[sudo-workers] sudo 1.7b2 released

Todd C. Miller Todd.Miller at courtesan.com
Mon Jan 21 10:45:05 EST 2008

This is the second beta version of sudo version 1.7.  I'd love to
hear reports of success (or even failure!) in real-world environments.

Also, the support for authenticated LDAP connections using Kerberos
5 and SASL needs testing.

Download links:

Changes from Sudo 1.7b1:

 * Fixed an alignment issue on Solaris.

 * Added a sudoers.ldap man page (still a work in progress).

 * Sync with Sudo 1.6.9p12

What's new in Sudo 1.7?

 * Rewritten parser that converts sudoers into a set of data structures.
   This eliminates a number of ordering issues and makes it possible to
   apply sudoers Defaults entries before searching for the command.
   It also adds support for per-command Defaults specifications.

 * Sudoers now supports a #include facility to allow the inclusion of other
   sudoers-format files.

 * Sudo's -l (list) flag has been enhanced:
    o applicable Defaults options are now listed
    o a command argument can be specified for testing whether a user
      may run a specific command.
    o a new -U flag can be used in conjunction with "sudo -l" to allow
      root (or a user with "sudo ALL") to list another user's privileges.

 * A new -g flag has been added to allow the user to specify a
   primary group to run the command as.  The sudoers syntax has been
   extended to include a group section in the Runas specification.

 * A uid may now be used anywhere a username is valid.

 * The "secure_path" run-time Defaults option has been restored.

 * Password and group data is now cached for fast lookups.

 * The file descriptor at which sudo starts closing all open files is now
   configurable via sudoers and, optionally, the command line.

 * Visudo will now warn about aliases that are defined but not used.

 * The -i and -s command line flags now take an optional command
   to be run via the shell.  Previously, the argument was passed
   to the shell as a script to run.

 * Improved LDAP support.  SASL authentication may now be used
   when connecting to an LDAP server.  The krb5_ccname
   parameter in ldap.conf may be used to enable Kerberos.

 * Support for /etc/nsswitch.conf.  LDAP users may now use nsswitch.conf
   to specify the sudoers order.  E.g.:

	sudoers: ldap files

   to check LDAP, then /etc/sudoers.  The default is "files",
   even when LDAP support is compiled in.  This differs from sudo 1.6
   where LDAP was always consulted first.

 * Support for /etc/environment.  If sudo is run with the -i flag,
   the contents of /etc/environment are used to populate the new
   environment that is passed to the command being run.

 * Sudo now ignores user .ldaprc files as well as system LDAP defaults.
   All LDAP configuration is now in /etc/ldap.conf (or whichever
   file was specified by configure's --with-ldap-conf-file option).
   If you are using TLS, you may now need to specify:

	tls_checkpeer no

   in sudo's ldap.conf unless ldap.conf references valid certificate
   authority file(s).

For full details see the ChangeLog file included with the release.
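
The TLS note in the last item above, as an added example (not part of the announcement or of sudo's code): a small audit of sudo's ldap.conf that reports when peer verification is switched off or no certificate authority is referenced. The sample files are constructed; directive names other than tls_checkpeer (uri, ssl, tls_cacert, tls_cacertfile, tls_cacertdir) follow the sudoers.ldap manual and are assumptions relative to this message.

```python
# Constructed sample ldap.conf contents (not taken from the release).
SAMPLE_WEAK = """\
uri ldaps://ldap.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
ssl start_tls
tls_checkpeer no
"""
SAMPLE_OK = """\
uri ldap://ldap.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca.pem
"""

FALSE_VALUES = {"no", "off", "false"}
CA_KEYS = ("tls_cacert", "tls_cacertfile", "tls_cacertdir")


def parse_ldap_conf(text):
    """Return {keyword: value} with lower-cased keywords.

    Assumption of this sketch: the last occurrence of a keyword is kept.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_tls(text):
    """Return a list of finding labels for the TLS-related settings."""
    s = parse_ldap_conf(text)
    uses_tls = (s.get("ssl", "").lower() in {"start_tls", "on", "yes", "true"}
                or "ldaps://" in s.get("uri", "").lower())
    if not uses_tls:
        return ["no-tls"]
    findings = []
    if s.get("tls_checkpeer", "").lower() in FALSE_VALUES:
        findings.append("peer-verification-disabled")  # server cert is not checked
    if not any(s.get(k) for k in CA_KEYS):
        findings.append("no-ca-configured")  # nothing to verify the peer against
    return findings
```
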
