[sudo-workers] Sudo versions 1.7.5b3 and 1.8.0b4 available

Todd C. Miller Todd.Miller at courtesan.com
Sat Feb 5 14:43:09 EST 2011

New beta versions of Sudo 1.7.5 and Sudo 1.8.0 are now available.

Sudo 1.8.0 implements a plugin architecture that allows third-party
policy and I/O logging modules to be used.  It includes a "sudoers"
plugin that provides the same security policy functionality present
in Sudo 1.7.5 (both LDAP and /etc/sudoers).  You can read about the
plugin API in the sudo_plugin manual included in the sudo-1.8.0b4
tarball or online at http://www.sudo.ws/sudo/sudo_plugin.man.html

Both the 1.7.x and 1.8.x branches of Sudo will be actively maintained
and will have synchronized releases for some time to come.

Source tarballs:

Binary packages:

Major changes between sudo 1.7.5b2 and 1.7.5b3:

 * Sudo will no longer refuse to run if the sudoers file is writable
   by root.

 * Sudo now performs command line escaping for "sudo -s" and "sudo -i"
   after validating the command so the sudoers entries do not need
   to include the backslashes.

 * Logging and email sending are now done in the locale specified
   by the "sudoers_locale" setting ("C" by default).  Email sent by
   sudo now includes MIME headers when "sudoers_locale" is not "C".

 * The configure script has a new option, --disable-env-reset, to
   allow one to change the default for the sudoers Default setting
   "env_reset" at compile time.

 * When logging "sudo -l command", sudo will now prepend "list "
   to the command in the log line to distinguish it from an
   actual command invocation in the logs.

 * Double-quoted group and user names may now include escaped double
   quotes as part of the name.  Previously this was a parse error.

 * Sudo once again restores the state of the signal handlers it
   modifies before executing the command.  This allows sudo to be
   used with the nohup command.

 * Resuming a suspended shell now works properly when I/O logging
   is not enabled (the I/O logging case was already correct).

Major changes between sudo 1.7.5b1 and 1.7.5b2:

 * Sync with Sudo 1.7.4p6

 * LDAP Sudoers entries may now specify a time period for which
   the entry is valid.  This requires an updated sudoers schema
   that includes the sudoNotBefore and sudoNotAfter attributes.
   Support for timed entries must be explicitly enabled in the
   ldap.conf file.  Based on changes from Andreas Mueller.

 * LDAP Sudoers entries may now specify a sudoOrder attribute that
   determines the order in which matching entries are applied; the first
   matching entry is used.  This requires an updated sudoers schema that
   includes the sudoOrder attribute.  Based on changes from Andreas Mueller.

 * When run as sudoedit, or when given the -e flag, sudo now treats
   command line arguments as pathnames.  This means that slashes
   in the sudoers file entry must explicitly match slashes in
   the command line arguments.  As a result, an entry such as:
       user ALL = sudoedit /etc/*
   will allow editing of /etc/motd but not /etc/security/default.

 * NETWORK_TIMEOUT is now an alias for BIND_TIMELIMIT in ldap.conf for
   compatibility with OpenLDAP configuration files.

 * The LDAP API TIMEOUT parameter is now honored in ldap.conf.
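
The sudoedit pathname matching from the 1.7.5b2 changes above, modelled with
POSIX fnmatch(3) and its FNM_PATHNAME flag.  This is an added example, not
code from the announcement or the sudo source; the function names, the
"/etc/*/*" rule and the flag-free "loose" comparison are assumptions made
for illustration.

```c
/* Added illustration; not taken from the sudo source tree. */
#include <fnmatch.h>
#include <stdio.h>

/* Pathname-style match: '*', '?' and [] never match a '/', so every
 * slash in the argument must be matched by a literal slash in the rule. */
int sudoedit_arg_allowed(const char *rule, const char *path)
{
    return fnmatch(rule, path, FNM_PATHNAME) == 0;
}

/* Contrast case (assumption): a match in which wildcards may span '/'. */
int loose_match(const char *rule, const char *path)
{
    return fnmatch(rule, path, 0) == 0;
}

/* Audit helper: 1 when a path is admitted only if '*' may cross a '/',
 * i.e. the rule must name the directory level explicitly to keep
 * covering that path under pathname matching. */
int relies_on_slash_crossing(const char *rule, const char *path)
{
    return loose_match(rule, path) && !sudoedit_arg_allowed(rule, path);
}

int main(void)
{
    /* Constructed sample data: the rule and paths from the announcement,
     * plus one hypothetical rule that spells out the subdirectory level. */
    const char *rules[] = { "/etc/*", "/etc/*/*" };
    const char *paths[] = { "/etc/motd", "/etc/security/default" };

    for (size_t r = 0; r < 2; r++)
        for (size_t p = 0; p < 2; p++)
            printf("%-9s %-22s pathname=%d loose=%d needs_rewrite=%d\n",
                   rules[r], paths[p],
                   sudoedit_arg_allowed(rules[r], paths[p]),
                   loose_match(rules[r], paths[p]),
                   relies_on_slash_crossing(rules[r], paths[p]));
    return 0;
}
```

Running the audit helper over existing sudoedit rules and the paths they are
expected to cover shows which entries need an explicit directory component.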
