From Todd.Miller at sudo.ws Mon Sep 21 10:38:28 2020 From: Todd.Miller at sudo.ws (Todd C. Miller) Date: Mon, 21 Sep 2020 10:38:28 -0600 Subject: [sudo-announce] sudo 1.9.3 released Message-ID: <92a7669e51f7cee8@sudo.ws> Sudo version 1.9.3 is now available. In addition to bug fixes, Sudo 1.9.3 adds support for per-command chroot and working directory settings and command line options. Sudo 1.9.3 also features more detailed messages when there is a syntax error in the sudoers file, as well as better recovery from syntax errors. Source: https://www.sudo.ws/dist/sudo-1.9.3.tar.gz ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.3.tar.gz SHA256 checksum: 1d9889cc3b3b15ed8c2c7c3de3aa392a3a726838d020815067c080525c3f5837 MD5 checksum: ecf74b49275f15a3e46f1903c6cb2211 Binary packages: https://www.sudo.ws/download.html#binary For a list of download mirror sites, see: https://www.sudo.ws/download_mirrors.html Sudo web site: https://www.sudo.ws/ Sudo web site mirrors: https://www.sudo.ws/mirrors.html Major changes between sudo 1.9.2 and 1.9.3 * sudoedit will now prompt the user before overwriting an existing file with one that is zero-length after editing. Bug #922. * Fixed building the Python plugin on systems with a compiler that doesn't support symbol hiding. * Sudo now uses a linker script to hide symbols even when the compiler has native symbol hiding support. This should make it easier to detect omissions in the symbol exports file, regardless of the platform. * Fixed the libssl dependency in Debian packages for older releases that use libssl1.0.0. * Sudo and visudo now provide more detailed messages when a syntax error is detected in sudoers. The offending line and token are now displayed. If the parser was generated by GNU bison, additional information about what token was expected is also displayed. Bug #841. * Sudoers rules must now end in either a newline or the end-of-file. Previously, it was possible to have multiple rules on a single line, separated by white space. The use of an end-of-line terminator makes it possible to display accurate error messages. * Sudo no longer refuses to run if a syntax error in the sudoers file is encountered. The entry with the syntax error will be discarded and sudo will continue to parse the file. This makes recovery from a syntax error less painful on systems where sudo is the primary method of superuser access. The historic behavior can be restored by add "error_recovery=false" to the sudoers plugin's optional arguments in sudo.conf. Bug #618. * Fixed the sample_approval plugin's symbol exports file for systems where the compiler doesn't support symbol hiding. * Fixed a regression introduced in sudo 1.9.1 where arguments to the "sudoers_policy" plugin in sudo.conf were not being applied. The sudoers file is now parsed by the "sudoers_audit" plugin, which is loaded implicitly when "sudoers_policy" is listed in sudo.conf. Starting with sudo 1.9.3, if there are plugin arguments for "sudoers_policy" but "sudoers_audit" is not listed, those arguments will be applied to "sudoers_audit" instead. * The user's resource limits are now passed to sudo plugins in the user_info[] list. A plugin cannot determine the limits itself because sudo changes the limits while it runs to prevent resource starvation. * It is now possible to set the working directory or change the root directory on a per-command basis using the CWD and CHROOT options. There are also new Defaults settings, runchroot and runcwd, that can be used to set the working directory or root directory on a more global basis. * New -D (--chdir) and -R (--chroot) command line options can be used to set the working directory or root directory if the sudoers file allows it. This functionality is not enabled by default and must be explicitly enabled in the sudoers file. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 801 bytes Desc: not available URL: From Todd.Miller at sudo.ws Wed Sep 23 19:37:31 2020 From: Todd.Miller at sudo.ws (Todd C. Miller) Date: Wed, 23 Sep 2020 19:37:31 -0600 Subject: [sudo-announce] sudo 1.9.3p1 released Message-ID: <92a78c1654cf0dd4@sudo.ws> Sudo version 1.9.3, patchlevel 1 is now available. This patch release fixes a few small issues found in sudo 1.9.3. Source: https://www.sudo.ws/dist/sudo-1.9.3p1.tar.gz ftp://ftp.sudo.ws/pub/sudo/sudo-1.9.3p1.tar.gz SHA256 checksum: dcb9de53e45e1c39042074b847f5e0d8ae1890725dd6a9d9101a81569e6eb49e MD5 checksum: 8f230d0f8994f0b21b109370d1fbcf45 Binary packages: https://www.sudo.ws/download.html#binary For a list of download mirror sites, see: https://www.sudo.ws/download_mirrors.html Sudo web site: https://www.sudo.ws/ Sudo web site mirrors: https://www.sudo.ws/mirrors.html Major changes between sudo 1.9.3 and 1.9.3p1 * Fixed a regression introduced in sudo 1.9.3 where the configure script would not detect the crypt(3) function if it was present in the C library, not an additional library. * Fixed a regression introduced in sudo 1.8.23 with shadow passwd file authentication on OpenBSD. BSD authentication was not affected. * Sudo now logs when a user-specified command-line option is rejected by a sudoers rule. Previously, these conditions were written to the audit log, but the default sudo log file. Affected command line arguments include -C (--close-from), -D (--chdir), -R (--chroot), -g (--group) and -u (--user). Major changes between sudo 1.9.2 and 1.9.3 * sudoedit will now prompt the user before overwriting an existing file with one that is zero-length after editing. Bug #922. * Fixed building the Python plugin on systems with a compiler that doesn't support symbol hiding. * Sudo now uses a linker script to hide symbols even when the compiler has native symbol hiding support. This should make it easier to detect omissions in the symbol exports file, regardless of the platform. * Fixed the libssl dependency in Debian packages for older releases that use libssl1.0.0. * Sudo and visudo now provide more detailed messages when a syntax error is detected in sudoers. The offending line and token are now displayed. If the parser was generated by GNU bison, additional information about what token was expected is also displayed. Bug #841. * Sudoers rules must now end in either a newline or the end-of-file. Previously, it was possible to have multiple rules on a single line, separated by white space. The use of an end-of-line terminator makes it possible to display accurate error messages. * Sudo no longer refuses to run if a syntax error in the sudoers file is encountered. The entry with the syntax error will be discarded and sudo will continue to parse the file. This makes recovery from a syntax error less painful on systems where sudo is the primary method of superuser access. The historic behavior can be restored by add "error_recovery=false" to the sudoers plugin's optional arguments in sudo.conf. Bug #618. * Fixed the sample_approval plugin's symbol exports file for systems where the compiler doesn't support symbol hiding. * Fixed a regression introduced in sudo 1.9.1 where arguments to the "sudoers_policy" plugin in sudo.conf were not being applied. The sudoers file is now parsed by the "sudoers_audit" plugin, which is loaded implicitly when "sudoers_policy" is listed in sudo.conf. Starting with sudo 1.9.3, if there are plugin arguments for "sudoers_policy" but "sudoers_audit" is not listed, those arguments will be applied to "sudoers_audit" instead. * The user's resource limits are now passed to sudo plugins in the user_info[] list. A plugin cannot determine the limits itself because sudo changes the limits while it runs to prevent resource starvation. * It is now possible to set the working directory or change the root directory on a per-command basis using the CWD and CHROOT options. There are also new Defaults settings, runchroot and runcwd, that can be used to set the working directory or root directory on a more global basis. * New -D (--chdir) and -R (--chroot) command line options can be used to set the working directory or root directory if the sudoers file allows it. This functionality is not enabled by default and must be explicitly enabled in the sudoers file. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 801 bytes Desc: not available URL: