[sudo-users] new sudo 1.8.5 release candidate available
Todd C. Miller
Todd.Miller at courtesan.com
Wed Apr 25 12:46:16 EDT 2012
A new release candidate for sudo 1.8.5 is now available. Unless a
show stopper is found, the only differences between the release
candidate and the final version will be documentation and translation
What's new in Sudo 1.8.5rc3?
* The policy plugin's init_session function is now called by the
parent sudo process, not the child process that executes the
command. This allows the PAM session to be open and closed in
the same process, which some PAM modules require.
* The PAM credentials set during PAM session setup are now deleted
when the PAM session is closed.
* Setting the SSL parameter to start_tls in ldap.conf now works
properly when using Mozilla-based SDKs that support the
* The TLS_CHECKPEER parameter in ldap.conf now works when the
Mozilla NSS crypto backend is used with OpenLDAP.
What's new in Sudo 1.8.5rc2?
* When "noexec" is enabled, sudo_noexec.so will now be prepended
to any existing LD_PRELOAD variable instead of replacing it.
* The sudo_noexec.so shared library now wraps the execvpe(),
exect(), posix_spawn() and posix_spawnp() functions.
* The user/group/mode checks on sudoers files have been relaxed.
As long as the file is owned by the sudoers uid, not world-writable
and not writable by a group other than the sudoers gid, the file
is considered OK. Note that visudo will still set the mode to
the value specified at configure time.
* It is now possible to specify the sudoers path, uid, gid and
file mode as options to the plugin in the sudo.conf file.
* Croatian, Galician, Lithuanian, Swedish and Vietnamese translations
* /etc/environment is no longer read directly on Linux systems
when PAM is used. Sudo now merges the PAM environment into the
user's environment which is typically set by the pam_env module.
* The initial evironment created when env_reset is in effect now
includes the contents of /etc/environment on AIX systems and the
"setenv" and "path" entries from /etc/login.conf on BSD systems.
* The plugin API has been extended in three ways. First, options
specified in sudo.conf after the plugin pathname are passed to
the plugin's open function. Second, sudo has limited support
for hooks that can be used by plugins. Currently, the hooks are
limited to environment handling functions. Third, the init_session
policy plugin function is passed a pointer to the user environment
which can be updated during session setup. The plugin API version
has been incremented to version 1.2. See the sudo_plugin manual
for more information.
* Fixed parsing of "Path askpass" and "Path noexec" in sudo.conf,
which was broken in version 1.8.4.
* On systems with an SVR4-style /proc file system, the /proc/pid/psinfo
file is now uses to determine the controlling terminal, if possible.
This allows tty-based tickets to work properly even when, e.g.
standard input, output and error are redirected to /dev/null.
* The output of "sudoreplay -l" is now sorted by file name (or
sequence number). Previously, entries were displayed in the
order in which they were found on the file system.
* Sudo now behaves properly when I/O logging is enabled and the
controlling terminal is revoked (e.g. the running sshd is killed).
Previously, sudo may have exited without calling the I/O plugin's
close function which can lead to an incomplete I/O log.
* Sudo can now detect when a user has logged out and back in again
on Solaris 11, just like it can on Solaris 10.
* The built-in zlib included with Sudo has been upgraded to version
More information about the sudo-users