[sudo-workers] sudo 1.9.10rc1 released
Todd C. Miller
Todd.Miller at sudo.ws
Mon Feb 28 07:40:11 MST 2022
The first release candidate for sudo 1.9.10 is now available.
In addition to bug fixes, sudo 1.9.10 introduces support for using
regular expressions in the sudoers file. Either the command, the
arguments, or both may be (separate) regular expressions.
Source:
https://www.sudo.ws/dist/beta/sudo-1.9.10rc1.tar.gz
ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.9.10rc1.tar.gz
SHA256 checksum:
f3e3cd24e28e16410354a661294b47d458bd1d10d0f092cff48bc4622d089b64
MD5 checksum:
abe7e9495459b4188382ccf28fd179aa
Binary packages:
https://www.sudo.ws/getting/beta_packages/
For a list of download mirror sites, see:
https://www.sudo.ws/getting/download_mirrors/
Sudo web site:
https://www.sudo.ws/
Major changes between sudo 1.9.10rc1 and 1.9.10b4:
* Fixed a test failure on Alpine Linux.
* In fuzz_logsrvd_conf, avoid fuzzing the system's regular expression
implementation.
* Added a configure check for gzclearerr() when using the system zlib.
Older versions of zlib do not include gzclearerr() but sudo now needs it.
Major changes between sudo 1.9.10b4 and 1.9.10b3:
* Fixed issues found by the Coverity Scan static analyzer,
https://scan.coverity.com/.
Major changes between sudo 1.9.10b3 and 1.9.10b2:
* Restored the warning when a user is not allowed to run a command.
Previously, the warning was displayed when a user was not in the
sudoers file, or was present but not listed for the local host. The
new behavior is to display the warning if a command is denied *and*
mail is sent to the administrator. Whether or not mail is sent is
controlled by the "mail_*" flags in sudoers. The warning text is now
"This incident has been reported to the administrator." which is
hopefully less confusing. The message will not be printed if either
the "mailto" or "mailerpath" sudoers settings are disabled.
* The sudo lecture is now displayed immediately before the password
prompt. As a result, sudo will no longer display the lecture
unless the user needs to enter a password. Authentication methods
that don't interact with the user via a terminal do not trigger
the lecture.
Major changes between sudo 1.9.10b2 and 1.9.10b1:
* A user may now only run "sudo -U otheruser -l" if they have a
"sudo ALL" privilege where the RunAs user contains either "root"
or "otheruser". Previously, having "sudo ALL" was sufficient,
regardless of the RunAs user. GitHub issue #134.
* Documentation updates.
* Fixed a bug in the heuristic used to decide when to disable
password filtering when "log_input" is enabled and "log_passwords"
is disabled. Also added regession tests for password filtering.
* Updated translations from translationproject.org.
Major changes between sudo 1.9.10b1 and 1.9.9:
* Added new "log_passwords" and "passprompt_regex" sudoers options.
If "log_passwords" is disabled, sudo will attempt to prevent passwords
from being logged. If sudo detects any of the regular expressions in
the "passprompt_regex" list in the terminal output, sudo will log '*'
characters instead of the terminal input until a newline or carriage
return is found in the input or an output character is received.
* Added new "log_passwords" and "passprompt_regex" settings to
sudo_logsrvd that operate like the sudoers options when logging
terminal input.
* Fixed several few bugs in the cvtsudoers utility when merging
multiple sudoers sources.
* Fixed a bug in sudo_logsrvd when parsing the sudo_logsrvd.conf
file, where the "retry_interval" in the [relay] section was not
being recognized.
* Restored the pre-1.9.9 behavior of not performing authentication
when sudo's -n option is specified. A new "noninteractive_auth"
sudoers option has been added to enable PAM authentication in
non-interactive mode. GitHub issue #131.
* On systems with /proc, if the /proc/self/stat (Linux) or
/proc/pid/psinfo (other systems) file is missing or invalid,
sudo will now check file descriptors 0-2 to determine the user's
terminal. Bug #1020.
* Fixed a compilation problem on Debian kFreeBSD. Bug #1021.
* Fixed a crash in sudo_logsrvd when running in relay mode if
an alert message is received.
* Fixed an issue that resulting in "problem with defaults entries"
email to be sent if a user ran sudo when the sudoers entry in
the nsswitch.conf file includes "sss" but no sudo provider is
configured in /etc/sssd/sssd.conf. Bug #1022.
* Removed the text "This incident will be reported." from warnings
when the invoking user is not listed in sudoers. This warning
is confusing to users and may not be accurate now that the email
settings are configurable in the sudoers file. GitHub issue #48.
* Fixed a bug where the user-specified command timeout was not
being honored if the sudoers rule did not also specify a timeout.
* Added support for using POSIX extended regular expressions in
sudoers rules. A command and/or arguments in sudoers are treated
as a regular expression if they start with a '^' character and
end with a '$'. The command and arguments are matched separately,
either one (or both) may be a regular expression.
Bug #578, GitHub issue #15.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://www.sudo.ws/pipermail/sudo-workers/attachments/20220228/44062ac9/attachment.bin>
More information about the sudo-workers
mailing list