summaryrefslogtreecommitdiffstats
path: root/docs/UPGRADE.md
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--docs/UPGRADE.md636
1 files changed, 636 insertions, 0 deletions
diff --git a/docs/UPGRADE.md b/docs/UPGRADE.md
new file mode 100644
index 0000000..1e2cb5f
--- /dev/null
+++ b/docs/UPGRADE.md
@@ -0,0 +1,636 @@
+Notes on upgrading from an older release
+========================================
+
+ * Upgrading from a version prior to 1.9.15:
+
+ The sudoers plugin now uses a time stamp path name that is based
+ on the user-ID instead of the user name. For example, a time
+ stamp file that was /var/run/sudo/ts/root in sudo 1.9.14 will
+ now be /var/run/sudo/ts/0. The lecture flag file name is now
+ also based on the user-ID, which will result in users receiving
+ the sudo lecture again on upgrade to sudo 1.9.15.
+
+ * Upgrading from a version prior to 1.9.14:
+
+ Sudo now runs commands in a new pseudo-terminal by default. This
+ can prevent a malicious program run via sudo from accessing the
+ user's terminal device after the command completes.
+
+ When sudo runs a command in a new pseudo-terminal, an additional
+ process is created to monitor the command's status and pass
+ terminal control signals between the two terminals. See the
+ "Process model" subsection in the sudo manual and the description
+ of the "use_pty" option in the sudoers manual for more information.
+
+ A side effect of running the command in a new pseudo-terminal
+ is that sudo must pass input from the user's terminal to the
+ pseudo-terminal, even if the command being run does not require
+ the input. The "exec_background" option in sudoers can be used
+ to prevent this, but some screen-oriented commands may not operate
+ properly when run as a background process.
+
+ To restore the historic behavior where a command is run in the
+ user's terminal, add the following line to the sudoers file:
+
+ Defaults !use_pty
+
+ * Upgrading from a version prior to 1.9.13:
+
+ Sudo now builds AIX-style shared libraries and dynamic shared
+ objects by default instead of svr4-style. This means that the
+ default sudo plugins are now .a (archive) files that contain a
+ .so shared object file instead of bare .so files. This was done
+ to improve compatibility with the AIX Freeware ecosystem,
+ specifically, the AIX Freeware build of OpenSSL. When loading
+ a .a file as a plugin the name of the included .so file must
+ also be specified, for example /usr/libexec/sudo/sudoers.a(sudoers.so).
+
+ Sudo is still capable of loading svr4-style .so plugins and if
+ a .so file is requested, either via sudo.conf or the sudoers
+ file, and only the .a file is present, sudo will convert the
+ path from plugin.so to plugin.a(plugin.so). This ensures
+ compatibility with existing configurations. To restore the old,
+ pre-1.9.13 behavior, run configure using the --with-aix-soname=svr4
+ option.
+
+ * Upgrading from a version prior to 1.9.10:
+
+ Sudo now interprets a command line argument in sudoers that
+ begins with a '^' character as a regular expression. To start
+ a command argument with a literal '^' character, it must be
+ escaped with a backslash ('\'). This may result in a syntax
+ error after upgrading for existing sudoers rules where the command
+ line arguments begin with a '^'.
+
+ A user may now only run "sudo -U otheruser -l" if they have a
+ "sudo ALL" privilege where the RunAs user contains either "root"
+ or "otheruser". Previously, having "sudo ALL" was sufficient,
+ regardless of the RunAs user.
+
+ * Upgrading from a version prior to 1.9.9:
+
+ Sudo now runs commands with the core limit resource limit set
+ to 0 by default. While most operating systems restrict core
+ dumps of set-user-ID programs like sudo, this protection is
+ lost when sudo executes a command. By disabling core dumps by
+ default, it is possible to avoid potential security problems
+ such as those seen with the Linux logrotate utility, which could
+ interpret a core dump as a valid configuration file.
