[sudo-workers] sudo 1.8.7rc4 available
Todd C. Miller
Todd.Miller at courtesan.com
Thu May 30 19:17:10 MDT 2013
The fourth and (hopefully) final release candidate of sudo 1.8.7
is now available.
Major changes between sudo 1.8.7rc4 and 1.8.7rc3:
* Sudo now only builds Position Independent Executables (PIE)
by default on Linux systems and verifies that a trivial test
program builds and runs.
* On Solaris 11.1 and higher, sudo binaries will now have the
ASLR tag enabled if supported by the linker.
Major changes between sudo 1.8.7rc3 and 1.8.7rc2:
* Fixed a problem resolving the tty name on file systems that
return DT_UNKNOWN for the d_type field in struct dirent.
Major changes between sudo 1.8.7rc2 and 1.8.7rc1:
* Quiet a few -Wunused-result compiler warnings.
* Position independent executables appear to be broken on FreeBSD/arm
so imply --disable-pie on that platform.
* Sudoers no longer stores the tty's ctime in the tty-specific
time stamp file on Linux systems using devpts. In the past, the
ctime never changed on devpts device nodes but newer Linux kernels
follow POSIX and update the ctime.
Major changes between sudo 1.8.7rc1 and 1.8.7b3:
* Updated translations and minor documentation tweaks.
Major changes between sudo 1.8.7b3 and 1.8.7b2:
* The paths to ldap.conf and ldap.secret may now be specified in
sudo.conf as arguments to the sudoers plugin.
* When the process has no controlling tty, sudo no longer
checks to see if the parent process has a tty. If the process
has disassociated from its tty it is better to just treat the
tty as "unknown".
* Updated translations from translationproject.org.
* Documentation updates.
Major changes between sudo 1.8.7b2 and 1.8.7b1:
* New support for specifying a SHA-2 digest along with the command
in sudoers. Supported hash types are sha224, sha256, sha384 and
sha512. See the description of Digest_Spec in the sudoers manual
or the description of sudoCommand in the sudoers.ldap manual for
Major changes between sudo 1.8.7b1 and 1.8.6p7:
* The non-Unix group plugin is now supported when sudoers data
is stored in LDAP.
* Sudo now uses a workaround for a locale bug on Solaris 11.0
that prevents setuid programs like sudo from fully using locales.
* User messages are now always displayed in the user's locale,
even when the same message is being logged or mailed in a
* Log files created by sudo now explicitly have the group set
to group ID 0 rather than relying on BSD group semantics (which
may not be the default).
* A new "exec_background" sudoers option can be used to initially
run the command without read access to the terminal when running
a command in a pseudo-tty. If the command tries to read from
the terminal it will be stopped by the kernel (via SIGTTIN or
SIGTTOU) and sudo will immediately restart it as the forground
process (if possible). This allows sudo to only pass terminal
input to the program if the program actually is expecting it.
Unfortunately, a few poorly-behaved programs (like "su" on most
Linux systems) do not handle SIGTTIN and SIGTTOU properly.
* Sudo now uses an efficient group query to get all the groups
for a user instead of iterating over every record in the group
database on HP-UX and Solaris.
* Sudo now produces better error messages when there is an error
in the sudo.conf file.
* Two new settings have been added to sudo.conf to give the admin
better control of how group database queries are performed. The
"group_source" specifies how the group list for a user will be
determined. Legal values are "static" (use the kernel groups
list), "dynamic" (perform a group database query) and "adaptive"
(only perform a group database query if the kernel list is full).
The "max_groups" specifies the maximum number of groups a user may
belong to when performing a group database query.
* The sudo.conf file now supports line continuation by using a
backslash as the last character on the line.
* There is now a standalone sudo.conf manual page.
* Sudo now stores its libexec files in a "sudo" subdirectory instead
of in libexec itself. For backwards compatibility, if the plugin
is not found in the default plugin directory, sudo will check
the parent directory if the default directory ends in "/sudo".
* The sudoers I/O logging plugin now logs the terminal size.
* A new sudoers option "maxseq" can be used to limit the number of
I/O log entries that are stored.
* The "system_group" and "group_file" sudoers group provider plugins
are now installed by default.
* The list output (sudo -l) output from the sudoers plugin is now
less ambiguous when an entry includes different runas users.
The long list output (sudo -ll) for file-based sudoers is now
more consistent with the format of LDAP-based sudoers.
* A uid may now be used in the sudoRunAsUser attributes for LDAP
* Minor plugin API change: the close and version functions are now
optional. If the policy plugin does not provide a close function
and the command is not being run in a new pseudo-tty, sudo may
now execute the command directly instead of in a child process.
* A new sudoers option "pam_session" can be used to disable sudo's
PAM session support.
* On HP-UX systems, sudo will now use the pstat() function to
determine the tty instead of ttyname().
* Turkish translation for sudo from translationproject.org.
* Dutch translation for sudo and sudoers from translationproject.org.
* Tivoli Directory Server client libraries may now be used with
HP-UX where libibmldap has a hidden dependency on libCsup.
* The sudoers plugin will now ignore invalid domain names when
checking netgroup membership. Some Linux systems use the string
"(none)" for the NIS-style domain name instead of an empty string.
More information about the sudo-workers