[sudo-workers] Sudo versions 1.7.5b3 and 1.8.0b4 available
Todd C. Miller
Todd.Miller at courtesan.com
Sat Feb 5 14:43:09 EST 2011
New beta versions of Sudo 1.7.5 and Sudo 1.8.0 are now available.
Sudo 1.8.0 implements a plugin architecture that allows third-party
policy and I/O logging modules to be used. It includes a "sudoers"
plugin that provides the same security policy functionality present
in Sudo 1.7.5 (both LDAP and /etc/sudoers). You can read about the
plugin API in the sudo_plugin manual included in the sudo-1.8.0b4
tarball or online at http://www.sudo.ws/sudo/sudo_plugin.man.html
Both the 1.7.x and 1.8.x branches of Sudo will be actively maintained
and will have syncronized releases for some time to come.
Major changes between sudo 1.7.5b2 and 1.7.5b3:
* Sudo will no longer refuse to run if the sudoers file is writable
* Sudo now performs command line escaping for "sudo -s" and "sudo -i"
after validating the command so the sudoers entries do not need
to include the backslashes.
* Logging and email sending are now done in the locale specified
by the "sudoers_locale" setting ("C" by default). Email send by
sudo now includes MIME headers when "sudoers_locale" is not "C".
* The configure script has a new option, --disable-env-reset, to
allow one to change the default for the sudoers Default setting
"env_reset" at compile time.
* When logging "sudo -l command", sudo will now prepend "list "
to the command in the log line to distinguish between an
actual command invocation in the logs.
* Double-quoted group and user names may now include escaped double
quotes as part of the name. Previously this was a parse error.
* Sudo once again restores the state of the signal handlers it
modifies before executing the command. This allows sudo to be
used with the nohup command.
* Resuming a suspended shell now works properly when I/O logging
is not enabled (the I/O logging case was already correct).
Major changes between sudo 1.7.5b1 and 1.7.5b2:
* Sync with Sudo 1.7.4p6
* LDAP Sudoers entries may now specify a time period for which
the entry is valid. This requires an updated sudoers schema
that includes the sudoNotBefore and sudoNotAfter attributes.
Support for timed entries must be explicitly enabled in the
ldap.conf file. Based on changes from Andreas Mueller.
* LDAP Sudoers entries may now specify a sudoOrder attribute that
determines the order in which matching entries are applied; the first
matching entry is used. This requires an updated sudoers schema that
includes the sudOrder attribute. Based on changes from Andreas Mueller.
* When run as sudoedit, or when given the -e flag, sudo now treats
command line arguments as pathnames. This means that slashes
in the sudoers file entry must explicitly match slashes in
the command line arguments. As a result, and entry such as:
user ALL = sudoedit /etc/*
will allow editing of /etc/motd but not /etc/security/default.
* NETWORK_TIMEOUT is now an alias for BIND_TIMELIMIT in ldap.conf for
compatibility with OpenLDAP configuration files.
* The LDAP API TIMEOUT parameter is now honored in ldap.conf.
More information about the sudo-workers