* Added support for SASL_MECH in ldap.conf. Bug #764

* Added support for digest matching when the command is a glob-style
  pattern or a directory. Previously, only explicit path matches
  supported digest checks.

* New "fdexec" Defaults option to control whether a command
  is executed by path or by open file descriptor.

* The embedded copy of zlib has been upgraded to version 1.2.11.

* Fixed a bug that prevented sudoers include files with a relative
  path starting with the letter 'i' from being opened. Bug #776.

* Added support for command timeouts in sudoers. The command will
  be terminated if the timeout expires.

* The SELinux role and type are now displayed in the "sudo -l"
  output for the LDAP and SSSD backends, just as they are in the
  sudoers backend.

* A new command line option, -T, can be used to specify a command
  timeout as long as the user-specified timeout is not longer than
  the timeout specified in sudoers. This option may only be
  used when the "user_command_timeouts" flag is enabled in sudoers.

* Added NOTBEFORE and NOTAFTER command options to the sudoers
  backend similar to what is already available in the LDAP backend.

* Sudo can now optionally use the SHA2 functions in OpenSSL or GNU
  crypt instead of the SHA2 implementation bundled with sudo.

* Fixed a compilation error on systems without the stdbool.h header
  file. Bug #778.

* Fixed a compilation error in the standalone Kerberos V authentication
  module. Bug #777.

* Added the iolog_flush flag to sudoers which causes I/O log data
  to be written immediately to disk instead of being buffered.

* I/O log files are now created with group ID 0 by default unless
  the "iolog_user" or "iolog_group" options are set in sudoers.

* It is now possible to store I/O log files on an NFS-mounted
  file system where uid 0 is remapped to an unprivileged user.
  The "iolog_user" option must be set to a non-root user and the
  top-level I/O log directory must exist and be owned by that user.

* Added the restricted_env_file setting to sudoers which is similar
  to env_file but its contents are subject to the same restrictions
  as variables in the invoking user's environment.

* Fixed a use after free bug in the SSSD backend when the fqdn
  sudoOption is enabled and no hostname value is present in
  /etc/sssd/sssd.conf.

* Fixed a typo that resulted in a compilation error on systems
  where the killpg() function is not found by configure.

* Fixed a compilation error with the included version of zlib
  when sudo was built outside the source tree.

* Fixed the exit value of sudo when the command is terminated by
  a signal other than SIGINT. This was broken in sudo 1.8.15 by
  the fix for Bug #722. Bug #784.

* Fixed a regression introduced in sudo 1.8.18 where the "lecture"
  option could not be used in a positive boolean context, only
  a negative one.

* Fixed an issue where sudo would consume stdin if it was not
  connected to a tty even if log_input is not enabled in sudoers.
  Bug #786.

* Clarify in the sudoers manual that the #includedir directive
  diverts control to the files in the specified directory and,
  when parsing of those files is complete, returns control to the
  original file. Bug #775.

What's new in Sudo 1.8.20