Bot releases are visible (Hide)
Published by millert about 4 years ago
Fixed package builds on RedHat Enterprise Linux 8.
The configure
script now uses pkg-config
to find the openssl cflags
and libs
where possible.
The contents of the log.json
I/O log file is now documented in the sudoers manual.
The sudoers plugin now properly exports the sudoers_audit
symbol on systems where the compiler lacks symbol visibility controls. This caused a regression in 1.9.1 where a successful sudo command was not logged due to the missing audit plugin. Bug #931.
Fixed a regression introduced in 1.9.1 that can result in crash when there is a syntax error in the sudoers file. Bug #934.
Published by millert over 4 years ago
Fixed an AIX-specific problem when I/O logging was enabled. The terminal device was not being properly set to raw mode. Bug #927.
Corrected handling of sudo_logsrvd
connections without associated I/O log data. This fixes support for RejectMessage as well as AcceptMessage when the expect_iobufs flag is not set.
Added an iolog_path entry to the JSON-format event log produced by sudo_logsrvd
. Previously, it was only possible to determine the I/O log file an event belonged to using sudo-format logs.
Fixed the bundle IDs for sudo-logsrvd
and sudo-python
macOS packages.
I/O log files produced by the sudoers plugin now clear the write bits on the I/O log timing file when the log is complete. This is consistent with how sudo_logsrvd
indicates that a log is complete.
The sudoreplay
utility has a new -F (follow) command line option to allow replaying a session that is still in progress, similar to tail -f
.
The @include
and @includedir
directives can be used in sudoers instead of #include
and #includedir
. In addition, include paths may now have embedded white space by either using a double-quoted string or escaping the space characters with a backslash.
Fixed some Solaris 11.4 compilation errors.
When running a command in a pty, sudo will no longer try to suspend itself if the user's tty has been revoked (for instance when the parent ssh daemon is killed). This fixes a bug where sudo would continuously suspend the command (which would succeed), then suspend itself (which would fail due to the missing tty) and then resume the command.
If sudo's event loop fails due to the tty being revoked, remove the user's tty events and restart the event loop (once). This fixes a problem when running sudo reboot
in a pty on some systems. When the event loop exited unexpectedly, sudo would kill the command running in the pty, which in the case of reboot
, could lead to the system being in a half-rebooted state.
Fixed a regression introduced in sudo 1.8.23 in the LDAP and SSSD back-ends where a missing sudoHost
attribute was treated as an ALL
wildcard value. A sudoRole
with no sudoHost
attribute is now ignored as it was prior to version 1.8.23.
The audit plugin API has been changed slightly. The sudo front-end now audits an accept event itself after all approval plugins are run and the I/O logging plugins (if any) are opened. This makes it possible for an audit plugin to only log a single overall accept event if desired.
The sudoers plugin can now be loaded as an audit plugin. Logging of successful commands is now performed in the audit plugin's accept function. As a result, commands are now only logged if allowed by sudoers and all approval plugins. Commands rejected by an approval plugin are now also logged by the sudoers plugin.
Romanian translation for sudo and sudoers from translationproject.org.
Fixed a regression introduced in sudo 1.9.0 where sudoedit
did not remove its temporary files after installing them. Bug #929.
Fixed a regression introduced in sudo 1.9.0 where the iolog_file setting in sudoers
and sudo_logsrvd.conf
caused an error if the file name ended in six or more X's.
Published by millert over 4 years ago
Sudo command line options that take a value may only be specified once. This is to help guard against problems caused by poorly written scripts that invoke sudo with user-controlled input. Bug #924.
When running a command in a pty, sudo will no longer try to suspend itself if the user's tty has been revoked (for instance when the parent ssh daemon is killed). This fixes a bug where sudo would continuously suspend the command (which would succeed), then suspend itself (which would fail due to the missing tty) and then resume the command.
