Annotation of src/usr.bin/sudo/CHANGES, Revision 1.20
1.1 millert 1: CHANGES since sudo 1.2
2:
3: 01) sudo now works under hpux, aix, sunos, bsd43, ultrix, linux, osf and irix.
4:
5: 02) Files w/o the executable bit will be ignored if they are in your PATH.
6:
7: 03) If execv() fails, perror is called (which prints out an error based on
8: errno) and sudo exits with -1.
9:
10: 04) Included in this shar should also be a version of getpass() derived from
11: the bsd net-2 source which works on bsd, ultrix, hpux, aix, and irix
12: at least. The latter three unixes have what I consider to be a broken
13: getpass() in that if /dev/tty can't be opened it doesn't just use stdin
14: like bsd getpass(). This means you cannot do: rsh host "sudo command"
15: and have it work if your ticket has expired.
16:
17: 05) The Makefile has changed significantly. It now has defines for all
18: supported architectures.
19:
20: 06) Changed MAXCOMMANDLENGTH from 48 bytes to MAXPATHLEN and included
21: sys/param.h where appropriate.
22:
23: 07) Rewrote the code that expands links & paths. It now works correctly.
24: (rewrote find_path.c)
25:
26: 08) Added a define NEED_STRDUP so we don't conflict with the system's strdup(3)
27:
28: 09) Now does *not* pass LD_* environmental vars on to programs that get
29: exec'd. Also removes SHLIB_PATH for hpux and _RLD_* for dec osf.
30:
31: 10) Now searches current dir last if '.' or '' are in PATH. Misses braindeath
32: like './' but if that's in your path you deserve all the trojans you get.
33:
34: 11) Added in linux patches from drew + flex support.
35:
36: 12) Added insults back in from original sudo(8) (define USE_INSULTS).
37:
38: 13) visudo now uses EDITOR envar (from John_Rouillard@dl5000.bc.edu)
39:
40: 14) you can now specify a dir containing commands that a sudoer can do.
41: (from John_Rouillard@dl5000.bc.edu)
42:
43: 15) Ported to Solaris 2.x (based on a port of sudo 1.1 done by UnixOps).
44:
45: 16) Took out setuid(0); setruid(uid); pairs that bracketed calls to
46: update_timestamp() since they are unnecessary and setruid() is
47: broken on systems without a setreuid(2) or setresuid(2) system call.
48: (Ie: AIX and Solaris 2.x).
49:
50: 17) The bulk of sudo now runs with the caller's real uid. Grep for
51: be_root() to find the exceptions.
52:
53: CHANGES from sudo 1.3
54:
55: 18) Added SECURE_PATH as suggested by russells@ccu1.auckland.ac.nz.
56:
57: 19) Reworked clean_envp() to modify environ (not envp) so we can use
58: execvp() safely.
59:
60: 20) Now use execvp() instead of execve() so sudo /bin/kill works under
61: broken solaris. This also fixed sudo /etc/fastboot under stock
62: 4.3 BSD. Basically, this means that any executable shell script that
63: lacks a '#!/bin/sh' magic number will now work with sudo. Personally
64: I think that the broken scripts should be fixed rather than changing
65: sudo, but vendors will be broken. Sigh.
66:
67: 21) Added USE_EXECV define so you can make sudo use execv() if you
68: want. Using execvp() shouldn't be a problem since it is always
69: handed a non-relative path that begins with '/' but some people
70: may not trust execvp().
71:
72: 22) Log file lines will no longer get truncated. Syslog entries that
73: would overrun the syslog(3) line limit are continued on another entry.
74:
75: 23) When logging to a log file, long entries are indented to improve
76: readability.
77:
78: 24) Whenever the umask is changed, it is changed back to what it was
79: before.
80:
81: 25) Log file is written as mode 600 instead of 644
82:
83: 26) Umask that sudo runs with may now be specified.
84:
85: 27) There is now a "configure" script.
86:
87: 28) Sudo will use ultra fast crypt (ufc) if it finds it for systems w/o
88: a real crypt(3) (non-US ConvexOS/Secure for instance).
89:
90: 29) _BSD_COMPAT is now defined for Irix.
91:
92: 30) The global variable uid is now initialized to -2 because I'm paranoid.
93:
94: 31) Native Solaris 2 port from Matthew.Stier@aisg.com
95:
96: 32) Now use sysconf(2) instead of getdtablesize(2) if it is available
97: (see change #31). Because of this, the getdtablesize() emulation for
98: hpux is no longer necessary.
99:
100: 33) Now only do a getcwd(3) or getwd(3) once and do it as the real user.
101: Sudo should no longer complain that it can't get the cwd unless
102: there is a real problem.
103:
104: 34) Changed some malloc'd globals of fixed length to be allocated from
105: the stack instead as there was no win in allocating them from the
106: heap.
107:
108: 35) Fixed AIX STATIC_FLAGS as per the AIX faq.
109:
110: 36) Added -V flag to sudo and visudo (for version)
111:
112: 37) Now treat EACCES like EPERM when doing stat(2) in find_path.c
113:
114: 38) Added prototypes for sudo functions (via __P macro)
115:
116: 39) configure now uses uname(1) if it exists
117:
118: 40) gethostbyname(3) is now only called if you define FQDN. There's really
119: no reason to not trust gethostname(2) and this way if name service is
120: hosed sudo isn't...
121:
122: 41) added -v (validate) flag to sudo to update a timestamp w/o running
123: a command
124:
125: 42) now use tgetpass() (getpass with a timeout)
126:
127: 43) find_path() now uses realpath(3)
128:
129: 44) wrote versions of realpath(3) and getcwd(3) for those without
130:
131: 45) wrote tgetpass()--a getpass() that times out via select(2)
132:
133: 46) sudo now uses posix signals if available
134:
135: 47) Finally added ConvexOS C2 security support from
136: "Peter A. Nikitser, Systems Software Support, QUT" <P.NIKITSER@qut.edu.au>
137:
138: 48) You can now #undef MAILER if you don't run sendmail or the equivalent.
139:
140: 49) AFS support from adamh@austin.ibm.com
141:
142: 50) If you define BOTH_LOGS in sudo.h you can log both via syslog(3) *and*
143: to a log file.
144:
145: 51) Added ultrix /etc/auth (enhanced security) support.
146:
147: 52) Sudo now will work with a 4.2BSD syslog (SunOS < 4 && ultrix).
148: Personally, I'd say you are better off logging to a file if
149: your syslog is this ancient.
150:
151: 53) Changed realpath(3) to sudo_realpath() since we need to do the
152: chdir(2) with the invoking uid. sudo_realpath() should be
153: faster than vendor-supplied realpath(3)'s anyway...
154:
155: 54) No longer create a static binary on AIX since it reportedly
156: causes problems on newer versions of AIX 3.x.
157:
158: 55) If sudo_realpath cannot chdir() back to cwd sudo will print
159: an error and exit. Previously it would either fail silently
160: or print an incorrect error message.
161:
162: 56) Moved code to send error mail to be after the log message.
163: From rouilj@cs.umb.edu.
164:
165: 57) Added SUDO_USER and SUDO_UID envars. Suggested by John P. Rouillard
166: (<rouilj@cs.umb.edu>).
167:
168: 58) Added -k and -h options and rearranged some of the code to be
169: more modular and less braindamaged. This introduces the concept
170: of "run modes" to sudo.
171:
172: 59) Fixed visudo and flex. visudo now calls yyrestart() if you are using
173: flex instead of lex. From bostley@cs.colorado.edu.
174:
175: 60) Added a "cat page" for systems w/o nroff.
176:
177: 61) Fixed a bug whereby only the last directory specified in a Cmnd_Alias
178: was checked. Reported by "James R. Hendrick" <hendrick@ctron.com>.
179:
180: 62) All .{c,lex,yacc} files now include both sys/types.h and unistd.h so
181: we are sure to get the typedef of uid_t.
182:
183: CHANGES from sudo 1.3.1
184:
185: 63) Added preliminary support for DEC OSF/1 protected passwords
186: (shadow passwords).
187:
188: CHANGES from sudo 1.3.1pl1
189:
190: 64) More support for DEC OSF/1 protected passwords (shadow passwords).
191:
192: CHANGES from sudo 1.3.1pl2
193:
194: 65) Fixed mail logging to include the username as it should have.
195:
196: 66) Added hostname to log message in error mail.
197:
198: 67) Added -l flag to sudo to list the allowed/forbidden commands.
199: Suggested by matthew@gateway.bsis.com (Matthew Stier)
200:
201: 68) Fixed bison warnings for parse.yacc and visudo.yacc.
202: Pointed out by alfie@dcs.warwick.ac.uk (Nick Holloway).
203:
204: CHANGES from sudo 1.3.1pl3
205:
206: 69) Sudo will now exit with an error if the command to be run is > MAXPATHLEN.
207:
208: 70) Test in configure for termios support was insufficient. It thought
209: Nextstep 3.2 had termios just because it has termios.h (need to link
210: with -posix for termios on NeXT's)
211:
212: CHANGES from sudo 1.3.1pl4
213:
214: 71) First stab at Skey support.
215:
216: 72) Sudo now sets IFS to be SPACE, TAB, NEWLINE.
217:
218: 73) Sudo now sets the real and effective gid to root's group
219: (based on passwd file).
220:
221: 74) Sudo now checks that the sudoers file is owned by a certain user
222: and not readable or writable by anyone else.
223: (based on a suggestion by Joerg Schumacher <schuma@ips.cs.tu-bs.de>)
224:
225: 75) Visudo now sets the owner on the new sudoers file based on #74
226:
227: 76) Sudo and visudo will now compile with byacc (Berkeley yacc).
228:
229: 77) If the rename(2) of stmp -> sudoers fails /bin/mv is executed before
230: bailing. Based on code from Case Larsen <clarsen@mh1.lbl.gov>.
231:
232: 78) User-level configuration is now done in options.h.
233:
234: 79) Moved all compatibility #defines to compat.h
235:
236: 80) Incorporated new parsing code from Chris Jepeway <jepeway@cs.utk.edu>.
237: This is much better than the previous parser.
238:
239: 81) Rewrote visudo.c and tickled parse.yacc to work with it. Visudo
240: now gives you options if a parse error occurs rather than blindly
241: dumping you back in the editor.
242:
243: 82) Took out all references to realpath since we are now checking based
244: on inode and device (with Chris' new parser). The upshot of this
245: is that path matches are done safely and the symlink problem has
246: gone away.
247:
248: 83) Fixed bison warnings from new parse.yacc.
249:
250: 84) Added a default case to parse.lex to error on unmatched tokens as Chris
251: suggested.
252:
253: 85) Converted configure.in and acsite.m4 to autoconf 2.1.
254:
255: 86) Added lsearch.c and search.h for os's w/o lsearch()/lfind().
256:
257: 87) Sudo now checks to see that the file it is executing is a regular file
258: (was just checking the execute bit so dirs slipped through).
259: Pointed out by Barb Dijker <barb@labyrinth.com>.
260:
261: 88) Fixed a problem on HP-UX trusted systems with getpwuid() returning "*"
262: unless the real uid is 0. Reported by Brian Cunnie (cunnie@nyc.hp.com).
263:
264: 89) configure now checks for size_t and ssize_t in unistd.h as well
265: as sys/types.h.
266:
267: 90) configure now checks for egrep before actually using it.
268:
269: 91) configure now checks for a working void implementation (ie: void * as
270: a generic pointer) and sets VOID to void or char accordingly.
271:
272: 92) Added support for SunOS 4.x C2 security (shadow passwords) from
273: Kendall Libby (fubar@shore.net)
274:
275: 93) Changed all occurrences of bzero() to memset() and bcopy() to
276: memmove().
277:
278: 94) Fixed a bug in sudo.c. If a user has no passwd entry sudo would
279: dump core (writing to a garbage pointer). Pointed out by
280: Stephen Schaefer <sps@gateway.bsis.com>.
281:
282: 95) Worked around a bug in AIX's lex in parse.c. AIX lex doesn't seem
283: to handle {x,y} range notation correctly. Bleah.
284:
1.2 millert 285: 96) Sudo would not report a failed attempt if the user entered return
1.1 millert 286: at the 2nd password: prompt so someone trying to guess a password
287: could just invoke sudo multiple times and try one passwd at a time.
288: Reported by Jonathan Adams <jonathan@smada.com>.
289:
290: 97) Added User_Alias facility.
291:
292: 98) Rewrote most of the ip address / network support. Now works on all
293: systems sudo has currently been tested on.
294:
295: 99) Sudo now sets SUDO_COMMAND and SUDO_GID envariables in addition to
296: SUDO_USER and SUDO_UID.
297:
298: 100) Added changes to configure.in for UnixWare.
299: (from John Warburton <jwarb@SACBH.com.au>)
300:
301: 101) Merged in changes for Interactive Unix and RISCos.
302: (from Andy Smith <abs@maunsell.co.uk>)
303:
304: 102) Added testsudoers (from Chris Jepeway <jepeway@cs.utk.edu>).
305:
306: 103) Added fix for parse.yacc to avoid the kludge I was doing.
307: (from Chris Jepeway <jepeway@cs.utk.edu>)
308:
309: 104) Now remove the IFS envar if set instead of setting it to a "safe"
310: value to avoid problems with make and others.
311:
312: 105) Added FAST_MATCH option to check basenames of sudo command and
313: paths listed in sudoers file. If the basename doesn't match
314: then it is not a match. If the basename matches, then do
315: a stat to make sure it is a valid match.
316:
317: 106) Now only stat(2) cmnd once in path_matches() (in parse.c). Sudo
318: was stating cmnd for *every* attempted match. Now the stat struct
319: is cached (ie: the var is a static).
320:
321: 107) Signal handlers in visudo are now only installed after the stmp
322: file is opened. Previously, it was possible to erase an open
323: stmp file by sending visudo a signal within a small window.
324:
325: 108) Added Goon Show insults from Russell Street <r.street@auckland.ac.nz>.
326:
327: 109) Broke out the insults into separate include files (insults.h
328: is the master and includes the appropriate one).
329:
330: 110) Now use getwd() instead of getcwd() and provide emulation for
331: OS's w/o it. This was done since some OS's with getwd()
332: implement getcwd() via a pipe to pwd(1). By emulating getwd()
333: by calling getcwd() on OS's w/o getwd() we lose nothing since
334: the compiler should optimize away the extra function call.
335:
336: 111) Added crypt() for DEC OSF/1 3.x enhanced security.
337: From "Richard L Jackson Jr" <rjackson@osf1.gmu.edu>.
338:
339: 112) Added an option to run the command in the background (-b) as
340: suggested by Jonathan Adams <jonathan@smada.com>
341:
342: 113) First stab at kerberos support. I'm not really sure it is
343: possible to do this in a sane manner. Sigh.
344:
345: 114) Better kerberos support. Had to use setreuid(2) but falls
346: back on a kludge if that does not exist or is broken.
347:
348: 115) Added -p (password prompt) support.
349: Suggested by "David W. Cooley" <dwcooley@COLBY.EDU>
350:
351: 116) Added partial implementation of -l (list) flag.
352: This is probably as good as it will get until sudo:tng.
353:
354: 117) Added anti-spoofing code to tighten up a race condition
355: where a user could run sudo some_link and then change
356: where the link pointed after the old link had been
357: validated but before the exec().
358:
359: 118) Now update timestamp file via utime() (and emulate via utimes()
360: if necessary) to eliminate a small race. Works with
361: both POSIX utime() as well as old utime() in BSD <= 4.3.
362:
363: 119) Kerberos ticket file now lives in same dirs as sudo timestamp
364: files (to avoid trouncing on normal ticket file) and is removed
365: after validation.
366:
367: 120) Now log tty user is on as well as pwd in sudo logs.
368:
369: CHANGES from sudo 1.3.2 BETA
370:
371: 121) Fixed a bug in the anti-spoofing check.
372:
373: 122) Fixed up ISC support so that it works and looks like non-streams
374: stuff in interfaces.c.
375:
376: 123) Now deal correctly with ip implementations that have an sa_len
377: field in struct sockaddr.
378:
379: 124) Check ownership and permissions on timestamp dir and ignore if
380: not owned by root and mode 0700. Problem pointed out by Larry Auton
381: <lda@research.AT&T.com> and Navjot Singh <singh@research.AT&T.com>.
382:
383: 125) Ignore timestamp files with preposterous dates to keep people from
384: faking out sudo on OS's that allow you to give away files to root.
385: Problem pointed out by Larry Auton <lda@research.AT&T.com> and
386: Navjot Singh <singh@research.AT&T.com>.
387:
388: 126) A timeout of 0 will now cause a password to be entered every
389: time. Based on a suggestion by Larry Auton <lda@research.AT&T.com>
390: and Navjot Singh <singh@research.AT&T.com>.
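
Items 124 to 126 above describe the checks applied before a timestamp file is trusted. The following C sketch is an added example, not code from sudo: `ticket_evaluate`, `ticket_check` and `FUTURE_SLACK_SECS` are hypothetical names, and the 60-second allowance for clock skew is an assumption, since the changelog does not say how far ahead a date must be to count as preposterous.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700          /* for lstat(2) and the S_IF* constants */
#endif
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <time.h>

/* Assumption: tolerated clock skew; the changelog gives no threshold. */
#define FUTURE_SLACK_SECS 60

/* Hypothetical verdicts; only TICKET_CURRENT lets the caller skip the prompt. */
enum ticket_status {
    TICKET_CURRENT,
    TICKET_EXPIRED,
    TICKET_MISSING,
    TICKET_BAD_DIR,
    TICKET_PREPOSTEROUS
};

/* Item 124: trust the directory only if it is a real directory (callers use
 * lstat, so a symlink fails), owned by root, with mode exactly 0700. */
bool ticket_dir_ok(const struct stat *dir)
{
    return S_ISDIR(dir->st_mode)
        && dir->st_uid == 0
        && (dir->st_mode & 07777) == 0700;
}

/* Pure decision function, so the policy can be tested without touching disk. */
enum ticket_status ticket_evaluate(const struct stat *dir,
                                   const struct stat *ticket,
                                   time_t now, int timeout_min)
{
    time_t window;

    if (!ticket_dir_ok(dir))
        return TICKET_BAD_DIR;          /* ignore everything inside it */
    if (timeout_min <= 0)
        return TICKET_EXPIRED;          /* item 126: always ask */
    if (!S_ISREG(ticket->st_mode))
        return TICKET_MISSING;
    if (ticket->st_mtime > now + FUTURE_SLACK_SECS)
        return TICKET_PREPOSTEROUS;     /* item 125: date in the future */
    window = (time_t)timeout_min * 60;
    return (now - ticket->st_mtime > window) ? TICKET_EXPIRED : TICKET_CURRENT;
}

/* Filesystem wrapper: lstat() both paths, then apply the policy above. */
enum ticket_status ticket_check(const char *dir_path, const char *ticket_path,
                                int timeout_min)
{
    struct stat dir, ticket;

    if (lstat(dir_path, &dir) != 0 || lstat(ticket_path, &ticket) != 0)
        return TICKET_MISSING;
    return ticket_evaluate(&dir, &ticket, time(NULL), timeout_min);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s timestampdir ticketfile\n", argv[0]);
        return 2;
    }
    /* 5 minutes is an arbitrary timeout chosen for the demonstration. */
    printf("status=%d\n", (int)ticket_check(argv[1], argv[2], 5));
    return 0;
}
```

The future-date test matters because, as item 125 notes, a root-owned file is not proof that root created it on systems that let users give files away.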
391:
392: CHANGES from sudo 1.3.3 BETA
393:
394: 127) Cleaned up interfaces.c so that it is more readable.
395:
396: 128) Added support for syslog()'s that don't guarantee delivery
397: of a message. HP-UX is the only known offender.
398:
399: 129) No longer use memmove() since memcpy() does what we need and
400: configure doesn't always catch memmove() even when it is
401: there (may be a library problem).
402:
403: 130) Updated man page to reflect two more security issues.
404:
405: 131) Cleaned up shadow password support in check.c. It should now
406: be readable.
407:
408: 132) Added SCO support.
409:
410: 133) Added check to configure to find the max length of a uid_t
411: in characters.
412:
413: 134) Removed uid2str() since we now know how big a uid_t/gid_t
414: can be. This eliminates a few malloc()'s.
415:
416: 135) Added support for multiple insult types. Based on code and
417: a suggestion from Dieter Dworkin Muller <dworkin@village.org>.
418:
419: 136) Replaced clean_env() and rmenv() with a rewritten clean_env()
420: that should be a little faster. This also makes it easier to
421: add to the list of "dangerous" envariables.
422:
423: 137) Added netgroup support. Netgroups must start with a leading
424: "+" so that sudo knows it is a netgroup.
425:
426: 138) Split out sudoers file format into its own man page.
427: As suggested by Andy Smith <abs@maunsell.co.uk>.
428:
429: 139) Updated testsudoers.c to grok netgroups.
430:
431: CHANGES from sudo 1.3.4 BETA
432:
433: 140) Added SecurID support from Giles Todd <giles@gt.demon.co.uk>.
434:
435: 141) Added -s flag to start a root shell and -- to signify end of args.
436:
437: 142) Sped up logging routines by replacing strncpy()'s with strcat()'s.
438: This is safe because we dynamically allocate logline to be big enough.
439:
440: 143) Now support command line arguments in the sudoers file.
441:
442: 144) Sped up the loading of command line arguments. This fixes the
443: "commands with large argc's take forever to run" bug.
444:
445: 145) Expanded MAXCOMMANDLEN to 8K since we now have to deal with
446: command line arguments. Added bounds checking in fill() and
447: append() so we don't drop core.
448: XXX - 8k makes sudo *SLOW*
449:
450: 146) Added support in the lexer for "termination characters" to be
451: escaped. Ie: you can now use [\,:=] in command line args
452: as long as you escape with a \.
453:
454: 147) Testsudoers can now deal with commands that have arguments.
455:
456: 148) If a file is not executable or not a regular file sudo will
457: now give the appropriate error message instead of just
458: "command not found" which is misleading.
459:
460: 149) Fixed a bug where if FQDN is set, load_interfaces() was never
461: called.
462:
463: 150) tty is now a global so it can be used in the ticket file
464: at a later date.
465:
466: 151) Strings in the parser are now allocated dynamically. This results
467: in a large speedup as compared to a 1K array on the stack. I
468: have freed the strings in the parser where appropriate but that
469: may not catch all instances. Even so, the average sudo now
470: takes up less memory than the 1K array version.
471:
472: 152) Fixed a bug in tgetpass() and configure that broke termio/termios
473: support for some OS's.
474:
475: 153) Added cheapo implementation of tty-based timestamps. The correct
476: way is to have username be a directory with the tty tickets
477: inside. However, the current code does not take to that very
478: well, and it does not allow the two systems to coexist. Therefore,
479: instead of timestampdir/user/tty it is timestampdir/user.tty.
480:
481: 154) Added support for building in other than the source directory.
482: Based on changes from "Simon J. Gerraty" <sjg@frodo.dn.itg.telecom.com.au>
483:
484: 155) options.h and pathnames.h are now included via angle brackets
485: (<>) so as to use the -I include path. This way, those using
486: a shadow build tree may have local copies of these headers
487: w/o clobbering the distribution ones.
488:
489: 156) EXEMPTGROUP is now a string (group name) and user_is_exempt()
490: is now less of a hack. It uses getgrnam(EXEMPTGROUP) to
491: get a list of users in the exempted group.
492:
493: 157) --prefix and --exe_prefix are now honored in the Makefile.
494:
495: 158) Sudo will now behave reasonably in the case where the sudoers
496: file location is mounted via NFS and the client does not
497: have "root" NFS privs.
498:
499: 159) _PATH_SUDO_SUDOERS, _PATH_SUDO_STMP, and SUDOERS_OWNER are
500: now set via the Makefile since that appears to be what
501: most people expect...
502:
503: 160) Now include a pre-generated version of parse.lex since so many
504: versions of lex are brain damaged. If parse.lex is changed
505: a new lex.yy.c will be generated. The distribution copy is
506: sudo-lex.yy.c.
507:
508: 161) Upgraded to GNU autoconf version 1.5. There are now even
509: *more* options.
510:
511: CHANGES from sudo 1.3.5 BETA
512:
513: 162) Fixed S/Key support.
514:
515: 163) Cleaned up shadow password support further by moving much of
516: it to getspwuid.c.
517:
518: 164) First cut at DCE support. [needs work to be functional]
519:
520: 165) New Digital UNIX C2 support based on code from
521: "Randy M. Hayman" <haymanr@icefog.sois.alaska.edu>
522:
523: 166) S/key support now works with the generic bellcore s/key
524: as well as the s/key from Wietse Venema's logdaemon.
525: (Previously only worked with the logdaemon s/key).
526: As an added bonus the s/key challenge is now embedded
527: in the password prompt for a cleaner look.
528:
529: 167) lsearch.c will now compile on a strict ANSI C compiler.
530: ANSI doesn't allow pointer arithmetic on a "void *"
531: but gcc does.
532:
533: 168) Brought back latest HP-UX DCE support from Jeff Earickson
534: <jaearick@colby.edu>.
535:
536: 169) configure now completely groks $SUDO_LIBS and $VISUDO_LIBS.
537: Plain old $LIBS is no longer used. LDFLAGS has also been
538: split up into $SUDO_LDFLAGS and $VISUDO_LDFLAGS.
539: The reason for this is that sudo often needs extra libs
540: for alternate authentication schemes but visudo rarely does.
541:
542: 170) The code to copy command arguments failed for large values of
543: argc due to realloc() lossage. We now cheat and treat argv[]
544: as a flat string (since that's what it is) and use pointer
545: arithmetic to compute the length. Kind of sneaky but it
546: works (and is relatively fast).
547:
548: CHANGES from sudo 1.3.6 BETA
549:
550: 171) Added support for UN*X groups in sudoers based on code from
551: Dougal Scott <dwagon@aaii.oz.au>.
552:
553: 172) interfaces.c should work on ISC UN*X again.
554:
555: 173) All source files are <= 14 characters for old SYSV filesystems.
556:
557: CHANGES from sudo 1.3.7 GAMMA
558:
559: 174) Minor configure[.in] fixes.
560:
561: 175) tgetpass.c now compiles on OS's that put the definition of
562: fd_set in <sys/bsdtypes.h>
563:
564: CHANGES from sudo 1.4
565:
566: 176) Command args in sudoers are now stored in an argument vector
567: instead of a flat string to make wildcard matching simpler.
568:
569: 177) Added NewArgv and NewArgc that describe the command to be
570: executed. The copy of args in cmnd_args is no longer necessary
571: and has been removed.
572:
573: 178) Using strcmp(3) for argument matching in command_matches()
574: (was path_matches()) is no longer sufficient since we don't
575: have a flat string. compare_args() is used instead which
576: calls either strcmp(3) or wildmat(3l) depending on whether
577: there are shell-style meta chars (wildcards) present.
578:
579: 179) Shell-style wildcard matches are now available in the sudoers
580: file. Matches are done via Rich $alz's wildmat(3).
581: This required the tweaks described in #176-178 as well as
582: other, more minor, changes.
583:
584: 180) Commented out rule to build lex.yy.c from parse.lex since
585: we ship with a pre-flex'd parser and can't rely on file
586: dates being set correctly.
587:
588: 181) Fixed visudo and testsudoers to deal with new argument
589: vector handling.
590:
591: 182) A null string ("") as shell in passwd file (or $SHELL) is
592: now treated as the bourne shell.
593:
594: 183) Converted *.man to pod format for easy conversion to man,
595: html, latex, and just plain text. Tried to make the
596: sudoers manual easier to read in the process.
597:
598: 184) Updated sample.sudoers and sudoers.pod to include info
599: on wildcards.
600:
601: CHANGES from sudo 1.4.1
602:
603: 185) compat.h now defines _PASSWD_LEN based on PASS_MAX if it
604: is defined (from limits.h on SYSV).
605:
606: 186) Both short and long hostnames may now be used in the sudoers
607: file if FQDN is defined. From patches submitted by
608: Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>.
609:
610: 187) Now use skeylookup() instead of skeychallenge(). Hopefully
611: this will work around a problem some people have reported
612: on Solaris 2.5 with sudo and logdaemon 5.0's skey.
613:
614: 188) Now uses /var/run to hold timestamp files if it exists. This
615: is more secure.
616:
617: 189) configure now puts the timestamp dir in /var/run if it exists.
618: Suggestion by Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>.
619:
620: 190) Both short and long hostnames now exist even if FQDN is not set.
621: This allows machines with fully qualified hostnames set via
622: hostname(1) to use them in the sudoers file.
623:
624: 191) sudo was not honoring "." in $PATH due to a bug in find_path().
625:
626: 192) Added IGNORE_DOT_PATH option to ignore "." in $PATH.
627:
628: 193) tgetpass() now uses raw read(2) and write(2) instead of stdio.
629: This should make it work on more OS's. Previously, it used
630: stdio (buffered) fgets(3) and fputs(3) with select(2) which
631: may not be legal. Also got rid of the nasty goto's and
632: generally simplified the code.
633:
634: 194) Parser now supports hostnames like UPPERCASE.foo.com. Previously,
635: `UPPERCASE' was interpreted as an Alias. This means that
636: the `fqdn' stuff has been moved to the lexer (FQHOST is used
637: to avoid collision with FQDN option).
638:
639: 195) Reworked --with-FOO in configure.in to support --without-FOO.
640: Made shadow passwords the default for appropriate OS's. They
641: can be turned off with --without-C2.
642:
643: 196) Added NO_PASSWD option for those who don't want to be bothered
644: by a password prompt from sudo. This is really just a hack.
645:
646: 197) Added support for double quotes to mean "treat these words as one
647: argument". This is similar to what most shells do.
648:
649: 198) Added mkinstalldirs to make install destination dirs if
650: they do not already exist.
651:
652: CHANGES from sudo 1.4.2
653:
654: 199) Added support for --with-CC (which C compiler to use).
655:
656: 200) Added support for NOPASSWD token and running commands as
657: specified users (sudo -u) from Keith Garry Boyce
658: <garp@opustel.com>
659:
660: 201) Only link with -lshadow for Linux if libc lacks getspnam(). Problem
661: pointed out by Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>.
662:
663: 202) Replaced SUDOERS_OWNER with SUDOERS_UID and SUDOERS_GID. Added
664: SUDOERS_MODE and changed the default to 0440 (from 0400).
665: It is now possible to NFS-mount sudoers without doing anything fancy.
666:
667: 202) If a runas list is specified, a user may only run commands as
668: "root" if "root" is a member of the runas list. The old behavior
669: was to always allow commands to be run as root, even if a runas
670: list was specified. Now you can give someone "sudo -u operator"
671: and not have the equivalent of "sudo -u root" as well.
672:
673: 203) Added "USER=%s" to logging functions.
674:
675: 204) configure will now add -lPW to (VI)?SUDO_LIBS if using bison
676: or DCE and alloca(3) is not in libc (or provided by gcc) but
677: is in libPW.a.
678:
679: 205) sudo would give an incorrect error message if the sudoers file
680: didn't exist due to close() stomping errno if the open() failed.
681:
682: 206) Fixed "shell" mode (sudo -s). When building NewArgv sudo was
683: not allocating space for the NULL.
684:
685: 207) Added support for wildcards in the pathname. Ie: /bin/*.
686:
687: 208) 'command ""' in sudoers now means no args allowed.
688:
689: 209) Added command line args to SUDO_COMMAND envariable.
690:
691: 210) HP-UX 10.x with C2 now uses bigcrypt().
692: Changes from david_dill@Merck.Com (David Dill).
693:
694: 211) lsearch.c will now compile w/o compiler warnings.
695: (Updated from NetBSD lsearch.c)
696:
697: 212) Now uses POSIX fnmatch(3) (which uses ! instead of ^ in ranges)
698:
699: CHANGES from sudo 1.4.3
700:
701: 213) Now allows network/netmask in sudoers to override per-interface
702: netmask.
703:
704: 214) Fixed -u support with multiple user lists on a line.
705:
706: 215) Fixed a core dump problem when built with -DSHELL_IF_NO_ARGS.
707:
708: 216) Fixed 2 typos in parse.yacc and removed some unnecessary if's.
709:
710: 217) Now always use install-sh since SunOS install can't do uid/gid's.
711: Other BSD installs are probably similarly afflicted.
712:
713: 218) Fixed NFS-mounted sudoers file under solaris: both uid *and* gid
714: were being set to -2. Now set uid to 1 to avoid group being
715: remapped.
716:
717: 219) Now includes alloca.c (from gcc) for those w/o it. Linking
718: against -lPW breaks visudo on HP-UX and probably others.
719:
720: 220) Added --with-libpath, --with-libraries, --with-incpath options
721: to configure.
722:
723: 221) configure now uses shicc instead of gcc on BSD/OS >= 2.0 to
724: generate binaries linked with shared libs.
725:
726: 222) The parser was setting no_passwd even if there wasn't a
727: runas match. I reordered some things in parse.yacc
728: to fix this.
729:
730: 223) `sudo -v' (validate) wasn't paying attention to NOPASSWD.
731: Now it does.
732:
733: 224) testsudoers now groks "-u user".
734:
735: 225) Updated AFS support based on what tcsh 6.06 does.
736:
737: 226) Fixed a typo/thinko that broke BSD > 4.3reno wrt interfaces.c.
738:
739: 227) HPUX 10.X shadow password stuff now uses SecureWare routines.
740:
741: 228) SecureWare passwd checking now uses bigcrypt() if available.
742: Now uses AUTH_MAX_PASSWD_LENGTH if defined.
743:
744: 229) configure now makes sure you don't have a config.cache file
745: from another OS.
746:
747: 230) Added better shadow password detection.
748: BSD >= 4.3reno -> /etc/master.passwd
749: hpux9: getspwnam() -> /.secure/etc/passwd
750: hpux10: getspnam() or getprpwnam() -> /tcb/files/auth/*/* (link with -lsec)
751: SVR4: getspnam() -> /etc/shadow
752: solaris: getspnam() -> /etc/shadow
753: irix[56].x: getspnam() -> /etc/shadow
754: sunos 4.x: getpwanam() -> /etc/security/passwd.adjunct
755: DUNIX: getprpwnam() -> /tcb/files/auth/*/* (link with -lsecurity)
756: SecureWare: getprpwnam() -> /tcb/files/auth/*/*
757: ultrix 4.x: getauthuid() -> /etc/auth.{pag,dir}
758:
759: 231) '(' in command args is no longer a syntax error.
760:
761: 232) '!command' now works in the presence of a runas or NOPASSWD token.
762: Simplified parse rules wrt runas and NOPASSWD (more consistent).
763:
764: 233) Command args are now compared as a flat string again. This makes
765: wildcard matches more consistent.
766:
767: 234) DUNIX C2 support now groks AUTH_CRYPT_OLDCRYPT and AUTH_CRYPT_C1CRYPT.
768:
769: 235) configure now uses config.{sub,guess} to guess OS type.
770: Sudo should work out of the box on more OS's now.
771:
772: 236) Got rid of HAVE_C2_SECURITY, now just use SHADOW_TYPE.
773:
774: 237) Fixed race in tgetpass() where echo can be turned off and
775: left off if sudo is used in a pipeline and a password is
776: required.
777:
778: CHANGES from sudo 1.4.4
779:
780: 238) `sudo -l' output now includes runas and NOPASSWD info and
781: asks for a password unless NOPASSWD for ALL is set.
782:
783: 239) Sudo can now deal with all-caps user and host names.
784:
785: 240) Sudo will now remove the "ENV" and "BASH_ENV" envariables.
786: From Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>.
787:
788: 241) `sudo -l' will now expand Cmnd_Alias's (could be prettier).
789:
790: 242) `sudo -s' will now set $HOME to root's homedir (or that of
791: the user specified -u) so dot files get sourced.
792:
793: CHANGES from sudo 1.4.5
794:
795: 243) $HOME was always being set, not just with `-s'.
796:
797: 244) In visudo, the owner and group of the sudoers file were
798: being set too early; an editor could change them and change
799: the owner/group of the resulting sudoers file.
800:
801: CHANGES from sudo 1.5
802:
803: 245) Added SHELL_SETS_HOME option.
804:
805: 246) Added NO_MESSAGE option.
806:
807: 247) Added %u and %h escapes in PASSPROMPT to expand to user's name
808: and host.
809:
810: 248) Added "SUDO_PROMPT" envariable.
811:
812: 249) Usernames may now begin with a digit. Gross, but people do it.
813:
814: Sudo 1.5.1 released.
815:
816: 250) Added `opie' support.
817:
818: 251) Added check to make sure fnmatch() really works.
819:
820: 252) Now use the prompt S/Key gives us instead of rolling our own.
821:
822: 253) Added -H flag from Danny Barron <dcbarro@nppd.com>.
823:
824: 254) Add SUDO_PS1 envariable support.
825:
826: 255) Attempt at sequent support.
827:
828: Sudo 1.5.2 released.
829:
830: 256) visudo acts sanely when there is no sudoers file.
831:
832: 257) Added Runas_Alias support.
833:
834: 258) Sudo will now work with SUDOERS_MODE == 400 and SUDO_UID = 0.
835:
836: 259) Alias's in a runas list are now expanded.
837:
838: 260) Fixed bug with > 32 saved aliases. Reported by BHH@capgroup.com.
839:
840: 261) Code that uses sprintf() is now more paranoid about buffer
841: overflows.
842:
843: 262) Whitespace is now allowed after a line continuation character before
844: a newline in sudoers.
845:
846: 263) %h in MAILSUBJECT expands to local hostname.
847:
848: Sudo 1.5.3 released.
849:
850: 264) Don't pass getdtablesize() as first arg to select(2). No need
851: to do this since we only select on one fd--use (fd+1) as nfds
852: and the old way caused problems on some systems (arguably
853: a bug in those OS's). From Marc Slemko marcs@znep.com.
854:
855: 265) Fixed coredump when passwd file is missing or unavailable.
856: Reported by Jason Downs <downsj@teeny.org> and
857: Klee Dienes <klee@mit.edu> (via a Debian Linux bug report).
858:
859: 266) Fixed bug wrt exclusion lists and relative pathnames.
860: Reported by osiris@COURIER.CB.LUCENT.COM.
861:
862: 267) exit(1) if user doesn't enter a passwd.
863: Noted by Alex Parchkov <alexp@ind.tansu.com.au>.
864:
865: Sudo 1.5.4 released.
866:
867: 268) Newer versions of Irix use _RLDN32_* envariables for 32-bit binaries
868: so ignore _RLD* instead of _RLD_*. From tarrall@bamboo.Colorado.EDU.
869:
870: 269) Only open sudoers file once as opposed to once for sanity checks and
871: once for the parser. Also try to open ten times if we get EAGAIN.
872:
873: Sudo 1.5.5 released.
874:
875: 270) Initialize group vector if we are becoming a user other than root.
876: For root, it is often more useful to hang on to our existing group
877: vector.
878:
879: 271) Fix usage of select(2) to deal correctly with a high-numbered fd.
880:
881: 272) Fixed a bug where sudo sometimes didn't give the user a chance to
882: enter a password at the prompt.
883:
884: 273) Use a dynamically sized buffer when reading ether interfaces.
885:
886: 274) Fixed configure problems with identification of HP-UX > 10.x and
887: with cc being identified as a cross compiler on some platforms.
888:
889: 275) Fixed a problem with HP-UX 10.x and alloca. Bison does not
890: include alloca.h on HP-UX 10.x even though it uses alloca()
891: (and thus needs the #define of alloca(x) to __builtin_alloca(x)).
892: To fix this we include alloca.h ourselves if using bison and not gcc.
893:
894: 276) Included support for the AIX 4.x authenticate() function from
895: Matt Richards <v2matt@btv.ibm.com>.
896:
897: 277) Fixed an off by one error in the parser. Found by
898: Piete Brooks <Piete.Brooks@cl.cam.ac.uk>
899:
900: 278) Change NewArgv size computation to work on UNICOS.
901: From Mike Kienenberger <mkienenb@arsc.edu>
902:
903: 279) Added --with-logfile and --with-timedir configure options.
904:
905: 280) Use getcwd(3), not getwd(3) to avoid possible buffer overflow.
906: Use BSD getcwd(3) if system lacks one or is SunOS 4.x.
907:
908: 281) Fix 'fprintf' argument mismatches in 'visudo.c'.
909: From ariel@oz.engr.sgi.com (Ariel Faigon)
910:
911: 282) Use waitpid or wait3 to reap children in logging.c.
912: Pointed out by Theo de Raadt <deraadt@theos.com>
913:
914: 283) Sudo should prompt for a password before telling the user that
915: a command could not be found. Noted by rhodie@NAC.NET.
916:
917: 284) Fix OTP_ONLY for opie; "Deven T. Corzine" <deven@fuse.net>.
918:
919: 285) Include pre-yacc'd parse.yacc as sudo.tab.[ch] since more and
920: more vendors are charging for yacc (bad vendor, no cookie).
921:
922: 286) Use MAX*, not MAX*+1
923:
924: 287) Add support for Hitachi SR2201, from b-edgington@hpcc.hitachi-eu.co.uk
925:
926: 288) Added RUNAS_DEFAULT option to allow one to compile sudo with a
927: default runas user other than root.
928:
929: 289) Add options to log the hostname in the file-based log and to not
930: do word wrap in file-based log. From Theo Van Dinter <tvd@chrysalis.com>
931:
932: 290) RedHat Linux pam support, from Gary Calvin <GCalvin@kenwoodusa.com>.
933: pam.sudo goes in /etc/pam.d/sudo on RedHat 5.0 and above.
934:
935: 291) With sudo -s, set command to the full path of the shell, not the basename.
936: Noted by Peter W. Osel <pwo@guug.de>
937:
938: Sudo 1.5.6 released.
939:
940: 292) Pam auth now runs as root; necessary for shadow passwords.
941:
942: 293) Shadow password support is now compiled in by default. You can disable
943: it via --disable-shadow.
944:
945: 294) We now remove a timestamp file with a bogus date when it is detected.
946: From Steve Fobes <sfobes@uswest.com>.
947:
948: 295) In tgetpass(), restart select if it is interrupted. This really fixes a
949: problem where a user sometimes is not given a chance to enter a password.
950:
951: 296) All options have moved from options.h -> configure.
952:
953: 297) visudo is now installed in /usr/local/sbin where it belongs.
954:
955: 298) Lots of configure changes. Instead of checking for the existence
956: of -lsocket, -lnsl, or -linet, we instead check them for the
957: functions we need only if they are not already in libc.
958:
959: 299) Added DUNIX SIA (Security Integration Architecture) support from
960: Spider Boardman <spider@Orb.Nashua.NH.US>.
961:
962: 300) Added test for broken Digital UNIX 4.0 prot.h.
963:
964: 301) Better support for C2 security on Digital UNIX.
965:
966: 302) Hacked autoconf so that you can have single quotes in
967: --with-passprompt.
968:
969: 303) For SecureWare-style shadow passwords use getprpwnam() instead
970: of getprpwuid() since getprpwuid is broken in HP-UX 10.20 at
971: least (it sleeps for 2 minutes if the shadow files don't exist).
972:
973: 304) We can't really trust UID_MAX or MAXUID since they may only exist for
974: backwards compatibility; spider-both@Orb.Nashua.NH.US
975:
976: 305) Make %groups work as RunAs specifiers; Ray Bellis <rpb@community.net.uk>.
977:
978: 306) Set USER environment variable to target user.
979: Suggested by Ray Bellis <rpb@community.net.uk>.
980:
981: 307) Go back to printing "command not found" unless --disable-path-info
982: specified. Also, tell user when we ignore '.' in their path and it
983: would have been used but for --with-ignore-dot.
984:
985: 308) When using tty tickets make it user:tty not user.tty as a username
986: could have a '.' in it.
987:
988: 309) Define BSD_COMP for svr4 to get BSD ioctl defs. Also, if we have
989: sys/sockio.h but SIOCGIFCONF is not defined by including sys/ioctl.h
990: include sys/sockio.h directly.
991:
992: 310) Fixed a bug that could cause "sudo -l" to segfault or complain
993: about non-existent syntax errors.
994:
995: Sudo 1.5.7 released.
996:
997: 311) Fixed square bracket quoting in configure and moved check for -lnsl
998: to be before -lsocket.
999:
1000: 312) In load_interfaces(), close sock after we are done with it. Leak
1001: noticed by Mike Kienenberger <mkienenb@arsc.edu>.
1002:
1003: 313) Missing pieces from change #308; from Mike Kienenberger.
1004:
1005: 314) Real Kerberos 5 support from Frank Cusack <fcusack@iconnet.net>.
1006:
1007: 315) FWTK 'authsrv' support from Kevin Kadow <kadow@MSG.NET>.
1008:
1009: 316) Fixed handling and documentation of --with-umask.
1010:
1011: 317) If the check for socket() or inet_addr() fails, retry, this time
1012: linking with both -lsocket and -lnsl for those systems that
1013: have interlibrary dependencies.
1014:
1015: Sudo 1.5.8 released.
1016:
1017: 318) Add dirfd() macro for systems without it.
1018:
1019: 319) Better check for socket() in -lsocket -lnsl in configure.
1020:
1021: 320) Minor configure fixes.
1022:
1023: Sudo 1.5.8p1 released.
1024:
1025: 321) Fixed a bug wrt quoting characters in command args.
1026:
1027: 322) Make --without-sendmail work.
1028:
1029: Sudo 1.5.8p2 released.
1030:
1031: 323) Fixed a segv if HOST_IN_LOG defined and gethostbyname() fails.
1032: Reported by Gero Treuner <gero@faveve.uni-stuttgart.de>.
1033:
1034: 324) Fixed a parse bug wrt the ! operator and runas specs. Noted by
1035: David A Beck <BKD@payserv.telekurs.com>.
1036:
1037: 325) Use new emalloc/erealloc/estrdup functions (catch errors and exit).
1038:
1039: 326) New PAM code that should work on both Solaris and Linux.
1040:
1041: 327) Make sudo's usage info better when mutually exclusive args are given
1042: and don't rely on argument order to detect this. From Nick Andrew.
1043:
1044: 328) In visudo, shift return value of system() by 8 to get the real exit value.
1045:
1046: Sudo 1.5.9 released.
1047:
1048: 329) The runas user and NOPASSWD tags are now persistent across entries
1049: in a command list (ie: cmnd1,cmnd2,cmnd3). A PASSWD tag has been
1050: added to reverse NOPASSWD. The runas user and *PASSWD tags can be
1051: overridden on a per-command basis at which point they become the
1052: new default for the rest of the list.
1053:
1054: 330) It is now possible to use the '!' operator in a runas list as
1055: well as in a Cmnd_Alias, Host_Alias and User_Alias.
1056:
1057: 331) In estrdup(), do the malloc ourselves so we don't need to rely on the
1058: system strdup(3) which may or may not exist. There is now no need to
1059: provide strdup() for those w/o it.
1060:
1061: 332) You can now specify a host list instead of just a host or alias
1062: in a privilege list. Ie: user=host1,host2,ALIAS,!host3 /bin/ls
1063:
1064: 333) Stash the "safe" path to the command instead of stashing the struct
1065: stat. Should be safer.
1066:
1067: 334) Now set $LOGNAME in addition to $USER.
1068:
1069: 335) No longer use stdio in tgetpass()
1070:
1071: 336) Don't use _PASSWD_LEN or PASS_MAX as we can't rely on them corresponding
1072: to anything real. Instead, we just use a max password size of 256
1073: everywhere.
1074:
1075: 337) Block keyboard-generated signals during startup and restore signal
1076: mask before exec'ing the program. We don't want the user to be
1077: able to simply kill us and avoid logging.
1078:
1079: 338) Rewrote timestamp handling. For the default case, a directory is used
1080: instead of a file. For the tty-based case, the timestamp is just a
1081: file in that directory (eg. /var/run/sudo/username/tty). You now only
1082: get the lecture once, even in the tty case. The goal here is to allow
1083: the tty and non-tty schemes to coexist, though it is worth noting that
1084: when you update a tty file, the mtime of the dir gets updated too.
1085:
1086: 339) The meaning of -k has changed to mean "invalidate the timestamp".
1087: There is a new -K option to really remove the timestamp file/dir.
1088:
1089: 340) New modular authentication API. This fixes the rat's nest of
1090: #ifdefs that was the old auth code.
1091:
1092: 341) New logging functions. log_error() now takes a variable number of
1093: args ala printf() and log_auth() reacts to the return value of validate().
1094:
1095: 342) If a user is not in the sudoers file they are still asked for a password.
1096: This keeps someone who finds a user logged in to a terminal from being
1097: able to tell whether or not the user is allowed to use sudo.
1098:
1099: 343) New PAM code again, this time it should be correct.
1100:
1101: 344) tgetpass() now has a flag to specify whether or not to turn
1102: off echo while reading the password. Used by the new PAM and
1103: fwtk code.
1104:
1105: 345) Fixed shadow password detection on SCO.
1106:
1107: 346) Sudo is now available under a BSD/Apache style license. This is
1108: possible because it no longer contains any of the original 1.1 code.
1109:
1110: 347) Added configuration info when sudo is run with the -V flag by root.
1111:
1112: 348) Change visudo tmp file from /etc/stmp -> /etc/sudoers.tmp since
1113: Solaris uses stmp for shadow temp file. Also rename _PATH_SUDO_SUDOERS
1114: to _PATH_SUDOERS and _PATH_SUDO_STMP to _PATH_SUDOERS_TMP.
1115:
1116: 349) Added configure option to set syslog priorities.
1117:
1118: 350) Sudo now locks its log file to prevent mangled entries.
1119:
1120: 351) Visudo now locks the sudoers temp file instead of bailing when
1121: the temp file already exists. This fixes the problem of stale
1122: temp files but it does *require* that you not try to put the
1123: temp file in a world-writable directory. This should not be
1124: an issue as the temp file should live in the same dir as sudoers.
1125:
1126: 352) Fixed crypt() check in libufc.
1127:
1128: 353) It is now possible to put a list of users as the first thing in a
1129: user specification. I don't suggest this but it makes the grammar
1130: more uniform.
1131:
1132: 354) Visudo will now warn about what it thinks are undefined aliases.
1133: Since it can't be 100% sure, these are just warnings, not errors.
1134:
1135: 355) Add a --without-passwd option to configure that turns off
1136: passwd/shadow file authentication. Only usable with an alternate
1137: authentication scheme.
1138:
1139: 356) Add a --disable-authentication option to configure that causes sudo
1140: to not require authentication by default. The PASSWD tag can be
1141: used to require authentication for an entry.
1142:
1143: 357) Add a --with-devel option to add -Wall and uncomment yacc/lex
1144: generation in Makefile.
1145:
1146: 358) Zero out plaintext password after use (should do encrypted as well).
1147:
1148: 359) Added real dependencies in Makefile.
1149:
1150: 360) Deprecated --with-otp-only in favor of --without-passwd.
1151:
1152: 361) Add --with-mail-if-no-host to send mail if a user tries to run sudo on
1153: a host for which he/she is not authorized.
1154:
1155: 362) Most of sudo now runs as root instead of the invoking user to
1156: minimize the possibility of user control via signals or tracing.
1157:
1158: 363) Now supports CIDR-style netmasks (ie: 128.138.0.0/16).
1159:
1160: 364) In "sudo -l" mode, the type of the stored (expanded) alias was not
1161: stored with the contents. This could lead to incorrect output
1162: if the sudoers file had different alias types with the same name.
1163: Normal parsing (ie: not in '-l' mode) is unaffected.
1164:
1165: 365) Now include strcasecmp() for those without it.
1166:
1167: 366) Most compile-time options are now changeable at runtime via
1168: the 'Defaults' specification in the sudoers file.
1169:
1170: 367) Added a -L flag to printout all the possible 'Defaults' parameters.
1171:
1172: 368) It is now possible to escape "special" characters in usernames, hostnames,
1173: etc with a backslash.
1174:
1175: 369) Sudo will now accept a hostname/username/netgroupname that contains
1176: almost any character in it. It seems many people want to use '.'
1177: and other non-alphanumerics in usernames.
1178:
1179: 370) Fixed the root_sudo option. Sudo was always complaining that root
1180: was not allowed to run sudo if the root_sudo flag was turned off.
1181:
1182: 371) tgetpass() now uses a function to read up until the end of line.
1183: Fixes problems in a pipeline when a program sets the tty mode
1184: to be character at a time.
1185:
1186: 372) sudo now turns off core dumps via setrlimit (probably paranoia).
1.2 millert 1187:
1188: Sudo 1.6 released.
1189:
1190: 373) Better diagnostics on PAM failure.
1191:
1192: 374) Killed shell_noargs option, it cannot work since the command needs to
1193: be set before sudoers is parsed.
1194:
1195: 375) Fixed the following Defaults options: set_home, fqdn, syslog, tty_tickets,
1196: ticket_dir, insults.
1197:
1198: 376) When using select() in tgetpass(), do a separate select before
1199: each read to be sure we can timeout correctly.
1200:
1201: 377) SecurID support compiles and works again.
1202:
1203: 378) Fixed a bug parsing runas modifiers. If a user spec contained multiple
1204: runas specs, the latter ones may not be applied.
1205:
1206: 379) #uid now works in a RunasAlias
1207:
1208: 380) Don't ask the user for a password if the user is not allowed to run
1209: the command and the authenticate flag (in sudoers) is false.
1210:
1211: 381) Added configure check for initgroups(3).
1212:
1213: 382) Use our own fnmatch() if there is no fnmatch.h, even if there is an
1214: fnmatch() in libc.
1.3 millert 1215:
1216: Sudo 1.6.1 released.
1217:
1218: 383) Better behavior for -l and -v flags in conjunction with NOPASSWD and
1219: added "verifypw" and "listpw" options.
1220:
1221: 384) For HP-UX with cc, add the -Aa flag along with -D_HPUX_SOURCE.
1222:
1223: 385) Fix compilation with K&R compilers.
1224:
1225: 386) For netgroup host matching, match against the short version of the
1226: hostname as well as the long one if they are different.
1227:
1228: 387) Terminate passwd reading on '\r' in addition to '\n'
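
The select(2) handling described in items 264, 271, 295, 376 and 387 can be seen together in one reader. This is an added example, not sudo's tgetpass(); the function name `read_line_timeout` and the per-character timeout policy are assumptions of the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/*
 * Hypothetical helper: read one line from fd into buf, NUL-terminated,
 * with the terminator stripped. timeout_secs applies to each character.
 * Returns the stored length, or -1 on timeout, EOF before a terminator,
 * error, or an fd that does not fit in an fd_set (buf is wiped on failure).
 */
long read_line_timeout(int fd, char *buf, size_t bufsiz, int timeout_secs)
{
    size_t len = 0;

    /* FD_SET() on an fd >= FD_SETSIZE writes outside the fd_set. */
    if (fd < 0 || fd >= FD_SETSIZE || bufsiz == 0)
        return -1;

    for (;;) {
        fd_set readfds;
        struct timeval tv;
        ssize_t nr;
        char c;
        int n;

        /* Rebuild the set and the timeout before every read: select()
         * may modify both, so stale values must not be reused. */
        FD_ZERO(&readfds);
        FD_SET(fd, &readfds);
        tv.tv_sec = timeout_secs;
        tv.tv_usec = 0;

        /* nfds is the highest fd in the set plus one, not the table size. */
        n = select(fd + 1, &readfds, NULL, NULL, &tv);
        if (n == -1 && errno == EINTR)
            continue;               /* interrupted by a signal: restart */
        if (n <= 0)
            break;                  /* timeout or hard error */

        nr = read(fd, &c, 1);
        if (nr == -1 && errno == EINTR)
            continue;
        if (nr <= 0)
            break;                  /* EOF or hard error */

        /* A tty in raw mode can deliver '\r' where '\n' is expected. */
        if (c == '\n' || c == '\r') {
            buf[len] = '\0';
            return (long)len;
        }
        if (len < bufsiz - 1)
            buf[len++] = c;         /* excess input is read and discarded */
    }

    memset(buf, 0, bufsiz);         /* do not hand back a partial secret */
    return -1;
}

int main(void)
{
    int p[2];
    char buf[32];
    long n;

    if (pipe(p) != 0)
        return 1;
    /* Constructed input: a line ended by '\r', as a raw-mode tty sends it. */
    if (write(p[1], "hunter2\r", 8) != 8)
        return 1;
    n = read_line_timeout(p[0], buf, sizeof(buf), 5);
    printf("read %ld characters\n", n);
    memset(buf, 0, sizeof(buf));
    close(p[0]);
    close(p[1]);
    return n == 7 ? 0 : 1;
}
```
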
1229:
1230: 388) Visudo used to loop endlessly if a user entered ^D at the whatnow
1231: prompt. EOF is now treated as 'x' (exit w/o saving changes).
1232:
1233: 389) The 'shell_noargs' runtime option is back based on a patch from
1234: bguillory@email.com.
1235:
1236: 390) Systems that return RLIM_INFINITY for RLIMIT_NOFILE (like AIX)
1237: would loop for a very long time during sudo startup. A value of
1238: RLIM_INFINITY is now ignored (getdtablesize/sysconf is used instead).
1239:
1240: 391) Locking in visudo was broken. We now lock the sudoers file, not the
1241: sudoers temp file, which should be safe.
1242:
1243: 392) PAM fixups: custom prompts now work correctly and errors are
1244: dealt with more sanely. Patches from Cloyce D. Spradling.
1.4 millert 1245:
1246: Sudo 1.6.2 released.
1247:
1248: 393) Users in the 'exempt' group shouldn't get their $PATH overridden
1249: by 'secure-path'. Patch from jmknoble@pobox.com.
1250:
1251: 394) Pam now works on HP-UX 11.0, thanks to Jeff A. Earickson.
1.5 millert 1252:
1253: 395) Fixed a bug that caused an infinite loop when the password
1254: timeout was disabled.
1.6 millert 1255:
1256: 396) It is now possible to set the path to the editor for visudo as well
1257: as the flag that determines whether or not visudo will look at
1258: $EDITOR in the sudoers file.
1259:
1260: 397) configure now pulls in the values of LIBS, LDFLAGS, CPPFLAGS, etc
1261: as the documentation says it ought to.
1262:
1263: 398) Added rootpw, runaspw, and targetpw to prompt for the root, runas_default
1264: and target user's passwords respectively (instead of the invoking user's
1265: password).
1266:
1267: 399) Added -S flag to force password read from stdin.
1268:
1269: 400) Restore coredumpsize resource limit before exec'ing the child
1270: process (sudo sets it to 0 internally).
1271:
1272: 401) Truncate unencrypted password to 8 chars if encrypted password is exactly
1273: 13 characters (indicating a standard DES password). Many versions
1274: of crypt() do this for you, but not all (like HP-UX's).
1275:
1276: 402) Fixed a typo/thinko that broke secureware support for long passwords.
1277:
1278: 403) Added a new command line switch '-c' to support BSD login classes.
1279: The '-c' option can be used to sudo a command with specific resource
1280: limits in the login.conf database. This feature is optionally enabled
1281: via the --with-logincap configure switch. Based on a patch from
1282: Michael D. Marchionna.
1283:
1284: 404) Fixed a bug where sudo would hang around and consume CPU if we spawn
1285: a long-running process.
1286:
1287: 405) Deal with HP-UX password aging info tacked on to the end of the
1288: encrypted password.
1289:
1290: 406) Added set_logname run-time option. When unset, sudo will not set
1291: the USER and LOGNAME environment variables.
1292:
1293: 407) Wildcards are now allowed in the hostnames specified in sudoers.
1294: The 'fqdn' option is often required for this to be useful.
1295:
1296: 408) Fixed a bug where host and user qualifiers in a Defaults entry were
1297: not being used correctly and the entry was being applied globally.
1298:
1299: Sudo 1.6.3 released.
1.7 millert 1300:
1301: 409) Fixed targetpw, rootpw, and runaspw options when used with non-passwd
1302: authentication (pam, etc).
1303:
1304: Sudo 1.6.3p1 released.
1305:
1306: 410) When the targetpw flag is set, use the target username as part
1307: of the timestamp path.
1308:
1309: Sudo 1.6.3p2 released.
1310:
1311: 411) Fixed a bug that prevented the -H option from being useful.
1312:
1313: Sudo 1.6.3p3 released.
1314:
1.9 millert 1315: 412) Fixed a case where a string was used after it had been freed.
1.7 millert 1316:
1317: Sudo 1.6.3p4 released.
1.8 millert 1318:
1319: 413) Fixed listpw and verifypw sudoers options.
1320:
1321: 414) Do not write NUL when writing passwd prompt; hag@linnaean.org.
1322:
1323: Sudo 1.6.3p5 released.
1.9 millert 1324:
1.10 millert 1325: 415) Fix word splitting bug that caused a segv for very long command line args.
1326:
1327: Sudo 1.6.3p6 released.
1328:
1329: 416) Fix negation of path-type Defaults entries in a boolean context.
1330:
1331: Sudo 1.6.3p7 released.
1332:
1333: 417) Visudo now checks for the existence of an editor and gives a sensible
1.9 millert 1334: error if it does not exist.
1335:
1.10 millert 1336: 418) The path to the editor for visudo is now a colon-separated list of
1.9 millert 1337: allowable editors. If the user has $EDITOR set and it matches
1338: one of the allowed editors that editor will be used. If not,
1339: the first editor that actually exists is used.
1340:
1.10 millert 1341: 419) Visudo now does its own fork/exec instead of calling system(3).
1.9 millert 1342:
1.12 millert 1343: 420) Allow special characters (including '#') to be embedded in pathnames
1.9 millert 1344: if quoted by a '\\'. The quoted chars will be dealt with by fnmatch().
1345: Unfortunately, 'sudo -l' still prints the '\\'.
1346:
1.12 millert 1347: 421) Added the always_set_home option.
1.9 millert 1348:
1.12 millert 1349: 422) Strip NLSPATH and PATH_LOCALE out from the environment to prevent
1350: reading of protected files by a less privileged user.
1.9 millert 1351:
1.12 millert 1352: 423) Added support for BSD authentication and associated -a flag.
1.9 millert 1353:
1.12 millert 1354: 424) Added check for _innetgr(3) since NCR systems have this instead
1.9 millert 1355: of innetgr(3).
1356:
1.12 millert 1357: 425) Added stay_setuid option for systems that have libraries that perform
1.9 millert 1358: extra paranoia checks in system libraries for setuid programs.
1359:
1.12 millert 1360: 426) Environment munging is now done by hand. The environment is zeroed
1.11 millert 1361: upon sudo startup and a new environment is built before the command
1362: is executed. This means we don't rely on getenv(3), putenv(3),
1363: or setenv(3).
1.9 millert 1364:
1.12 millert 1365: 427) Added a class of environment variables that are only cleared if they
1.10 millert 1366: contain '/' or '%' characters.
1367:
1.12 millert 1368: 428) Use stashed user_gid when checking against exempt gid since sudo
1.10 millert 1369: sets its gid to SUDOERS_GID, making getgid() return that, not the
1370: real gid. Fixes problem with setting exempt group == SUDOERS_GID.
1371: Fix from Paul Kranenburg.
1372:
1.12 millert 1373: 429) Fixed file locking in visudo on NeXT which has a broken lockf().
1.10 millert 1374: Patch from twetzel@gwdg.de.
1375:
1.12 millert 1376: 430) Regenerated configure script with autoconf-2.52 (required some
1.10 millert 1377: tweaking of configure.in and friends).
1378:
1.12 millert 1379: 431) Added mail_badpass option to send mail when the user does not
1.10 millert 1380: authenticate successfully.
1381:
1.12 millert 1382: 432) Added env_reset Defaults option to reset the environment to
1.10 millert 1383: a clean slate. Also implemented env_keep Defaults option
1384: to specify variables to be preserved when resetting the
1385: environment.
1386:
1.12 millert 1387: 433) Added env_check and env_delete Defaults options to allow the admin
1.10 millert 1388: to modify the builtin list of environment variables to remove.
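
Items 422, 426, 427, 432 and 433 describe building the child's environment from scratch rather than editing the inherited one. The following is an added example of that approach, not sudo's own code: `rebuild_env` here is a hypothetical function, the delete list uses only names this file mentions, and the check list (LANG, LC_*) and the exact reset policy are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Always removed. A trailing '*' means "any name with this prefix". */
static const char *const env_delete[] = {
    "LD_*", "_RLD*", "SHLIB_PATH", "ENV", "BASH_ENV", "NLSPATH",
    "PATH_LOCALE", NULL
};
/* Removed only if the value contains '/' or '%' (assumed list). */
static const char *const env_check[] = { "LANG", "LC_*", NULL };

static int name_matches(const char *entry, size_t namelen, const char *pat)
{
    size_t plen = strlen(pat);

    if (plen > 0 && pat[plen - 1] == '*')
        return namelen >= plen - 1 && strncmp(entry, pat, plen - 1) == 0;
    return namelen == plen && strncmp(entry, pat, plen) == 0;
}

static int in_list(const char *entry, size_t namelen, const char *const *list)
{
    for (; *list != NULL; list++)
        if (name_matches(entry, namelen, *list))
            return 1;
    return 0;
}

/* Decide whether one "NAME=value" entry may reach the new environment. */
static int keep_entry(const char *entry, int reset, const char *const *keep)
{
    const char *eq = strchr(entry, '=');
    size_t namelen;

    if (eq == NULL || eq == entry)
        return 0;                               /* malformed: drop */
    namelen = (size_t)(eq - entry);
    if (in_list(entry, namelen, env_delete))
        return 0;
    if (in_list(entry, namelen, env_check))
        return strpbrk(eq + 1, "/%") == NULL;   /* path or format chars */
    if (reset)                                  /* clean slate: keep-list only */
        return keep != NULL && in_list(entry, namelen, keep);
    return 1;
}

void free_env(char **env)
{
    size_t i;

    for (i = 0; env != NULL && env[i] != NULL; i++)
        free(env[i]);
    free(env);
}

/* Build a new NULL-terminated environment; old_env is never modified. */
char **rebuild_env(char *const *old_env, int reset, const char *const *keep)
{
    size_t n = 0, kept = 0, i, len;
    char **new_env;

    while (old_env[n] != NULL)
        n++;
    new_env = calloc(n + 1, sizeof(char *));
    if (new_env == NULL)
        return NULL;
    for (i = 0; i < n; i++) {
        if (!keep_entry(old_env[i], reset, keep))
            continue;
        len = strlen(old_env[i]) + 1;
        new_env[kept] = malloc(len);
        if (new_env[kept] == NULL) {
            free_env(new_env);
            return NULL;
        }
        memcpy(new_env[kept++], old_env[i], len);
    }
    return new_env;
}

size_t env_count(char *const *env)
{
    size_t n = 0;

    while (env[n] != NULL)
        n++;
    return n;
}

int env_has(char *const *env, const char *entry)
{
    for (; *env != NULL; env++)
        if (strcmp(*env, entry) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample environment. */
    char *in[] = { "PATH=/bin:/usr/bin", "LD_PRELOAD=/tmp/x.so",
                   "LANG=C", "LC_ALL=../../etc/%s", "EDITOR=vi", NULL };
    char **out = rebuild_env(in, 0, NULL);
    size_t i;

    for (i = 0; out != NULL && out[i] != NULL; i++)
        puts(out[i]);
    free_env(out);
    return 0;
}
```
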
1389:
1.12 millert 1390: 434) If timestamp_timeout < 0 then the timestamp never expires. This
1.10 millert 1391: allows users to manage their own timestamps and create or delete
1392: them via 'sudo -v' and 'sudo -k' respectively.
1393:
1.12 millert 1394: 435) Authentication routines that use sudo's tgetpass() now accept
1.10 millert 1395: ^C or ^Z at the password prompt and sudo will act appropriately.
1396:
1.12 millert 1397: 436) Added a check-only mode to visudo to check an existing sudoers
1.10 millert 1398: file for sanity.
1399:
1.12 millert 1400: 437) Visudo can now edit an alternate sudoers file.
1.10 millert 1401:
1.12 millert 1402: 438) If sudo is configured with S/Key support and the system has
1.10 millert 1403: skeyaccess(3) use that to determine whether or not to allow
1404: a normal Unix password or just S/Key.
1.9 millert 1405:
1.12 millert 1406: 439) Fixed CIDR handling in sudoers.
1.10 millert 1407:
1.12 millert 1408: 440) Fixed a segv if the local hostname is not resolvable and
1.10 millert 1409: the 'fqdn' option is set.
1410:
1.12 millert 1411: 441) "listpw=never" was not having an effect for users who did not
1.10 millert 1412: appear in sudoers--now it does.
1413:
1.12 millert 1414: 442) The --without-sendmail option now works on systems with
1.10 millert 1415: a /usr/include/paths.h file that defines _PATH_SENDMAIL.
1416:
1.12 millert 1417: 443) Removed the "secure_path" Defaults option as it does not work and
1.10 millert 1418: cannot work until the parser is overhauled.
1419:
1.12 millert 1420: 444) Added new -P flag and "preserve_groups" sudoers option to cause
1.10 millert 1421: sudo to preserve the group vector instead of setting it to that
1422: of the target user. Previously, if the target user was root
1423: the group vector was not changed. Now it is always changed unless
1424: the -P flag or "preserve_groups" option was given.
1425:
1.12 millert 1426: 445) If find_path() fails as root, try again as the invoking user (useful
1.10 millert 1427: for NFS). Idea from Chip Capelik.
1428:
1.12 millert 1429: 446) Use setpwent()/endpwent() and its shadow equivalents to be sure
1.10 millert 1430: the passwd/shadow file gets closed.
1431:
1.12 millert 1432: 447) Use getifaddrs(3) to get the list of network interfaces if it is
1.10 millert 1433: available.
1434:
1.12 millert 1435: 448) Dump list of local IP addresses and environment variables to clear
1.10 millert 1436: when 'sudo -V' is run as root.
1437:
1.12 millert 1438: 449) Reorganized the lexer a bit and added more states. Sudo now does a
1.10 millert 1439: better job of parsing command arguments in the sudoers file.
1440:
1.12 millert 1441: 450) Wrap each call to syslog() with openlog()/closelog() since some
1.10 millert 1442: things (such as PAM) may call closelog(3) behind sudo's back.
1443:
1.12 millert 1444: 451) The LOGNAME and USER environment variables are now set if the user
1.10 millert 1445: specified a target uid and that uid exists in the password database.
1446:
1.12 millert 1447: 452) configure will no longer add the -g flag to CFLAGS by default.
1.10 millert 1448:
1.12 millert 1449: 453) Now call pam_setcred() to setup creds for the target user when
1.10 millert 1450: PAM is in use. On Linux this often sets resource limits.
1451:
1.12 millert 1452: 454) If "make install" is run by non-root and the destination dir
1.10 millert 1453: is writable, install things normally but don't set owner and mode.
1.9 millert 1454:
1.12 millert 1455: 455) The Makefile now supports installing in a shadow hierarchy
1.10 millert 1456: specified via the DESTDIR variable.
1.9 millert 1457:
1.12 millert 1458: 456) config.h.in is now generated by autoheader.
1459:
1460: Sudo 1.6.4 released.
1.13 millert 1461:
1462: 457) Move the call to rebuild_env() until after MODE_RESET_HOME is set.
1463: Otherwise, the set_home option has no effect.
1464:
1465: 458) Fix use of freed memory when the "fqdn" flag is set. This was
1466: introduced by the fix for the "segv when gethostbyname() fails" bug.
1467:
1468: 459) Add 'continue' statements to optimize the switch statement.
1.14 millert 1469: From Solar Designer.
1.13 millert 1470:
1471: Sudo 1.6.4p1 released.
1.14 millert 1472:
1473: 460) Some special characters were not being escaped properly (e.g. '\,')
1474: in command line arguments and would cause a syntax error instead.
1475:
1476: 461) "sudo -l" would not work if the always_set_home option was set.
1477:
1478: 462) Added a configure option to disable use of POSIX saved IDs for
1479: operating systems where these are broken.
1480:
1481: 463) The SHELL environment variable was preserved from the user's environment
1482: instead of being reset based on the passwd database even when the
1483: "env_reset" option was set.
1484:
1485: Sudo 1.6.4p2 released.
1.15 millert 1486:
1487: 464) Added a configure option to cause mail sent by sudo to be run as
1488: the invoking user instead of root. Some people consider this to
1489: be safer.
1490:
1491: 465) If the mailer is being run as root, use a hard-coded environment
1492: that is not influenced in any way by the invoking user's environment.
1493:
1.16 millert 1494: 466) Fixed the call to skeyaccess(). Patch from Phillip E. Lobbes.
1495:
1.15 millert 1496: Sudo 1.6.5 released.
1.16 millert 1497:
1498: 467) Visudo could access memory that was already freed.
1499:
1500: 468) If the skey.access file denied use of plaintext passwords sudo
1501: would exit instead of allowing the user to enter an S/Key.
1502:
1503: Sudo 1.6.5p1 released.
1.17 millert 1504:
1505: 469) Older versions of BSDi have getifaddrs() but no freeifaddrs().
1506:
1507: 470) BSDi has a fake setreuid() as do certain versions of FreeBSD and NetBSD.
1508:
1509: 471) Ignore the return value of pam_setcred(). In Linux-PAM 0.75,
1510: pam_setcred() will return PAM_PERM_DENIED even if the setcred function
1511: of the module succeeds when pam_authenticate() has not been called.
1512:
1513: 472) Avoid giving PAM a NULL password response, use the empty string instead.
1514: This avoids a log warning when the user hits ^C at the password prompt
1515: when Linux-PAM is in use. This also prevents older versions of
1516: Linux-PAM from dereferencing the NULL pointer.
1517:
1518: 473) The user's password was not zeroed after use when AIX authentication,
1519: BSD authentication, FWTK or PAM was in use.
1520:
1521: Sudo 1.6.5p2 released.
1.18 millert 1522:
1523: 474) Fixed compilation problem on HP-UX 9.x.
1524:
1525: 475) Moved call to endpwent() and added a call to endgrent().
1526:
1527: 476) Fixed a warning about a conflicting declaration of VOID with AFS.
1528:
1529: 477) Fixed a security hole in prompt rewriting found by Global InterSec.
1530:
1531: Sudo 1.6.6 released.
1.19 millert 1532:
1.20 ! millert 1533: 478) Wildcards now work correctly in the env_keep Defaults directive.
1.19 millert 1534:
1535: 479) Added support for non-root timestamp dirs. This allows the timestamp
1536: dir to be shared via NFS (though this is not recommended).
1537:
1538: 480) Removed double printing of bad environment variable table in -V mode.
1539:
1540: 481) configure script has been regenerated with autoconf 2.5.7.
1541: This required some changes to configure.in.
1542:
1543: 482) Fixed a compilation problem on SunOS; thanks to Alek O. Komarnitsky.
1544:
1545: 483) SecurID 5.0 API support from Michael Stroucken.
1546:
1547: 484) Restore state of signal handlers to what we had upon startup.
1548: Fixes a problem when using sudo with nohup; thanks to Paul Markham.
1549:
1550: 485) Revamp set_perms() to use setresuid() or setreuid() when available
1551: in preference to POSIX stuff since they allow us to properly
1552: implement "stay_setuid" whereas POSIX does not really.
1553:
1554: 486) In strict mode sudo did not throw an error for undefined User_Aliases.
1555:
1556: 487) Fixed a Makefile bug on IRIX.
1557:
1558: 488) Write the prompt *after* turning off echo to avoid some password
1559: characters being echoed on heavily-loaded machines with fast typists.
1560:
1561: 489) Added %U and %H escapes in the prompt and fixed treatment of %%.
1562:
1563: 490) Visudo will now add a final newline to sudoers if the user's editor
1564: does not add one before EOF.
1565:
1566: 491) The lexer state is now reset to its initial value on EOF.
1567: Previously, the state was not reset between parser invocations
1568: which could cause problems for visudo in rare cases.
1569:
1570: 492) Added support for Defaults that apply based on the RunasUser.
1571:
1572: 493) Sudo now includes copies of strlc{at,py} and uses them throughout.
1573:
1574: 494) Sudo is now careful to avoid integer overflow when allocating
1575: memory. This is one of those "should not happen" situations.
1576:
1.20 ! millert 1577: 495) Added a configure option (--with-stow) to make sudo compatible
! 1578: with GNU stow.
1.19 millert 1579:
1580: 496) auth/kerb5.c now compiles under Heimdal.
1581:
1582: 497) The volatile prefix is used in the hopes of preventing compilers
1583: from optimizing away memory zeroing. Unfortunately, this results
1584: in some warnings from gcc.
1585:
1.20 ! millert 1586: 498) Better Kerberos IV/V support in the configure script.
! 1587:
! 1588: 499) Fixed a logic thinko in the SIGCHLD handler that caused problems
! 1589: with rlogin on HP-UX.
! 1590:
! 1591: 500) configure now adds -R to LDFLAGS when it adds -L for Solaris and
! 1592: SVR4. There is a configure option, --with-rpath, to control this.
! 1593:
! 1594: 501) On AIX, configure will pass extra directory paths to the linker
! 1595: via the -blibpath ld option. This is only active when additional
! 1596: library paths are used. It may be disabled via the
! 1597: --without-blibpath configure option.
! 1598:
! 1599: 502) The --with-skey and --with-opie configure options now take
! 1600: an optional directory argument that should have an include and
! 1601: lib dir for the skey/opie include file and library respectively.
! 1602:
1.19 millert 1603: Sudo 1.6.7 released.
1.20 ! millert 1604:
! 1605: 503) Fixed false positives in the overflow detection of expand_prompt().
! 1606:
! 1607: Sudo 1.6.7p1 released.