[sudo-workers] sudo 1.6.9 beta 1 is now available

Anthony R Fletcher arif at mail.nih.gov
Tue Jun 19 15:20:11 EDT 2007

Any chance that the -C flag patch can be added? It doesn't seem to be in
this release.

By default sudo closes all file descriptors greater than STDERR. This
flag allows the user (with appropriate controls) to change this value.
One use is to pass X11 cookies. This patch was included at some point
about Jan 2005.


On 19 Jun 2007 at 09:42:30, Todd C. Miller wrote:
> The first beta version of sudo 1.6.9 is now available.  There will
> be some changes between now and the final release but they should be
> minor.
> Sudo 1.6.9 is basically 1.6.8p12 with a number of changes from the
> sudo 1.7 tree (those that don't depend on the new parser in 1.7).
> This makes it possible for the major features present in 1.7 to be
> tested independently from the parser changes (and many of
> the changes are things that people have been asking for).
> You can ftp 1.6.9b1 from:
>     ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.6.9b1.tar.gz
> The biggest change to be aware of is that the environment is no
> longer preserved by default.  Commands run through sudo now receive
> a minimal environment with certain variables passed through and/or
> checked.  The list of variables allowed is configurable via the
> env_keep and env_check options in sudoers.
> The other major changes in 1.6.9b1 are:
>  o Fixed a file descriptor leak when the lecture file option is enabled.
>  o Added to the list of variables to remove from the environment.
>  o Fixed a Kerberos V security issue that could allow a
>    user to authenticate using a fake KDC.
>  o Pulled in updated configure and libtool from sudo 1.7.
>  o PAM is now the default on systems where it is supported.
>  o Removed POSIX saved uid use; the stay_setuid option now
>    requires the setreuid() or setresuid() functions to work.
>  o Regenerated configure with up to date autoconf and libtool.
>  o Fixed fd leak when lecture file option is enabled.
>  o Removed use of POSIX saved uids.  The stay_setuid
>    option now requires setreuid() or setresuid().
>  o PAM fixes.  If the user enters ^C at the password prompt,
>    abort instead of trying to authenticate with an empty password
>    (which causes an annoying delay).  Also call pam_open_session()
>    and pam_close_session() to give pam_limits a chance to run.
>  o Security fix for Kerberos5.  If we cannot get a valid service
>    key using the default keytab it is a fatal error.  Now uses
>    krb5_verify_user() and krb5_init_secure_context() if they
>    are available.
>  o Fixed securid5 authentication.
>  o Added fcntl F_CLOSEM support to closefrom().
>  o Added NOEXEC support for AIX 5.3.
>  o Sudo now uses the supplemental group vector for matching.
>    This fixes problems with split group lines in /etc/group
>    as well as multiple group sources in nsswitch.conf.
>  o Added more environment variables to remove by default.
>  o Mail from sudo now includes an Auto-Submitted: auto-generated
>    header ala rfc 3834.
>  o Reworked the environment handling code.
>  o Remove the --with-execv option, it was not useful.
>  o Use TCSADRAIN instead of TCSAFLUSH in tgetpass() since
>    some OSes have issues with TCSAFLUSH.
>  o Use glob(3) instead of fnmatch(3) for matching pathnames
>    and stat() each result that matches the basename of the user's
>    command.  This makes "cd /usr/bin ; sudo ./blah" work when
>    sudoers allows /usr/bin/blah.
>  o Reworked the syslog long line splitting code based on changes
>    from Eygene Ryabinkin.
>  o Sudo can now deal with more than 32 network interfaces on
>    Solaris.
>  o Visudo will now honor command line arguments in the EDITOR or
>    VISUAL environment variables if env_editor is enabled.
>  o LDAP now honors rootbinddn, timelimit and bind_timelimit in
>    /etc/ldap.conf.
>  o For LDAP, do a sub tree search instead of a base search (one
>    level in the tree only) for sudo right objects.  This allows
>    system administrators to categorize the rights in a tree to
>    make them easier to manage.
>  - todd
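
The descriptor-closing behaviour discussed at the top of this message (close everything above stderr by default, with a flag to raise that threshold), as an added example that is not part of the original post and is not sudo's own code. The names `close_from` and `is_open` are hypothetical, and it assumes `/dev/fd` lists the process's open descriptors, falling back to probing the whole descriptor table when it does not.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Non-zero if fd refers to an open descriptor in this process. */
int is_open(int fd) { return fcntl(fd, F_GETFD) != -1; }

/* Close every descriptor >= lowfd. lowfd = 3 is the default described
 * above (everything above stderr); a larger value models the override.
 * Returns the number of descriptors closed. */
int close_from(int lowfd)
{
    int closed = 0;
    DIR *d = opendir("/dev/fd");   /* assumption: /dev/fd lists open fds */
    if (d == NULL) {               /* fallback: probe the whole table */
        long max = sysconf(_SC_OPEN_MAX);
        for (long fd = lowfd; fd < max; fd++)
            if (close((int)fd) == 0) closed++;
        return closed;
    }
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        if (end == e->d_name || *end != '\0') continue;  /* "." and ".." */
        if (fd < lowfd || fd == dirfd(d)) continue;      /* keep, or our own */
        if (close((int)fd) == 0) closed++;
    }
    closedir(d);
    return closed;
}

int main(void)
{
    /* Constructed stand-ins for descriptors inherited from the caller. */
    int src = open("/dev/null", O_RDONLY);
    int keep = fcntl(src, F_DUPFD, 5);          /* below the threshold */
    int leak = fcntl(src, F_DUPFD, keep + 1);   /* at the threshold */
    close_from(leak);
    printf("fd %d open=%d, fd %d open=%d\n",
           keep, is_open(keep), leak, is_open(leak));
    return 0;
}
```

Any descriptor left below the threshold is inherited by the command that runs with elevated privileges, which is why raising the threshold needs the controls mentioned in the message.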