If sudo's event loop fails due to the tty being revoked, remove the user's tty events and restart the event loop (once). This fixes a problem when running sudo reboot
in a pty on some systems. When the event loop exited unexpectedly, sudo would kill the command running in the pty, which in the case of reboot
, could lead to the system being in a half-rebooted state.
Fixed a regression introduced in sudo 1.8.23 in the LDAP and SSSD back-ends where a missing sudoHost
attribute was treated as an ALL
wildcard value. A sudoRole
with no sudoHost
attribute is now ignored as it was prior to version 1.8.23.
Published by millert over 4 years ago
Fixed a test failure in the strsig_test
regress test on FreeBSD.
Sudo now includes a logging daemon, sudo_logsrvd
, which can be used to implement centralized logging of I/O logs. TLS connections are supported when sudo is configured with the --enable-openssl
option. For more information, see the sudo_logsrvd, logsrvd.conf and sudo_logsrv.proto manuals as well as the log_servers
setting in the sudoers manual.
The --disable-log-server
and --disable-log-client
configure options can be used to disable building the I/O log server and/or remote I/O log support in the sudoers plugin.
The new sudo_sendlog
utility can be used to test sudo_logsrvd
or send existing sudo I/O logs to a centralized server.
It is now possible to write sudo plugins in Python 3 when sudo is configured with the --enable-python
option. See the sudo_plugin_python manual for details.
Sudo 1.9.0 comes with several Python example plugins that get installed sudo's examples directory.
The sudo blog article What's new in sudo 1.9: Python includes a simple tutorial on writing python plugins.
Sudo now supports an audit plugin type. An audit plugin receives accept, reject, exit and error messages and can be used to implement custom logging that is independent of the underlying security policy. Multiple audit plugins may be specified in the sudo.conf
file. A sample audit plugin is included that writes logs in JSON format.
Sudo now supports an approval plugin type. An approval plugin is run only after the main security policy (such as sudoers) accepts a command to be run. The approval policy may perform additional checks, potentially interacting with the user. Multiple approval plugins may be specified in the sudo.conf
file. Only if all approval plugins succeed will the command be allowed.
Sudo's -S
command line option now causes the sudo conversation function to write to the standard output or standard error instead of the terminal device.
It is now possible to use Cmd_Alias
instead of Cmnd_Alias
for people who find the former more natural.
The new pam_ruser
and pam_rhost
sudoers settings can be used to enable or disable setting the PAM remote user and/or host values during PAM session setup.
More than one SHA-2 digest may now be specified for a single command. Multiple digests must be separated by a comma.
It is now possible to specify a SHA-2 digest in conjunction with the ALL
reserved word in a command specification. This allows one to give permission to run any command that matches the specified digest, regardless of its path.
sudo
and sudo_logsrvd
now create an extended I/O log info file in JSON format that contains additional information about the command that was run, such as the host name. The sudoreplay
utility uses this file in preference to the legacy log file.
The sudoreplay
utility can now match on a host name in list mode. The list output also now includes the host name if one is present in the log file.
For sudo -i
, if the target user's home directory does not exist, sudo will now warn about the problem but run the command in the current working directory. Previously, this was a fatal error. Debian bug #598519.
The command line arguments in the SUDO_COMMAND environment variable are now truncated at 4096 characters. This avoids an "Argument list too long" error when executing a command with a large number of arguments. Bug #923 (Debian bug #596631).
Sudo now properly ends the PAM transaction when the user authenticates successfully but sudoers denies the command. Debian bug #669687.
The sudoers grammar in the manual now indicates that "sudoedit" requires one or more arguments. Debian bug #571621.
When copying the edited files to the original path, sudoedit now allocates any additional space needed before writing. Previously, it could truncate the destination file if the file system was full. Bug #922.
Fixed an issue where PAM session modules could be called with the wrong user name when multiple users in the passwd database share the the same user-ID. Debian bug #734752.
