[sudo-workers] sudo 1.9.9b4 released

Todd C. Miller Todd.Miller at sudo.ws
Tue Jan 18 19:29:55 MST 2022 

The third beta release of sudo 1.9.9 is now available.

In addition to bug fixes, sudo 1.9.9 extends the cvtsudoers utility
in several ways.  With sudo 1.9.9, cvtsudoers now supports csv
output, can merge multiple sudoers files and can perform filtering
based on commands.

Source:
    https://www.sudo.ws/dist/beta/sudo-1.9.9b4.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.9.9b4.tar.gz

SHA256 checksum:
    e1b528933e483b73061d1e69c0eee0302fadf45999d95ce3b83856680fc21851

MD5 checksum:
    9cd39258b48e2fd1265f4bf9e504ce25

Binary packages:
    https://www.sudo.ws/dist/beta/packages/

For a list of download mirror sites, see:
    https://www.sudo.ws/getting/download_mirrors/

Sudo web site:
    https://www.sudo.ws/

Major changes between sudo 1.9.9b4 and 1.9.9b3:

 * Fixed a regression introduced in version 1.9.1 when sudo is
   built with the --with-fqdn configure option.  The local host
   name was being resolved before the sudoers file was processed,
   making it impossible to disable DNS lookups by negating the
   "fqdn" sudoers option.  Bug #1016.

 * Added support for negated sudoUser attributes in the LDAP and
   SSSD sudoers back ends.  A matching sudoUser that is negated
   will cause the sudoRole containing it to be ignored.

 * Fixed a bug where the stack resource limit could be set to a
   value smaller than that of the invoking user and not be reset
   before the command was run.  Bug #1017.

Major changes between sudo 1.9.9b3 and 1.9.9b2:

 * When sudo is run in non-interactive mode (with the -n option), it
   will now attempt PAM authentication and only exit with an error
   if user interaction is required.  This allows PAM modules that
   don't interact with the user to succeed.  Previously, sudo
   would not attempt authentication if the -n option was specified.
   Bug #956 and GitHub issue #83.

 * Removed a workaround for old PAM modules that misbehaved when
   PAM_TTY is not set.  This was primarily obsolete versions
   of Linux-PAM, so it should now be safe to remove this.
   GitHub issue #84.

 * Better support for merging Defaults and UserSpecs in cvtsudoers
   when a host is specified along with the sudoers source.

 * Backed out the changes to enabled SELinux RBAC by default, it
   is likely to cause problems.  The existing SELinux behavior has
   been in place for well over a decade.

 * Updated translations from https://translationproject.org.

Major changes between sudo 1.9.9b2 and 1.9.9b1:

 * Sudo was parsing but not applying the "deref" and "tls_reqcert"
   ldap.conf settings.  This meant the options were effectively
   ignored which broke dereferencing of aliases in LDAP.  Bug #1013.

 * Clarified in the sudo man page that the security policy may
   override the user's PATH environment variable.  Bug #1014.

 * Silenced CodeQL "Multiplication result converted to larger type"
   warnings.

 * Fixed a potential TOCTOU issue in sudo_mkdir_parents() when
   creating the final directory component.  This is not a problem
   in practice since the directory is root-owned.

 * Updated translations from https://translationproject.org.

Major changes between sudo 1.9.9 and 1.9.8p2:

 * Sudo can now be built with OpenSSL 3.0 without generating warnings
   about deprecated OpenSSL APIs.

 * A digest can now be specified along with the "ALL" command in
   the LDAP and SSSD back-ends.  Sudo 1.9.0 introduced support for
   this in the sudoers file but did not include corresponding changes
   for the other back-ends.

 * visudo now only warns about an undefined alias or a cycle in an
   alias once for each alias.

 * The sudoRole cn was truncated by a single character in warning messages.
   GitHub issue #115.

 * The cvtsudoers utility has new --group-file and --passwd-file options
   to use a custom passwd or group file when the --match-local option is
   also used.

 * The cvtsudoers utility can now filter or match based on a command.

 * The cvtsudoers utility can now produce output in csv (comma-separated
   value) format.  This can be used to help generate entitlement reports.

 * Fixed a bug in sudo_logsrvd that could result in the connection being
   dropped for very long command lines.

 * Fixed a bug where sudo_logsrvd would not accept a restore point
   of zero.

 * Fixed a bug in visudo where the value of the "editor" setting was not
   used if it did not match the user's EDITOR environment variable.
   This was only a problem if the "env_editor" setting was not enabled.
   Bug #1000.

 * Sudo now builds with the -fcf-protection compiler option and the
   "-z now" linker option if supported.

 * The output of "sudoreplay -l" now more closely matches the
   traditional sudo log format.

 * The sudo_sendlog utility will now use the full contents of the log.json
   file, if present.  This makes it possible to send sudo-format I/O logs
   that use the newer log.json format to sudo_logsrvd without losing any
   information.

 * Fixed compilation of the arc4random_buf() replacement on systems with
   arc4random() but no arc4random_buf().  Bug #1008.

 * Sudo now uses its own getentropy() by default on Linux.  The GNU libc
   version of getentropy() will fail on older kernels that don't support
   the getrandom() system call.

 * It is now possible to build sudo with WolfSSL's OpenSSL compatibility
   layer by using the --enable-wolfssl configure option.

 * Fixed a bug related to Daylight Saving Time when parsing timestamps
   in Generalized Time format.  This affected the NOTBEFORE and
   NOTAFTER options in sudoers.  Bug #1006

 * On systems where SELinux is enabled and sudo is built with SELinux
   support, if the user's role is not "unconfined_r" sudo will always
   execute commands via the "sesh" helper program.  Previously, commands
   were only executed via "sesh" if a role was specified in the sudoers
   file rule or by the user on the command line.

 * Added the -O and -P options to visudo, which can be used to check
   or set the owner and permissions.  This can be used in conjunction
   with the -c option to check that the sudoers file ownership and
   permissions are correct.  Bug #1007.

 * It is now possible to set resource limits in the sudoers file itself.
   The special values "default" and "user" refer to the default system
   limit and invoking user limit respectively.  The core dump size limit
   is now set to 0 by default unless overridden by the sudoers file.

 * The cvtsudoers utility can now merge multiple sudoers sources into
   a single, combined sudoers file.  If there are conflicting entries,
   cvtsudoers will attempt to resolve them but manual intervention
   may be required.  The merging of sudoers rules is currently fairly
   simplistic but will be improved in a future release.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://www.sudo.ws/pipermail/sudo-workers/attachments/20220118/5f415556/attachment.bin>

More information about the sudo-workers mailing list