Major changes since Sudo 1.6.9p7:
o Fixed a bug where a sudoers entry with no runas user specified
was treated differently from a line with the default runas user
explicitly specified.
pkgsrc change: added DESTDIR support.
Major changes since Sudo 1.6.9p6:
o Reverted back to to using TCSAFLUSH instead of TCSADRAIN when
turning off echo during password reading.
o Fixed a configure bug that was preventing the addition of -lutil for
login.conf support on FreeBSD and NetBSD.
o Added a configure check for struct in6_addr since some systems
define AF_INET6 but have no real IPv6 support.
Major changes since Sudo 1.6.9p5:
o Worked around bugs in the session support of some PAM implementations.
The full tty path is now passed to PAM as well.
o Sudo now only prints the password prompt if the process is in the
foreground.
o inttypes.h is now included when appropriate if it is present.
o Simplified alias allocation in the parser.
617) Fixed a bug in the IP address matching introduced by the IPV6 merge.
618) For "visudo -f file" we now use the permissions of the original file
and not the hard-coded sudoers owner/group/mode. This makes
it possible to use visudo with a revision control system.
619) Fixed sudoedit when used on a non-existent file.
620) Regenerated configure using autoconf 2.6.1 and libtool 1.5.24.
621) Groups and netgroups are now valid in an LDAP sudoRunas statement.
pkgsrc change:
Make these options mutual exclusive: kerberos pam skey.
(Really, combinations of kerberos and pam, pam and skey are conflicts.)
CHANGES:
609) Worked around a bug ins some PAM implementations that caused a crash
when no tty was present.
610) Fixed a crash on some platforms in the error logging function.
611) Documentation improvements.
Sudo 1.6.9p1 released.
612) Fixed updating of the saved environment when the environ pointer
gets changed out from underneath us.
Sudo 1.6.9p2 released.
613) Fixed a bug related to supplemental group matching introduced
in 1.6.9.
Sudo 1.6.9p3 released.
614) Added IPv6 support from YOSHIFUJI Hideaki.
615) Fixed sudo_noexec installation path.
616) Fixed a K&R compilation error.
Sudo 1.6.9p4 released.
(in fact, it's not clear that there is a good way to do so). The resulting
configuration works fine *except* if it encounters a host that has 3DES
but no DES service keys in its keytab.
Fix this by explicitly passing 0 ("default enctype") to Kerberos.
install script. The latter are special install-sh script options that
check whether the invoking user is the root user or not, which is
completely unnecessary.
cleanse environment of variables that alter behavior of Kerberos library
so the user can't override the default keytab location, and do *not*
ignore missing keytab errors. Prevents root compromise via spoofed KDC
on systems with Kerberos libraries but no host key in keytab, no keytab,
or keytab overidden via environment.
Don't insist that the keytab key be DES -- some Kerberos sites are 3DES/AES
only.
Somewhat less invasive than the fix Todd incorporated into the 1.6.9 branch
of sudo (presently beta) but equivalent (though not as clean).
long. PR#32378 by Stefan Krüger.
Changes:
Added PS4 and SHELLOPTS to the list of variables to remove from
the environment. (Already in pkgsrc)
Added JAVA_TOOL_OPTIONS to the list of variables to remove from
the environment.
Added PERLLIB, PERL5LIB and PERL5OPT to the list of variables to
remove from the environment. (Already in pkgsrc)
1.6.8p7 include:
562) Fixed noexec functionality on Linux.
564) Fixed a bug that prevented Heimdal authentication from working.
566) A sudoers entry with sudo ALL no longer overwrites the value of
safe_cmnd. This fixes the privilege escalation vulnerability
noted in http://www.courtesan.com/sudo/alerts/path_race.html
Changes:
557) Added a set of missing braces needed for MacOS X / Darwin.
558) Define LDAP_OPT_SUCCESS for those without it.
559) Warn if the user tries to use the -u option when not running a command.
560) Better PAM error handling and messages.
561) Fixed setting of $USER when env_reset is enabled.
Changes:
o Added a configure check for systems with a 2-argument version of
timespecsub (like BSD/OS).
o Added stub struct defintions to sudo.h to quiet compiler warnings
on some systems.
o In sudoers Defaults lines, tuples like "lecture" may now be used
without a value, restoring their old boolean-like nature.
o Invalid values for a tuple are now handled correctly.
