sudo

Utility to execute a command as another user

OTHER License

Stars
1.1K
Committers
54

sudo - Sudo 1.9.2

Published by millert about 4 years ago

  • Fixed package builds on RedHat Enterprise Linux 8.

  • The configure script now uses pkg-config to find the openssl cflags and libs where possible.

  • The contents of the log.json I/O log file are now documented in the sudoers manual.

  • The sudoers plugin now properly exports the sudoers_audit symbol on systems where the compiler lacks symbol visibility controls. This caused a regression in 1.9.1 where a successful sudo command was not logged due to the missing audit plugin. Bug #931.

  • Fixed a regression introduced in 1.9.1 that can result in a crash when there is a syntax error in the sudoers file. Bug #934.

sudo - Sudo 1.9.1

Published by millert over 4 years ago

  • Fixed an AIX-specific problem when I/O logging was enabled. The terminal device was not being properly set to raw mode. Bug #927.

  • Corrected handling of sudo_logsrvd connections without associated I/O log data. This fixes support for RejectMessage as well as AcceptMessage when the expect_iobufs flag is not set.

  • Added an iolog_path entry to the JSON-format event log produced by sudo_logsrvd. Previously, it was only possible to determine the I/O log file an event belonged to using sudo-format logs.

  • Fixed the bundle IDs for sudo-logsrvd and sudo-python macOS packages.

  • I/O log files produced by the sudoers plugin now clear the write bits on the I/O log timing file when the log is complete. This is consistent with how sudo_logsrvd indicates that a log is complete.

  • The sudoreplay utility has a new -F (follow) command line option to allow replaying a session that is still in progress, similar to tail -f.

  • The @include and @includedir directives can be used in sudoers instead of #include and #includedir. In addition, include paths may now have embedded white space by either using a double-quoted string or escaping the space characters with a backslash.

  • Fixed some Solaris 11.4 compilation errors.

  • When running a command in a pty, sudo will no longer try to suspend itself if the user's tty has been revoked (for instance when the parent ssh daemon is killed). This fixes a bug where sudo would continuously suspend the command (which would succeed), then suspend itself (which would fail due to the missing tty) and then resume the command.

  • If sudo's event loop fails due to the tty being revoked, remove the user's tty events and restart the event loop (once). This fixes a problem when running sudo reboot in a pty on some systems. When the event loop exited unexpectedly, sudo would kill the command running in the pty, which in the case of reboot, could lead to the system being in a half-rebooted state.

  • Fixed a regression introduced in sudo 1.8.23 in the LDAP and SSSD back-ends where a missing sudoHost attribute was treated as an ALL wildcard value. A sudoRole with no sudoHost attribute is now ignored as it was prior to version 1.8.23.

  • The audit plugin API has been changed slightly. The sudo front-end now audits an accept event itself after all approval plugins are run and the I/O logging plugins (if any) are opened. This makes it possible for an audit plugin to only log a single overall accept event if desired.

  • The sudoers plugin can now be loaded as an audit plugin. Logging of successful commands is now performed in the audit plugin's accept function. As a result, commands are now only logged if allowed by sudoers and all approval plugins. Commands rejected by an approval plugin are now also logged by the sudoers plugin.

  • Romanian translation for sudo and sudoers from translationproject.org.

  • Fixed a regression introduced in sudo 1.9.0 where sudoedit did not remove its temporary files after installing them. Bug #929.

  • Fixed a regression introduced in sudo 1.9.0 where the iolog_file setting in sudoers and sudo_logsrvd.conf caused an error if the file name ended in six or more X's.

sudo - Sudo 1.8.31p2

Published by millert over 4 years ago

  • Sudo command line options that take a value may only be specified once. This is to help guard against problems caused by poorly written scripts that invoke sudo with user-controlled input. Bug #924.

  • When running a command in a pty, sudo will no longer try to suspend itself if the user's tty has been revoked (for instance when the parent ssh daemon is killed). This fixes a bug where sudo would continuously suspend the command (which would succeed), then suspend itself (which would fail due to the missing tty) and then resume the command.

  • If sudo's event loop fails due to the tty being revoked, remove the user's tty events and restart the event loop (once). This fixes a problem when running sudo reboot in a pty on some systems. When the event loop exited unexpectedly, sudo would kill the command running in the pty, which in the case of reboot, could lead to the system being in a half-rebooted state.

  • Fixed a regression introduced in sudo 1.8.23 in the LDAP and SSSD back-ends where a missing sudoHost attribute was treated as an ALL wildcard value. A sudoRole with no sudoHost attribute is now ignored as it was prior to version 1.8.23.
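An added example (not part of the release notes or of sudo's own code): a Python audit that lists the sudoRole entries in an LDIF export that have no sudoHost attribute, which are the entries whose meaning changed across the versions named above. The sample LDIF and its DNs are constructed; `cn=defaults` is skipped because that entry holds global options rather than a rule.

```python
import base64

# Constructed LDIF export (not from the page); DNs and values are made up.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: env_reset

dn: cn=web-admins,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: web-admins
sudoUser: %webadm
sudoHost: web01.example.com
sudoCommand: /usr/bin/systemctl restart nginx

# folded DN below: a leading space continues the previous line
dn: cn=backup-ops,ou=SUDOers,dc=example,
 dc=com
objectClass: sudoRole
cn: backup-ops
sudoUser: backup
sudoCommand: ALL
"""

def parse_ldif(text):
    """Yield each LDIF entry as {lowercased attribute name: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
                entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)

def roles_missing_sudohost(text):
    """Return the DNs of sudoRole entries that carry no sudoHost attribute."""
    missing = []
    for entry in parse_ldif(text):
        classes = {v.lower() for v in entry.get("objectclass", [])}
        if "sudorole" not in classes:
            continue
        if any(cn.lower() == "defaults" for cn in entry.get("cn", [])):
            continue                      # global options entry, not a rule
        if not entry.get("sudohost"):
            missing.append(entry.get("dn", ["<no dn>"])[0])
    return missing

if __name__ == "__main__":
    for dn in roles_missing_sudohost(SAMPLE_LDIF):
        print("sudoRole without sudoHost:", dn)
```
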

sudo - Sudo 1.9.0

Published by millert over 4 years ago

  • Fixed a test failure in the strsig_test regress test on FreeBSD.

  • Sudo now includes a logging daemon, sudo_logsrvd, which can be used to implement centralized logging of I/O logs. TLS connections are supported when sudo is configured with the --enable-openssl option. For more information, see the sudo_logsrvd, logsrvd.conf and sudo_logsrv.proto manuals as well as the log_servers setting in the sudoers manual.

    The --disable-log-server and --disable-log-client configure options can be used to disable building the I/O log server and/or remote I/O log support in the sudoers plugin.

  • The new sudo_sendlog utility can be used to test sudo_logsrvd or send existing sudo I/O logs to a centralized server.

  • It is now possible to write sudo plugins in Python 3 when sudo is configured with the --enable-python option. See the sudo_plugin_python manual for details.

    Sudo 1.9.0 comes with several Python example plugins that get installed in sudo's examples directory.

    The sudo blog article What's new in sudo 1.9: Python includes a simple tutorial on writing python plugins.

  • Sudo now supports an audit plugin type. An audit plugin receives accept, reject, exit and error messages and can be used to implement custom logging that is independent of the underlying security policy. Multiple audit plugins may be specified in the sudo.conf file. A sample audit plugin is included that writes logs in JSON format.

  • Sudo now supports an approval plugin type. An approval plugin is run only after the main security policy (such as sudoers) accepts a command to be run. The approval policy may perform additional checks, potentially interacting with the user. Multiple approval plugins may be specified in the sudo.conf file. Only if all approval plugins succeed will the command be allowed.

  • Sudo's -S command line option now causes the sudo conversation function to write to the standard output or standard error instead of the terminal device.

  • It is now possible to use Cmd_Alias instead of Cmnd_Alias for people who find the former more natural.

  • The new pam_ruser and pam_rhost sudoers settings can be used to enable or disable setting the PAM remote user and/or host values during PAM session setup.

  • More than one SHA-2 digest may now be specified for a single command. Multiple digests must be separated by a comma.

  • It is now possible to specify a SHA-2 digest in conjunction with the ALL reserved word in a command specification. This allows one to give permission to run any command that matches the specified digest, regardless of its path.

  • sudo and sudo_logsrvd now create an extended I/O log info file in JSON format that contains additional information about the command that was run, such as the host name. The sudoreplay utility uses this file in preference to the legacy log file.

  • The sudoreplay utility can now match on a host name in list mode. The list output also now includes the host name if one is present in the log file.

  • For sudo -i, if the target user's home directory does not exist, sudo will now warn about the problem but run the command in the current working directory. Previously, this was a fatal error. Debian bug #598519.

  • The command line arguments in the SUDO_COMMAND environment variable are now truncated at 4096 characters. This avoids an "Argument list too long" error when executing a command with a large number of arguments. Bug #923 (Debian bug #596631).

  • Sudo now properly ends the PAM transaction when the user authenticates successfully but sudoers denies the command. Debian bug #669687.

  • The sudoers grammar in the manual now indicates that "sudoedit" requires one or more arguments. Debian bug #571621.

  • When copying the edited files to the original path, sudoedit now allocates any additional space needed before writing. Previously, it could truncate the destination file if the file system was full. Bug #922.

  • Fixed an issue where PAM session modules could be called with the wrong user name when multiple users in the passwd database share the same user-ID. Debian bug #734752.

  • Sudo command line options that take a value may only be specified once. This is to help guard against problems caused by poorly written scripts that invoke sudo with user-controlled input. Bug #924.

sudo - Sudo 1.8.31p1

Published by millert over 4 years ago

  • Sudo once again ignores a failure to restore the RLIMIT_CORE resource limit, as it did prior to version 1.8.29. Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY if we set the limit to zero, even for root, which resulted in a warning from sudo.

sudo - Sudo 1.8.31

Published by millert over 4 years ago

  • Fixed CVE-2019-18634, a buffer overflow when the pwfeedback sudoers option is enabled on systems with uni-directional pipes.

  • The sudoedit_checkdir option now treats a user-owned directory as writable, even if it does not have the write bit set at the time of check. Symbolic links will no longer be followed by sudoedit in any user-owned directory. Bug #912.

  • Fixed sudoedit on macOS 10.15 and above where the root file system is mounted read-only. Bug #913.

  • Fixed a crash introduced in sudo 1.8.30 when suspending sudo at the password prompt. Bug #914.

  • Fixed compilation on systems where the mmap MAP_ANON flag is not available. Bug #915.

sudo - Sudo 1.8.30

Published by millert almost 5 years ago

  • Fixed a warning on macOS introduced in sudo 1.8.29 when sudo attempts to set the open file limit to unlimited. Bug #904.

  • Sudo now closes file descriptors before changing uids. This prevents a non-root process from interfering with sudo's ability to close file descriptors on systems that support the prlimit(2) system call.

  • Sudo now treats an attempt to run sudo sudoedit as simply sudoedit. If the sudoers file contains a fully-qualified path to sudoedit, sudo will now treat it simply as sudoedit (with no path). Visudo will now treat a fully-qualified path to sudoedit as an error. Bug #871.

  • Fixed a bug introduced in sudo 1.8.28 where sudo would warn about a missing /etc/environment file on AIX and Linux when PAM is not enabled. Bug #907.

  • Fixed a bug on Linux introduced in sudo 1.8.29 that prevented the askpass program from running due to an unlimited stack size resource limit. Bug #908.

  • If a group provider plugin has optional arguments, the argument list passed to the plugin is now NULL terminated as per the documentation.

  • The user's time stamp file is now only updated if both authentication and approval phases succeed. This is consistent with the behavior of sudo prior to version 1.8.23. Bug #910.

  • The new allow_unknown_runas_id sudoers setting can be used to enable or disable the use of unknown user or group IDs. Previously, sudo would always allow unknown user or group IDs if the sudoers entry permitted it, including via the ALL alias. As of sudo 1.8.30, the admin must explicitly enable support for unknown IDs.

  • The new runas_check_shell sudoers setting can be used to require that the runas user have a shell listed in the /etc/shells file. On many systems, users such as bin, do not have a valid shell and this flag can be used to prevent commands from being run as those users.

  • Fixed a problem restoring the SELinux tty context during reboot if mctransd is killed before sudo finishes. GitHub Issue #17.

  • Fixed an intermittent warning on NetBSD when sudo restores the initial stack size limit.

sudo - Sudo 1.8.29

Published by millert almost 5 years ago

  • The cvtsudoers command will now reject non-LDIF input when converting from LDIF format to sudoers or JSON formats.

  • The new log_allowed and log_denied sudoers settings make it possible to disable logging and auditing of allowed and/or denied commands.

  • The umask is now handled differently on systems with PAM or login.conf. If the umask is explicitly set in sudoers, that value is used regardless of what PAM or login.conf may specify. However, if the umask is not explicitly set in sudoers, PAM or login.conf may now override the default sudoers umask. Bug #900.

  • For make install, the sudoers file is no longer checked for syntax errors when DESTDIR is set. The default sudoers file includes the contents of /etc/sudoers.d which may not be readable as non-root. Bug #902.

  • Sudo now sets most resource limits to their maximum value to avoid problems caused by insufficient resources, such as an inability to allocate memory or open files and pipes.

  • Fixed a regression introduced in sudo 1.8.28 where sudo would refuse to run if the parent process was not associated with a session. This was due to sudo passing a session ID of -1 to the plugin.

sudo - Sudo 1.8.28p1

Published by millert about 5 years ago

  • The fix for Bug #869 caused sudo -v to prompt for a password when verifypw is set to all (the default) and all of the user's sudoers entries are marked with NOPASSWD. Bug #901.

sudo - Sudo 1.8.28

Published by millert about 5 years ago

  • Sudo will now only set PAM_TTY to the empty string when no terminal is present on Solaris and Linux. This workaround is only needed on those systems which may have PAM modules that misbehave when PAM_TTY is not set.

  • The mailerflags sudoers option now has a default value even if sendmail support was disabled at configure time. Fixes a crash when the mailerpath sudoers option is set but mailerflags is not. Bug #878.

  • Sudo will now filter out last login messages on HP-UX unless a shell is being run via sudo -s or sudo -i. Otherwise, when trusted mode is enabled, these messages will be displayed for each command.

  • On AIX, when the user's password has expired and PAM is not in use, sudo will now allow the user to change their password. Bug #883.

  • Sudo has a new -B command line option that will ring the terminal bell when prompting for a password.

  • Sudo no longer refuses to prompt for a password when it cannot determine the user's terminal as long as it can open /dev/tty. This allows sudo to function on systems where /proc is unavailable, such as when running in a chroot environment.

  • The env_editor sudoers flag is now on by default. This makes source builds more consistent with the packages generated by sudo's mkpkg script.

  • Sudo no longer ships with pre-formatted copies of the manual pages. These were included for systems like IRIX that don't ship with an nroff utility. There are now multiple Open Source nroff replacements so this should no longer be an issue.

  • Fixed a bad interaction with configure's --prefix and --disable-shared options. Bug #886.

  • More verbose error message when a password is required and no terminal is present. Bug #828.

  • Command tags, such as NOPASSWD, are honored when a user tries to run a command that is allowed by sudoers but which does not actually exist on the file system. Bug #888.

  • Asturian translation for sudoers from translationproject.org.

  • I/O log timing files now store signal suspend and resume information in the form of a signal name instead of a number.

  • Fixed a bug introduced in 1.8.24 that prevented sudo from honoring the value of ipa_hostname from sssd.conf, if specified, when matching the host name.

  • Fixed a bug introduced in 1.8.21 that prevented the core dump resource limit set in the pam_limits module from taking effect. Bug #894.

  • Fixed parsing of double-quoted Defaults group and netgroup bindings.

  • The user ID is now used when matching sudoUser attributes in LDAP. Previously, the user name, group name and group IDs were used when matching but not the user ID.

  • Sudo now writes PAM messages to the user's terminal, if available, instead of the standard output or standard error. This prevents PAM output from being intermixed with that of the command when output is sent to a file or pipe. Bug #895.

  • Sudoedit now honors the umask and umask_override settings in sudoers. Previously, the user's umask was used as-is.

  • Fixed a bug where the terminal's file context was not restored when using SELinux RBAC. Bug #898.

  • Fixed CVE-2019-14287, a bug where a sudo user may be able to run a command as root when the Runas specification explicitly disallows root access as long as the ALL keyword is listed first.
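An added example (not part of the release notes or of sudo's own code): a Python audit that finds sudoers rules whose Runas user list has ALL listed before a negated root entry, the rule shape the CVE-2019-14287 fix concerns on sudo versions before 1.8.28. The sudoers fragment is constructed, and the parser is a simplification that assumes one Runas_Alias per line.

```python
import re

# Constructed sudoers fragment (not from the page); users and hosts are made up.
SAMPLE_SUDOERS = """\
# operators may run the editor as anyone except root
alice   dbhost = (ALL, !root) /usr/bin/vi
Runas_Alias NOTROOT = ALL, !#0
bob     ALL = (NOTROOT : staff) NOPASSWD: \\
            /usr/bin/id
carol   ALL = (www-data) /usr/bin/systemctl reload nginx
dave    ALL = (ALL) ALL   # unrestricted by design
"""

COMMENT = re.compile(r"(?:^|(?<=\s))#(?!\d|include).*")  # keeps #0 and #include
RUNAS = re.compile(r"\(([^)]*)\)")
ALIAS = re.compile(r"^Runas_Alias\s+(\w+)\s*=\s*(.*)$")
ROOT_NAMES = {"root", "#0"}

def logical_lines(text):
    """Join backslash-continued lines, drop comments; yield (first line no, text)."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = no
        line = COMMENT.sub("", raw).rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf = ""

def split_list(s):
    return [item.strip() for item in s.split(",") if item.strip()]

def all_then_not_root(users, aliases):
    """True when ALL is listed before a negated root entry (!root or !#0)."""
    expanded = [x for u in users for x in aliases.get(u, [u])]
    seen_all = False
    for u in expanded:
        if u == "ALL":
            seen_all = True
        elif seen_all and u.startswith("!") and u[1:].strip() in ROOT_NAMES:
            return True
    return False

def find_risky_runas(text):
    """Return [(line number, rule)] for rules whose Runas list has that shape."""
    lines = list(logical_lines(text))
    aliases = {}
    for _, line in lines:  # first pass: collect Runas_Alias definitions
        m = ALIAS.match(line)
        if m:
            aliases[m.group(1)] = split_list(m.group(2))
    hits = []
    for no, line in lines:  # second pass: inspect each rule's (user : group) spec
        if line.startswith(("Defaults", "Runas_Alias")):
            continue
        for spec in RUNAS.findall(line):
            users = split_list(spec.split(":", 1)[0])
            if all_then_not_root(users, aliases):
                hits.append((no, line))
                break
    return hits

if __name__ == "__main__":
    for no, rule in find_risky_runas(SAMPLE_SUDOERS):
        print(f"line {no}: {rule}")
```
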

sudo - Sudo 1.8.25

Published by TylerReese about 5 years ago

  • Fixed a bug introduced in sudo 1.8.20 that broke formatting of
    I/O log timing file entries on systems without a C99-compatible
    snprintf() function. Our replacement snprintf() doesn't support
    floating point so we can't use the "%f" format directive.

  • I/O log timing file entries now use a monotonic timer and include
    nanosecond precision. A monotonic timer that does not increment
    while the system is sleeping is used where available.

  • Fixed a bug introduced in sudo 1.8.24 where sudoNotAfter in the LDAP
    backend was not being properly parsed. Bug #845.

  • When sudo runs a command in a pseudo-tty, the slave device is
    now closed in the main process immediately after starting the
    monitor process. This removes the need for an AIX-specific
    workaround that was added in sudo 1.8.24.

  • Added support for monotonic timers on HP-UX.

  • Fixed a bug displaying timeout values in the "sudo -V" output.
    The value displayed was 3600 times the actual value. Bug #846.

  • Fixed a build issue on AIX 7.1 BOS levels that include memset_s()
    and define rsize_t in string.h. Bug #847.

  • The testsudoers utility now supports querying an LDIF-format
    policy.

  • Sudo now sets the LOGIN environment variable to the same value as
    LOGNAME on AIX systems. Bug #848.

  • Fixed a regression introduced in sudo 1.8.24 where the LDAP and
    SSSD backends evaluated the rules in reverse sudoOrder. Bug #849.

sudo - Sudo 1.8.25p1

Published by TylerReese about 5 years ago

  • Fixed a bug introduced in sudo 1.8.25 that caused a crash on
    systems that have the poll() function but not the ppoll() function.
    Bug #851.

sudo - Sudo 1.8.26

Published by TylerReese about 5 years ago

  • Fixed a bug in cvtsudoers when converting to JSON format when
    alias expansion is enabled. Bug #853.

  • Sudo no longer sets the USERNAME environment variable when running
    commands. This is a non-standard environment variable that was
    set on some older Linux systems.

  • Sudo now treats the LOGNAME and USER environment variables (as
    well as the LOGIN variable on AIX) as a single unit. If one is
    preserved or removed from the environment using env_keep, env_check
    or env_delete, so is the other.

  • Added support for OpenLDAP's TLS_REQCERT setting in ldap.conf.

  • Sudo now logs when the command was suspended and resumed in the
    I/O logs. This information is used by sudoreplay to skip the
    time suspended when replaying the session unless the new -S flag
    is used.

  • Fixed documentation problems found by the igor utility. Bug #854.

  • Sudo now prints a warning message when there is an error or end
    of file while reading the password instead of exiting silently.

  • Fixed a bug in the sudoers LDAP back-end parsing the command_timeout,
    role, type, privs and limitprivs sudoOptions. This also affected
    cvtsudoers conversion from LDIF to sudoers or JSON.

  • Fixed a bug that prevented timeout settings in sudoers from
    functioning unless a timeout was also specified on the command
    line.

  • Asturian translation for sudo from translationproject.org.

  • When generating LDIF output, cvtsudoers can now be configured
    to pad the sudoOrder increment such that the start order is used
    as a prefix. Bug #856.

  • Fixed a bug introduced in sudo 1.8.25 that prevented sudo from
    properly setting the user's groups on AIX. Bug #857.

  • If the user specifies a group via sudo's -g option that matches
    any of the target user's groups, it is now allowed even if no
    groups are present in the Runas_Spec. Previously, it was only
    allowed if it matched the target user's primary group.

  • The sudoers LDAP back-end now supports negated sudoRunAsUser and
    sudoRunAsGroup entries.

  • Sudo now provides a proper error message when the "fqdn" sudoers
    option is set and it is unable to resolve the local host name.
    Bug #859.

  • Portuguese translation for sudo and sudoers from translationproject.org.

  • Sudo now includes sudoers LDAP schema for the on-line configuration
    supported by OpenLDAP.

sudo - Sudo 1.8.27

Published by TylerReese about 5 years ago

  • On HP-UX, sudo will now update the utmps file when running a command
    in a pseudo-tty. Previously, only the utmp and utmpx files were
    updated.

  • Nanosecond precision file time stamps are now supported in HP-UX.

  • Fixes and clarifications to the sudo plugin documentation.

  • The sudo manuals no longer require extensive post-processing to
    hide system-specific features. Conditionals in the roff source
    are now used instead. This fixes corruption of the sudo manual
    on systems without BSD login classes. Bug #861.

  • If an I/O logging plugin is configured but the plugin does not
    actually log any I/O, sudo will no longer force the command to
    be run in a pseudo-tty.

  • The fix for bug #843 in sudo 1.8.24 was incomplete. If the
    user's password was expired or needed to be updated, but no sudo
    password was required, the PAM handle was freed too early,
    resulting in a failure when processing PAM session modules.

  • In visudo, it is now possible to specify the path to sudoers
    without using the -f option. Bug #864.

  • Fixed a bug introduced in sudo 1.8.22 where the utmp (or utmpx)
    file would not be updated when a command was run in a pseudo-tty.
    Bug #865.

  • Sudo now sets the silent flag when opening the PAM session except
    when running a shell via "sudo -s" or "sudo -i". This prevents
    the pam_lastlog module from printing the last login information
    for each sudo command. Bug #867.

  • Fixed the default AIX hard resource limit for the maximum number
    of files a user may have open. If no hard limit for "nofiles"
    is explicitly set in /etc/security/limits, the default should
    be "unlimited". Previously, the default hard limit was 8196.