Sudo command line options that take a value may only be specified once. This is to help guard against problems caused by poorly written scripts that invoke sudo with user-controlled input. Bug #924.
Published by millert over 4 years ago
RLIMIT_CORE
resource limit, as it did prior to version 1.8.29. Linux containers don't allow RLIMIT_CORE
to be set back to RLIM_INFINITY
if we set the limit to zero, even for root, which resulted in a warning from sudo.Published by millert over 4 years ago
Fixed CVE-2019-18634, a buffer overflow when the pwfeedback sudoers option is enabled on systems with uni-directional pipes.
The sudoedit_checkdir option now treats a user-owned directory as writable, even if it does not have the write bit set at the time of check. Symbolic links will no longer be followed by sudoedit in any user-owned directory. Bug #912.
Fixed sudoedit on macOS 10.15 and above where the root file system is mounted read-only. Bug #913.
Fixed a crash introduced in sudo 1.8.30 when suspending sudo at the password prompt. Bug #914.
Fixed compilation on systems where the mmap MAP_ANON flag is not available. Bug #915.
Published by millert almost 5 years ago
Fixed a warning on macOS introduced in sudo 1.8.29 when sudo attempts to set the open file limit to unlimited. Bug #904.
Sudo now closes file descriptors before changing uids. This prevents a non-root process from interfering with sudo's ability to close file descriptors on systems that support the prlimit(2) system call.
Sudo now treats an attempt to run sudo sudoedit
as simply sudoedit
. If the sudoers file contains a fully-qualified path to sudoedit, sudo will now treat it simply as sudoedit
(with no path). Visudo will will now treat a fully-qualified path to sudoedit as an error. Bug #871.
Fixed a bug introduced in sudo 1.8.28 where sudo would warn about a missing /etc/environment
file on AIX and Linux when PAM is not enabled. Bug #907.
Fixed a bug on Linux introduced in sudo 1.8.29 that prevented the askpass program from running due to an unlimited stack size resource limit. Bug #908.
If a group provider plugin has optional arguments, the argument list passed to the plugin is now NULL terminated as per the documentation.
The user's time stamp file is now only updated if both authentication and approval phases succeed. This is consistent with the behavior of sudo prior to version 1.8.23. Bug #910.
The new allow_unknown_runas_id sudoers setting can be used to enable or disable the use of unknown user or group IDs. Previously, sudo would always allow unknown user or group IDs if the sudoers entry permitted it, including via the ALL alias. As of sudo 1.8.30, the admin must explicitly enable support for unknown IDs.
The new runas_check_shell sudoers setting can be used to require that the runas user have a shell listed in the /etc/shells
file. On many systems, users such as bin, do not have a valid shell and this flag can be used to prevent commands from being run as those users.
Fixed a problem restoring the SELinux tty context during reboot if mctransd is killed before sudo finishes. GitHub Issue #17.
Fixed an intermittent warning on NetBSD when sudo restores the initial stack size limit.
Published by millert almost 5 years ago
The cvtsudoers command will now reject non-LDIF input when converting from LDIF format to sudoers or JSON formats.
The new log_allowed and log_denied sudoers settings make it possible to disable logging and auditing of allowed and/or denied commands.
The umask is now handled differently on systems with PAM or login.conf. If the umask is explicitly set in sudoers, that value is used regardless of what PAM or login.conf may specify. However, if the umask is not explicitly set in sudoers, PAM or login.conf may now override the default sudoers umask. Bug #900.
For make install, the sudoers file is no longer checked for syntax errors when DESTDIR
is set. The default sudoers file includes the contents of /etc/sudoers.d
which may not be readable as non-root. Bug #902.
Sudo now sets most resource limits to their maximum value to avoid problems caused by insufficient resources, such as an inability to allocate memory or open files and pipes.
Fixed a regression introduced in sudo 1.8.28 where sudo would refuse to run if the parent process was not associated with a session . This was due to sudo passing a session ID of -1 to the plugin.
