From Todd.Miller at courtesan.com  Thu Mar  6 13:15:38 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 06 Mar 2008 13:15:38 -0500
Subject: [sudo-workers] sudo 1.7b3 released
Message-ID: <200803061815.m26IFcwG029626@tex.courtesan.com>

This is the third beta version of sudo version 1.7. I'd love to
hear reports of success (or failure!) in real-world environments.

Also, the support for setting AIX resource limits needs testing as
I don't have access to an AIX system of my own.

Download links:

    http://www.sudo.ws/sudo/dist/beta/sudo-1.7b3.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7b3.tar.gz

Changes from Sudo 1.7b2:

 * Fixed a bug in the sudoers option parsing that was causing some
   options to be ignored.

 * Unified "sudo -l" output that uses the same format for both file
   and LDAP sudoers. For a longer listing, the "-ll" flag can be used
   or the "-l" flag may be specified multiple times.

 * Improvements to the sudoers.ldap man page.

 * Resource limits are now set to the default value for the user the
   command is being run as on AIX systems.

 * If no terminal is available or if the new -A flag is specified,
   sudo will use a helper program to read the password if one is
   configured. Typically, this is a graphical password prompter such
   as ssh-askpass.

 * A new Defaults option, "mailfrom", that sets the value of the
   "From:" field in the warning/error mail. If unspecified, the login
   name of the invoking user is used.

 * Sync with Sudo 1.6.9p14

What's new in Sudo 1.7?

 * Rewritten parser that converts sudoers into a set of data
   structures. This eliminates a number of ordering issues and makes
   it possible to apply sudoers Defaults entries before searching for
   the command. It also adds support for per-command Defaults
   specifications.

 * Sudoers now supports a #include facility to allow the inclusion of
   other sudoers-format files.

 * Sudo's -l (list) flag has been enhanced:
     o applicable Defaults options are now listed
     o a command argument can be specified for testing whether a user
       may run a specific command.
     o a new -U flag can be used in conjunction with "sudo -l" to
       allow root (or a user with "sudo ALL") to list another user's
       privileges.

 * A new -g flag has been added to allow the user to specify a
   primary group to run the command as. The sudoers syntax has been
   extended to include a group section in the Runas specification.

 * A uid may now be used anywhere a username is valid.

 * The "secure_path" run-time Defaults option has been restored.

 * Password and group data is now cached for fast lookups.

 * The file descriptor at which sudo starts closing all open files
   is now configurable via sudoers and, optionally, the command line.

 * Visudo will now warn about aliases that are defined but not used.

 * The -i and -s command line flags now take an optional command to
   be run via the shell. Previously, the argument was passed to the
   shell as a script to run.

 * Improved LDAP support. SASL authentication may now be used when
   connecting to an LDAP server. The krb5_ccname parameter in
   ldap.conf may be used to enable Kerberos.

 * Support for /etc/nsswitch.conf. LDAP users may now use
   nsswitch.conf to specify the sudoers order. E.g.:

       sudoers: ldap files

   to check LDAP, then /etc/sudoers. The default is "files", even
   when LDAP support is compiled in. This differs from sudo 1.6 where
   LDAP was always consulted first.

 * Support for /etc/environment on AIX and Linux. If sudo is run
   with the -i flag, the contents of /etc/environment are used to
   populate the new environment that is passed to the command being
   run.

For full details see the ChangeLog file included with the release.


From Todd.Miller at courtesan.com  Thu Mar  6 16:09:57 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 06 Mar 2008 16:09:57 -0500
Subject: [sudo-workers] sudo 1.7b3 released
In-Reply-To: Your message of "Thu, 06 Mar 2008 13:15:38 EST."
             <200803061815.m26IFcwG029626@tex.courtesan.com>
References: <200803061815.m26IFcwG029626@tex.courtesan.com>
Message-ID: <200803062109.m26L9vB5032464@tex.courtesan.com>

In message <200803061815.m26IFcwG029626 at tex.courtesan.com>
        so spake "Todd C. Miller" (Todd.Miller):

> This is the third beta version of sudo version 1.7. I'd love to
> hear reports of success (or failure!) in real-world environments.
>
> Also, the support for setting AIX resource limits needs testing as
> I don't have access to an AIX system of my own.

The AIX resource limit setting has been tested. I had to make some
minor changes to get it working and have re-rolled the sudo 1.7b3
tarball with those changes.

 - todd


From Todd.Miller at courtesan.com  Fri Mar  7 09:55:55 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 07 Mar 2008 09:55:55 -0500
Subject: [sudo-workers] LDAP issue
In-Reply-To: Your message of "Tue, 22 Jan 2008 14:49:37 EST."
References:
Message-ID: <200803071455.m27EttGG004648@tex.courtesan.com>

In message
        so spake "Newman, Edward \(GTI\)" (edward_newman):

> One additional comment - I find the LDAP display confusing compared to
> file display. Is there anyway to show consolidated rights from file and
> ldap in one view rather than two separate sections and align formatting?
> This might require some significant changes based on current code paths.

FYI, 1.7b3 has a consolidated "sudo -l" listing for LDAP + sudoers.
The longer form is still available via "sudo -ll" or "sudo -l -l".

 - todd


From ted at midg3t.net  Thu Mar 27 22:24:30 2008
From: ted at midg3t.net (Ted Percival)
Date: Fri, 28 Mar 2008 12:24:30 +1000
Subject: [sudo-workers] pam_sudo module
Message-ID: <47EC56DE.7090906@midg3t.net>

Rob Braun has written a PAM module for unlocking sudo (touching the
timestamp file) upon login which would be useful to distribute with
sudo.

http://www.synack.net/~bbraun/WebSVN/filedetails.php?repname=bbraun&path=%2Fpam_modules%2Fpam_sudo.c

There is also a brief manpage:

http://www.synack.net/~bbraun/WebSVN/filedetails.php?repname=bbraun&path=%2Fpam_modules%2Fpam_sudo.8

-- 
\0


From Todd.Miller at courtesan.com  Sat Mar 29 08:21:52 2008
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sat, 29 Mar 2008 08:21:52 -0400
Subject: [sudo-workers] sudo 1.7b4 released
Message-ID: <200803291221.m2TCLqdw006876@tex.courtesan.com>

This is the fourth beta version of sudo version 1.7. I'd love to
hear reports of success (or failure!) in real-world environments.

Download links:

    http://www.sudo.ws/sudo/dist/beta/sudo-1.7b4.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7b4.tar.gz

Changes from Sudo 1.7b3:

 * A new flag, -n, may be used to indicate that sudo should not
   prompt the user for a password and, instead, exit with an error
   if authentication is required.

 * Revamped AIX resource limit setting code to better match the
   behavior of the AIX login program.

 * Sync with Sudo 1.6.9p15

What's new in Sudo 1.7?

 * Rewritten parser that converts sudoers into a set of data
   structures. This eliminates a number of ordering issues and makes
   it possible to apply sudoers Defaults entries before searching for
   the command. It also adds support for per-command Defaults
   specifications.

 * Sudoers now supports a #include facility to allow the inclusion of
   other sudoers-format files.

 * Sudo's -l (list) flag has been enhanced:
     o applicable Defaults options are now listed
     o a command argument can be specified for testing whether a user
       may run a specific command.
     o a new -U flag can be used in conjunction with "sudo -l" to
       allow root (or a user with "sudo ALL") to list another user's
       privileges.

 * A new -g flag has been added to allow the user to specify a
   primary group to run the command as. The sudoers syntax has been
   extended to include a group section in the Runas specification.

 * A uid may now be used anywhere a username is valid.

 * The "secure_path" run-time Defaults option has been restored.

 * Password and group data is now cached for fast lookups.

 * The file descriptor at which sudo starts closing all open files
   is now configurable via sudoers and, optionally, the command line.

 * Visudo will now warn about aliases that are defined but not used.

 * The -i and -s command line flags now take an optional command to
   be run via the shell. Previously, the argument was passed to the
   shell as a script to run.

 * Improved LDAP support. SASL authentication may now be used when
   connecting to an LDAP server. The krb5_ccname parameter in
   ldap.conf may be used to enable Kerberos.

 * Support for /etc/nsswitch.conf. LDAP users may now use
   nsswitch.conf to specify the sudoers order. E.g.:

       sudoers: ldap files

   to check LDAP, then /etc/sudoers. The default is "files", even
   when LDAP support is compiled in. This differs from sudo 1.6 where
   LDAP was always consulted first.

 * Support for /etc/environment on AIX and Linux. If sudo is run
   with the -i flag, the contents of /etc/environment are used to
   populate the new environment that is passed to the command being
   run.

 * If no terminal is available or if the new -A flag is specified,
   sudo will use a helper program to read the password if one is
   configured. Typically, this is a graphical password prompter such
   as ssh-askpass.

 * A new Defaults option, "mailfrom", that sets the value of the
   "From:" field in the warning/error mail. If unspecified, the login
   name of the invoking user is used.

 * A new flag, -n, may be used to indicate that sudo should not
   prompt the user for a password and, instead, exit with an error
   if authentication is required.
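The sudoers syntax behind several of the 1.7 items listed above (the group section of the Runas spec, #include, per-command Defaults, secure_path, mailfrom and the configurable close-from descriptor), as an added example that is not part of this announcement or of the sudo distribution; the host, user, group and alias names, the paths and the nsswitch line are assumptions, and the option name "closefrom" is the sudoers(5) name for the descriptor setting the list describes.

```sudoers
# Constructed example of sudo 1.7 sudoers syntax. Host, user, group,
# alias names and paths are assumptions, not values from the release notes.
#
# With "sudoers: ldap files" in /etc/nsswitch.conf (assumed), LDAP is
# consulted first and then this file; with no sudoers line at all only
# this file is read, even when LDAP support is compiled in.

# Aliases. visudo 1.7 warns about any alias that is defined but never used,
# so every alias below is referenced by a rule.
User_Alias   DBADMINS = alice, bob
Cmnd_Alias   PG_CTL   = /usr/bin/pg_ctl
Cmnd_Alias   PAGERS   = /usr/bin/less, /usr/bin/more

# Global Defaults: restored secure_path, sender of warning/error mail, and
# the first descriptor sudo closes before exec (closefrom; 3 is the minimum).
Defaults     env_reset
Defaults     secure_path = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults     mailfrom = "sudo@db01.example.com"
Defaults     closefrom = 3

# Per-command Defaults (new in 1.7): these pagers may not spawn subprocesses,
# which closes the usual "!sh from inside less" escape.
Defaults!PAGERS  noexec

# Runas spec with a group section: (runas_user : runas_group).
# alice may run "sudo -u postgres -g postgres pg_ctl ..." on db01.
alice    db01 = (postgres : postgres) PG_CTL

# Group-only Runas: bob keeps his own uid but may select the www group,
# e.g. "sudo -g www less /var/log/httpd/access_log".
bob      db01 = (: www) PAGERS

# A uid may be used anywhere a user name is valid, including the Runas
# user; #0 is root.
DBADMINS db01 = (#0) /usr/bin/id

# Site-local rules kept in a separate sudoers-format file (1.7 #include).
#include /etc/sudoers.local
```

Check the result with visudo -c before installing it, and confirm the effective rules per user with the 1.7 "sudo -l" or "sudo -U user -l" listing, which also shows the Defaults that apply.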