Sudo Development Releases

Current Development Release

The current development release of sudo is 1.9.0b4.
Binary packages are also available for the development releases.

For full details see the ChangeLog file or view the commit history in mercurial.

If you plan to use a development release of sudo, please subscribe to the sudo-workers mailing list so that you will receive updates on bug fixes and related announcements. You may also be interested in the sudo-commits mailing list which receives a message for each commit to the sudo source tree.

Major changes between version 1.9.0b4 and 1.9.0b3:

  • It is now possible to use Cmd_Alias instead of Cmnd_Alias in sudoers for people who find the former more natural.

  • The new pam_ruser and pam_rhost sudoers settings can be used to enable or disable setting the PAM remote user and/or host values during PAM session setup.

  • More than one SHA-2 digest may now be specified for a single command. Multiple digests must be separated by a comma.

  • It is now possible to specify a SHA-2 digest in conjunction with the ALL reserved word in a command specification. This allows one to give permission to run any command that matches the specified digest, regardless of its path.

Major changes between version 1.9.0b3 and 1.9.0b2:

  • Added the --disable-log-server and --disable-log-client configure options. These can be used to optionally disable building sudo_logsrvd and support for remote I/O logging in the sudoers plugin respectively.

  • sudo -S now overrides the SUDO_CONV_PREFER_TTY flag.

  • Python plugin updates.

Major changes between version 1.9.0b2 and 1.9.0b1:

  • Implemented support for audit plugins in sudo. An audit plugin receives accept, reject and error messages and can be used to implement custom logging that is independent of the underlying security policy. Multiple audit plugins may be specified in the sudo.conf file. A sample audit plugin is included that can produce logs in JSON format.

  • Implemented support for approval plugins in sudo. An approval plugin is run only after the main security policy (such as sudoers) accepts a command to be run. The approval policy may perform additional checks, potentially interacting with the user. Multiple approval plugins may be specified in the sudo.conf file. Only if all approval plugins succeed will the command be allowed.

  • Python bindings have been implemented for the audit and approval plugins.

  • Fixed a problem with the log server client where the TLS handshake might fail but a short-lived command could still be run.

  • The sudo_logsrvd daemon now supports logging in JSON format in addition to traditional sudo-style logs.

Major changes between version 1.9.0b1 and 1.8.30:

  • Sudo now includes a logging daemon, sudo_logsrvd, which can be used to implement centralized logging of I/O logs. TLS connections are supported when sudo is configured with the --enable-openssl option. For more information, see the sudo_logsrvd, sudo_logsrvd.conf and sudo_logsrv.proto manuals.

  • The sudoers plugin can be configured to send logs to sudo_logsrvd. See the log_servers, log_server_timeout and log_server_keepalive settings in the sudoers manual.

    TLS connections are supported when sudo is configured with the --enable-openssl option. TLS can be configured using the log_server_cabundle, log_server_peer_cert, and log_server_peer_key settings in the sudoers manual.

  • The new sudo_sendlog utility can be used to test sudo_logsrvd or send existing sudo I/O logs to a centralized server.

  • It is now possible to write sudo plugins in Python when sudo is configured with the --enable-python option. See the sudo_plugin_python manual for details. Sudo 1.9.0 comes with several Python example plugins that get installed sudo's examples directory.

    The sudo blog article What's new in sudo 1.9: Python includes a simple tutorial on writing python plugins.

  • Avoid checking the internal signal SIGLWP in strsig_test on FreeBSD. This fixes a make check failure on FreeBSD.