Just as for pl2, changes are about environment sanitizing, meaning there
are possible security issues with current versions.
Changes:
550) The CDPATH variable is now stripped from the environment passed
to the program to be executed.
551) Fix temp file generation on systems where the _PATH_VARTMP macro
lacks a trailing slash.
552) The KRB5CCNAME environment variable is preserved during sudo
execution for password lookups that use GSSAPI.
bash-as-sh (and people allowing bash scripts to be run through sudo). The
user could override commands by functions of her own.
ChangeLog:
549) Bash exported functions and the CDPATH variable are now stripped from
the environment passed to the program to be executed.
at:
http://www.sudo.ws/sudo/alerts/sudoedit.html
Major changes since Sudo 1.6.8:
o Sudoedit now re-opens the temp file as the invoking user
and will only open regular files.
o Better detection of unchanged files in sudoedit.
o The path to ldap.conf is now configurable.
o Added SSL tls_* certificate checking options when using LDAP.
o The sample pam config file has been updated.
adds two new options, ldap and pam.
Changes:
* Sudo now supports storing sudoers info in LDAP (optionally using TLS).
* There is a new -e option to edit files the with uid of the invoking
user. This makes it possible to give users to ability to safely edit
files without the possibility of editing other files or running commands
as the target user. If sudo is run as "sudoedit" the -e flag is implied.
* A new tag, NOEXEC, will prevent a dynamically-linked program being run
by sudo from executing another program (think shell escapes). Because
this uses LD_PRELOAD it has no effect on static binaries.
* A uid specified in sudoers now matches the user specified by the -u flag
even if the -u flag specified a name, not a uid.
* Added a -i option to simulate an initial login similar to "su -".
* If sudo is used to run as root shell, further sudo commands will be logged
as run by the user specified by the SUDO_USER environment variable. In -e
mode (sudoedit), SUDO_USER is used to determine what user to run the editor
when the real uid is 0.
* The sudoers file is now parsed as the runas user in all cases instead of
root. This fixes some issues with running NFS-mounted commands.
* If the target user == invoking user a password is no longer required.
* Sudo now produces a sensible error message when the targetpw Defaults option
is set and a non-existent uid is specified via the -u option.
* A negated user/uid in a runas list is now treated the same as a negated
command and overrides a previously allowed entry.
* PAM support now uses Use pam_acct_mgmt() to check for disabled accounts.
* Added a check in visudo for runas_default being used before it was set.
* Fixed several issues when closing all open descriptors. Sudo now uses
closefrom() if it exists, otherwise it uses /proc/$$/fd if that exists
with a fallback of closing all possible descriptors.
* Quoting globbing characters with a backslash now works as documented.
* Fixed a problem on FreeBSD (and perhaps others) when the user is only
listed in NIS (not master.passwd) and netgroups are used in the
master.passwd file.
* The username in a log entry is no longer truncated at 8 characters.
* Added a "sudo_lecture" option that can point to a file containing a
custom lecture.
* The timeout for password reading is now done via alarm(), not select().
* /tmp/.odus is no longer used for timestamps by default.
* Sudo now works on the nsr-tandem-nsk platform.
* Fixed the --with-stow configure option.
* TIS fwtk authentication now supports fwtk 2.0 and higher.
* Added Stan Lee / Uncle Ben quote to the lecture from RedHat.
* Added the --with-pc-insults configure to replace politically incorrect
insults with other ones.
509) Fixed a typo that caused a compilation error on Heimdal.
510) Darwin (MacOS X) doesn't have a real setreuid() system call.
511) Fixed a problem with large numbers of environment variables.
Changes since Sudo 1.6.7p1:
o Fixed an unterminated comment that broke Kerberos V authentication.
o The krb5-config script is now used to determine Kerberos V
CPPFLAGS and LDFLAGS/LIBS if it exists.
o Backed out changes to mkinstalldirs from autoconf 2.57 that
caused problems on Tru64 Unix.
478) Wildcards now work correctly in the env_keep Defaults directive.
479) Added support for non-root timestamp dirs. This allows the timestamp
dir to be shared via NFS (though this is not recommended).
480) Removed double printing of bad environment variable table in -V mode.
481) configure script has been regenerated with autoconf 2.5.7.
This required some changes to configure.in.
482) Fixed a compilation problem on SunOS; thanks to Alek O. Komarnitsky.
483) SecurID 5.0 API support from Michael Stroucken.
