[sudo-workers] sudo 1.7b3 released
Todd C. Miller
Todd.Miller at courtesan.com
Thu Mar 6 13:15:38 EST 2008
This is the third beta version of sudo version 1.7. I'd love to
hear reports of success (or failure!) in real-world environments.
Also, the support for setting AIX resource limits needs testing as
I don't have access to an AIX system of my own.
Changes from Sudo 1.7b2:
* Fixed a bug in the sudoers option parsing that was causing
some options to be ignored.
* Unified "sudo -l" output that uses the same format for both
file and LDAP sudoers. For a longer listing, the "-ll" flag
can be used or the "-l" flag may be specified multiple times.
* Improvements to the sudoers.ldap man page.
* Resource limits are now set to the default value for the
user the command is being run as on AIX systems.
* If no terminal is available or if the new -A flag is specified,
sudo will use a helper program to read the password if one is
configured. Typically, this is a graphical password prompter
such as ssh-askpass.
* A new Defaults option, "mailfrom" that sets the value of the
"From:" field in the warning/error mail. If unspecified, the
login name of the invoking user is used.
* Sync with Sudo 1.6.9p14
What's new in Sudo 1.7?
* Rewritten parser that converts sudoers into a set of data structures.
This eliminates a number of ordering issues and makes it possible to
apply sudoers Defaults entries before searching for the command.
It also adds support for per-command Defaults specifications.
* Sudoers now supports a #include facility to allow the inclusion of other
* Sudo's -l (list) flag has been enhanced:
o applicable Defaults options are now listed
o a command argument can be specified for testing whether a user
may run a specific command.
o a new -U flag can be used in conjunction with "sudo -l" to allow
root (or a user with "sudo ALL") list another user's privileges.
* A new -g flag has been added to allow the user to specify a
primary group to run the command as. The sudoers syntax has been
extended to include a group section in the Runas specification.
* A uid may now be used anywhere a username is valid.
* The "secure_path" run-time Defaults option has been restored.
* Password and group data is now cached for fast lookups.
* The file descriptor at which sudo starts closing all open files is now
configurable via sudoers and, optionally, the command line.
* Visudo will now warn about aliases that are defined but not used.
* The -i and -s command line flags now take an optional command
to be run via the shell. Previously, the argument was passed
to the shell as a script to run.
* Improved LDAP support. SASL authentication may now be used in
conjunction when connecting to an LDAP server. The krb5_ccname
parameter in ldap.conf may be used to enable Kerberos.
* Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
to specify the sudoers order. E.g.:
sudoers: ldap files
to check LDAP, then /etc/sudoers. The default is "files", even
when LDAP support is compiled in. This differs from sudo 1.6
where LDAP was always consulted first.
* Support for /etc/environment on AIX and Linux. If sudo is run
with the -i flag, the contents of /etc/environment are used to
populate the new environment that is passed to the command being
For full details see the ChangeLog file included with the release.
More information about the sudo-workers