From e8532bdceee15f037f682d27c080840bbf634d45 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Fri, 1 Dec 2017 14:35:34 -0700
Subject: [PATCH] Sudo 1.8.22
---
 NEWS | 88 +++++++++++++++++++++++++++++++++++++++++----------
 configure | 18 +++++------
 configure.ac | 2 +-
 3 files changed, 80 insertions(+), 28 deletions(-)
diff --git a/NEWS b/NEWS
index 973092cc3..a984ee386 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,55 @@
+What's new in Sudo 1.8.22
+
+ * Commands run in the background from a script run via sudo will
+ no longer receive SIGHUP when the parent exits and I/O logging
+ is enabled. Bug #502
+
+ * A particularly offensive insult is now disabled by default.
+ Bug #804
+
+ * The description of "sudo -i" now correctly documents that
+ the "env_keep" and "env_check" sudoers options are applied to
+ the environment. Bug #806
+
+ * Fixed a crash when the system's host name is not set.
+ Bug #807
+
+ * The sudoers2ldif script now handle #include and #includedir
+ directives.
+
+ * Fixed a bug where sudo would silently exit when the command was
+ not allowed by sudoers and the "passwd_tries" sudoers option
+ was set to a value less than 1.
+
+ * Fixed a bug with the "listpw" and "verifypw" sudoers options and
+ multiple sudoers sources. If the option is set to "all", a
+ password should be required unless none of a user's sudoers
+ entries from any source require authentication.
+
+ * Fixed a bug with the "listpw" and "verifypw" sudoers options in
+ the LDAP and SSSD back-ends. If the option is set to "any", and
+ the entry contained multiple rules, only the first matching rule
+ was checked. If an entry contained more than one matching rule
+ and the first rule required authentication but a subsequent rule
+ did not, sudo would prompt for a password when it should not have.
+
+ * When running a command as the invoking user (not root), sudo
+ would execute the command with the same group vector it was
+ started with. Sudo now executes the command with a new group
+ vector based on the group database which is consistent with
+ how su(1) operates.
+
+ * Fixed a double free in the SSSD back-end that could occur when
+ ipa_hostname is present in sssd.conf and is set to an unqualified
+ host name.
+
+ * When I/O logging is enabled, sudo will now write to the terminal
+ even when it is a background process.
Previously, sudo would + only write to the tty when it was the foreground process when + I/O logging was enabled. If the TOSTOP terminal flag is set, + sudo will suspend the command (and then itself) with the SIGTTOU + signal. + What's new in Sudo 1.8.21p2 * Fixed a bug introduced in version 1.8.21 which prevented sudo @@ -34,7 +86,7 @@ What's new in Sudo 1.8.21p1 playback would hang for I/O logs that contain terminal input. * Sudo 1.8.18 contained an incomplete fix for the matching of - entries in the LDAP and SSSD backends when a sudoRunAsGroup is + entries in the LDAP and SSSD back-ends when a sudoRunAsGroup is specified but no sudoRunAsUser is present in the sudoRole. What's new in Sudo 1.8.21 @@ -140,8 +192,8 @@ What's new in Sudo 1.8.20 be terminated if the timeout expires. * The SELinux role and type are now displayed in the "sudo -l" - output for the LDAP and SSSD backends, just as they are in the - sudoers backend. + output for the LDAP and SSSD back-ends, just as they are in the + sudoers back-end. * A new command line option, -T, can be used to specify a command timeout as long as the user-specified timeout is not longer than @@ -149,7 +201,7 @@ What's new in Sudo 1.8.20 used when the "user_command_timeouts" flag is enabled in sudoers. * Added NOTBEFORE and NOTAFTER command options to the sudoers - backend similar to what is already available in the LDAP backend. + back-end similar to what is already available in the LDAP back-end. * Sudo can now optionally use the SHA2 functions in OpenSSL or GNU crypt instead of the SHA2 implementation bundled with sudo. @@ -175,7 +227,7 @@ What's new in Sudo 1.8.20 to env_file but its contents are subject to the same restrictions as variables in the invoking user's environment. - * Fixed a use after free bug in the SSSD backend when the fqdn + * Fixed a use after free bug in the SSSD back-end when the fqdn sudoOption is enabled and no hostname value is present in /etc/sssd/sssd.conf. 
