[sudo-announce] sudo 1.7.4p6 released

Todd C. Miller Todd.Miller at courtesan.com
Wed Jan 19 09:27:52 EST 2011

Sudo version 1.7.4p6 is now available.

This release fixes a bug in the I/O logging support that could cause
visual artifacts in full-screen programs such as text editors.  This
bug was listed as fixed in sudo 1.7.4p5 but the fix was merged


Binary packages:

For a list of download mirror sites, see:

Sudo web site:

Sudo web site mirrors:

Major changes between sudo 1.7.4p5 and 1.7.4p6:

 * A bug has been fixed in the I/O logging support that could cause
   visual artifacts in full-screen programs such as text editors.

Major changes between sudo 1.7.4p4 and 1.7.4p5:

 * A bug has been fixed that would allow a command to be run without the
   user entering a password when sudo's -g flag is used without the -u flag.

 * If user has no supplementary groups, sudo will now fall back on checking
   the group file explicitly, which restores historic sudo behavior.

 * A crash has been fixed when sudo's -g flag is used without the -u flag
   and the sudoers file contains an entry with no runas user or group listed.

 * A crash has been fixed when the Solaris project support is enabled
   and sudo's -g flag is used without the -u flag.

 * Sudo no longer exits with an error when support for auditing is
   compiled in but auditing is not enabled.

 * Fixed a bug introduced in sudo 1.7.3 where the ticket file was not
   being honored when the "targetpw" sudoers Defaults option was enabled.

 * The LOG_INPUT and LOG_OUTPUT tags in sudoers are now parsed correctly.

 * A crash has been fixed in "sudo -l" when sudo is built with auditing
   support and the user is not allowed to run any commands on the host.

Major changes between sudo 1.7.4p3 and 1.7.4p4:

 * A potential security issue has been fixed with respect to the
   handling of sudo's -g command line option when -u is also
   specified.  The flaw may allow an attacker to run commands as a
   user that is not authorized by the sudoers file.

 * A bug has been fixed where "sudo -l" output was incomplete
   if multiple sudoers sources were defined in nsswitch.conf
   and there was an error querying one of the sources.

 * The log_input, log_output, and use_pty sudoers options now
   work correctly on AIX.  Previously, sudo would hang if
   they were enabled.

 * Fixed "make install" when sudo is built in a directory
   other than the directory that holds the sources.

 * The "runas_default" sudoers setting now works properly in a
   per-command Defaults line.

 * Suspending and resuming the bash shell when PAM is in use now
   works properly.  The SIGCONT signal was not being propagated
   to the child process.

Major changes between sudo 1.7.4p2 and 1.7.4p3:

 * A bug has been fixed where duplicate HOME environment
   variables could be set when the env_reset setting was disabled
   and the always_set_home setting was enabled in sudoers.

 * The value of sysconfdir is now substituted into the path
   to the sudoers.d directory in the installed sudoers file.

 * Fixed compilation problems on Irix and other platforms.

 * If multiple PAM "auth" actions are specified and the user
   enters ^C at the password prompt, sudo will now abort any
   subsequent "auth" actions.  Previously it was necessary to
   enter ^C once for each "auth" action.

Major changes between sudo 1.7.4p1 and 1.7.4p2:

 * Fixed a bug where sudo could spin in a busy loop waiting for the
   child process.

 * Packaging fixes for sudo.pp to better handle patchlevels.

Major changes between sudo 1.7.4 and 1.7.4p1:

 * Fixed a bug introduced in sudo 1.7.3 that prevented the -k and
   -K options from functioning when the tty_tickets sudoers option
   is enabled.

 * Sudo no longer prints a warning when the -k or -K options are
   specified and the ticket file does not exist.

 * Changes to the configure script to enable cross-compilation of Sudo.

Major changes between sudo 1.7.3 and 1.7.4:

 * Sudoedit will now preserve the file extension in the name of the
   temporary file being edited.  The extension is used by some
   editors (such as emacs) to choose the editing mode.

 * Time stamp files have moved from /var/run/sudo to either /var/db/sudo,
   /var/lib/sudo or /var/adm/sudo.  The directories are checked for
   existence in that order.  This prevents users from receiving the
   sudo lecture every time the system reboots.  Time stamp files older
   than the boot time are ignored on systems where it is possible to
   determine this.

 * Ancillary documentation (README files, LICENSE, etc) is now installed
   in a sudo documentation directory.

 * Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile"
   in ldap.conf.

 * Defaults settings that are tied to a user, host or command may
   now include the negation operator.  For example:
        Defaults:!millert lecture
   will match any user but millert.

 * The default PATH environment variable, used when no PATH variable
    exists, now includes /usr/sbin and /sbin.

 * Sudo now uses polypkg (http://rc.quest.com/topics/polypkg/)
   for cross-platform packing.

 * On Linux, sudo will now restore the nproc resource limit before
   executing a command, unless the limit appears to have been modified
   by pam_limits.  This avoids a problem with bash scripts that open
   more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX)
   will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1).

 * Visudo will now treat an unrecognized Defaults entry as a parse
   error (sudo will warn but still run).

 * The HOME and MAIL environment variables are now reset based on
   the target user's password database entry when the env_reset
   sudoers option is enabled (which is the case in the default
   configuration).  Users wishing to preserve the original values
   should use a sudoers entry like:

        Defaults env_keep += HOME

   to preserve the old value of HOME and 

        Defaults env_keep += MAIL

   to preserve the old value of MAIL. 

 * The tty_tickets option is now on by default.

 * Fixed a problem in the restoration of the AIX authdb registry setting.

 * If PAM is in use, sudo will wait until the process has finished
   before closing the PAM session.

 * Fixed "sudo -i -u user" where user has no shell listed in the
   password database.

 * When logging I/O, sudo now handles pty read/write returning ENXIO,
   as seen on FreeBSD when the login session has been killed.

 * Sudo now performs I/O logging in the C locale.  This avoids
   locale-related issues when parsing floating point
   numbers in the timing file.

 * Added support for Ubuntu-style admin flag dot files.

More information about the sudo-announce mailing list