Notes on upgrading from an older release
========================================
+o Upgrading from a version prior to 1.7.4:
+
+ Starting with sudo 1.7.4, the time stamp files have moved from
+ /var/run/sudo to either /var/db/sudo, /var/lib/sudo or /var/adm/sudo.
+ The directories are checked for existence in that order. This
+ prevents users from receiving the sudo lecture every time the
+ system reboots. Time stamp files older than the boot time are
+ ignored on systems where it is possible to determine this.
+
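Review bot: the search order documented here (/var/db, /var/lib, /var/adm) is missing the final /usr/adm fallback that the SUDO_TIMEDIR loop in configure.in uses; add it so UPGRADE matches the code. It would also help to spell out the consequence of the last sentence: where the boot time cannot be determined, a time stamp file written before a reboot is no longer cleared by the reboot (the directory is no longer under /var/run) and stays valid until the normal timeout expires.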
o Upgrading from a version prior to 1.7.0:
- Starting with sudo 1.7.0 comments in the sudoers file must not
+ Starting with sudo 1.7.0, comments in the sudoers file must not
have a digit or minus sign immediately after the comment character
('#'). Otherwise, the comment may be interpreted as a user or
group ID.
o Upgrading from a version prior to 1.6.8:
Prior to sudo 1.6.8, if /var/run did not exist, sudo would put
- the timestamp files in /tmp/.odus. As of sudo 1.6.8, the
- timestamp files will be placed in /var/adm/sudo or /usr/adm/sudo
+ the time stamp files in /tmp/.odus. As of sudo 1.6.8, the
+ time stamp files will be placed in /var/adm/sudo or /usr/adm/sudo
if there is no /var/run directory. This directory will be
created if it does not already exist.
millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, \
(root) PASSWD:/bin/ls, /sbin/dump
- Additionally, sudo now uses a per-user timestamp directory
- instead of a timestamp file. This allows tty timestamps to
- simply be files within the user's timestamp dir. For the
- default, non-tty case, the timestamp on the directory itself
+ Additionally, sudo now uses a per-user time stamp directory
+ instead of a time stamp file. This allows tty time stamps to
+ simply be files within the user's time stamp dir. For the
+ default, non-tty case, the time stamp on the directory itself
is used.
Also, the temporary file used by visudo is now /etc/sudoers.tmp
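Review bot: this hunk normalises "timestamp" to "time stamp" in UPGRADE, but the same patch introduces `+dnl Where the timestamp files go.` in configure.in and leaves "stores its timestamp files" in sudoers.cat; choose one spelling for prose (the option name timestampdir is fixed) and apply it across all the touched files. Separately, the two sudoers example lines (`millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, \`) sit in the middle of the 1.6.8 paragraph; check whether the hunk context is mis-aligned against the current UPGRADE file.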
])dnl
dnl
-dnl Where the timestamp files go, use /var/run/sudo if /var/run exists,
-dnl else /{var,usr}/adm/sudo
+dnl Where the timestamp files go.
dnl
AC_DEFUN(SUDO_TIMEDIR, [AC_MSG_CHECKING(for timestamp file location)
-if test -n "$with_timedir"; then
- AC_MSG_RESULT($with_timedir)
- SUDO_DEFINE_UNQUOTED(_PATH_SUDO_TIMEDIR, "$with_timedir")
- timedir="$with_timedir"
-elif test -d "/var/run"; then
- AC_MSG_RESULT(/var/run/sudo)
- SUDO_DEFINE(_PATH_SUDO_TIMEDIR, "/var/run/sudo")
- timedir="/var/run/sudo"
-elif test -d "/var/adm"; then
- AC_MSG_RESULT(/var/adm/sudo)
- SUDO_DEFINE(_PATH_SUDO_TIMEDIR, "/var/adm/sudo")
- timedir="/var/adm/sudo"
-else
- AC_MSG_RESULT(/usr/adm/sudo)
- SUDO_DEFINE(_PATH_SUDO_TIMEDIR, "/usr/adm/sudo")
- timedir="/usr/adm/sudo"
+timedir="$with_timedir"
+if test -z "$timedir"; then
+ for d in /var/db /var/lib /var/adm /usr/adm; do
+ if test -d "$d"; then
+ timedir="$d/sudo"
+ break;
+ fi
+ done
fi
+AC_MSG_RESULT([$timedir])
+SUDO_DEFINE_UNQUOTED(_PATH_SUDO_TIMEDIR, "$timedir")
])dnl
dnl
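Review bot: the new loop has no fallback when none of /var/db, /var/lib, /var/adm or /usr/adm exists: timedir stays empty, AC_MSG_RESULT prints nothing and _PATH_SUDO_TIMEDIR is defined as "", whereas the old code's final else branch always yielded /usr/adm/sudo. Add a default after the loop, e.g. `test -z "$timedir" && timedir=/var/adm/sudo`, or make the empty case a configure-time error. Minor: `break;` should be `break` (the trailing semicolon is legal but unidiomatic), and the shortened `dnl Where the timestamp files go.` comment would be more useful if it stated the search order and that with_timedir overrides it.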
#
# Begin initial values for man page substitution
#
-timedir=/var/run/sudo
+timedir=/var/adm/sudo
timeout=5
password_timeout=5
sudo_umask=0022
CHECKSHADOW="false"
test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
: ${with_logincap='yes'}
- # Apple sudo timedir location
- : ${with_timedir='/var/db/sudo'}
;;
*-*-nextstep*)
# lockf() on is broken on the NeXT -- use flock instead
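Review bot: dropping the Darwin-specific `: ${with_timedir='/var/db/sudo'}` default is only behaviour-preserving because /var/db is first in the SUDO_TIMEDIR search list; a comment beside that loop (or a line in the commit message) saying the Darwin case now relies on the search order would keep the dependency from being lost if the order is later edited. The `timedir=/var/adm/sudo` value in this hunk is only the initial man-page substitution value and is reassigned by SUDO_TIMEDIR, so it is fine as a placeholder.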
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for timestamp file location" >&5
$as_echo_n "checking for timestamp file location... " >&6; }
-if test -n "$with_timedir"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_timedir" >&5
-$as_echo "$with_timedir" >&6; }
- cat >>confdefs.h <<EOF
-#define _PATH_SUDO_TIMEDIR "$with_timedir"
-EOF
-
- timedir="$with_timedir"
-elif test -d "/var/run"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: /var/run/sudo" >&5
-$as_echo "/var/run/sudo" >&6; }
- cat >>confdefs.h <<\EOF
-#define _PATH_SUDO_TIMEDIR "/var/run/sudo"
-EOF
-
- timedir="/var/run/sudo"
-elif test -d "/var/adm"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: /var/adm/sudo" >&5
-$as_echo "/var/adm/sudo" >&6; }
- cat >>confdefs.h <<\EOF
-#define _PATH_SUDO_TIMEDIR "/var/adm/sudo"
-EOF
-
- timedir="/var/adm/sudo"
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: /usr/adm/sudo" >&5
-$as_echo "/usr/adm/sudo" >&6; }
- cat >>confdefs.h <<\EOF
-#define _PATH_SUDO_TIMEDIR "/usr/adm/sudo"
+timedir="$with_timedir"
+if test -z "$timedir"; then
+ for d in /var/db /var/lib /var/adm /usr/adm; do
+ if test -d "$d"; then
+ timedir="$d/sudo"
+ break;
+ fi
+ done
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $timedir" >&5
+$as_echo "$timedir" >&6; }
+cat >>confdefs.h <<EOF
+#define _PATH_SUDO_TIMEDIR "$timedir"
EOF
- timedir="/usr/adm/sudo"
-fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for I/O log dir location" >&5
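Review bot: the missing-fallback problem from the configure.in macro is reproduced here (empty timedir and `#define _PATH_SUDO_TIMEDIR ""` when no candidate directory exists); since this file is generated from configure.in, fix the macro and regenerate with autoconf rather than patching both copies by hand. Note also that the heredoc changed from `<<\EOF` to `<<EOF` so that $timedir expands, which is required now that the value is always a variable, but it means a with_timedir value containing a double quote or backslash produces a broken #define, as was already the case for the old with_timedir branch.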
#
# Begin initial values for man page substitution
#
-timedir=/var/run/sudo
+timedir=/var/adm/sudo
timeout=5
password_timeout=5
sudo_umask=0022
CHECKSHADOW="false"
test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
: ${with_logincap='yes'}
- # Apple sudo timedir location
- : ${with_timedir='/var/db/sudo'}
;;
*-*-nextstep*)
# lockf() on is broken on the NeXT -- use flock instead
-1.7.4 July 12, 2010 1
+1.7.4 July 14, 2010 1
-1.7.4 July 12, 2010 2
+1.7.4 July 14, 2010 2
-1.7.4 July 12, 2010 3
+1.7.4 July 14, 2010 3
-1.7.4 July 12, 2010 4
+1.7.4 July 14, 2010 4
-1.7.4 July 12, 2010 5
+1.7.4 July 14, 2010 5
-1.7.4 July 12, 2010 6
+1.7.4 July 14, 2010 6
program that s\bsu\bud\bdo\bo executes.
s\bsu\bud\bdo\bo will check the ownership of its time stamp directory
- (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
+ (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
not owned by root or if it is writable by a user other than root. On
systems that allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if
the time stamp directory is located in a directory writable by anyone
by root and inaccessible by any other user, the user placing files
there would be unable to get them back out. To get around this issue
you can use a directory that is not world-writable for the time stamps
- (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the
+ (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or create _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo with the
appropriate owner (root) and permissions (0700) in the system startup
files.
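Review bot: with the new default the two alternatives in this paragraph name the same path: it suggests using a directory that is not world-writable "(/var/adm/sudo for instance)" or creating "/var/adm/sudo" in the startup files, which no longer reads as a choice. The chown(2) concern applies to a time stamp directory placed under a world-writable parent (the old /var/run case), so reword to say that the new default locations are typically not world-writable and that the startup-file advice applies when with_timedir points somewhere that is. Also, "by default" is now system-dependent (/var/db, /var/lib, /var/adm or /usr/adm), so the literal path should come from the @timedir@ substitution or be described as system-dependent.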
-1.7.4 July 12, 2010 7
+1.7.4 July 14, 2010 7
-1.7.4 July 12, 2010 8
+1.7.4 July 14, 2010 8
F\bFI\bIL\bLE\bES\bS
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo Directory containing time stamps
+ _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo Directory containing time stamps
_\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on Linux and
AIX
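Review bot: the FILES entry hard-codes /var/adm/sudo, but after this change the directory is /var/db/sudo on systems that have /var/db (the Darwin case, per the removed configure default) and /var/lib/sudo where /var/lib exists; unless this .cat file is regenerated with @timedir@ substituted at configure time, say "system-dependent" here or list the search order.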
-1.7.4 July 12, 2010 9
+1.7.4 July 14, 2010 9
-1.7.4 July 12, 2010 10
+1.7.4 July 14, 2010 10
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "July 12, 2010" "1.7.4" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "July 14, 2010" "1.7.4" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
interpreted. Defaults to "C".
timestampdir The directory in which s\bsu\bud\bdo\bo stores its timestamp files.
- The default is _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo.
+ The default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo.
timestampowner The owner of the timestamp directory and the timestamps
stored therein. The default is root.