[sudo-announce] Sudo version 1.6.9 now available
Todd C. Miller
Todd.Miller at courtesan.com
Tue Jul 17 11:32:17 EDT 2007
After a long wait, Sudo version 1.6.9 is now available. Version
1.6.9 incorporates a number of features of the Sudo 1.7 development
branch and fixes several bugs.
Major changes since Sudo 1.6.8p12:
o The env_reset option is enabled by default.
Commands run through sudo now receive a minimal environment with
certain variables passed through and/or checked. The list of
variables allowed is configurable via the env_keep and env_check
options in sudoers.
o The new -E option will preserve the environment if the SETENV tag
is set for the command or if the setenv sudoers option is enabled.
o Environment variables may now be set on the command line in
the form VAR=value. They are subject to the same restrictions
as normal environment variables. If the SETENV tag is set for
the command or if the setenv sudoers option is enabled, the user
may set variables that would overwise be forbidden.
o Fixed a file descriptor leak when the lecture file option is enabled.
o Expanded the list of potentially unsafe variables to remove from
the environment if the env_reset option is disabled.
o PAM is now the default on systems that support it.
o Removed POSIX saved uid use; the stay_setuid option now
requires the setreuid() or setresuid() functions to work.
o Reworked configure with up to date autoconf and libtool.
o PAM fixes. If the user enters ^C at the password prompt,
abort instead of trying to authenticate with an empty password
(which causes an annoying delay). Also Call pam_open_session()
and pam_close_session() to give pam_limits a chance to run.
o Security fix for Kerberos5. If we cannot get a valid service
key using the default keytab it is a fatal error. Now uses
krb5_verify_user() and krb5_init_secure_context() if they are
o Fixed securid5 authentication.
o Added fcntl F_CLOSEM support to closefrom().
o Added NOEXEC support for AIX 5.3.
o Sudo now uses the supplemental group vector for matching.
This fixes problems with split group lines in /etc/group as well
as multiple group sources in nsswitch.conf.
o Mail from sudo now includes an Auto-Submitted: auto-generated
header ala rfc 3834.
o Remove the --with-execv option, it was not useful.
o Use TCSADRAIN instead of TCSAFLUSH in tgetpass() since some
operating systems have issues with TCSAFLUSH.
o Use glob(3) instead of fnmatch(3) for matching pathnames and stat()
each result that matches the basename of the user's command.
This makes "cd /usr/bin ; sudo ./blah" work when sudoers allows
o Reworked the syslog long line splitting code.
o Sudo can now with deal more than 32 network interfaces on Solaris.
o Visudo will now honor command line arguments in the EDITOR or
VISUAL environment variables if env_editor is enabled.
o LDAP now honors rootbinddn, timelimit and bind_timelimit in
o For LDAP, do a sub tree search instead of a base search (one
level in the tree only) for sudo right objects. This allows
system administrators to categorize the rights in a tree to make
them easier to manage.
o Added support for Solaris 10 project resource limits.
o The sudoers2ldif script now parses Runas users.
o The -- flag on the command line now behaves as documented.
o sudo -k/-K no longer prints an error if the timestamp is in the future.
o When searching for a command, sudo now uses the effective gid
of the runas user.
o Sudo no longer updates the timestamp if the user was not validated
by the sudoers file.
For a list of download mirror sites, see:
Sudo web site:
Sudo web site mirrors:
More information about the sudo-announce