+
+ To restore the historic core dump file size behavior, add the
+ following line to the sudoers file:
+
+ Defaults rlimit_core=default
+
+ * Upgrading from a version prior to 1.9.7:
+
+ Sudo now links with OpenSSL 1.0.1 or higher by default if it
+ is present on the system unless it is explicitly disabled (via
+ `--disable-openssl`), or unless the sudo log client and server
+ code is disabled (via `--disable-log-client` and `--disable-log-server`).
+ As a result, the sudo log server (and the client built into the
+ sudoers plugin) now support TLS connections by default.
+
+ * Upgrading from a version prior to 1.9.3:
+
+ Due to the addition of the CHROOT and CWD options, it is no
+ longer possible to declare an alias with one of those names.
+ If a sudoers file has an alias with one of those names, sudo
+ and visudo will report a syntax error with a message like
+ "syntax error: unexpected CHROOT, expecting ALIAS".
+
+ Starting with version 1.9.3, sudoers rules must end in either
+ a newline or the end-of-file. This makes it possible to provide
+ better error messages. Previously, it was possible to include
+ multiple rules on a single line, separated by white space.
+
+ Starting with version 1.9.3, sudo will attempt to recover from
+ a syntax error in the sudoers file by discarding the portion
+ of the line that contains the error until the end of the line.
+ To restore the historic behavior of refusing to run when a
+ syntax error is encountered, add `error_recovery=false` as a
+ plugin option in sudo.conf for the "sudoers_audit" plugin, (or
+ "sudoers_policy" if there is no "sudoers_audit" plugin configured).
+
+ * Upgrading from a version prior to 1.9.1:
+
+ Starting with version 1.9.1, sudoers plugin arguments in sudo.conf
+ should be specified for the "sudoers_audit" plugin, not
+ "sudoers_policy". This is because the sudoers file is now
+ opened and parsed by the "sudoers_audit" plugin. Previously,
+ this was done by the "sudoers_policy" plugin. The use of an
+ audit plugin makes it possible for the sudoers module to detect
+ when a command has been rejected by an approval plugin and only
+ log commands that are allowed by both policy and approval
+ plugins.
+
+ * Upgrading from a version prior to 1.8.30:
+
+ Starting with version 1.8.30, sudo will no longer allow commands
+ to be run as a user or group ID that is not in the password or
+ group databases by default. Previously, sudo would always allow
+ unknown user or group IDs if the sudoers entry permitted it,
+ including via the _ALL_ alias. The old behavior can be restored
+ by setting the new "allow_unknown_runas_id" Defaults setting
+ in the sudoers file.
+
+ * Upgrading from a version prior to 1.8.29:
+
+ Starting with version 1.8.29, if the umask is explicitly set
+ in sudoers, that value is used regardless of the umask specified
+ by PAM or login.conf. However, if the umask is not explicitly
+ set in sudoers, PAM, or login.conf may now override the default
+ sudoers umask. Previously, the sudoers umask always overrode
+ the umask set by PAM, which was not the documented behavior.
+
+ * Upgrading from a version prior to 1.8.28:
+
+ Starting with version 1.8.28, sudo stores the signal that caused
+ a command to be suspended or resumed as a string in the I/O log
+ timing file. The version of sudoreplay included with sudo
+ 1.8.28 can process either type of I/O log file but older versions
+ of sudoreplay are unable to replay the newer logs.
+
+ Starting with version 1.8.28, sudoedit honors the umask and
+ umask_override settings in sudoers. Previously, the user's
+ umask was used as-is.
+
+ * Upgrading from a version prior to 1.8.26:
+
+ Starting with version 1.8.26, sudo no long sets the USERNAME
+ environment variable when running commands. This is a non-standard
+ environment variable that was set on some older Linux systems.
+ Sudo still sets the LOGNAME, USER, and, on AIX systems, LOGIN
+ environment variables.
+
+ Handling of the LOGNAME, USER (and on AIX, LOGIN) environment
+ variables has changed slightly in version 1.8.26. Sudo now
+ treats those variables as a single unit. This means that if
+ one variable is preserved or removed from the environment using
+ env_keep, env_check, or env_delete, the others are too.