Published by millert about 5 years ago
Published by millert about 5 years ago
Sudo will now only set PAM_TTY
to the empty string when no terminal is present on Solaris and Linux. This workaround is only needed on those systems which may have PAM modules that misbehave when PAM_TTY
is not set.
The mailerflags sudoers option now has a default value even if sendmail support was disabled at configure time. Fixes a crash when the mailerpath sudoers option is set but mailerflags is not. Bug #878.
Sudo will now filter out last login messages on HP-UX unless it a shell is being run via sudo -s
or sudo -i
. Otherwise, when trusted mode is enabled, these messages will be displayed for each command.
On AIX, when the user's password has expired and PAM is not in use, sudo will now allow the user to change their password. Bug #883.
Sudo has a new -B command line option that will ring the terminal bell when prompting for a password.
Sudo no longer refuses to prompt for a password when it cannot determine the user's terminal as long as it can open /dev/tty
. This allows sudo to function on systems where /proc
is unavailable, such as when running in a chroot environment.
The env_editor sudoers flag is now on by default. This makes source builds more consistent with the packages generated by sudo's mkpkg script.
Sudo no longer ships with pre-formatted copies of the manual pages. These were included for systems like IRIX that don't ship with an nroff utility. There are now multiple Open Source nroff replacements so this should no longer be an issue.
Fixed a bad interaction with configure's --prefix
and --disable-shared
options. Bug #886.
More verbose error message when a password is required and no terminal is present. Bug #828.
Command tags, such as NOPASSWD
, are honored when a user tries to run a command that is allowed by sudoers but which does not actually exist on the file system. Bug #888.
Asturian translation for sudoers from translationproject.org.
I/O log timing files now store signal suspend and resume information in the form of a signal name instead of a number.
Fixed a bug introduced in 1.8.24 that prevented sudo from honoring the value of ipa_hostname from sssd.conf
, if specified, when matching the host name.
Fixed a bug introduced in 1.8.21 that prevented the core dump resource limit set in the pam_limits module from taking effect. Bug #894.
Fixed parsing of double-quoted Defaults group and netgroup bindings.
The user ID is now used when matching sudoUser attributes in LDAP. Previously, the user name, group name and group IDs were used when matching but not the user ID.
Sudo now writes PAM messages to the user's terminal, if available, instead of the standard output or standard error. This prevents PAM output from being intermixed with that of the command when output is sent to a file or pipe. Bug #895.
Sudoedit now honors the umask and umask_override settings in sudoers. Previously, the user's umask was used as-is.
Fixed a bug where the terminal's file context was not restored when using SELinux RBAC. Bug #898.
Fixed CVE-2019-14287, a bug where a sudo user may be able to run a command as root when the Runas specification explicitly disallows root access as long as the ALL keyword is listed first.
Published by TylerReese about 5 years ago
Fixed a bug introduced in sudo 1.8.20 that broke formatting of
I/O log timing file entries on systems without a C99-compatible
snprintf()
function. Our replacement snprintf()
doesn't support
floating point so we can't use the "%f" format directive.
I/O log timing file entries now use a monotonic timer and include
nanosecond precision. A monotonic timer that does not increment
while the system is sleeping is used where available.
Fixed a bug introduced in sudo 1.8.24 where sudoNotAfter in the LDAP
backend was not being properly parsed. Bug #845.
When sudo runs a command in a pseudo-tty, the slave device is
now closed in the main process immediately after starting the
monitor process. This removes the need for an AIX-specific
workaround that was added in sudo 1.8.24.
Added support for monotonic timers on HP-UX.
Fixed a bug displaying timeout values the "sudo -V" output.
The value displayed was 3600 times the actual value. Bug #846.
Fixed a build issue on AIX 7.1 BOS levels that include memset_s()
and define rsize_t in string.h. Bug #847.
The testsudoers utility now supports querying an LDIF-format
policy.
