[sudo-users] Fwd: sudo 1.9.10b3 released
Todd C. Miller
Todd.Miller at sudo.ws
Tue Feb 22 18:56:32 MST 2022
[ Copying this to sudo-users since regex support has been before. ]
The third beta version of sudo 1.9.10 is now available.
In addition to bug fixes, sudo 1.9.10 introduces support for using
regular expressions in the sudoers file. Either the command, the
arguments, or both may be (separate) regular expressions.
Source:
https://www.sudo.ws/dist/beta/sudo-1.9.10b3.tar.gz
ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.9.10b3.tar.gz
SHA256 checksum:
d3bb280bb6783c71880ba565e767f0527ba9d2198d7c6c6188b05738d46ab663
MD5 checksum:
3248d0ba03bcacc98fba4e238d25df0f
Binary packages:
https://www.sudo.ws/getting/beta_packages/
For a list of download mirror sites, see:
https://www.sudo.ws/getting/download_mirrors/
Sudo web site:
https://www.sudo.ws/
Major changes between sudo 1.9.10b3 and 1.9.10b2:
* Restored the warning when a user is not allowed to run a command.
Previously, the warning was displayed when a user was not in the
sudoers file, or was present but not listed for the local host. The
new behavior is to display the warning if a command is denied *and*
mail is sent to the administrator. Whether or not mail is sent is
controlled by the "mail_*" flags in sudoers. The warning text is now
"This incident has been reported to the administrator." which is
hopefully less confusing. The message will not be printed if either
the "mailto" or "mailerpath" sudoers settings are disabled.
* The sudo lecture is now displayed immediately before the password
prompt. As a result, sudo will no longer display the lecture
unless the user needs to enter a password. Authentication methods
that don't interact with the user via a terminal do not trigger
the lecture.
Major changes between sudo 1.9.10b2 and 1.9.10b1:
* A user may now only run "sudo -U otheruser -l" if they have a
"sudo ALL" privilege where the RunAs user contains either "root"
or "otheruser". Previously, having "sudo ALL" was sufficient,
regardless of the RunAs user. GitHub issue #134.
* Documentation updates.
* Fixed a bug in the heuristic used to decide when to disable
password filtering when "log_input" is enabled and "log_passwords"
is disabled. Also added regression tests for password filtering.
* Updated translations from translationproject.org.
Major changes between sudo 1.9.10b1 and 1.9.9:
* Added new "log_passwords" and "passprompt_regex" sudoers options.
If "log_passwords" is disabled, sudo will attempt to prevent passwords
from being logged. If sudo detects any of the regular expressions in
the "passprompt_regex" list in the terminal output, sudo will log '*'
characters instead of the terminal input until a newline or carriage
return is found in the input or an output character is received.
* Added new "log_passwords" and "passprompt_regex" settings to
sudo_logsrvd that operate like the sudoers options when logging
terminal input.
* Fixed several bugs in the cvtsudoers utility when merging
multiple sudoers sources.
* Fixed a bug in sudo_logsrvd when parsing the sudo_logsrvd.conf
file, where the "retry_interval" in the [relay] section was not
being recognized.
* Restored the pre-1.9.9 behavior of not performing authentication
when sudo's -n option is specified. A new "noninteractive_auth"
sudoers option has been added to enable PAM authentication in
non-interactive mode. GitHub issue #131.
* On systems with /proc, if the /proc/self/stat (Linux) or
/proc/pid/psinfo (other systems) file is missing or invalid,
sudo will now check file descriptors 0-2 to determine the user's
terminal. Bug #1020.
* Fixed a compilation problem on Debian kFreeBSD. Bug #1021.
* Fixed a crash in sudo_logsrvd when running in relay mode if
an alert message is received.
* Fixed an issue that resulted in "problem with defaults entries"
email being sent if a user ran sudo when the sudoers entry in
the nsswitch.conf file includes "sss" but no sudo provider is
configured in /etc/sssd/sssd.conf. Bug #1022.
* Removed the text "This incident will be reported." from warnings
when the invoking user is not listed in sudoers. This warning
is confusing to users and may not be accurate now that the email
settings are configurable in the sudoers file. GitHub issue #48.
* Fixed a bug where the user-specified command timeout was not
being honored if the sudoers rule did not also specify a timeout.
* Added support for using POSIX extended regular expressions in
sudoers rules. A command and/or arguments in sudoers are treated
as a regular expression if they start with a '^' character and
end with a '$'. The command and arguments are matched separately,
either one (or both) may be a regular expression.
Bug #578, GitHub issue #15.
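
The matching rule in the last item, sketched as an added example (not part of the original announcement and not sudo's own code). It assumes Python's re module as a stand-in for POSIX extended regular expressions, literal comparison for non-regex parts, and arguments joined with single spaces; the rules and function names are constructed for illustration.

```python
import re

def is_regex(part):
    # Rule from the release notes: starts with '^' and ends with '$'.
    return len(part) >= 2 and part.startswith("^") and part.endswith("$")

def split_spec(spec):
    # Assumption: the command is the first whitespace-delimited token and
    # everything after it is the argument pattern (None if absent).
    fields = spec.strip().split(None, 1)
    return fields[0], (fields[1] if len(fields) > 1 else None)

def part_matches(pattern, value):
    if is_regex(pattern):
        # Python's re stands in for POSIX ERE; fullmatch keeps both anchors strict.
        return re.fullmatch(pattern, value) is not None
    return pattern == value  # simplification: non-regex parts compared literally

def allowed(spec, command, argv):
    # Command and arguments are matched separately; either may be a regex.
    cmd_pat, arg_pat = split_spec(spec)
    if not part_matches(cmd_pat, command):
        return False
    if arg_pat is None:
        return True  # a rule without arguments accepts any arguments
    # The arguments are matched as one space-joined string.
    return part_matches(arg_pat, " ".join(argv))

# Constructed sample rules (command spec part of a sudoers entry only).
TIGHT = "/usr/bin/passwd ^[a-z]+$"       # exactly one lowercase argument
LOOSE = "/usr/bin/passwd ^[a-z]+.*$"     # '.*' also spans later arguments
PAGER = "^/usr/bin/(cat|less)$ /var/log/messages"
HALF = "^/usr/bin/cat"                   # no trailing '$': not a regex

if __name__ == "__main__":
    checks = [
        (TIGHT, "/usr/bin/passwd", ["alice"]),
        (TIGHT, "/usr/bin/passwd", ["alice", "--stdin"]),
        (LOOSE, "/usr/bin/passwd", ["alice", "--stdin"]),
        (PAGER, "/usr/bin/less", ["/var/log/messages"]),
        (PAGER, "/usr/bin/lessecho", ["/var/log/messages"]),
        (HALF, "/usr/bin/cat", []),
    ]
    for spec, cmd, argv in checks:
        print(f"{spec!r:45} {cmd} {argv} -> {allowed(spec, cmd, argv)}")
```

When reviewing regex rules, check that the argument pattern cannot stretch across additional arguments, as the LOOSE rule does.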