+
+ * Upgrading from a version prior to 1.8.23:
+
+ In sudo 1.8.23 the "sudoers2ldif" script and the `visudo -x`
+ functionality has been superseded by the "cvtsudoers" utility.
+ The cvtsudoers utility is intended to be a drop-in replacement
+ for "sudoers2ldif". Because it uses the same parser as sudo
+ and visudo, cvtsudoers can perform a more accurate conversion
+ than sudoers2ldif could.
+
+ To convert a sudoers file to JSON, the format option must be
+ specified. For example, instead of:
+
+ visudo -f sudoers_file -x output_file
+
+ one would use:
+
+ cvtsudoers -f json -o output_file sudoers_file
+
+ Unlike "visudo -x", "cvtsudoers" reads from the standard input
+ by default. Also, the base DN may be specified on the command
+ line, if desired, using the -b option.
+
+ * Upgrading from a version prior to 1.8.20:
+
+ Due to the addition of the TIMEOUT, NOTBEFORE, and NOTAFTTER
+ options, it is no longer possible to declare an alias with one
+ of those names. If a sudoers file has an alias with one of
+ those names, sudo, and visudo will report a syntax error with a
+ message like "syntax error: unexpected TIMEOUT, expecting ALIAS".
+
+ Prior to version 1.8.20, when log_input, log_output, or use_pty
+ were enabled, if any of the standard input, output, or error
+ were not connected to a terminal, sudo would use a pipe. The
+ pipe allows sudo to interpose itself between the old standard
+ input, output, or error and log the contents. Beginning with
+ version 1.8.20, a pipe is only used when I/O logging is enabled.
+ If use_pty is set without log_input or log_output, no pipe will
+ be used. Additionally, if log_input is set without log_output,
+ a pipe is only used for the standard input. Likewise, if
+ log_output is set without log_input, a pipe is only used for
+ the standard output and standard error. This results in a
+ noticeable change in behavior if the use_pty flag is set and no
+ terminal is present when running commands such as scripts that
+ execute other commands asynchronously (in the background).
+ Previously, sudo would exit immediately, causing background
+ commands to terminate with a broken pipe if they attempt to
+ write to the standard output or standard error. As of version
+ 1.8.20, a pipe will not be used in this case so the command
+ will no longer be terminated.
+
+ * Upgrading from a version prior to 1.8.16:
+
+ When editing files with sudoedit, files in a directory that is
+ writable by the invoking user may no longer be edited by default.
+ Also, sudoedit will refuse to follow a symbolic link in the
+ path to be edited if that directory containing the link is
+ writable by the user. This behavior can be disabled by negating
+ the sudoedit_checkdir sudoers option, which is now enabled by
+ default.
+
+ * Upgrading from a version prior to 1.8.15:
+
+ Prior to version 1.8.15, when env_reset was enabled (the default)
+ and the -s option was not used, the SHELL environment variable
+ was set to the shell of the invoking user. In 1.8.15 and above,
+ when env_reset is enabled and the -s option is not used, SHELL
+ is set based on the target user.
+
+ When editing files with sudoedit, symbolic links will no longer
+ be followed by default. The old behavior can be restored by
+ enabling the sudoedit_follow option in sudoers or on a per-command
+ basis with the FOLLOW and NOFOLLOW tags.
+
+ Prior to version 1.8.15, groups listed in sudoers that were not
+ found in the system group database were passed to the group
+ plugin, if any. Starting with 1.8.15, only groups of the form
+ %:group are resolved via the group plugin by default. The old
+ behavior can be restored by using the always_query_group_plugin
+ sudoers option.
+
+ Locking of the time stamp file has changed in sudo 1.8.15.
+ Previously, the user's entire time stamp file was locked while
+ retrieving and updating a time stamp record. Now, only a single
+ record, specific to the tty or parent process ID, is locked.
+ This lock is held while the user enters their password. If
+ sudo is suspended at the password prompt (or run in the
+ background), the lock is dropped until sudo is resumed, at which
+ point it will be reacquired. This allows sudo to be used in a
+ pipeline even when a password is required--only one instance
+ of sudo will prompt for a password.
