sudo-1.8.22

[bdubbs@…]

New point version.

[bdubbs@…]

What's new in Sudo 1.8.22

• Commands run in the background from a script run via sudo will no longer receive SIGHUP when the parent exits and I/O logging is enabled. Bug #502

• A particularly offensive insult is now disabled by default. Bug #804

• The description of "sudo -i" now correctly documents that the "env_keep" and "env_check" sudoers options are applied to the environment. Bug #806

• Fixed a crash when the system's host name is not set. Bug #807

• The sudoers2ldif script now handles #include and #includedir directives.

• Fixed a bug where sudo would silently exit when the command was not allowed by sudoers and the "passwd_tries" sudoers option was set to a value less than one.

• Fixed a bug with the "listpw" and "verifypw" sudoers options and multiple sudoers sources. If the option is set to "all", a password should be required unless none of a user's sudoers entries from any source require authentication.

• Fixed a bug with the "listpw" and "verifypw" sudoers options in the LDAP and SSSD back-ends. If the option is set to "any", and the entry contained multiple rules, only the first matching rule was checked. If an entry contained more than one matching rule and the first rule required authentication but a subsequent rule did not, sudo would prompt for a password when it should not have.

• When running a command as the invoking user (not root), sudo would execute the command with the same group vector it was started with. Sudo now executes the command with a new group vector based on the group database which is consistent with how su(1) operates.

• Fixed a double free in the SSSD back-end that could occur when ipa_hostname is present in sssd.conf and is set to an unqualified host name.

• When I/O logging is enabled, sudo will now write to the terminal even when it is a background process. Previously, sudo would only write to the tty when it was the foreground process when I/O logging was enabled. If the TOSTOP terminal flag is set, sudo will suspend the command (and then itself) with the SIGTTOU signal.
• A new "authfail_message" sudoers option that overrides the default "N incorrect password attempt(s)".

• An empty sudoRunAsUser attribute in the LDAP and SSSD backends will now match the invoking user. This is more consistent with how an empty runas user in the sudoers file is treated.

• Documented that in check mode, visudo does not check the owner/mode on files specified with the -f flag. Bug #809.

• It is now an error to specify the runas user as an empty string on the command line. Previously, an empty runas user was treated the same as an unspecified runas user. Bug #817.

• When "timestamp_type" option is set to "tty" and a terminal is present, the time stamp record will now include the start time of the session leader. When the "timestamp_type" option is set to "ppid" or when no terminal is available, the start time of the parent process is used instead. This significantly reduces the likelihood of a time stamp record being re-used when a user logs out and back in again. Bug #818.

• The sudoers time stamp file format is now documented in the new sudoers_timestamp manual.

• The "timestamp_type" option now takes a "kernel" value on OpenBSD systems. This causes the tty-based time stamp to be stored in the kernel instead of on the file system. If no tty is present, the time stamp is considered to be invalid.

• Visudo will now use the SUDO_EDITOR environment variable (if present) in addition to VISUAL and EDITOR.

[bdubbs@…]

Fixed at revision 19677.