[sudo-workers] sudo 1.8.20rc3 released

Todd C. Miller Todd.Miller at courtesan.com
Fri May 5 12:39:36 MDT 2017

The third release candidate for sudo 1.8.20 is now available.


SHA256 checksum:
MD5 checksum:

Binary packages:

For a list of download mirror sites, see:

Sudo web site:

Sudo web site mirrors:

Major changes between sudo 1.8.20rc2 and 1.8.20rc3:

 * Fixed some minor Coverity warnings.

 * Updated Hungarian translation from translationproject.org.

 * Fixed a regression introduced in sudo 1.8.18 where the "lecture"
   option could not be used in a positive boolean context, only
   a negative one.

Major changes between sudo 1.8.20rc1 and 1.8.20rc2:

 * Fixed exponential behavior in sudo's glob() replacement
   with respect to multiple '*' characters.

 * Sudo no longer needs to display a message when a command
   running in a pseudo-tty is killed by a signal.  Now that
   the main sudo process delivers the same signal to itself
   the parent shell will display the message itself.

Major changes between sudo 1.8.20b2 and 1.8.20rc1:

 * Fixed a typo that resulted in a compilation error on systems
   where the killpg() function is not found by configure.

 * Fixed a compilation error with the included version of zlib
   when sudo was built outside the source tree.

 * Fixed the exit value of sudo when the command is terminated by
   a signal other than SIGINT.  This was broken in sudo 1.8.15 by
   the fix for Bug #722.  Bug #784.

Major changes between sudo 1.8.20b1 and 1.8.20b2:

 * Updated translations from translationproject.org.

 * Fixed a use after free bug in the SSSD backend when the fqdn
   sudoOption is set and no hostname value is present in sssd.conf.

Major changes between sudo 1.8.19p2 and 1.8.20b1:

 * Added support for SASL_MECH in ldap.conf. Bug #764

 * Added support for digest matching when the command is a glob-style
   pattern or a directory. Previously, only explicit path matches
   supported digest checks.

 * New "fdexec" Defaults option to control whether a command
   is executed by path or by open file descriptor.

 * The embedded copy of zlib has been upgraded to version 1.2.11.

 * Fixed a bug that prevented sudoers include files with a relative
   path starting with the letter 'i' from being opened.  Bug #776.

 * Added support for command timeouts in sudoers.  The command will
   be terminated if the timeout expires.

 * The SELinux role and type are now displayed in the "sudo -l"
   output for the LDAP and SSSD backends, just as they are in the
   sudoers backend.

 * A new command line option, -T, can be used to specify a command
   timeout as long as the user-specified timeout is not longer than
   the timeout specified in sudoers.  This option may only be
   used when the "user_command_timeouts" flag is enabled in sudoers.

 * Added NOTBEFORE and NOTAFTER command options to the sudoers
   backend similar to what is already available in the LDAP backend.

 * Sudo can now optionally use the SHA2 functions in OpenSSL or GNU
   crypt instead of the SHA2 implementation bundled with sudo.

 * Fixed a compilation error on systems without the stdbool.h header
   file.  Bug #778.

 * Fixed a compilation error in the standalone Kerberos V authentication
   module.  Bug #777.

 * Added the iolog_flush flag to sudoers which causes I/O log data
   to be written immediately to disk instead of being buffered.

 * I/O log files are now created with group ID 0 by default unless
   the "iolog_user" or "iolog_group" options are set in sudoers.

 * It is now possible to store I/O log files on an NFS-mounted
   file system where uid 0 is remapped to an unprivileged user.
   The "iolog_user" option must be set to a non-root user and the
   top-level I/O log directory must exist and be owned by that user.

 * Added the restricted_env_file setting to sudoers which is similar
   to env_file but its contents are subject to the same restrictions
   as variables in the invoking user's environment.