+
+ * Upgrading from a version prior to 1.8.14:
+
+ On HP-UX, sudo will no longer check for "plugin.sl" if "plugin.so"
+ is specified but does not exist. This was a temporary hack for
+ backward compatibility with Sudo 1.8.6 and below when the
+ plugin path name was not listed in sudo.conf. A plugin path
+ name that explicitly ends in ".sl" will still work as expected.
+
+ * Upgrading from a version prior to 1.8.12:
+
+ On Solaris, sudo is now able to determine the NIS domain name.
+ As a result, if you had previously been using netgroups that
+ do not include the domain, you will need to either set the
+ domain in the entry or leave the domain part of the tuple blank.
+
+ For example, the following will no longer work:
+
+ my-hosts (foo,-,-) (bar,-,-) (baz,-,-)
+
+ and should be changed to:
+
+ my-hosts (foo,-,) (bar,-,) (baz,-,)
+
+ * Upgrading from a version prior to 1.8.10:
+
+ The time stamp file format has changed in sudo 1.8.10. There
+ is now a single time stamp file for each user, even when tty-based
+ time stamps are used. Each time stamp file may contain multiple
+ records to support tty-based time stamps as well as multiple
+ authentication users. On systems that support it, monotonic
+ time is stored instead of wall clock time. As a result, it is
+ important that the time stamp files not persist when the system
+ reboots. For this reason, the default location for the time
+ stamp files has changed back to a directory located in `/var/run`.
+ Systems that do not have `/var/run` (e.g. AIX) or that do not clear
+ it on boot (e.g. HP-UX) will need to clear the time stamp
+ directory via a start up script. Such a script is installed by
+ default on AIX and HP-UX systems.
+
+ Because there is now a single time stamp file per user, the -K
+ option will remove all of the user's time stamps, not just the
+ time stamp for the current terminal.
+
+ Lecture status is now stored separately from the time stamps in a
+ separate directory: `/var/db/sudo/lectured`, `/var/lib/sudo/lectured`
+ or `/var/adm/sudo/lectured` depending on what is present on the system.
+
+ LDAP-based sudoers now uses a default search filter of
+ (objectClass=sudoRole) for more efficient queries. It is
+ possible to disable the default search filter by specifying
+ SUDOERS_SEARCH_FILTER in ldap.conf but omitting a value.
+
+ * Upgrading from a version prior to 1.8.7:
+
+ Sudo now stores its libexec files in a "sudo" sub-directory
+ instead of in libexec itself. For backward compatibility, if
+ the plugin is not found in the default plugin directory, sudo
+ will check the parent directory default directory ends in `/sudo`.
+
+ The default sudo plugins now all use the .so extension, regardless
+ of the extension used by system shared libraries. For backward
+ compatibility, sudo on HP-UX will also search for a plugin with
+ an .sl extension if the .so version is not found.
+
+ Handling of users belonging to a large number of groups has
+ changed. Previously, sudo would only use the group list from
+ the kernel unless the system_group plugin was enabled in sudoers.
+ Now, sudo will query the groups database if the user belongs
+ to the maximum number of groups supported by the kernel. See
+ the group_source and max_groups settings in the sudo.conf manual
+ for details.
+
+ * Upgrading from a version prior to 1.8.2:
+
+ When matching Unix groups in the sudoers file, sudo will now
+ match based on the name of the group as it appears in sudoers
+ instead of the group-ID. This can substantially reduce the
+ number of group lookups for sudoers files that contain a large
+ number of groups. There are a few side effects of this change.
+
+ 1) Unix groups with different names but the same group-ID are
+ can no longer be used interchangeably. Sudo will look up all
+ of a user's groups by group-ID and use the resulting group
+ names when matching sudoers entries. If there are multiple
+ groups with the same ID, the group name returned by the
+ system getgrgid() library function is the name that will be
+ used when matching sudoers entries.
