[sudo-announce] sudo 1.8.5p1 released

Todd C. Miller Todd.Miller at courtesan.com
Fri May 18 08:51:27 EDT 2012

Sudo version 1.8.5p1 is now available.  See the list of major changes
below for details.


Binary packages:

For a list of download mirror sites, see:

Sudo web site:

Sudo web site mirrors:

Major changes between sudo 1.8.5p1 and 1.8.5:

 * Fixed a bug that prevented files in an include directory from
   being evaluated.

Major changes between sudo 1.8.5 and 1.8.4p5:

 * When "noexec" is enabled, sudo_noexec.so will now be prepended
   to any existing LD_PRELOAD variable instead of replacing it.

 * The sudo_noexec.so shared library now wraps the execvpe(),
   exect(), posix_spawn() and posix_spawnp() functions.

 * The user/group/mode checks on sudoers files have been relaxed.
   As long as the file is owned by the sudoers uid, not world-writable
   and not writable by a group other than the sudoers gid, the file
   is considered OK.  Note that visudo will still set the mode to
   the value specified at configure time.

 * It is now possible to specify the sudoers path, uid, gid and
   file mode as options to the plugin in the sudo.conf file.

 * Croatian, Galician, German, Lithuanian, Swedish and Vietnamese
   translations from translationproject.org.

 * /etc/environment is no longer read directly on Linux systems
   when PAM is used.  Sudo now merges the PAM environment into the
   user's environment which is typically set by the pam_env module.

 * The initial evironment created when env_reset is in effect now
   includes the contents of /etc/environment on AIX systems and the
   "setenv" and "path" entries from /etc/login.conf on BSD systems.

 * The plugin API has been extended in three ways.  First, options
   specified in sudo.conf after the plugin pathname are passed to
   the plugin's open function.  Second, sudo has limited support
   for hooks that can be used by plugins.  Currently, the hooks are
   limited to environment handling functions.  Third, the init_session
   policy plugin function is passed a pointer to the user environment
   which can be updated during session setup.  The plugin API version
   has been incremented to version 1.2.  See the sudo_plugin manual
   for more information.

 * The policy plugin's init_session function is now called by the
   parent sudo process, not the child process that executes the
   command.  This allows the PAM session to be open and closed in
   the same process, which some PAM modules require.

 * Fixed parsing of "Path askpass" and "Path noexec" in sudo.conf,
   which was broken in version 1.8.4.

 * On systems with an SVR4-style /proc file system, the /proc/pid/psinfo
   file is now uses to determine the controlling terminal, if possible.
   This allows tty-based tickets to work properly even when, e.g.
   standard input, output and error are redirected to /dev/null.

 * The output of "sudoreplay -l" is now sorted by file name (or
   sequence number).  Previously, entries were displayed in the
   order in which they were found on the file system.

 * Sudo now behaves properly when I/O logging is enabled and the
   controlling terminal is revoked (e.g. the running sshd is killed).
   Previously, sudo may have exited without calling the I/O plugin's
   close function which can lead to an incomplete I/O log.

 * Sudo can now detect when a user has logged out and back in again
   on Solaris 11, just like it can on Solaris 10.

 * The built-in zlib included with Sudo has been upgraded to version

 * Setting the SSL parameter to start_tls in ldap.conf now works
   properly when using Mozilla-based SDKs that support the
   ldap_start_tls_s() function.

 * The TLS_CHECKPEER parameter in ldap.conf now works when the
   Mozilla NSS crypto backend is used with OpenLDAP.

 * A new group provider plugin, system_group, is included which
   performs group look ups by name using the system groups database.
   This can be used to restore the pre-1.7.3 sudo group lookup

More information about the sudo-announce mailing list