[sudo-workers] sudo 1.8.7rc4 available

Todd C. Miller Todd.Miller at courtesan.com
Thu May 30 19:17:10 MDT 2013

The fourth and (hopefully) final release candidate of sudo 1.8.7
is now available.


Binary packages:

Major changes between sudo 1.8.7rc4 and 1.8.7rc3:

 * Sudo now only builds Position Independent Executables (PIE)
   by default on Linux systems and verifies that a trivial test
   program builds and runs.

 * On Solaris 11.1 and higher, sudo binaries will now have the
   ASLR tag enabled if supported by the linker.

Major changes between sudo 1.8.7rc3 and 1.8.7rc2:

 * Fixed a problem resolving the tty name on file systems that
   return DT_UNKNOWN for the d_type field in struct dirent.

Major changes between sudo 1.8.7rc2 and 1.8.7rc1:

 * Quiet a few -Wunused-result compiler warnings.

 * Position independent executables appear to be broken on FreeBSD/arm
   so imply --disable-pie on that platform.

 * Sudoers no longer stores the tty's ctime in the tty-specific
   time stamp file on Linux systems using devpts.  In the past, the
   ctime never changed on devpts device nodes but newer Linux kernels
   follow POSIX and update the ctime.

Major changes between sudo 1.8.7rc1 and 1.8.7b3:

 * Updated translations and minor documentation tweaks.

Major changes between sudo 1.8.7b3 and 1.8.7b2:

 * The paths to ldap.conf and ldap.secret may now be specified in
   sudo.conf as arguments to the sudoers plugin.

 * When the process has no controlling tty, sudo no longer
   checks to see if the parent process has a tty.  If the process
   has disassociated from its tty it is better to just treat the
   tty as "unknown".

 * Updated translations from translationproject.org.

 * Documentation updates.

Major changes between sudo 1.8.7b2 and 1.8.7b1:

 * New support for specifying a SHA-2 digest along with the command
   in sudoers.  Supported hash types are sha224, sha256, sha384 and
   sha512.  See the description of Digest_Spec in the sudoers manual
   or the description of sudoCommand in the sudoers.ldap manual for

Major changes between sudo 1.8.7b1 and 1.8.6p7:

 * The non-Unix group plugin is now supported when sudoers data
   is stored in LDAP.

 * Sudo now uses a workaround for a locale bug on Solaris 11.0
   that prevents setuid programs like sudo from fully using locales.

 * User messages are now always displayed in the user's locale,
   even when the same message is being logged or mailed in a
   different locale.

 * Log files created by sudo now explicitly have the group set
   to group ID 0 rather than relying on BSD group semantics (which
   may not be the default).

 * A new "exec_background" sudoers option can be used to initially
   run the command without read access to the terminal when running
   a command in a pseudo-tty.  If the command tries to read from
   the terminal it will be stopped by the kernel (via SIGTTIN or
   SIGTTOU) and sudo will immediately restart it as the forground
   process (if possible).  This allows sudo to only pass terminal
   input to the program if the program actually is expecting it.
   Unfortunately, a few poorly-behaved programs (like "su" on most
   Linux systems) do not handle SIGTTIN and SIGTTOU properly.

 * Sudo now uses an efficient group query to get all the groups
   for a user instead of iterating over every record in the group
   database on HP-UX and Solaris.

 * Sudo now produces better error messages when there is an error
   in the sudo.conf file.

 * Two new settings have been added to sudo.conf to give the admin
   better control of how group database queries are performed.  The
   "group_source" specifies how the group list for a user will be
   determined.  Legal values are "static" (use the kernel groups
   list), "dynamic" (perform a group database query) and "adaptive"
   (only perform a group database query if the kernel list is full).
   The "max_groups" specifies the maximum number of groups a user may
   belong to when performing a group database query.

 * The sudo.conf file now supports line continuation by using a
   backslash as the last character on the line.

 * There is now a standalone sudo.conf manual page.

 * Sudo now stores its libexec files in a "sudo" subdirectory instead
   of in libexec itself. For backwards compatibility, if the plugin
   is not found in the default plugin directory, sudo will check
   the parent directory if the default directory ends in "/sudo".

 * The sudoers I/O logging plugin now logs the terminal size.

 * A new sudoers option "maxseq" can be used to limit the number of
   I/O log entries that are stored.

 * The "system_group" and "group_file" sudoers group provider plugins
   are now installed by default.

 * The list output (sudo -l) output from the sudoers plugin is now
   less ambiguous when an entry includes different runas users.
   The long list output (sudo -ll) for file-based sudoers is now
   more consistent with the format of LDAP-based sudoers.

 * A uid may now be used in the sudoRunAsUser attributes for LDAP

 * Minor plugin API change: the close and version functions are now
   optional.  If the policy plugin does not provide a close function
   and the command is not being run in a new pseudo-tty, sudo may
   now execute the command directly instead of in a child process.

 * A new sudoers option "pam_session" can be used to disable sudo's
   PAM session support.

 * On HP-UX systems, sudo will now use the pstat() function to
   determine the tty instead of ttyname().

 * Turkish translation for sudo from translationproject.org.

 * Dutch translation for sudo and sudoers from translationproject.org.

 * Tivoli Directory Server client libraries may now be used with
   HP-UX where libibmldap has a hidden dependency on libCsup.

 * The sudoers plugin will now ignore invalid domain names when
   checking netgroup membership.  Some Linux systems use the string
   "(none)" for the NIS-style domain name instead of an empty string.

More information about the sudo-workers mailing list