+
+ 2) Unix group names specified in the sudoers file that are
+ longer than the system maximum will no longer match. For
+ instance, if there is a Unix group "fireflie" on a system
+ where group names are limited to eight characters, "%fireflies"
+ in sudoers will no longer match "fireflie". Previously, a
+ lookup by name of the group "fireflies" would have matched
+ the "fireflie" group on most systems.
+
+ The legacy group matching behavior may be restored by enabling
+ the match_group_by_gid Defaults option in sudoers available
+ in sudo 1.8.18 and higher.
+
+ * Upgrading from a version prior to 1.8.1:
+
+ Changes in the sudoers parser could result in parse errors for
+ existing sudoers file. These changes cause certain erroneous
+ entries to be flagged as errors where before they allowed.
+ Changes include:
+
+ Combining multiple Defaults entries with a backslash. E.g.
+
+ Defaults set_path \
+ Defaults syslog
+
+ which should be:
+
+ Defaults set_path
+ Defaults syslog
+
+ Also, double-quoted strings with a missing end-quote are now
+ detected and result in an error. Previously, text starting a
+ double quote and ending with a newline was ignored. E.g.
+
+ Defaults set_path"foo
+
+ In previous versions of sudo, the _"foo_ portion would have
+ been ignored.
+
+ To avoid problems, sudo 1.8.1's `make install` will not install
+ a new sudo binary if the existing sudoers file has errors.
+
+ In Sudo 1.8.1 the _noexec_ functionality has moved out of the
+ sudoers policy plugin and into the sudo front-end. As a result,
+ the path to the noexec file is now specified in the sudo.conf
+ file instead of the sudoers file. If you have a sudoers file
+ that uses the "noexec_file" option, you will need to move the
+ definition to the sudo.conf file instead.
+
+ Old style in `/etc/sudoers`:
+
+ Defaults noexec_file=/usr/local/libexec/sudo_noexec.so
+
+ New style in `/etc/sudo.conf`:
+
+ Path noexec /usr/local/libexec/sudo_noexec.so
+
+ * Upgrading from a version prior to 1.8.0:
+
+ Starting with version 1.8.0, sudo uses a modular framework to
+ support policy and I/O logging plugins. The default policy
+ plugin is "sudoers" which provides the traditional sudoers
+ evaluation and I/O logging. Plugins are typically located in
+ `/usr/libexec` or `/usr/local/libexec`, though this is system-dependent.
+ The sudoers plugin is named "sudoers.so" on most systems.
+
+ The sudo.conf file, usually stored in `/etc`, is used to configure
+ plugins. This file is optional--if no plugins are specified
+ in sudo.conf, the "sudoers" plugin is used. See the example
+ sudo.conf file in the docs directory or refer to the updated
+ sudo manual to see how to configure sudo.conf.
+
+ The "askpass" setting has moved from the sudoers file to the
+ sudo.conf file. If you have a sudoers file that uses the
+ "askpass" option, you will need to move the definition to the
+ sudo.conf file.
+
+ Old style in `/etc/sudoers`:
+
+ Defaults askpass=/usr/X11R6/bin/ssh-askpass
+
+ New style in `/etc/sudo.conf`:
+
+ Path askpass /usr/X11R6/bin/ssh-askpass
+
+ * Upgrading from a version prior to 1.7.5:
+
+ Sudo 1.7.5 includes an updated LDAP schema with support for
+ the sudoNotBefore, sudoNotAfter, and sudoOrder attributes.
+
+ The sudoNotBefore and sudoNotAfter attribute support is only
+ used when the SUDOERS_TIMED setting is enabled in ldap.conf.
+ If enabled, those attributes are used directly when constructing
+ an LDAP filter. As a result, your LDAP server must have the
+ updated schema if you want to use sudoNotBefore and sudoNotAfter.
+
+ The sudoOrder support does not affect the LDAP filter sudo
+ constructs and so there is no need to explicitly enable it in
+ ldap.conf. If the sudoOrder attribute is not present in an
+ entry, a value of 0 is used. If no entries contain sudoOrder
+ attributes, the results are in whatever order the LDAP server
+ returns them, as in past versions of sudo.
