[sudo-workers] sudo 1.9.10b4 released

Todd C. Miller Todd.Miller at sudo.ws
Thu Feb 24 11:47:45 MST 2022

The fourth beta version of sudo 1.9.10 is now available.

In addition to bug fixes, sudo 1.9.10 introduces support for using
regular expressions in the sudoers file.  Either the command, the
arguments, or both may be (separate) regular expressions.


SHA256 checksum:

MD5 checksum:

Binary packages:

For a list of download mirror sites, see:

Sudo web site:

Major changes between sudo 1.9.10b4 and 1.9.10b3:

 * Fixed issues found by the Coverity Scan static analyzer,

Major changes between sudo 1.9.10b3 and 1.9.10b2:

 * Restored the warning when a user is not allowed to run a command.
   Previously, the warning was displayed when a user was not in the
   sudoers file, or was present but not listed for the local host. The
   new behavior is to display the warning if a command is denied *and*
   mail is sent to the administrator. Whether or not mail is sent is
   controlled by the "mail_*" flags in sudoers. The warning text is now
   "This incident has been reported to the administrator." which is
   hopefully less confusing. The message will not be printed if either
   the "mailto" or "mailerpath" sudoers settings are disabled.

 * The sudo lecture is now displayed immediately before the password
   prompt.  As a result, sudo will no longer display the lecture
   unless the user needs to enter a password.  Authentication methods
   that don't interact with the user via a terminal do not trigger
   the lecture.

Major changes between sudo 1.9.10b2 and 1.9.10b1:

 * A user may now only run "sudo -U otheruser -l" if they have a
   "sudo ALL" privilege where the RunAs user contains either "root"
   or "otheruser".  Previously, having "sudo ALL" was sufficient,
   regardless of the RunAs user.  GitHub issue #134.

 * Documentation updates.

 * Fixed a bug in the heuristic used to decide when to disable
   password filtering when "log_input" is enabled and "log_passwords"
   is disabled.  Also added regession tests for password filtering.

 * Updated translations from translationproject.org.

Major changes between sudo 1.9.10b1 and 1.9.9:

 * Added new "log_passwords" and "passprompt_regex" sudoers options.
   If "log_passwords" is disabled, sudo will attempt to prevent passwords
   from being logged.  If sudo detects any of the regular expressions in
   the "passprompt_regex" list in the terminal output, sudo will log '*'
   characters instead of the terminal input until a newline or carriage
   return is found in the input or an output character is received.

 * Added new "log_passwords" and "passprompt_regex" settings to
   sudo_logsrvd that operate like the sudoers options when logging
   terminal input.

 * Fixed several few bugs in the cvtsudoers utility when merging
   multiple sudoers sources.

 * Fixed a bug in sudo_logsrvd when parsing the sudo_logsrvd.conf
   file, where the "retry_interval" in the [relay] section was not
   being recognized.

 * Restored the pre-1.9.9 behavior of not performing authentication
   when sudo's -n option is specified.  A new "noninteractive_auth"
   sudoers option has been added to enable PAM authentication in
   non-interactive mode.  GitHub issue #131.

 * On systems with /proc, if the /proc/self/stat (Linux) or
   /proc/pid/psinfo (other systems) file is missing or invalid,
   sudo will now check file descriptors 0-2 to determine the user's
   terminal.  Bug #1020.

 * Fixed a compilation problem on Debian kFreeBSD.  Bug #1021.

 * Fixed a crash in sudo_logsrvd when running in relay mode if
   an alert message is received.

 * Fixed an issue that resulting in "problem with defaults entries"
   email to be sent if a user ran sudo when the sudoers entry in
   the nsswitch.conf file includes "sss" but no sudo provider is
   configured in /etc/sssd/sssd.conf.  Bug #1022.

 * Removed the text "This incident will be reported." from warnings
   when the invoking user is not listed in sudoers.  This warning
   is confusing to users and may not be accurate now that the email
   settings are configurable in the sudoers file.  GitHub issue #48.

 * Fixed a bug where the user-specified command timeout was not
   being honored if the sudoers rule did not also specify a timeout.

 * Added support for using POSIX extended regular expressions in
   sudoers rules.  A command and/or arguments in sudoers are treated
   as a regular expression if they start with a '^' character and
   end with a '$'.  The command and arguments are matched separately,
   either one (or both) may be a regular expression.
   Bug #578, GitHub issue #15.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://www.sudo.ws/pipermail/sudo-workers/attachments/20220224/aaf80538/attachment.bin>

More information about the sudo-workers mailing list