From: Todd C. Miller Date: Tue, 1 Jan 2008 21:43:26 +0000 (+0000) Subject: Update to reflect recent developments. X-Git-Tag: SUDO_1_7_0~273 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=685d9d2dabe6c9d09c8c11c4c41bc928dc77b454;p=sudo Update to reflect recent developments. --- diff --git a/README.LDAP b/README.LDAP index 1f74f8de6..39d47f66f 100644 --- a/README.LDAP +++ b/README.LDAP @@ -79,12 +79,14 @@ Design Features If you want to specify lots of commands, use directories or wildcards, or just paste them all into LDAP. That's what it's for. - * The /etc/sudoers file can be disabled. Paranoid security administrators - can now disallow parsing of any local /etc/sudoers file by an LDAP - sudoOption 'ignore_local_sudoers'. This way all sudoers can be controlled - and audited in one place because local entries are not allowed. - In fact, if this option is included in the cn=defaults object of LDAP, - sudo won't even look for a /etc/sudoers file. + * nsswitch.conf support. Sudo now reads /etc/nsswitch.conf and looks + for a line begining with "sudoers:" and uses this to determine the + search order for sudoers. To consult LDAP first, falling back on + a local sudoers file, use: + sudoers: ldap files + + The local sudoers file can be ignored completely by using: + sudoers: ldap * The sudo binary compiled with LDAP support should be totally backward compatible and be syntactically and source code equivalent to its non diff --git a/UPGRADE b/UPGRADE index 3db01070b..9db649bd6 100644 --- a/UPGRADE +++ b/UPGRADE 
@@ -5,7 +5,25 @@ o Upgrading from a version prior to 1.7.0: Starting with sudo 1.7.0 comments in the sudoers file must not have a digit or minus sign immediately after the comment character - ('#'). Otherwise, the comment may be interpreted as a user ID. + ('#'). Otherwise, the comment may be interpreted as a user or + group ID. + + When sudo is build with LDAP support the /etc/nsswitch.conf file is + now used to determine the sudoers seach order. sudo will default to + only using /etc/sudoers unless /etc/nsswitch.conf says otherwise. + This can be changed with an nsswitch.conf line, e.g.: + sudoers: ldap files + Would case LDAP to be searched first, then the sudoers file. + To restore the pre-1.7 behavior, run configure with the + --with-nsswitch=no flag. + + Sudo now ignores user .ldaprc files as well as system LDAP defaults. + All LDAP configuration is now in /etc/ldap.conf (or whichever file + was specified by configure's --with-ldap-conf-file option). + If you are using TLS, you may now need to specify: + tls_checkpeer no + in sudo's ldap.conf unless ldap.conf references a valid certificate + authority file(s). o Upgrading from a version prior to 1.6.9: diff --git a/WHATSNEW b/WHATSNEW index 0b226d97d..d6b28b964 100644 --- a/WHATSNEW +++ b/WHATSNEW @@ -37,3 +37,15 @@ What's new in Sudo 1.7? * Improved LDAP support. SASL authentication may now be used in conjunction when connecting to an LDAP server. The krb5_ccname parameter in ldap.conf may be used to enable Kerberos. + + * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf + to specify the sudoers order. E.g.: + sudoers: ldap files + to check LDAP, then /etc/sudoers. The default is "files", even + when LDAP support is compiled in. This differs from sudo 1.6 + where LDAP was always consulted first. + + * Support for /etc/environment. If sudo is run with the -i flag, + the contents of /etc/environment are used to populate the new + environment that is passed to the command being run. +
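Review bot: in the README.LDAP hunk, the new nsswitch.conf bullet drops the old 'ignore_local_sudoers' paragraph without saying what happens to that sudoOption now; an administrator who already has it in cn=defaults will not know whether it is still honoured or superseded by "sudoers: ldap" in nsswitch.conf, so add one sentence stating which. Also fix the typo "begining" in "a line begining with".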
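Review bot: in the UPGRADE hunk, the TLS paragraph leads with "tls_checkpeer no" as the fix, but that disables verification of the LDAP server's certificate, so the upgrade note should present configuring a valid certificate authority file as the primary remedy and mention "tls_checkpeer no" only as a fallback, with a sentence saying it turns off server certificate checking. The same hunk has several typos: "build with LDAP support" should be "built", "seach order" should be "search order", "Would case LDAP" should be "would cause LDAP" (and it continues the sentence after "e.g.:", so it should not start with a capital), and "a valid certificate authority file(s)" should be "a valid certificate authority file".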
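Review bot: in the WHATSNEW hunk, the final "+" line adds an empty line at the end of the file; drop it so the file keeps a single trailing newline. The /etc/nsswitch.conf bullet could also state the wording used in UPGRADE, that the default is "files" only when nsswitch.conf has no "sudoers:" line, so the two files agree on when the default applies.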