+
+ Older versions of sudo will simply ignore the new attributes
+ if they are present in an entry. There are no compatibility
+ problems using the updated schema with older versions of sudo.
+
+ * Upgrading from a version prior to 1.7.4:
+
+ Starting with sudo 1.7.4, the time stamp files have moved from
+ `/var/run/sudo` to either `/var/db/sudo`, `/var/lib/sudo`, or
+ `/var/adm/sudo`. The directories are checked for existence in
+ that order. This prevents users from receiving the sudo lecture
+ every time the system reboots. Time stamp files older than the
+ boot time are ignored on systems where it is possible to determine
+ this.
+
+ Additionally, the tty_tickets sudoers option is now enabled by
+ default. To restore the old behavior (single time stamp per user),
+ add a line like:
+
+ Defaults !tty_tickets
+
+ to sudoers or use the `--without-tty-tickets` configure option.
+
+ The HOME and MAIL environment variables are now reset based on the
+ target user's password database entry when the env_reset sudoers option
+ is enabled (which is the case in the default configuration). Users
+ wishing to preserve the original values should use a sudoers entry like:
+
+ Defaults env_keep += HOME
+
+ to preserve the old value of HOME and
+
+ Defaults env_keep += MAIL
+
+ to preserve the old value of MAIL.
+
+ Preserving HOME has security implications since many programs
+ use it when searching for configuration files. Adding HOME to
+ env_keep may enable a user to run unrestricted commands via sudo.
+
+ The default syslog facility has changed from "local2" to "authpriv"
+ (or "auth" if the operating system doesn't have "authpriv").
+ The `--with-logfac` configure option can be used to change this
+ or it can be changed in the sudoers file.
+
+ * Upgrading from a version prior to 1.7.0:
+
+ Starting with sudo 1.7.0, comments in the sudoers file must not
+ have a digit or minus sign immediately after the comment character
+ ('#'). Otherwise, the comment may be interpreted as a user or
+ group-ID.
+
+ When sudo is build with LDAP support the `/etc/nsswitch.conf` file is
+ now used to determine the sudoers sea ch order. sudo will default to
+ only using `/etc/sudoers` unless `/etc/nsswitch.conf` says otherwise.
+ This can be changed with an nsswitch.conf line, e.g.:
+
+ sudoers: ldap files
+
+ Would case LDAP to be searched first, then the sudoers file.
+ To restore the pre-1.7.0 behavior, run configure with the
+ `--with-nsswitch=no` flag.
+
+ Sudo now ignores user .ldaprc files as well as system LDAP defaults.
+ All LDAP configuration is now in `/etc/ldap.conf` (or whichever file
+ was specified by configure's `--with-ldap-conf-file` option).
+ If you are using TLS, you may now need to specify:
+
+ tls_checkpeer no
+
+ in sudo's ldap.conf unless ldap.conf references a valid certificate
+ authority file(s).
+
+ * Upgrading from a version prior to 1.6.9:
+
+ Starting with sudo 1.6.9, if an OS supports a modular authentication
+ method such as PAM, it will be used by default by configure.
+
+ Environment variable handling has changed significantly in sudo
+ 1.6.9. Prior to version 1.6.9, sudo would preserve the user's
+ environment, pruning out potentially dangerous variables.
+ Beginning with sudo 1.6.9, the environment is reset to a default
+ set of values with only a small number of "safe" variables
+ preserved. To preserve specific environment variables, add
+ them to the "env_keep" list in sudoers. E.g.
+
+ Defaults env_keep += "EDITOR"
+
+ The old behavior can be restored by negating the "env_reset"
+ option in sudoers. E.g.
+
+ Defaults !env_reset
+
+ There have also been changes to how the "env_keep" and
+ "env_check" options behave.
