[sudo-workers] sudo 1.7b2 released
Todd C. Miller
Todd.Miller at courtesan.com
Mon Jan 21 10:45:05 EST 2008
This is the second beta version of sudo version 1.7. I'd love to
hear reports of success (or even failure!) in real-world environments.
Also, the support for authenticated LDAP connections using Kerberos
5 and SASL needs testing.
Download links:
http://www.sudo.ws/sudo/dist/beta/sudo-1.7b2.tar.gz
ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7b2.tar.gz
Changes from Sudo 1.7b1:
* Fixed an alignment issue on Solaris.
* Added a sudoers.ldap man page (still a work in progress).
* Sync with Sudo 1.6.9p12
What's new in Sudo 1.7?
* Rewritten parser that converts sudoers into a set of data structures.
This eliminates a number of ordering issues and makes it possible to
apply sudoers Defaults entries before searching for the command.
It also adds support for per-command Defaults specifications.
* Sudoers now supports a #include facility to allow the inclusion of other
sudoers-format files.
* Sudo's -l (list) flag has been enhanced:
    o applicable Defaults options are now listed
    o a command argument can be specified for testing whether a user
      may run a specific command.
    o a new -U flag can be used in conjunction with "sudo -l" to allow
      root (or a user with "sudo ALL") to list another user's privileges.
* A new -g flag has been added to allow the user to specify a
primary group to run the command as. The sudoers syntax has been
extended to include a group section in the Runas specification.
* A uid may now be used anywhere a username is valid.
* The "secure_path" run-time Defaults option has been restored.
* Password and group data is now cached for fast lookups.
* The file descriptor at which sudo starts closing all open files is now
configurable via sudoers and, optionally, the command line.
* Visudo will now warn about aliases that are defined but not used.
* The -i and -s command line flags now take an optional command
to be run via the shell. Previously, the argument was passed
to the shell as a script to run.
* Improved LDAP support. SASL authentication may now be used in
conjunction when connecting to an LDAP server. The krb5_ccname
parameter in ldap.conf may be used to enable Kerberos.
* Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
to specify the sudoers order. E.g.:
    sudoers: ldap files
to check LDAP, then /etc/sudoers. The default is "files",
even when LDAP support is compiled in. This differs from sudo 1.6
where LDAP was always consulted first.
* Support for /etc/environment. If sudo is run with the -i flag,
the contents of /etc/environment are used to populate the new
environment that is passed to the command being run.
* Sudo now ignores user .ldaprc files as well as system LDAP defaults.
All LDAP configuration is now in /etc/ldap.conf (or whichever
file was specified by configure's --with-ldap-conf-file option).
If you are using TLS, you may now need to specify:
    tls_checkpeer no
in sudo's ldap.conf unless ldap.conf references a valid certificate
authority file(s).
For full details see the ChangeLog file included with the release.
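
The nsswitch.conf and tls_checkpeer items above, as an added example that is not part of the original announcement or of sudo's own code: a small audit that resolves the sudoers lookup order (defaulting to "files") and flags an ldap.conf in which tls_checkpeer disables verification of the LDAP server's certificate. The tls_cacert, tls_cacertfile and tls_cacertdir option names come from the sudoers.ldap manual rather than this message; the function names and sample inputs are constructed, and the audit assumes TLS is in use whenever LDAP is listed.

```python
import re

TRUE_VALUES = {"on", "true", "yes"}
# CA options as named in the sudoers.ldap manual (not in the announcement).
CA_OPTIONS = ("tls_cacert", "tls_cacertfile", "tls_cacertdir")


def parse_ldap_conf(text):
    """Return {option: value}; option names lowercased, last entry wins."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        options[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return options


def sudoers_sources(nsswitch_text):
    """Lookup order from the 'sudoers:' line; ['files'] when there is none."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"sudoers\s*:\s*(.*)", line)
        if m:
            # Keep source names only; skip bracketed nsswitch action items.
            return [t for t in m.group(1).split() if not t.startswith("[")]
    return ["files"]


def audit(nsswitch_text, ldap_conf_text):
    """Return findings about TLS peer verification for sudo's LDAP lookups.

    Assumption: TLS is in use whenever 'ldap' is a sudoers source.
    """
    if "ldap" not in sudoers_sources(nsswitch_text):
        return []                             # LDAP is never consulted
    opts = parse_ldap_conf(ldap_conf_text)
    checkpeer = opts.get("tls_checkpeer")
    if checkpeer is not None and checkpeer.lower() not in TRUE_VALUES:
        return ["tls_checkpeer is off: LDAP server certificate is not verified"]
    if not any(opts.get(name) for name in CA_OPTIONS):
        return ["no CA file or directory set: TLS peer verification cannot succeed"]
    return []
```
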