[sudo-workers] sudo 1.8.15rc2 released

Todd C. Miller Todd.Miller at courtesan.com
Tue Oct 6 20:57:18 MDT 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The second release candidate of sudo 1.8.15 is now available.

In addition to bug fixes, sudo 1.8.15 includes changes to how the
time stamp files are locked which could use some more extensive
testing.  The upshot is that sudo can now be used multiple times
in a pipeline even when a password is required and the user will
only be prompted once.

For example:

$ sudo -k
$ sudo echo test | sudo cat
Password:
test

I've tested the time stamp changes on Ubuntu 14.04, Solaris 11,
HP-UX 11, AIX 5.3, Mac OS X 10.10 and OpenBSD 5.8.  Tests on other
systems would be appreciated, especially backgrounding sudo at the
password prompt (or just running it in the background when a password
is required) and then running sudo again in the same terminal.  This
should verify that the time stamp record is unlocked when sudo is
suspended.

In other words:

$ sudo -k
$ sudo id
Password: ^Z

Suspended
$ sudo id
Password: blah
uid=0(root) gid=0(root)

$ fg
sudo id
Password: 

Source:
    http://www.sudo.ws/sudo/dist/beta/sudo-1.8.15rc2.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.8.15rc2.tar.gz

SHA256 checksum:
    XXX
MD5 checksum:
    XXX

Binary packages:
    http://www.sudo.ws/sudo/dist/beta/packages/index.html#binary

For a list of download mirror sites, see:
    http://www.sudo.ws/sudo/download_mirrors.html

Sudo web site:
    http://www.sudo.ws/sudo/

Sudo web site mirrors:
    http://www.sudo.ws/sudo/mirrors.html

Major changes between sudo 1.8.15rc2 and 1.8.15rc1:

 * Slovak translation for sudo from translationproject.org.

 * Hungarian and Slovak translations for sudoers from translationproject.org.

 * SIA authentication on Tru64 Unix now uses the conversation function
   when prompting for a password.

 * Previously, when env_reset was enabled (the default) and the -s
   option was not used, the SHELL environment variable was set to the
   shell of the invoking user.  Now, when env_reset is enabled and
   the -s option is not used, SHELL is set based on the target user.

 * Fixed challenge/response style BSD authentication.

Major changes between sudo 1.8.15rc1 and 1.8.15b5:

 * Updated translations from translationproject.org.

 * Documentation fixes.

 * Debugging now works as expected inside the conversation function.

 * The popen(3) and system(3) functions are now directly blocked
   by sudo_noexec.so instead of relying on blocking of the underlying
   execve(2) system call.

Major changes between sudo 1.8.15b5 and 1.8.15b4:

 * If some, but not all, of the LOGNAME, USER or USERNAME environment
   variables have been preserved from the invoking user's environment,
   sudo will now use the preserved value to set the remaining variables
   instead of using the runas user.  This ensures that if, for example,
   only LOGNAME is present in the env_keep list, that sudo will not
   set USER and USERNAME to the runas user.

 * When the command sudo is running dies due to a signal, sudo will
   now send itself that same signal with the default signal handler
   installed instead of exiting.  The bash shell appears to ignore
   some signals, e.g. SIGINT, unless the command being run is killed
   by that signal.  This makes the behavior of commands run under
   sudo the same as without sudo when bash is the shell.  Bug #722

Major changes between sudo 1.8.15b4 and 1.8.15b3:

 * The callback is now passed correctly to the PAM conversation
   function.  This allows the on_suspend and on_resume functions to
   be called on systems using PAM.

 * Fixed "sudo -k" on Solaris and probably other systems where
   the size of off_t and size_t are different.

Major changes between sudo 1.8.15b3 and 1.8.15b2:

 * Fixed a potential double free introduced in 1.8.15b1 when sudo
   is suspended at the password prompt.

Major changes between sudo 1.8.15b2 and 1.8.15b1:

 * Fixed a bug introduced in sudo 1.8.14 that prevented visudo from
   re-editing the correct file when a syntax error was detected.

 * Fixed a bug where sudo would not relay a SIGHUP signal to the
   command when the terminal is closed and the command is not run
   in its own pseudo-tty.  Bug #719

Major changes between sudo 1.8.15b1 and 1.8.14p3:

 * Fixed a bug that prevented sudo from building outside the source tree
   on some platforms.  Bug #708.

 * Fixed the location of the sssd library in the RHEL/CentOS packages.
   Bug #710.

 * Fixed a build problem on systems that don't implicitly include
   sys/types.h from other header files.  Bug #711.

 * Fixed a problem on Linux using containers where sudo would ignore
   signals sent by a process in a different container.

 * Sudo now refuses to run a command if the PAM session module
   returns an error.

 * When editing files with sudoedit, symbolic links will no longer
   be followed by default.  The old behavior can be restored by
   enabling the sudoedit_follow option in sudoers or on a per-command
   basis with the FOLLOW and NOFOLLOW tags.  Bug #707.

 * Fixed a bug introduced in version 1.8.14 that caused the last
   valid editor in the sudoers "editor" list to be used by visudo
   and sudoedit instead of the first.  Bug #714.

 * Fixed a bug in visudo that prevented the addition of a final
   newline to edited files without one.

 * Fixed a bug decoding certain base64 digests in sudoers when the
   intermediate format included a '=' character.

 * Individual records are now locked in the time stamp file instead
   of the entire file.  This allows sudo to avoid prompting for a
   password multiple times on the same terminal when used in a
   pipeline.  In other words, "sudo cat foo | sudo grep bar" now
   only prompts for the password once.  Previously, both sudo
   processes would prompt for a password, often making it impossible
   to enter.

 * Fixed a bug where sudo would fail to run commands as a non-root
   user on systems that lack both setresuid() and setreuid().
   Bug #713.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlYUigoACgkQWonfon7kcMRTeACfUMsabVlFL1725Bmdme0Y+s2+
cqkAoLZ+wE6oIFxr4LY2jukDb2NcgqJ/
=tlh0
-----END PGP SIGNATURE-----
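
The announcement's change from locking the whole time stamp file to locking individual records can be illustrated with POSIX byte-range locks. This is an added example, not part of the original message and not sudo source; the use of fcntl(), the 64-byte record size and the function names are assumptions made for the demonstration.

```c
/* Added example, not sudo source: whole-file vs. per-record locking. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

#define REC_SIZE 64                 /* constructed record size */
#define WHOLE_FILE (-1)

/* Non-blocking write lock on record idx, or on the whole file.
 * Returns 0 on success, -1 if another process holds a conflicting lock. */
static int try_lock(int fd, int idx)
{
    struct flock fl = {0};
    fl.l_type = F_WRLCK;
    fl.l_whence = SEEK_SET;
    fl.l_start = idx == WHOLE_FILE ? 0 : (off_t)idx * REC_SIZE;
    fl.l_len = idx == WHOLE_FILE ? 0 : REC_SIZE;    /* 0 = to end of file */
    return fcntl(fd, F_SETLK, &fl);
}

/* This process locks `held`, then a second process asks for `wanted`.
 * Returns 1 if the second process got its lock, 0 if refused, -1 on error. */
int other_can_lock(int held, int wanted)
{
    char path[] = "/tmp/ts_demo.XXXXXX";
    int status, result = -1, fd = mkstemp(path);
    pid_t pid;
    if (fd < 0)
        return -1;
    unlink(path);                   /* file lives only as long as fd */
    if (ftruncate(fd, 4 * REC_SIZE) == 0 && try_lock(fd, held) == 0 &&
        (pid = fork()) >= 0) {
        if (pid == 0)               /* locks are per process, not inherited */
            _exit(try_lock(fd, wanted) == 0 ? 0 : 1);
        if (waitpid(pid, &status, 0) == pid && WIFEXITED(status))
            result = WEXITSTATUS(status) == 0;
    }
    close(fd);
    return result;
}

int main(void)
{
    printf("file held, rec 1: %d; rec 0 held, rec 1: %d; rec 0 held, rec 0: %d\n",
           other_can_lock(WHOLE_FILE, 1), other_can_lock(0, 1), other_can_lock(0, 0));
    return 0;
}
```

With a whole-file lock every other process is refused, whatever record it wants; with a per-record lock only a process asking for the same record is refused.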

