isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sudo 1.8.22

Browse Source
This commit is contained in:
Todd C. Miller
2017-12-01 14:35:34 -07:00
parent c2eee7904d
commit e8532bdcee
3 changed files with 80 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
NEWS
View File

@@ -1,3 +1,55 @@
What's new in Sudo 1.8.22
* Commands run in the background from a script run via sudo will
no longer receive SIGHUP when the parent exits and I/O logging
is enabled. Bug #502
* A particularly offensive insult is now disabled by default.
Bug #804
* The description of "sudo -i" now correctly documents that
the "env_keep" and "env_check" sudoers options are applied to
the environment. Bug #806
* Fixed a crash when the system's host name is not set.
Bug #807
* The sudoers2ldif script now handle #include and #includedir
directives.
* Fixed a bug where sudo would silently exit when the command was
not allowed by sudoers and the "passwd_tries" sudoers option
was set to a value less than 1.
* Fixed a bug with the "listpw" and "verifypw" sudoers options and
multiple sudoers sources. If the option is set to "all", a
password should be required unless none of a user's sudoers
entries from any source require authentication.
* Fixed a bug with the "listpw" and "verifypw" sudoers options in
the LDAP and SSSD back-ends. If the option is set to "any", and
the entry contained multiple rules, only the first matching rule
was checked. If an entry contained more than one matching rule
and the first rule required authentication but a subsequent rule
did not, sudo would prompt for a password when it should not have.
* When running a command as the invoking user (not root), sudo
would execute the command with the same group vector it was
started with. Sudo now executes the command with a new group
vector based on the group database which is consistent with
how su(1) operates.
* Fixed a double free in the SSSD back-end that could occur when
ipa_hostname is present in sssd.conf and is set to an unqualified
host name.
* When I/O logging is enabled, sudo will now write to the terminal
even when it is a background process. Previously, sudo would
only write to the tty when it was the foreground process when
I/O logging was enabled. If the TOSTOP terminal flag is set,
sudo will suspend the command (and then itself) with the SIGTTOU
signal.
What's new in Sudo 1.8.21p2 What's new in Sudo 1.8.21p2
* Fixed a bug introduced in version 1.8.21 which prevented sudo * Fixed a bug introduced in version 1.8.21 which prevented sudo
@@ -34,7 +86,7 @@ What's new in Sudo 1.8.21p1
playback would hang for I/O logs that contain terminal input. playback would hang for I/O logs that contain terminal input.
* Sudo 1.8.18 contained an incomplete fix for the matching of * Sudo 1.8.18 contained an incomplete fix for the matching of
entries in the LDAP and SSSD backends when a sudoRunAsGroup is entries in the LDAP and SSSD back-ends when a sudoRunAsGroup is
specified but no sudoRunAsUser is present in the sudoRole. specified but no sudoRunAsUser is present in the sudoRole.
What's new in Sudo 1.8.21 What's new in Sudo 1.8.21
@@ -140,8 +192,8 @@ What's new in Sudo 1.8.20
be terminated if the timeout expires. be terminated if the timeout expires.
* The SELinux role and type are now displayed in the "sudo -l" * The SELinux role and type are now displayed in the "sudo -l"
output for the LDAP and SSSD backends, just as they are in the output for the LDAP and SSSD back-ends, just as they are in the
sudoers backend. sudoers back-end.
* A new command line option, -T, can be used to specify a command * A new command line option, -T, can be used to specify a command
timeout as long as the user-specified timeout is not longer than timeout as long as the user-specified timeout is not longer than
@@ -149,7 +201,7 @@ What's new in Sudo 1.8.20
used when the "user_command_timeouts" flag is enabled in sudoers. used when the "user_command_timeouts" flag is enabled in sudoers.
* Added NOTBEFORE and NOTAFTER command options to the sudoers * Added NOTBEFORE and NOTAFTER command options to the sudoers
backend similar to what is already available in the LDAP backend. back-end similar to what is already available in the LDAP back-end.
* Sudo can now optionally use the SHA2 functions in OpenSSL or GNU * Sudo can now optionally use the SHA2 functions in OpenSSL or GNU
crypt instead of the SHA2 implementation bundled with sudo. crypt instead of the SHA2 implementation bundled with sudo.
@@ -175,7 +227,7 @@ What's new in Sudo 1.8.20
to env_file but its contents are subject to the same restrictions to env_file but its contents are subject to the same restrictions
as variables in the invoking user's environment. as variables in the invoking user's environment.
* Fixed a use after free bug in the SSSD backend when the fqdn * Fixed a use after free bug in the SSSD back-end when the fqdn
sudoOption is enabled and no hostname value is present in sudoOption is enabled and no hostname value is present in
/etc/sssd/sssd.conf. /etc/sssd/sssd.conf.
@@ -338,7 +390,7 @@ What's new in Sudo 1.8.18