Sudo now sets the LOGIN
environment variable to the same value as
LOGNAME
on AIX systems. Bug #848.
Fixed a regression introduced in sudo 1.8.24 where the LDAP and
SSSD backends evaluated the rules in reverse sudoOrder. Bug #849.
Published by TylerReese about 5 years ago
poll()
function but not the ppoll()
function.Published by TylerReese about 5 years ago
Fixed a bug in cvtsudoers when converting to JSON format when
alias expansion is enabled. Bug #853.
Sudo no long sets the USERNAME environment variable when running
commands. This is a non-standard environment variable that was
set on some older Linux systems.
Sudo now treats the LOGNAME and USER environment variables (as
well as the LOGIN variable on AIX) as a single unit. If one is
preserved or removed from the environment using env_keep, env_check
or env_delete, so is the other.
Added support for OpenLDAP's TLS_REQCERT setting in ldap.conf.
Sudo now logs when the command was suspended and resumed in the
I/O logs. This information is used by sudoreplay to skip the
time suspended when replaying the session unless the new -S flag
is used.
Fixed documentation problems found by the igor utility. Bug #854.
Sudo now prints a warning message when there is an error or end
of file while reading the password instead of exiting silently.
Fixed a bug in the sudoers LDAP back-end parsing the command_timeout,
role, type, privs and limitprivs sudoOptions. This also affected
cvtsudoers conversion from LDIF to sudoers or JSON.
Fixed a bug that prevented timeout settings in sudoers from
functioning unless a timeout was also specified on the command
line.
Asturian translation for sudo from translationproject.org.
When generating LDIF output, cvtsudoers can now be configured
to pad the sudoOrder increment such that the start order is used
as a prefix. Bug #856.
Fixed a bug introduced in sudo 1.8.25 that prevented sudo from
properly setting the user's groups on AIX. Bug #857.
If the user specifies a group via sudo's -g option that matches
any of the target user's groups, it is now allowed even if no
groups are present in the Runas_Spec. Previously, it was only
allowed if it matched the target user's primary group.
The sudoers LDAP back-end now supports negated sudoRunAsUser and
sudoRunAsGroup entries.
Sudo now provides a proper error message when the "fqdn" sudoers
option is set and it is unable to resolve the local host name.
Bug #859.
Portuguese translation for sudo and sudoers from translationproject.org.
Sudo now includes sudoers LDAP schema for the on-line configuration
supported by OpenLDAP.
Published by TylerReese about 5 years ago
On HP-UX, sudo will now update the utmps file when running a command
in a pseudo-tty. Previously, only the utmp and utmpx files were
updated.
Nanosecond precision file time stamps are now supported in HP-UX.
Fixes and clarifications to the sudo plugin documentation.
The sudo manuals no longer require extensive post-processing to
hide system-specific features. Conditionals in the roff source
are now used instead. This fixes corruption of the sudo manual
on systems without BSD login classes. Bug #861.
If an I/O logging plugin is configured but the plugin does not
actually log any I/O, sudo will no longer force the command to
be run in a pseudo-tty.
The fix for bug #843 in sudo 1.8.24 was incomplete. If the
user's password was expired or needed to be updated, but no sudo
password was required, the PAM handle was freed too early,
resulting in a failure when processing PAM session modules.
In visudo, it is now possible to specify the path to sudoers
without using the -f option. Bug #864.
Fixed a bug introduced in sudo 1.8.22 where the utmp (or utmpx)
file would not be updated when a command was run in a pseudo-tty.
Bug #865.
Sudo now sets the silent flag when opening the PAM session except
when running a shell via "sudo -s" or "sudo -i". This prevents
the pam_lastlog module from printing the last login information
for each sudo command. Bug #867.
Fixed the default AIX hard resource limit for the maximum number
of files a user may have open. If no hard limit for "nofiles"
is explicitly set in /etc/security/limits, the default should
be "unlimited". Previously, the default hard limit was 8196.