484) Restore state of signal handlers to what we had upon startup.
Fixes a problem when using sudo with nohup; thanks to Paul Markham.
485) Revamp set_perms() to use setresuid() or setreuid() when available
in preference to POSIX stuff since they allow us to properly
implement "stay_setuid" whereas POSIX does not really.
486) In strict mode sudo did not throw an error for undefined User_Aliases.
487) Fixed a Makefile bug on IRIX.
488) Write the prompt *after* turning off echo to avoid some password
characters being echoed on heavily-loaded machines with fast typists.
489) Added %U and %H escapes in the prompt and fixed treatment of %%.
490) Visudo will now add a final newline to sudoers if the user's editor
not add one before EOF.
491) The lexer state is now reset to its initial value on EOF.
Previously, the state was not reset between parser invocations
which could cause problems for visudo in rare cases.
492) Added support for Defaults that apply based on the RunasUser.
493) Sudo now includes copies of strlc{at,py} and uses them throughout.
494) Sudo is now careful to avoid interger overflow when allocating
memory. This is one of those "should not happen" situations.
495) Added a configure option (--with-stow) to make sudo compatible
with GNU stow.
496) auth/kerb5.c now compiles under Heimdal.
497) The volatile prefix is used in the hopes of preventing compilers
from optimizing away memory zeroing. Unfortunately, this results
in some warnings from gcc.
498) Better Kerberos IV/V support in the configure script.
499) Fixed a logic thinko in the SIGCHLD handler that caused problems
with rlogin on HP-UX.
500) configure now adds -R to LDFLAGS when it adds -L for Solaris and
SVR4. There is a configure option, --with-rpath, to control this.
501) On AIX, configure will pass extra directory paths to the linker
via the -blibpath ld option. This is only active when additional
library paths are used. It may be disabled via the
--without-blibpath configure option.
502) The --with-skey and --with-opie configure options now take
an optional directory argument that should have an include and
lib dir for the skey/opie include file and library respectively.
503) Fixed false positives in the overflow detection of expand_prompt().
469) Older versions of BSDi have getifaddrs() but no freeifaddrs().
470) BSDi has a fake setreuid() as do certain versions of FreeBSD and NetBSD.
471) Ignore the return value of pam_setcred(). In Linux-PAM 0.75,
pam_setcred() will return PAM_PERM_DENIED even if the setcred function
of the module succeeds when pam_authenticate() has not been called.
472) Avoid giving PAM a NULL password response, use the empty string instead.
This avoids a log warning when the user hits ^C at the password prompt
when Linux-PAM is in use. This also prevents older versions of
Linux-PAM from dereferencing the NULL pointer.
473) The user's password was not zeroed after use when AIX authentication,
BSD authentication, FWTK or PAM was in use.
Sudo 1.6.5p2 released.
467) Visudo could access memory that was already freed.
468) If the skey.access file denied use of plaintext passwords sudo
would exit instead of allowing the user to enter an S/Key.
Sudo 1.6.5p1 released.
Added --disable-root-mailer to CONFIGURE_ARGS better security.
Changes from 1.6.3p7 to 1.6.5 is attached bellow.
417) Visudo now checks for the existence of an editor and gives a sensible
error if it does not exist.
418) The path to the editor for visudo is now a colon-separated list of
allowable editors. If the user has $EDITOR set and it matches
one of the allowed editors that editor will be used. If not,
the first editor that actually exists is used.
419) Visudo now does its own fork/exec instead of calling system(3).
420) Allow special characters (including '#') to be embedded in pathnames
if quoted by a '\\'. The quoted chars will be dealt with by fnmatch().
Unfortunately, 'sudo -l' still prints the '\\'.
421) Added the always_set_home option.
422) Strip NLSPATH and PATH_LOCALE out from the environment to prevent
reading of protected files by a less privileged user.
423) Added support for BSD authentication and associated -a flag.
424) Added check for _innetgr(3) since NCR systems have this instead
of innetgr(3).
425) Added stay_setuid option for systems that have libraries that perform
extra paranoia checks in system libraries for setuid programs.
426) Environment munging is now done by hand. The environment is zeroed
upon sudo startup and a new environment is built before the command
is executed. This means we don't rely on getenv(3), putenv(3),
or setenv(3).
427) Added a class of environment variables that are only cleared if they
contain '/' or '%' characters.