@@ -338,7 +390,7 @@ What's new in Sudo 1.8.18 * Fixed a bug where "sudo -l command" would indicate that a command was runnable even when denied by sudoers when using the LDAP or - SSSD backends. + SSSD back-ends. * The match_group_by_gid Defaults option has been added to allow sites where group name resolution is slow and where sudoers only @@ -362,12 +414,12 @@ What's new in Sudo 1.8.18 flag is enabled in sudoers. Bug #757 * Negated sudoHost attributes are now supported by the LDAP and - SSSD backends. + SSSD back-ends. - * Fixed matching entries in the LDAP and SSSD backends when a + * Fixed matching entries in the LDAP and SSSD back-ends when a RunAsGroup is specified but no RunAsUser is present. - * Fixed "sudo -l" output in the LDAP and SSSD backends when a + * Fixed "sudo -l" output in the LDAP and SSSD back-ends when a RunAsGroup is specified but no RunAsUser is present. What's new in Sudo 1.8.17p1 @@ -424,9 +476,9 @@ What's new in Sudo 1.8.17 * Fixed a bug on AIX where the stack size hard resource limit was being set to 2GB instead of 4GB on 64-bit systems. - * The SSSD backend now properly supports "sudo -U otheruser -l". + * The SSSD back-end now properly supports "sudo -U otheruser -l". - * The SSSD backend now uses the value of "ipa_hostname" + * The SSSD back-end now uses the value of "ipa_hostname" from sssd.conf, if specified, when matching the host name. * Fixed a hang on some systems when the command is being run in 
@@ -448,12 +500,12 @@ What's new in Sudo 1.8.16 * Fixed a bug that could cause warning mail to be sent in list mode (sudo -l) for users without sudo privileges when the - LDAP and sssd backends are used. + LDAP and sssd back-ends are used. * Fixed a bug that prevented the "mail_no_user" option from working - properly with the LDAP backend. + properly with the LDAP back-end. - * In the LDAP and sssd backends, white space is now ignored between + * In the LDAP and sssd back-ends, white space is now ignored between an operator (!, +, +=, -=) when parsing a sudoOption. * It is now possible to disable Path settings in sudo.conf @@ -481,7 +533,7 @@ What's new in Sudo 1.8.16 problem when a user or group of the same name exists in multiple auth registries. For example, local and LDAP. - * Fixed a crash in the SSSD backend when the invoking user is not + * Fixed a crash in the SSSD back-end when the invoking user is not found. Bug #732. * Added the --enable-asan configure flag to enable address sanitizer @@ -500,7 +552,7 @@ What's new in Sudo 1.8.16 * Fixed support for negating character classes in sudo's version of the fnmatch() function. - * Fixed a bug in the LDAP and SSSD backends that could allow an + * Fixed a bug in the LDAP and SSSD back-ends that could allow an unauthorized user to list another user's privileges. Bug #738. * The PAM conversation function now works around an ambiguity in the @@ -613,7 +665,7 @@ What's new in Sudo 1.8.14p2 What's new in Sudo 1.8.14p1 * Fixed a bug introduced in sudo 1.8.14 that prevented the sssd - backend from working. Bug #703. + back-end from working. Bug #703. What's new in Sudo 1.8.14 
@@ -1522,7 +1574,7 @@ What's new in Sudo 1.8.5? ldap_start_tls_s() function. * The TLS_CHECKPEER parameter in ldap.conf now works when the - Mozilla NSS crypto backend is used with OpenLDAP. + Mozilla NSS crypto back-end is used with OpenLDAP. * A new group provider plugin, system_group, is included which performs group look ups by name using the system groups database. diff --git a/configure b/configure index 4146c8813..b97bf34dc 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for sudo 1.8.21p2. +# Generated by GNU Autoconf 2.69 for sudo 1.8.22. # # Report bugs to . # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.8.21p2' -PACKAGE_STRING='sudo 1.8.21p2' +PACKAGE_VERSION='1.8.22' +PACKAGE_STRING='sudo 1.8.22' PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/' PACKAGE_URL='' @@ -1539,7 +1539,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sudo 1.8.21p2 to adapt to many kinds of systems. +\`configure' configures sudo 1.8.22 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1604,7 +1604,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.8.21p2:";; + short | recursive ) echo "Configuration of sudo 1.8.22:";; esac cat <<\_ACEOF @@ -1863,7 +1863,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.8.21p2 +sudo configure 1.8.22 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2572,7 +2572,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.8.21p2, which was +It was created by sudo $as_me 1.8.22, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -27021,7 +27021,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.8.21p2, which was +This file was extended by sudo $as_me 1.8.22, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -27087,7 +27087,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sudo config.status 1.8.21p2 +sudo config.status 1.8.22 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 8924782e3..69f04733a 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ dnl dnl Copyright (c) 1994-1996,1998-2017 Todd C. Miller dnl AC_PREREQ([2.59]) -AC_INIT([sudo], [1.8.21p2], [https://bugzilla.sudo.ws/], [sudo]) +AC_INIT([sudo], [1.8.22], [https://bugzilla.sudo.ws/], [sudo]) AC_CONFIG_HEADER([config.h pathnames.h]) AC_CONFIG_SRCDIR([src/sudo.c]) dnl -- 2.50.1