Releases: sudo-project/sudo

Sudo 1.8.28

14 Oct 16:31
  • Sudo will now only set PAM_TTY to the empty string when no terminal is present on Solaris and Linux. This workaround is only needed on those systems which may have PAM modules that misbehave when PAM_TTY is not set.

  • The mailerflags sudoers option now has a default value even if sendmail support was disabled at configure time. Fixes a crash when the mailerpath sudoers option is set but mailerflags is not. Bug #878.

  • Sudo will now filter out last login messages on HP-UX unless a shell is being run via sudo -s or sudo -i. Otherwise, when trusted mode is enabled, these messages will be displayed for each command.

  • On AIX, when the user's password has expired and PAM is not in use, sudo will now allow the user to change their password. Bug #883.

  • Sudo has a new -B command line option that will ring the terminal bell when prompting for a password.

  • Sudo no longer refuses to prompt for a password when it cannot determine the user's terminal as long as it can open /dev/tty. This allows sudo to function on systems where /proc is unavailable, such as when running in a chroot environment.

  • The env_editor sudoers flag is now on by default. This makes source builds more consistent with the packages generated by sudo's mkpkg script.

  • Sudo no longer ships with pre-formatted copies of the manual pages. These were included for systems like IRIX that don't ship with an nroff utility. There are now multiple Open Source nroff replacements so this should no longer be an issue.

  • Fixed a bad interaction with configure's --prefix and --disable-shared options. Bug #886.

  • More verbose error message when a password is required and no terminal is present. Bug #828.

  • Command tags, such as NOPASSWD, are honored when a user tries to run a command that is allowed by sudoers but which does not actually exist on the file system. Bug #888.

  • Asturian translation for sudoers from translationproject.org.

  • I/O log timing files now store signal suspend and resume information in the form of a signal name instead of a number.

  • Fixed a bug introduced in 1.8.24 that prevented sudo from honoring the value of ipa_hostname from sssd.conf, if specified, when matching the host name.

  • Fixed a bug introduced in 1.8.21 that prevented the core dump resource limit set in the pam_limits module from taking effect. Bug #894.

  • Fixed parsing of double-quoted Defaults group and netgroup bindings.

  • The user ID is now used when matching sudoUser attributes in LDAP. Previously, the user name, group name and group IDs were used when matching but not the user ID.

  • Sudo now writes PAM messages to the user's terminal, if available, instead of the standard output or standard error. This prevents PAM output from being intermixed with that of the command when output is sent to a file or pipe. Bug #895.

  • Sudoedit now honors the umask and umask_override settings in sudoers. Previously, the user's umask was used as-is.

  • Fixed a bug where the terminal's file context was not restored when using SELinux RBAC. Bug #898.

  • Fixed CVE-2019-14287, a bug where a sudo user may be able to run a command as root when the Runas specification explicitly disallows root access as long as the ALL keyword is listed first.
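
An added example, not part of the sudo release notes or the sudo source: a small Python audit that lists sudoers rules whose Runas user list places ALL before a negated root entry, the configuration shape the CVE-2019-14287 entry describes. The parsing is a simplification (one level of Runas_Alias expansion, no include handling), the function names are hypothetical, and the sample policy is constructed.

```python
import re

RUNAS_RE = re.compile(r"\(([^)]*)\)")            # "(runas_users[:runas_groups])"
ALIAS_RE = re.compile(r"^Runas_Alias\s+(.+)$")
ROOT_NEGATIONS = {"!root", "!#0"}                # root excluded by name or by uid

def logical_lines(text):
    """Yield (first_line_no, line): continuations joined, comments dropped."""
    line_no = 1
    for raw in text.replace("\\\n", " \x00").split("\n"):
        joined = raw.count("\x00")               # physical lines folded into this one
        # '#' starts a comment unless digits follow it (then it is a uid such as #0)
        line = re.sub(r"#(?!\d).*", "", raw.replace("\x00", "")).strip()
        if line:
            yield line_no, line
        line_no += 1 + joined

def runas_aliases(lines):
    """Map each Runas_Alias name to its member list."""
    aliases = {}
    for _, line in lines:
        m = ALIAS_RE.match(line)
        for definition in (m.group(1).split(":") if m else []):
            name, _, members = definition.partition("=")
            aliases[name.strip()] = [t.strip() for t in members.split(",")]
    return aliases

def flagged(runas, aliases):
    """True if the Runas user list (aliases expanded one level) has ALL before !root."""
    users = [t.replace(" ", "") for t in runas.split(":")[0].split(",")]
    flat = [x.replace(" ", "") for t in users for x in aliases.get(t, [t])]
    return "ALL" in flat and bool(ROOT_NEGATIONS & set(flat[flat.index("ALL") + 1:]))

def find_all_not_root(sudoers_text):
    """Return [(line_no, line)] for rules relying on ALL followed by a negated root."""
    lines = list(logical_lines(sudoers_text))
    aliases = runas_aliases(lines)
    return [(no, line) for no, line in lines
            if any(flagged(r, aliases) for r in RUNAS_RE.findall(line))]

SAMPLE = """\
# constructed sample policy, not taken from a real host
Runas_Alias NOTROOT = ALL, !root
alice  myhost = (ALL, !root) /usr/bin/vi
bob    ALL = (NOTROOT) NOPASSWD: /usr/bin/id
carol  ALL = (ALL, \\
             !#0) /bin/ls
dave   ALL = (!root, ALL) /bin/ls
"""
```

Rules reported by `find_all_not_root` depend on the root exclusion being enforced, so hosts carrying them are the ones to prioritise for the 1.8.28 update.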

Sudo 1.8.27

17 Sep 04:39
  • On HP-UX, sudo will now update the utmps file when running a command
    in a pseudo-tty. Previously, only the utmp and utmpx files were
    updated.

  • Nanosecond precision file time stamps are now supported in HP-UX.

  • Fixes and clarifications to the sudo plugin documentation.

  • The sudo manuals no longer require extensive post-processing to
    hide system-specific features. Conditionals in the roff source
    are now used instead. This fixes corruption of the sudo manual
    on systems without BSD login classes. Bug #861.

  • If an I/O logging plugin is configured but the plugin does not
    actually log any I/O, sudo will no longer force the command to
    be run in a pseudo-tty.

  • The fix for bug #843 in sudo 1.8.24 was incomplete. If the
    user's password was expired or needed to be updated, but no sudo
    password was required, the PAM handle was freed too early,
    resulting in a failure when processing PAM session modules.

  • In visudo, it is now possible to specify the path to sudoers
    without using the -f option. Bug #864.

  • Fixed a bug introduced in sudo 1.8.22 where the utmp (or utmpx)
    file would not be updated when a command was run in a pseudo-tty.
    Bug #865.

  • Sudo now sets the silent flag when opening the PAM session except
    when running a shell via "sudo -s" or "sudo -i". This prevents
    the pam_lastlog module from printing the last login information
    for each sudo command. Bug #867.

  • Fixed the default AIX hard resource limit for the maximum number
    of files a user may have open. If no hard limit for "nofiles"
    is explicitly set in /etc/security/limits, the default should
    be "unlimited". Previously, the default hard limit was 8196.

Sudo 1.8.26

17 Sep 04:43
  • Fixed a bug in cvtsudoers when converting to JSON format when
    alias expansion is enabled. Bug #853.

  • Sudo no longer sets the USERNAME environment variable when running
    commands. This is a non-standard environment variable that was
    set on some older Linux systems.

  • Sudo now treats the LOGNAME and USER environment variables (as
    well as the LOGIN variable on AIX) as a single unit. If one is
    preserved or removed from the environment using env_keep, env_check
    or env_delete, so is the other.

  • Added support for OpenLDAP's TLS_REQCERT setting in ldap.conf.

  • Sudo now logs when the command was suspended and resumed in the
    I/O logs. This information is used by sudoreplay to skip the
    time suspended when replaying the session unless the new -S flag
    is used.

  • Fixed documentation problems found by the igor utility. Bug #854.

  • Sudo now prints a warning message when there is an error or end
    of file while reading the password instead of exiting silently.

  • Fixed a bug in the sudoers LDAP back-end parsing the command_timeout,
    role, type, privs and limitprivs sudoOptions. This also affected
    cvtsudoers conversion from LDIF to sudoers or JSON.

  • Fixed a bug that prevented timeout settings in sudoers from
    functioning unless a timeout was also specified on the command
    line.

  • Asturian translation for sudo from translationproject.org.

  • When generating LDIF output, cvtsudoers can now be configured
    to pad the sudoOrder increment such that the start order is used
    as a prefix. Bug #856.

  • Fixed a bug introduced in sudo 1.8.25 that prevented sudo from
    properly setting the user's groups on AIX. Bug #857.

  • If the user specifies a group via sudo's -g option that matches
    any of the target user's groups, it is now allowed even if no
    groups are present in the Runas_Spec. Previously, it was only
    allowed if it matched the target user's primary group.

  • The sudoers LDAP back-end now supports negated sudoRunAsUser and
    sudoRunAsGroup entries.

  • Sudo now provides a proper error message when the "fqdn" sudoers
    option is set and it is unable to resolve the local host name.
    Bug #859.

  • Portuguese translation for sudo and sudoers from translationproject.org.

  • Sudo now includes sudoers LDAP schema for the on-line configuration
    supported by OpenLDAP.

Sudo 1.8.25p1

17 Sep 04:44
  • Fixed a bug introduced in sudo 1.8.25 that caused a crash on
    systems that have the poll() function but not the ppoll() function.
    Bug #851.

Sudo 1.8.25

17 Sep 04:49
  • Fixed a bug introduced in sudo 1.8.20 that broke formatting of
    I/O log timing file entries on systems without a C99-compatible
    snprintf() function. Our replacement snprintf() doesn't support
    floating point so we can't use the "%f" format directive.

  • I/O log timing file entries now use a monotonic timer and include
    nanosecond precision. A monotonic timer that does not increment
    while the system is sleeping is used where available.

  • Fixed a bug introduced in sudo 1.8.24 where sudoNotAfter in the LDAP
    backend was not being properly parsed. Bug #845.

  • When sudo runs a command in a pseudo-tty, the slave device is
    now closed in the main process immediately after starting the
    monitor process. This removes the need for an AIX-specific
    workaround that was added in sudo 1.8.24.

  • Added support for monotonic timers on HP-UX.

  • Fixed a bug displaying timeout values in the "sudo -V" output.
    The value displayed was 3600 times the actual value. Bug #846.

  • Fixed a build issue on AIX 7.1 BOS levels that include memset_s()
    and define rsize_t in string.h. Bug #847.

  • The testsudoers utility now supports querying an LDIF-format
    policy.

  • Sudo now sets the LOGIN environment variable to the same value as
    LOGNAME on AIX systems. Bug #848.

  • Fixed a regression introduced in sudo 1.8.24 where the LDAP and
    SSSD backends evaluated the rules in reverse sudoOrder. Bug #849.