[sudo-workers] sudo 1.8.23rc2 released

Todd C. Miller Todd.Miller at sudo.ws
Tue Apr 24 14:38:27 MDT 2018

The second release candidate of sudo 1.8.23 is now available.
In addition to bug fixes, sudo 1.8.23 introduces the cvtsudoers
utility which can convert between sudoers formats and perform some
basic filtering.

Unless a show stopper is found, sudo 1.8.23 will be released on the
week of April 30.


SHA256 checksum:
MD5 checksum:

Binary packages:

For a list of download mirror sites, see:

Sudo web site:

Sudo web site mirrors:

Major changes between sudo 1.8.23rc2 and 1.8.23rc1:

 * Fixed the execution of scripts with an associated digest (checksum)
   in sudoers on FreeBSD systems.  FreeBSD does not have a full
   /dev/fd directory mounted by default and its fexecve(2) is not
   fully POSIX compliant when executing scripts.  Bug #831.

 * Chinese(Taiwan) translation for sudo from translationproject.org.

Major changes between sudo 1.8.23rc1 and 1.8.23b4:

 * Sudo now includes an optional set of Monty Python-inspired insults.

 * Fixed a minor memory leak discovered with address sanitizer.

 * Manual page updates.

 * Updated translations from translationproject.org.

 * Fixed a hang in cvtsudoers converting LDIF input when the -b
   option was specified.

Major changes between sudo 1.8.23b4 and 1.8.23b3:

 * Fixes for cvtsudoers bugs exposed by the new cvtsudoers regression

 * Updated translations from translationproject.org.

Major changes between sudo 1.8.23b3 and 1.8.23b2:

 * The cvtsudoers utility now supports setting defaults types and
   the suppression list in its config file.

 * The cvtsudoers utility has a new "-p" option to prune non-matching
   entries from the output when the "-m" option is also used.

 * Fixed a problem with the process start time test in "make check"
   when run in a Linux container.  The test now uses the "btime"
   field in /proc/stat to get the system start time instead of using
   /proc/uptime, which is the container uptime.  Bug #829.

 * Sudoedit now checks the writability of a temporary directory
   before using it.  For example, if /var/tmp is not writable but
   /tmp is, then /tmp will be used.

 * If the cvtsudoers utility is given the -d option, any aliases
   used by Defaults entries that are not being converted are omitted
   from the output if they are otherwise unused.

 * Updated translations from translationproject.org.

Major changes between sudo 1.8.23b2 and 1.8.23b1:

 * Fixed a bug on some systems where sudo could hang on command
   exit when I/O logging was enabled.  Bug #826.

 * The cvtsudoers utility has gained an option to control what type
   of Defaults entries are translated.

 * The sudoers.ldap manual now has a section on converting from
   file-based sudoers to LDAP-based.

Major changes between sudo 1.8.23b1 and 1.8.22:

 * PAM account management modules and BSD auto approval modules are
   now run even when no password is required.

 * For kernel-based time stamps, if no terminal is present, fall
   back to parent-pid style time stamps.

 * The new cvtsudoers utility replaces both the "sudoers2ldif" script
   and the "visudo -x" functionality.  It can read a file in either
   sudoers or LDIF format and produce JSON, LDIF or sudoers output.
   It is also possible to filter the generated output file by user,
   group or host name.

 * The file, ldap and sss sudoers backends now share a common set
   of formatting functions for "sudo -l" output, which is also used
   by the cvtsudoers utility.

 * The /run directory is now used in preference to /var/run if it
   exists. Bug #822.

 * More accurate descriptions of the --with-rundir and --with-vardir
   configure options.  Bug #823.

 * The setpassent() and setgroupent() functions are now used on systems
   that support them to keep the passwd and group database open.
   Sudo performs a lot of passwd and group lookups so it can be
   beneficial to avoid opening and closing the files each time.

 * The new case_insensitive_user and case_insensitive_group sudoers
   options can be used to control whether sudo does case-sensitive
   matching of users and groups in sudoers.  Case insensitive
   matching is now the default.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <https://www.sudo.ws/pipermail/sudo-workers/attachments/20180424/1f8f332b/attachment.bin>

More information about the sudo-workers mailing list