[sudo-announce] sudo 1.8.5p1 released
Todd C. Miller
Todd.Miller at courtesan.com
Fri May 18 08:51:27 EDT 2012
Sudo version 1.8.5p1 is now available. See the list of major changes
below for details.
For a list of download mirror sites, see:
Sudo web site:
Sudo web site mirrors:
Major changes between sudo 1.8.5p1 and 1.8.5:
* Fixed a bug that prevented files in an include directory from
Major changes between sudo 1.8.5 and 1.8.4p5:
* When "noexec" is enabled, sudo_noexec.so will now be prepended
to any existing LD_PRELOAD variable instead of replacing it.
* The sudo_noexec.so shared library now wraps the execvpe(),
exect(), posix_spawn() and posix_spawnp() functions.
* The user/group/mode checks on sudoers files have been relaxed.
As long as the file is owned by the sudoers uid, not world-writable
and not writable by a group other than the sudoers gid, the file
is considered OK. Note that visudo will still set the mode to
the value specified at configure time.
* It is now possible to specify the sudoers path, uid, gid and
file mode as options to the plugin in the sudo.conf file.
* Croatian, Galician, German, Lithuanian, Swedish and Vietnamese
translations from translationproject.org.
* /etc/environment is no longer read directly on Linux systems
when PAM is used. Sudo now merges the PAM environment into the
user's environment which is typically set by the pam_env module.
* The initial evironment created when env_reset is in effect now
includes the contents of /etc/environment on AIX systems and the
"setenv" and "path" entries from /etc/login.conf on BSD systems.
* The plugin API has been extended in three ways. First, options
specified in sudo.conf after the plugin pathname are passed to
the plugin's open function. Second, sudo has limited support
for hooks that can be used by plugins. Currently, the hooks are
limited to environment handling functions. Third, the init_session
policy plugin function is passed a pointer to the user environment
which can be updated during session setup. The plugin API version
has been incremented to version 1.2. See the sudo_plugin manual
for more information.
* The policy plugin's init_session function is now called by the
parent sudo process, not the child process that executes the
command. This allows the PAM session to be open and closed in
the same process, which some PAM modules require.
* Fixed parsing of "Path askpass" and "Path noexec" in sudo.conf,
which was broken in version 1.8.4.
* On systems with an SVR4-style /proc file system, the /proc/pid/psinfo
file is now uses to determine the controlling terminal, if possible.
This allows tty-based tickets to work properly even when, e.g.
standard input, output and error are redirected to /dev/null.
* The output of "sudoreplay -l" is now sorted by file name (or
sequence number). Previously, entries were displayed in the
order in which they were found on the file system.
* Sudo now behaves properly when I/O logging is enabled and the
controlling terminal is revoked (e.g. the running sshd is killed).
Previously, sudo may have exited without calling the I/O plugin's
close function which can lead to an incomplete I/O log.
* Sudo can now detect when a user has logged out and back in again
on Solaris 11, just like it can on Solaris 10.
* The built-in zlib included with Sudo has been upgraded to version
* Setting the SSL parameter to start_tls in ldap.conf now works
properly when using Mozilla-based SDKs that support the
* The TLS_CHECKPEER parameter in ldap.conf now works when the
Mozilla NSS crypto backend is used with OpenLDAP.
* A new group provider plugin, system_group, is included which
performs group look ups by name using the system groups database.
This can be used to restore the pre-1.7.3 sudo group lookup
More information about the sudo-announce