + + * The use_pty sudoers option can be used to force a command to be + run in a pseudo-pty, even when I/O logging is not enabled. + + * On some systems, sudo can now detect when a user has logged out + and back in again when tty-based time stamps are in use. Supported + systems include Solaris systems with the devices file system, + Mac OS X, and Linux systems with the devpts filesystem (pseudo-ttys + only). + + * On AIX systems, the registry setting in /etc/security/user is + now taken into account when looking up users and groups. Sudo + now applies the correct the user and group ids when running a + command as a user whose account details come from a different + source (e.g. LDAP or DCE vs. local files). + + * Support for multiple 'sudoers_base' and 'uri' entries in ldap.conf. + When multiple entries are listed, sudo will try each one in the + order in which they are specified. + + * Sudo's SELinux support should now function correctly when running + commands as a non-root user and when one of stdin, stdout or stderr + is not a terminal. + + * Sudo will now use the Linux audit system with configure with + the --with-linux-audit flag. + + * Sudo now uses mbr_check_membership() on systems that support it + to determine group membership. Currently, only Darwin (Mac OS X) + supports this. + + * When the tty_tickets sudoers option is enabled but there is no + terminal device, sudo will no longer use or create a tty-based + ticket file. Previously, sudo would use a tty name of "unknown". + As a consequence, if a user has no terminal device, sudo will + now always prompt for a password. + + * The passwd_timeout and timestamp_timeout options may now be + specified as floating point numbers for more granular timeout + values. + + * Negating the fqdn option in sudoers now works correctly when sudo + is configured with the --with-fqdn option. In previous versions + of sudo the fqdn was set before sudoers was parsed. + +What's new in Sudo 1.7.2? + + * A new #includedir directive is available in sudoers. This can be + used to implement an /etc/sudo.d directory. Files in an includedir + are not edited by visudo unless they contain a syntax error. + + * The -g option did not work properly when only setting the group + (and not the user). Also, in -l mode the wrong user was displayed + for sudoers entries where only the group was allowed to be set. + + * Fixed a problem with the alias checking in visudo which + could prevent visudo from exiting. + + * Sudo will now correctly parse the shell-style /etc/environment + file format used by pam_env on Linux. + + * When doing password and group database lookups, sudo will only + cache an entry by name or by id, depending on how the entry was + looked up. Previously, sudo would cache by both name and id + from a single lookup, but this breaks sites that have multiple + password or group database names that map to the same UID or + GID. + + * User and group names in sudoers may now be enclosed in double + quotes to avoid having to escape special characters. + + * BSM audit fixes when changing to a non-root UID. + + * Experimental non-Unix group support. Currently only works with + Quest Authorization Services and allows Active Directory groups + fixes for Minix-3. + + * For Netscape/Mozilla-derived LDAP SDKs the certificate and key + paths may be specified as a directory or a file. However, version + 5.0 of the SDK only appears to support using a directory (despite + documentation to the contrary). If SSL client initialization + fails and the certificate or key paths look like they could be + default file name, strip off the last path element and try again. + + * A setenv() compatibility fix for Linux systems, where a NULL + value is treated the same as an empty string and the variable + name is checked against the NULL pointer. + +What's new in Sudo 1.7.1? + + * A new Defaults option "pwfeedback" will cause sudo to provide visual + feedback when the user is entering a password. + + * A new Defaults option "fast_glob" will cause sudo to use the fnmatch() + function for file name globbing instead of glob(). When this option + is enabled, sudo will not check the file system when expanding wildcards. + This is faster but a side effect is that relative paths with wildcard + will no longer work. + + * New BSM audit support for systems that support it such as FreeBSD + and Mac OS X. + + * The file name specified with the #include directive may now include + a %h escape which is expanded to the short form of hostname. + + * The -k flag may now be specified along with a command, causing the + user's timestamp file to be ignored. + + * New support for Tivoli-based LDAP START_TLS, present in AIX. + + * New support for /etc/netsvc.conf on AIX. + + * The unused alias checks in visudo now handle the case of an alias + referring to another alias. + +What's new in Sudo 1.7.0? + + * Rewritten parser that converts sudoers into a set of data structures. + This eliminates a number of ordering issues and makes it possible to + apply sudoers Defaults entries before searching for the command. + It also adds support for per-command Defaults specifications. + + * Sudoers now supports a #include facility to allow the inclusion of other + sudoers-format files. + + * Sudo's -l (list) flag has been enhanced: + o applicable Defaults options are now listed + o a command argument can be specified for testing whether a user + may run a specific command. + o a new -U flag can be used in conjunction with "sudo -l" to allow + root (or a user with "sudo ALL") list another user's privileges. + + * A new -g flag has been added to allow the user to specify a + primary group to run the command as. The sudoers syntax has been + extended to include a group section in the Runas specification. + + * A UID may now be used anywhere a username is valid. + + * The "secure_path" run-time Defaults option has been restored. + + * Password and group data is now cached for fast lookups. + + * The file descriptor at which sudo starts closing all open files is now + configurable via sudoers and, optionally, the command line. + + * Visudo will now warn about aliases that are defined but not used. + + * The -i and -s command line flags now take an optional command + to be run via the shell. Previously, the argument was passed + to the shell as a script to run. + + * Improved LDAP support. SASL authentication may now be used in + conjunction when connecting to an LDAP server. The krb5_ccname + parameter in ldap.conf may be used to enable Kerberos. + + * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf + to specify the sudoers order. E.g.: + sudoers: ldap files + to check LDAP, then /etc/sudoers. The default is "files", even + when LDAP support is compiled in. This differs from sudo 1.6 + where LDAP was always consulted first. + + * Support for /etc/environment on AIX and Linux. If sudo is run + with the -i flag, the contents of /etc/environment are used to + populate the new environment that is passed to the command being + run. + + * If no terminal is available or if the new -A flag is specified, + sudo will use a helper program to read the password if one is + configured. Typically, this is a graphical password prompter + such as ssh-askpass. + + * A new Defaults option, "mailfrom" that sets the value of the + "From:" field in the warning/error mail. If unspecified, the + login name of the invoking user is used. + + * A new Defaults option, "env_file" that refers to a file containing + environment variables to be set in the command being run. + + * A new flag, -n, may be used to indicate that sudo should not + prompt the user for a password and, instead, exit with an error + if authentication is required. + + * If sudo needs to prompt for a password and it is unable to disable + echo (and no askpass program is defined), it will refuse to run + unless the "visiblepw" Defaults option has been specified. + + * Prior to version 1.7.0, hitting enter/return at the Password: prompt + would exit sudo. In sudo 1.7.0 and beyond, this is treated as + an empty password. To exit sudo, the user must press ^C or ^D + at the prompt. + + * visudo will now check the sudoers file owner and mode in -c (check) + mode when the -s (strict) flag is specified. + + * A new Defaults option "umask_override" will cause sudo to set the + umask specified in sudoers even if it is more permissive than the + invoking user's umask. |