428) Use stashed user_gid when checking against exempt gid since sudo
sets its gid to SUDOERS_GID, making getgid() return that, not the
real gid. Fixes problem with setting exempt group == SUDOERS_GID.
Fix from Paul Kranenburg.
429) Fixed file locking in visudo on NeXT which has a broken lockf().
Patch from twetzel@gwdg.de.
430) Regenerated configure script with autoconf-2.52 (required some
tweaking of configure.in and friends).
431) Added mail_badpass option to send mail when the user does not
authenticate successfully.
432) Added env_reset Defaults option to reset the environment to
a clean slate. Also implemented env_keep Defaults option
to specify variables to be preserved when resetting the
environment.
433) Added env_check and env_delete Defaults options to allow the admin
to modify the builtin list of environment variables to remove.
434) If timestamp_timeout < 0 then the timestamp never expires. This
allows users to manage their own timestamps and create or delete
them via 'sudo -v' and 'sudo -k' respectively.
435) Authentication routines that use sudo's tgetpass() now accept
^C or ^Z at the password prompt and sudo will act appropriately.
436) Added a check-only mode to visudo to check an existing sudoers
file for sanity.
437) Visudo can now edit an alternate sudoers file.
438) If sudo is configured with S/Key support and the system has
skeyaccess(3) use that to determine whether or not to allow
a normal Unix password or just S/Key.
439) Fixed CIDR handling in sudoers.
440) Fixed a segv if the local hostname is not resolvable and
the 'fqdn' option is set.
441) "listpw=never" was not having an effect for users who did not
appear in sudoers--now it does.
442) The --without-sendmail option now works on systems with
a /usr/include/paths.h file that defines _PATH_SENDMAIL.
443) Removed the "secure_path" Defaults option as it does not work and
cannot work until the parser is overhauled.
444) Added new -P flag and "preserve_groups" sudoers option to cause
sudo to preserve the group vector instead of setting it to that
of the target user. Previously, if the target user was root
the group vector was not changed. Now it is always changed unless
the -P flag or "preserve_groups" option was given.
445) If find_path() fails as root, try again as the invoking user (useful
for NFS). Idea from Chip Capelik.
446) Use setpwent()/endpwent() and its shadow equivalents to be sure
the passwd/shadow file gets closed.
447) Use getifaddrs(3) to get the list of network interfaces if it is
available.
448) Dump list of local IP addresses and environment variables to clear
when 'sudo -V' is run as root.
449) Reorganized the lexer a bit and added more states. Sudo now does a
better job of parsing command arguments in the sudoers file.
450) Wrap each call to syslog() with openlog()/closelog() since some
things (such as PAM) may call closelog(3) behind sudo's back.
451) The LOGNAME and USER environment variables are now set if the user
specified a target uid and that uid exists in the password database.
452) configure will no longer add the -g flag to CFLAGS by default.
453) Now call pam_setcreds() to setup creds for the target user when
PAM is in use. On Linux this often sets resource limits.
454) If "make install" is run by non-root and the destination dir
is writable, install things normally but don't set owner and mode.
455) The Makefile now supports installing in a shadow hierarchy
specified via the DESTDIR variable.
456) config.h.in is now generated by autoheader.
Sudo 1.6.4 released.
457) Move the call to rebuild_env() until after MODE_RESET_HOME is set.
Otherwise, the set_home option has no effect.
458) Fix use of freed memory when the "fqdn" flag is set. This was
introduced by the fix for the "segv when gethostbynam() fails" bug.
459) Add 'continue' statements to optimize the switch statement.
From Solar Designer.
Sudo 1.6.4p1 released.
460) Some special characters were not being escaped properly (e..g '\,')
in command line arguments and would cause a syntax error instead.
461) "sudo -l" would not work if the always_set_home option was set.
462) Added a configure option to disable use of POSIX saved IDs for
operating systems where these are broken.
463) The SHELL environment variable was preserved from the user's environment
instead of being reset based on the passwd database even when the
"env_reset" option was set.
Sudo 1.6.4p2 released.
464) Added a configure option to cause mail sent by sudo to be run as
the invoking user instead of root. Some people consider this to
be safer.
465) If the mailer is being run as root, use a hard-coded environment
that is not influenced in any way by the invoking user's environment.
466) Fixed the call to skeyaccess(). Patch from Phillip E. Lobbes.
Sudo 1.6.5 released.
