[sudo-announce] sudo 1.8.4p4 released

Todd C. Miller Todd.Miller at courtesan.com
Tue Mar 13 11:07:00 EDT 2012

Sudo version 1.8.4p4 is now available.  See the list of major changes
below for details.


Binary packages:

For a list of download mirror sites, see:

Sudo web site:

Sudo web site mirrors:

Major changes between sudo 1.8.4p4 and 1.8.4p3:

 * Fixed a bug introduced in Sudo 1.8.4 which prevented "sudo -v"
   from working.

Major changes between sudo 1.8.4p3 and 1.8.4p2:

 * Fixed a crash on FreeBSD when no tty is present.

 * Fixed a bug introduced in Sudo 1.8.4 that allowed users to
   specify environment variables to set on the command line without
   having sudo "ALL" permissions or the "SETENV" tag.

 * When visudo is run with the -c (check) option, the sudoers
   file(s) owner and mode are now also checked unless the -f option
   was specified.

Major changes between sudo 1.8.4p2 and 1.8.4p1:

 * Fixed a bug introduced in Sudo 1.8.4 where insufficient space
   was allocated for group IDs in the LDAP filter.

 * Fixed a bug introduced in Sudo 1.8.4 where the path to sudo.conf
   was "/sudo.conf" instead of "/etc/sudo.conf".

 * Fixed a bug introduced in Sudo 1.8.4 which could cause a hang
   when I/O logging is enabled and input is from a pipe or file.

Major changes between sudo 1.8.4p1 and 1.8.4:

 * Fixed a bug introduced in sudo 1.8.4 that broke adding to or
   deleting from the env_keep, env_check and env_delete lists in
   sudoers on some platforms.

Major changes between sudo 1.8.4 and 1.8.3p2:

 * The -D flag in sudo has been replaced with a more general debugging
   framework that is configured in sudo.conf.

 * Fixed a false positive in visudo strict mode when aliases are
   in use.

 * Fixed a crash with "sudo -i" when a runas group was specified
   without a runas user.

 * The line on which a syntax error is reported in the sudoers file
   is now more accurate.  Previously it was often off by a line.

 * Fixed a bug where stack garbage could be printed at the end of
   the lecture when the "lecture_file" option was enabled.

 * "make install" now honors the LINGUAS environment variable.

 * The #include and #includedir directives in sudoers now support
   relative paths.  If the path is not fully qualified it is expected
   to be located in the same directory of the sudoers file that is
   including it.

 * Serbian and Spanish translations for sudo from translationproject.org.

 * LDAP-based sudoers may now access by group ID in addition to
   group name.

 * visudo will now fix the mode on the sudoers file even if no changes
   are made unless the -f option is specified.

 * The "use_loginclass" sudoers option works properly again.

 * On systems that use login.conf, "sudo -i" now sets environment
   variables based on login.conf.

 * For LDAP-based sudoers, values in the search expression are now
   escaped as per RFC 4515.

 * The plugin close function is now properly called when a login
   session is killed (as opposed to the actual command being killed).
   This can happen when an ssh session is disconnected or the
   terminal window is closed.

 * The deprecated "noexec_file" sudoers option is no longer supported.

 * Fixed a race condition when I/O logging is not enabled that could
   result in tty-generated signals (e.g. control-C) being received
   by the command twice.

 * If none of the standard input, output or error are connected to
   a tty device, sudo will now check its parent's standard input,
   output or error for the tty name on systems with /proc and BSD
   systems that support the KERN_PROC_PID sysctl.  This allows
   tty-based tickets to work properly even when, e.g. standard
   input, output and error are redirected to /dev/null.

 * Added the --enable-kerb5-instance configure option to allow
   people using Kerberos V authentication to specify a custom
   instance so the principal name can be, e.g. "username/sudo"
   similar to how ksu uses "username/root".

 * Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in
   the results, which would be incorrectly be interpreted as if the
   sudoers file had specified a directory.

 * "visudo -c" will now list any include files that were checked
   in addition to the main sudoers file when everything parses OK.

 * Users that only have read-only access to the sudoers file may
   now run "visudo -c".  Previously, write permissions were required
   even though no writing is down in check-only mode.

 * It is now possible to prevent the disabling of core dumps from
   within sudo itself by adding a line to the sudo.conf file like
   "Set disable_coredump false".

More information about the sudo-announce mailing list