+
+ Prior to sudo 1.6.9, the TERM and PATH environment variables
+ would always be preserved even if the env_keep option was
+ redefined. That is no longer the case. Consequently, if
+ env_keep is set with "=" and not simply appended to (i.e. using
+ "+="), PATH and TERM must be explicitly included in the list
+ of environment variables to keep. The LOGNAME, SHELL, USER,
+ and USERNAME environment variables are still always set.
+
+ Additionally, the env_check setting previously had no effect
+ when env_reset was set (which is now on by default). Starting
+ with sudo 1.6.9, environment variables listed in env_check are
+ also preserved in the env_reset case, provided that they do not
+ contain a '/' or '%' character. It is not necessary to also
+ list a variable in env_keep--having it in env_check is sufficient.
+
+ The default lists of variables to be preserved and/or checked
+ are displayed when sudo is run by root with the -V flag.
+
+ * Upgrading from a version prior to 1.6.8:
+
+ Prior to sudo 1.6.8, if `/var/run` did not exist, sudo would put
+ the time stamp files in `/tmp/.odus`. As of sudo 1.6.8, the
+ time stamp files will be placed in `/var/adm/sudo` or `/usr/adm/sudo`
+ if there is no `/var/run directory`. This directory will be
+ created if it does not already exist.
+
+ Previously, a sudoers entry that explicitly prohibited running
+ a command as a certain user did not override a previous entry
+ allowing the same command. This has been fixed in sudo 1.6.8
+ such that the last match is now used (as it is documented).
+ Hopefully no one was depending on the previous (buggy) behavior.
+
+ * Upgrading from a version prior to 1.6:
+
+ As of sudo 1.6, parsing of runas entries and the NOPASSWD tag
+ has changed. Prior to 1.6, a runas specifier applied only to
+ a single command directly following it. Likewise, the NOPASSWD
+ tag only allowed the command directly following it to be run
+ without a password. Starting with sudo 1.6, both the runas
+ specifier and the NOPASSWD tag are "sticky" for an entire
+ command list. So, given the following line in sudo < 1.6
+
+ millert ALL=(daemon) NOPASSWD:/usr/bin/whoami,/bin/ls
+
+ millert would be able to run `/usr/bin/whoami` as user daemon
+ without a password and `/bin/ls` as root with a password.
+
+ As of sudo 1.6, the same line now means that millert is able
+ to run run both `/usr/bin/whoami` and `/bin/ls` as user daemon
+ without a password. To expand on this, take the following
+ example:
+
+ millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, (root) /bin/ls, \
+ /sbin/dump
+
+ millert can run `/usr/bin/whoami` as daemon and `/bin/ls` and
+ `/sbin/dump` as root. No password need be given for either
+ command. In other words, the "(root)" sets the default runas
+ user to root for the rest of the list. If we wanted to require
+ a password for `/bin/ls` and `/sbin/dump` the line could be written
+ as:
+
+ millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, \
+ (root) PASSWD:/bin/ls, /sbin/dump
+
+ Additionally, sudo now uses a per-user time stamp directory
+ instead of a time stamp file. This allows tty time stamps to
+ simply be files within the user's time stamp dir. For the
+ default, non-tty case, the time stamp on the directory itself
+ is used.
+
+ Also, the temporary file used by visudo is now `/etc/sudoers.tmp`
+ since some versions of vipw on systems with shadow passwords use
+ `/etc/stmp` for the temporary shadow file.
+
+ * Upgrading from a version prior to 1.5:
+
+ By default, sudo expects the sudoers file to be mode 0440 and
+ to be owned by user and group 0. This differs from version 1.4
+ and below which expected the sudoers file to be mode 0400 and
+ to be owned by root. Doing a `make install` will set the sudoers
+ file to the new mode and group. If sudo encounters a sudoers
+ file with the old permissions it will attempt to update it to
+ the new scheme. You cannot, however, use a sudoers file with
+ the new permissions with an old sudo binary. It is suggested
+ that if have a means of distributing sudo you distribute the
+ new binaries first, then the new sudoers file (or you can leave
+ sudoers as is and sudo will fix the permissions itself as long
+ as sudoers is on a local file system).