[sudo-workers] sudo 1.8.4rc2 available

Todd C. Miller Todd.Miller at courtesan.com
Mon Feb 6 17:04:14 EST 2012

The second release candidate for sudo 1.8.4 is now available.


Binary packages:

Major changes between sudo 1.8.4rc1 and 1.8.4rc2:

 * Fixed the sudoers permission check when the expected sudoers
   mode is owner-writable.

 * Better configure check for PAM headers and libraries.

 * New sudo Spanish translation from translationproject.org.

 * Normally, sudo disables core dumps while it is running.
   This behavior can now be modified at run time with a line in
   sudo.conf like "Set disable_coredumps false".

 * The "noexec" functionality works once again on AIX 5.3 and
   above.  A change in sudo 1.8.1p2 prevented it from working.

 * The sudo process on AIX will now show up in ps(1) as being owned
   by root, not the invoking user.

Major changes between sudo 1.8.4b5 and 1.8.4rc1:

 * Fixed a problem with "sudo -g group" on FreeBSD where
   the kernel stores the effective gid as the first entry in the
   supplemental group list.

 * The NOEXEC option now works when an SELinux role is specified.

 * Fixed a race condition introduced in 1.8.4b1 when I/O logging
   is abled that resulted in the exit value to usually be 1 instead
   of the command's actual exit value.

 * Fixed a potential off-by-one when making a copy of the environment
   for LD_PRELOAD insertion.

 * sudo is now built with _FORTIFY_SOURCE enabled where supported.

Major changes between sudo 1.8.4b4 and 1.8.4b5:

 * "make check" will now only run the compat regress tests for
   compat objects we actually build and not test the system versions.

 * Fixed a regression introduced in 1.8.4b1 that caused a problem
   with pipelines when I/O logging is not enabled.

Major changes between sudo 1.8.4b3 and 1.8.4b4:

 * No longer prepend "/dev/" to the devicename if devname() returns
   a fully-qualified pathname.  This should never happen.

 * The packages now include the parent directories in case they
   don't already exist. This fixes a directory permissions problem
   with the AIX package when the /usr/local directories don't already

Major changes between sudo 1.8.4b2 and 1.8.4b3:

 * The full path to the controlling terminal is once again passed
   to the plugin on BSD systems.  This was broken in sudo 1.8.3b2.

 * The output of "visudo -c" now lists any include files that were
   checked.  Previously, only the main sudoers file was listed.

Major changes between sudo 1.8.4b1 and 1.8.4b2:

 * On BSD systems the controlling terminal is now determined via
   sysctl() when possible.  This usually allows sudo to find the
   tty name even when standard input, output and error are redirected
   to /dev/null.

 * Fixed a compilation error on FreeBSD.

 * The testsudoers program now uses the debugging framework.

 * Updated Esperanto, Finnish, Polish and Ukrainian translations
   from translationproject.org.
Major changes between sudo 1.8.3p1 and 1.8.4b1:

 * The -D flag in sudo has been replaced with a more general debugging
   framework that is configured in sudo.conf.

 * Fixed a false positive in visudo strict mode when aliases are
   in use.

 * Fixed a crash with "sudo -i" when a runas group was specified
   without a runas user.

 * The line on which a syntax error is reported in the sudoers file
   is now more accurate.  Previously it was often off by a line.

 * Fixed a bug where stack garbage could be printed at the end of
   the lecture when the "lecture_file" option was enabled.

 * "make install" now honors the LINGUAS environment variable.

 * The #include and #includedir directives in sudoers now support
   relative paths.  If the path is not fully qualified it is expected
   to be located in the same directory of the sudoers file that is
   including it.

 * Serbian translation for sudo from translationproject.org.

 * LDAP-based sudoers may now access by group ID in addition to
   group name.

 * visudo will now fix the mode on the sudoers file even if no changes
   are made unless the -f option is specified.

 * The "use_loginclass" sudoers option works properly again.

 * On systems that use login.conf, "sudo -i" now sets environment
   variables based on login.conf.

 * For LDAP-based sudoers, values in the search expression are now
   escaped as per RFC 4515.

 * The plugin close function is now properly called when a login
   session is killed (as opposed to the actual command being killed).
   This can happen when an ssh session is disconnected or the
   terminal window is closed.

 * The deprecated "noexec_file" sudoers option is no longer supported.

 * Fixed a race condition when I/O logging is not enabled that could
   result in tty-generated signals (e.g. control-C) being received
   by the command twice.

 * If none of the standard input, output or error are connected to
   a tty device, sudo will now check its parent's standard input,
   output or error for the tty name on systems with /proc.  This
   allow tty-based tickets to work properly even when, e.g. standard
   input, output and error are redirected to /dev/null.

 * Added the --enable-kerb5-instance configure option to allow
   people using Kerberos V authentication to specify a custom
   instance so the principal name can be, e.g. "username/sudo"
   similar to how ksu uses "username/root".

 * Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in
   the results, which would be incorrectly be interpreted as if the
   sudoers file had specified a directory.

More information about the sudo-workers mailing list