Sudo Development Releases

Current Development Release

The current development release of sudo is 1.9.8rc2.
Binary packages are also available for the development releases.

For full details see the ChangeLog file or view the commit history in mercurial or GitHub.

If you plan to use a development release of sudo, please subscribe to the sudo-workers mailing list so that you will receive updates on bug fixes and related announcements. You may also be interested in the sudo-commits mailing list which receives a message for each commit to the sudo source tree.

---

Major changes between version 1.9.8rc2 and 1.9.8rc1:

• Added intercept support for the execl(), execle(), execlp(), execvp(), and execvpe() functions.

---

Major changes between version 1.9.8rc1 and 1.9.8b4:

• Fixed a bug introduced in 1.9.8b4 that could result in a buffer overflow if the intercept token is not read all at once.

• Updated translations from translationproject.org.

---

Major changes between version 1.9.8b4 and 1.9.8b3:

• The runcwd entry in the event log is now updated when the intercept or log_runcmds settings are enabled in sudoers.

• Sudo is now built with the -fstack-clash-protection and -Wl,-z,noexecstack options by default if they are supported.

• The random token shared between sudo and sudo_intercept.so has been increased to 128 bits and is now tranferred before the actual protocol begins. Connections that don't start with the proper token are dropped immediately.

• Fixed UUID generation and added a regression test.

• SELinux RBAC cannot be used with the intercept or log_subcmds sudoers settings. They are fundamentally incompatible and are now documented as such.

• When configure is run with the --disable-intercept option, the intercept support code is no longer compiled.

---

Major changes between version 1.9.8b3 and 1.9.8b2:

• The log_children sudoers setting has been renamed to log_subcmds.

• The execv() function can now be intercepted as well.

• Rewrote the sudo_intercept.so <-> sudo interprocess communication. It now uses a localhost TCP socket instead of an inherited file descriptor. Some shells close all open file descriptors greater than 2 when they start up which did not work with the old scheme. In the new scheme, the inherited file descriptor is only used to retrieve a shared secret and port number, after which is is closed. The actual policy decision is made over a new TCP connection in the intercepted execve() call.

• Fixed formatting for bound defaults with multiple entries in the binding. The entries in the binding were separated with " ," instead of ", ".

• Fixed logging of the command name for log_children. Previously, the parent process name was logged (though the logged argv was correct).

• Updated translations from translationproject.org.

---

Major changes between version 1.9.8b2 and 1.9.8b1:

• Sudo will no longer permit a set-user-ID or set-group-ID program to be run in intercept mode unless the new intercept_allow_setid sudoers setting is enabled.

• The mksigname and mksiglist helper programs are now built with the host compiler, not the target compiler, when cross-compiling. Bug #989.

---

Major changes between version 1.9.8b1 and 1.9.7p2:

• It is now possible to transparently intercepting sub-commands executed by the original command run via sudo. Intercept support is implemented using LD_PRELOAD (or the equivalent supported by the system) and so has some limitations. The two main limitations are that only dynamic executables are supported and only the execve() system call is currently intercepted. Its main use case is to support restricting privileged shells run via sudo.

  To support this, there is a new intercept Defaults setting and an INTERCEPT command tag that can be used in sudoers. For example:

  	Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
  	Defaults!SHELLS intercept
  	

  would cause sudo to run the listed shells in intercept mode. This can also be set on a per-rule basis. For example:

  	Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
  	chuck ALL = INTERCEPT: SHELLS
  	

  would only apply intercept mode to user chuck when running one of the listed shells.

• The new log_children sudoers setting can be used to log commands run in a privileged shell. It uses the same mechanism as the intercept support described above and has the same limitations.

• Support for logging sudo_logsrvd errors via syslog or to a file. Previously, most sudo_logsrvd errors were only visible in the debug log.

• Better diagnostics when there is a TLS certificate validation error.

• Using the += or -= operators in a Defaults setting that takes a string, not a list, now produces a warning from sudo and a syntax error from inside visudo.

• Fixed a bug where the iolog_mode setting in sudoers and sudo_logsrvd had no effect when creating I/O log parent directories if the I/O log file name ended with the string XXXXXX.

• Fixed a bug in the sudoers custom prompt code where the size parameter that was passed to the strlcpy() function was incorrect. No overflow was possible since the correct amount of memory was already pre-allocated.