* Fixed a bug where "sudo -l command" would indicate that a command * Fixed a bug where "sudo -l command" would indicate that a command
was runnable even when denied by sudoers when using the LDAP or was runnable even when denied by sudoers when using the LDAP or
SSSD backends. SSSD back-ends.
* The match_group_by_gid Defaults option has been added to allow * The match_group_by_gid Defaults option has been added to allow
sites where group name resolution is slow and where sudoers only sites where group name resolution is slow and where sudoers only
@@ -362,12 +414,12 @@ What's new in Sudo 1.8.18
flag is enabled in sudoers. Bug #757 flag is enabled in sudoers. Bug #757
* Negated sudoHost attributes are now supported by the LDAP and * Negated sudoHost attributes are now supported by the LDAP and
SSSD backends. SSSD back-ends.
* Fixed matching entries in the LDAP and SSSD backends when a * Fixed matching entries in the LDAP and SSSD back-ends when a
RunAsGroup is specified but no RunAsUser is present. RunAsGroup is specified but no RunAsUser is present.
* Fixed "sudo -l" output in the LDAP and SSSD backends when a * Fixed "sudo -l" output in the LDAP and SSSD back-ends when a
RunAsGroup is specified but no RunAsUser is present. RunAsGroup is specified but no RunAsUser is present.
What's new in Sudo 1.8.17p1 What's new in Sudo 1.8.17p1
@@ -424,9 +476,9 @@ What's new in Sudo 1.8.17
* Fixed a bug on AIX where the stack size hard resource limit was * Fixed a bug on AIX where the stack size hard resource limit was
being set to 2GB instead of 4GB on 64-bit systems. being set to 2GB instead of 4GB on 64-bit systems.
* The SSSD backend now properly supports "sudo -U otheruser -l". * The SSSD back-end now properly supports "sudo -U otheruser -l".
* The SSSD backend now uses the value of "ipa_hostname" * The SSSD back-end now uses the value of "ipa_hostname"
from sssd.conf, if specified, when matching the host name. from sssd.conf, if specified, when matching the host name.
* Fixed a hang on some systems when the command is being run in * Fixed a hang on some systems when the command is being run in
@@ -448,12 +500,12 @@ What's new in Sudo 1.8.16
* Fixed a bug that could cause warning mail to be sent in list * Fixed a bug that could cause warning mail to be sent in list
mode (sudo -l) for users without sudo privileges when the mode (sudo -l) for users without sudo privileges when the
LDAP and sssd backends are used. LDAP and sssd back-ends are used.
* Fixed a bug that prevented the "mail_no_user" option from working * Fixed a bug that prevented the "mail_no_user" option from working
properly with the LDAP backend. properly with the LDAP back-end.
* In the LDAP and sssd backends, white space is now ignored between * In the LDAP and sssd back-ends, white space is now ignored between
an operator (!, +, +=, -=) when parsing a sudoOption. an operator (!, +, +=, -=) when parsing a sudoOption.
* It is now possible to disable Path settings in sudo.conf * It is now possible to disable Path settings in sudo.conf
@@ -481,7 +533,7 @@ What's new in Sudo 1.8.16
problem when a user or group of the same name exists in multiple problem when a user or group of the same name exists in multiple
auth registries. For example, local and LDAP. auth registries. For example, local and LDAP.
* Fixed a crash in the SSSD backend when the invoking user is not * Fixed a crash in the SSSD back-end when the invoking user is not
found. Bug #732. found. Bug #732.
* Added the --enable-asan configure flag to enable address sanitizer * Added the --enable-asan configure flag to enable address sanitizer
@@ -500,7 +552,7 @@ What's new in Sudo 1.8.16
* Fixed support for negating character classes in sudo's version * Fixed support for negating character classes in sudo's version
of the fnmatch() function. of the fnmatch() function.
* Fixed a bug in the LDAP and SSSD backends that could allow an * Fixed a bug in the LDAP and SSSD back-ends that could allow an
unauthorized user to list another user's privileges. Bug #738. unauthorized user to list another user's privileges. Bug #738.
* The PAM conversation function now works around an ambiguity in the * The PAM conversation function now works around an ambiguity in the
@@ -613,7 +665,7 @@ What's new in Sudo 1.8.14p2
What's new in Sudo 1.8.14p1 What's new in Sudo 1.8.14p1
* Fixed a bug introduced in sudo 1.8.14 that prevented the sssd * Fixed a bug introduced in sudo 1.8.14 that prevented the sssd
backend from working. Bug #703. back-end from working. Bug #703.
What's new in Sudo 1.8.14 What's new in Sudo 1.8.14
@@ -1522,7 +1574,7 @@ What's new in Sudo 1.8.5?
ldap_start_tls_s() function. ldap_start_tls_s() function.
* The TLS_CHECKPEER parameter in ldap.conf now works when the * The TLS_CHECKPEER parameter in ldap.conf now works when the
Mozilla NSS crypto backend is used with OpenLDAP. Mozilla NSS crypto back-end is used with OpenLDAP.
* A new group provider plugin, system_group, is included which * A new group provider plugin, system_group, is included which
performs group look ups by name using the system groups database. performs group look ups by name using the system groups database.

