[sudo-workers] sudo 1.8.6rc2 available

Todd C. Miller Todd.Miller at courtesan.com
Tue Aug 28 15:12:08 EDT 2012

A new sudo 1.8.6 release candidate is available.


Binary packages:

Major changes between sudo 1.8.6rc2 and 1.8.6rc1:

 * Fixed a race condition that could cause sudo to receive SIGTTOU
   (and stop) when resuming a shell that was run via sudo when I/O
   logging (and use_pty) is not enabled.

 * Sending SIGTSTP directly to the sudo process will now suspend the
   running command when I/O logging (and use_pty) is not enabled.

Major changes between sudo 1.8.6rc1 and 1.8.6b4:

 * Fixed a crash introduced in 1.8.4b4 when the matching entry
   in sudoers lacks a Runas_Spec.

 * Visudo will now warn about unknown Defaults entries that are
   per-host, per-user, per-runas or per-command.

 * Updated translations from translationproject.org.

 * Avoid printing an error message in yyerror() if we are unable
   to open a file included by sudoers; the message is already
   displayed by open_sudoers().

 * Modified yyerror() so that tokenizer regress tests pass again.

 * The sudo manual page now contains a COMMAND EXECUTION section
   that describes how sudo runs the command, the extra sudo processes
   and signal handling.

Major changes between sudo 1.8.6b4 and 1.8.6b3:

 * New support for Solaris privilege sets.  This makes it possible
   to specify fine-grained privileges in the sudoers file on Solaris
   10 and above.  A Runas_Spec that contains no Runas_Lists can be
   used to give a user the ability to run a command as themselves
   but with an expanded privilege set.

 * Fixed a problem with the reboot and shutdown commands on some
   systems (such as HP-UX and BSD).  On these systems, reboot sends
   all processes (except itself) SIGTERM.  When sudo received
   SIGTERM, it would relay it to the reboot process, thus killing
   reboot before it had a chance to actually reboot the system.

 * Support for using the System Security Services Daemon (SSSD) as
   a source of sudoers data.

 * Slovenian translation for sudo and sudoers from translationproject.org.

Major changes between sudo 1.8.6b3 and 1.8.6b2:

 * If a user fails to authenticate and the command would be rejected
   by sudoers, it is now logged with "command not allowed" instead
   of "N incorrect password attempts".  Likewise, the "mail_no_perms"
   sudoers option now takes precedence over "mail_badpass".

 * The sudo manuals are now formatted in mdoc.  Versions using the
   legacy man macros are provided for systems that lack mdoc.

Major changes between sudo 1.8.6b2 and 1.8.6b1:

 * Worked around an issue with libtool removing the -fstack-protector
   flag when linking.

 * Sudo is now built as a position independent executable (PIE) if
   there is compiler and linker support for it.  This may be disabled
   using the --disable-pie configure option.

Major changes between sudo 1.8.6b1 and 1.8.5p2:

 * Sudo is now built with the -fstack-protector flag if the
   compiler supports it.  Also, the -zrelro linker flag is used if
   supported.  The --disable-hardening configure option can be used
   to build sudo without stack smashing support.

 * If the user is a member of the "exempt" group in sudoers, they
   will no longer be prompted for a password even if the -k flag
   is specified with the command.  This makes "sudo -k command"
   consistent with the behavior one would get if the user ran "sudo
   -k" immediately before running the command.

 * The sudoers file may now be a symbolic link.  Previously, sudo
   would refuse to read sudoers unless it was a regular file.

 * The sudoreplay command can now properly replay sessions where
   no tty was present.

 * The sudoers plugin now takes advantage of symbol visibility
   controls when supported by the compiler or linker.  As a result,
   only a small number of symbols are exported which significantly
   reduces the chances of a conflict with other shared objects.

 * Improved support for the Tivoli Directory Server LDAP client
   libraries.  This includes support for using LDAP over SSL (ldaps)
   as well as support for the BIND_TIMELIMIT, TLS_KEY and TLS_CIPHERS
   ldap.conf options.  A new ldap.conf option, TLS_KEYPW can be
   used to specify a password to decrypt the key database.
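
The logging change between 1.8.6b3 and 1.8.6b2 listed above matters for detection rules that key on sudo's log text: a rule that only counts "N incorrect password attempts" no longer sees failed attempts at commands sudoers would reject. The following is an added example, not part of the original announcement or of sudo itself; it classifies sudo syslog lines so both outcomes are counted separately, and the sample lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in sudo's syslog format (not from the announcement).
SAMPLE_LOG = """\
Aug 28 15:02:11 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
Aug 28 15:03:40 host1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/visudo
Aug 28 15:04:02 host1 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh -c id ; whoami
Aug 28 15:04:09 host1 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Aug 28 15:05:00 host1 sshd[411]: Accepted publickey for alice
"""

LINE_RE = re.compile(r"\bsudo(?:\[\d+\])?:\s+(?P<user>\S+) : (?P<body>.*)$")
KEY_RE = re.compile(r"^[A-Z]+=")
BADPASS_RE = re.compile(r"^\d+ incorrect password attempts?$")

def parse_sudo_line(line):
    """Return a dict describing a sudo log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # COMMAND is the last field and may itself contain " ; ", so split it off first.
    head, _, command = m.group("body").partition(" ; COMMAND=")
    fields = [f.strip() for f in head.split(" ; ") if f.strip()]
    # A leading field without KEY= is the failure reason; allowed runs have none.
    reason = fields[0] if fields and not KEY_RE.match(fields[0]) else None
    attrs = dict(f.split("=", 1) for f in fields if KEY_RE.match(f))
    return {"user": m.group("user"), "reason": reason, "command": command, **attrs}

def classify(event):
    """Map a parsed event to a coarse outcome for alerting."""
    reason = event["reason"]
    if reason is None:
        return "allowed"
    if reason == "command not allowed":
        return "policy_denied"
    if BADPASS_RE.match(reason):
        return "auth_failed"
    return "other"

def summarize(text):
    """Count (user, outcome) pairs over a block of log text."""
    counts = Counter()
    for line in text.splitlines():
        event = parse_sudo_line(line)
        if event:
            counts[(event["user"], classify(event))] += 1
    return counts

if __name__ == "__main__":
    for (user, outcome), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{user:8} {outcome:14} {n}")
```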
