Annotation of src/usr.bin/sudo/WHATSNEW, Revision 1.2
1.2 ! millert 1: What's new in Sudo 1.7.1?
! 2:
! 3: * A new Defaults option "pwfeedback" will cause sudo to provide visual
! 4: feedback when the user is entering a password.
! 5:
! 6: * A new Defaults option "fast_glob" will cause sudo to use the fnmatch()
! 7: function for file name globbing instead of glob(). When this option
! 8: is enabled, sudo will not check the file system when expanding wildcards.
! 9: This is faster but a side effect is that relative paths with wildcards
! 10: will no longer work.
! 11:
! 12: * New BSM audit support for systems that support it such as FreeBSD
! 13: and Mac OS X.
! 14:
! 15: * The file name specified with the #include directive may now include
! 16: a %h escape which is expanded to the short form of hostname.
! 17:
! 18: * The -k flag may now be specified along with a command, causing the
! 19: user's timestamp file to be ignored.
! 20:
! 21: * New support for Tivoli-based LDAP START_TLS, present in AIX.
! 22:
! 23: * New support for /etc/netsvc.conf on AIX.
! 24:
! 25: * The unused alias checks in visudo now handle the case of an alias
! 26: referring to another alias.
! 27:
1.1 millert 28: What's new in Sudo 1.7.0?
29:
30: * Rewritten parser that converts sudoers into a set of data structures.
31: This eliminates a number of ordering issues and makes it possible to
32: apply sudoers Defaults entries before searching for the command.
33: It also adds support for per-command Defaults specifications.
34:
35: * Sudoers now supports a #include facility to allow the inclusion of other
36: sudoers-format files.
37:
38: * Sudo's -l (list) flag has been enhanced:
39: o applicable Defaults options are now listed
40: o a command argument can be specified for testing whether a user
41: may run a specific command.
42: o a new -U flag can be used in conjunction with "sudo -l" to allow
43: root (or a user with "sudo ALL") to list another user's privileges.
44:
45: * A new -g flag has been added to allow the user to specify a
46: primary group to run the command as. The sudoers syntax has been
47: extended to include a group section in the Runas specification.
48:
49: * A uid may now be used anywhere a username is valid.
50:
51: * The "secure_path" run-time Defaults option has been restored.
52:
53: * Password and group data is now cached for fast lookups.
54:
55: * The file descriptor at which sudo starts closing all open files is now
56: configurable via sudoers and, optionally, the command line.
57:
58: * Visudo will now warn about aliases that are defined but not used.
59:
60: * The -i and -s command line flags now take an optional command
61: to be run via the shell. Previously, the argument was passed
62: to the shell as a script to run.
63:
64: * Improved LDAP support. SASL authentication may now be used
65: when connecting to an LDAP server. The krb5_ccname
66: parameter in ldap.conf may be used to enable Kerberos.
67:
68: * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
69: to specify the sudoers order. E.g.:
70: sudoers: ldap files
71: to check LDAP, then /etc/sudoers. The default is "files", even
72: when LDAP support is compiled in. This differs from sudo 1.6
73: where LDAP was always consulted first.
74:
75: * Support for /etc/environment on AIX and Linux. If sudo is run
76: with the -i flag, the contents of /etc/environment are used to
77: populate the new environment that is passed to the command being
78: run.
79:
80: * If no terminal is available or if the new -A flag is specified,
81: sudo will use a helper program to read the password if one is
82: configured. Typically, this is a graphical password prompter
83: such as ssh-askpass.
84:
85: * A new Defaults option, "mailfrom", that sets the value of the
86: "From:" field in the warning/error mail. If unspecified, the
87: login name of the invoking user is used.
88:
89: * A new Defaults option, "env_file", that refers to a file containing
90: environment variables to be set in the command being run.
91:
92: * A new flag, -n, may be used to indicate that sudo should not
93: prompt the user for a password and, instead, exit with an error
94: if authentication is required.
95:
96: * If sudo needs to prompt for a password and it is unable to disable
97: echo (and no askpass program is defined), it will refuse to run
98: unless the "visiblepw" Defaults option has been specified.
99:
100: * Prior to version 1.7.0, hitting enter/return at the Password: prompt
101: would exit sudo. In sudo 1.7.0 and beyond, this is treated as
102: an empty password. To exit sudo, the user must press ^C or ^D
103: at the prompt.
104:
105: * visudo will now check the sudoers file owner and mode in -c (check)
106: mode when the -s (strict) flag is specified.
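
The strict owner and mode check described in the last item above can be reproduced outside visudo when auditing a host. The following is an added example, not code from sudo or visudo; the function name check_sudoers_perms and the expected values uid 0, gid 0, mode 0440 are assumptions (conventional defaults, not stated in this file).

```c
/* Added example: strict owner/mode check for a sudoers-style file.
 * Expected owner and mode are parameters; uid 0, gid 0, mode 0440 in
 * main() are assumed conventional defaults, not values from WHATSNEW. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

enum { PERM_OK = 0, PERM_ERR_STAT = 1, PERM_ERR_TYPE = 2,
       PERM_ERR_OWNER = 4, PERM_ERR_MODE = 8 };

/* Returns PERM_OK, or PERM_ERR_STAT / PERM_ERR_TYPE alone, or a
 * bitmask of PERM_ERR_OWNER and PERM_ERR_MODE. */
int check_sudoers_perms(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    struct stat sb;
    int rc = PERM_OK;

    /* lstat() so that a symlink is reported instead of followed. */
    if (lstat(path, &sb) != 0)
        return PERM_ERR_STAT;
    if (!S_ISREG(sb.st_mode))
        return PERM_ERR_TYPE;
    if (sb.st_uid != uid || sb.st_gid != gid)
        rc |= PERM_ERR_OWNER;
    /* Compare every permission bit, including setuid/setgid/sticky. */
    if ((sb.st_mode & 07777) != mode)
        rc |= PERM_ERR_MODE;
    return rc;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/sudoers";
    int rc = check_sudoers_perms(path, 0, 0, 0440);

    if (rc & PERM_ERR_STAT)  fprintf(stderr, "%s: cannot stat\n", path);
    if (rc & PERM_ERR_TYPE)  fprintf(stderr, "%s: not a regular file\n", path);
    if (rc & PERM_ERR_OWNER) fprintf(stderr, "%s: wrong owner (expected uid 0, gid 0)\n", path);
    if (rc & PERM_ERR_MODE)  fprintf(stderr, "%s: wrong mode (expected 0440)\n", path);
    if (rc == PERM_OK)       printf("%s: owner and mode OK\n", path);
    return rc != PERM_OK;
}
```

The exit status is non-zero on any mismatch, so the program can be used as a gate in a configuration-management or CI step before a sudoers file is deployed.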