18
configure vendored
View File

@@ -1,6 +1,6 @@
#! /bin/sh #! /bin/sh
# Guess values for system-dependent variables and create Makefiles. # Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for sudo 1.8.21p2. # Generated by GNU Autoconf 2.69 for sudo 1.8.22.
# #
# Report bugs to <https://bugzilla.sudo.ws/>. # Report bugs to <https://bugzilla.sudo.ws/>.
# #
@@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package. # Identity of this package.
PACKAGE_NAME='sudo' PACKAGE_NAME='sudo'
PACKAGE_TARNAME='sudo' PACKAGE_TARNAME='sudo'
PACKAGE_VERSION='1.8.21p2' PACKAGE_VERSION='1.8.22'
PACKAGE_STRING='sudo 1.8.21p2' PACKAGE_STRING='sudo 1.8.22'
PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/' PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/'
PACKAGE_URL='' PACKAGE_URL=''
@@ -1539,7 +1539,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing. # Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh. # This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF cat <<_ACEOF
\`configure' configures sudo 1.8.21p2 to adapt to many kinds of systems. \`configure' configures sudo 1.8.22 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]... Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1604,7 +1604,7 @@ fi
if test -n "$ac_init_help"; then if test -n "$ac_init_help"; then
case $ac_init_help in case $ac_init_help in
short | recursive ) echo "Configuration of sudo 1.8.21p2:";; short | recursive ) echo "Configuration of sudo 1.8.22:";;
esac esac
cat <<\_ACEOF cat <<\_ACEOF
@@ -1863,7 +1863,7 @@ fi
test -n "$ac_init_help" && exit $ac_status test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then if $ac_init_version; then
cat <<\_ACEOF cat <<\_ACEOF
sudo configure 1.8.21p2 sudo configure 1.8.22
generated by GNU Autoconf 2.69 generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc. Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2572,7 +2572,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake. running configure, to aid debugging if configure makes a mistake.
It was created by sudo $as_me 1.8.21p2, which was It was created by sudo $as_me 1.8.22, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@ $ $0 $@
@@ -27021,7 +27021,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their # report actual input values of CONFIG_FILES etc. instead of their
# values after options handling. # values after options handling.
ac_log=" ac_log="
This file was extended by sudo $as_me 1.8.21p2, which was This file was extended by sudo $as_me 1.8.22, which was
generated by GNU Autoconf 2.69. Invocation command line was generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES CONFIG_FILES = $CONFIG_FILES
@@ -27087,7 +27087,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\ ac_cs_version="\\
sudo config.status 1.8.21p2 sudo config.status 1.8.22
configured by $0, generated by GNU Autoconf 2.69, configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\" with options \\"\$ac_cs_config\\"

2
configure.ac
View File

@@ -4,7 +4,7 @@ dnl
dnl Copyright (c) 1994-1996,1998-2017 Todd C. Miller <Todd.Miller@courtesan.com> dnl Copyright (c) 1994-1996,1998-2017 Todd C. Miller <Todd.Miller@courtesan.com>
dnl dnl
AC_PREREQ([2.59]) AC_PREREQ([2.59])
AC_INIT([sudo], [1.8.21p2], [https://bugzilla.sudo.ws/], [sudo]) AC_INIT([sudo], [1.8.22], [https://bugzilla.sudo.ws/], [sudo])
AC_CONFIG_HEADER([config.h pathnames.h]) AC_CONFIG_HEADER([config.h pathnames.h])
AC_CONFIG_SRCDIR([src/sudo.c]) AC_CONFIG_SRCDIR([src/sudo.c])
dnl dnl