Current Version
The current development version of sudo is
1.7.4b3.
For full details see the ChangeLog
file or view the commit logs of the 1.7 branch in
mercurial.
If you plan to use a development version of sudo, please subscribe
to the sudo-workers mailing list so
that you will receive updates on bug fixes and related announcements.
You may also be interested in the
sudo-commits mailing list which
receives a message for each commit to the sudo source tree.
Major changes between version 1.7.4rc1 and 1.7.4rc2:
- Packaging fixes.
- Added support for Ubuntu-style admin flag dot files.
Major changes between version 1.7.4b5 and 1.7.4rc1:
- Sudo now performs I/O logging in the C locale. This avoids
locale-related issues when parsing floating point
numbers in the timing file.
Major changes between version 1.7.4b4 and 1.7.4b5:
- Fixed a build problem on Solaris.
- Fixed "sudo -i -u user" where user has no shell listed in the
password database.
- When logging I/O, sudo now handles pty read/write returning ENXIO,
as seen on FreeBSD when the login session has been killed.
Major changes between version 1.7.4b3 and 1.7.4b4:
- Documentation updates.
- If PAM is in use, wait until the process has finished before closing
the PAM session.
- The WHATSNEW file has been renamed NEWS.
- Compilation fix for mkstemps.c on some systems.
Major changes between version 1.7.4b2 and 1.7.4b3:
- The tty_tickets option is now on by default.
- Fixed a problem in the restoration of the AIX authdb registry setting.
Major changes between version 1.7.4b1 and 1.7.4b2:
Major changes between version 1.7.3 and 1.7.4b1:
- Sudoedit will now preserve the file extension in the name of the
temporary file being edited. The extension is used by some
editors (such as emacs) to choose the editing mode.
- Time stamp files have moved from /var/run/sudo to either /var/db/sudo,
/var/lib/sudo or /var/adm/sudo. The directories are checked for
existence in that order. This prevents users from receiving the
sudo lecture every time the system reboots. Time stamp files older
than the boot time are ignored on systems where it is possible to
determine this.
- Ancillary documentation (README files, LICENSE, etc) is now installed
in a sudo documentation directory.
- Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile"
in ldap.conf.
- Defaults settings that are tied to a user, host or command may
now include the negation operator. For example:
    Defaults:!millert lecture
will match any user but millert.
- The default PATH environment variable, used when no PATH variable
exists, now includes /usr/sbin and /sbin.
- Sudo now uses polypkg (http://rc.quest.com/topics/polypkg/)
for cross-platform packaging.
- On Linux, sudo will now restore the nproc resource limit before
executing a command, unless the limit appears to have been modified
by pam_limits. This avoids a problem with bash scripts that open
more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX)
will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1).
Major changes between version 1.7.3b4 and 1.7.3rc1:
- Password and group name cache lookups are now done in a case
insensitive fashion.
- URI entries in ldap.conf may now be specified
multiple times.
- Fixed a problem with the environment handling on OpenBSD.
- Sudo now supports AIX per-user password database sources
via the registry parameter in /etc/security/user.
In 1.7.3b4 sudo uses the SYSTEM parameter.
Major changes between version 1.7.3b3 and 1.7.3b4:
- Sudo will now use the Linux audit system when configured with
the --with-linux-audit flag.
- When the tty_tickets sudoers option is enabled but there is no
terminal device, sudo will no longer use or create a tty-based
ticket file. Previously, sudo would use a tty name of "unknown".
As a consequence, if a user has no terminal device, sudo will
now always prompt for a password.
- Negating the fqdn option in sudoers now works correctly when sudo
is configured with the --with-fqdn option. In previous versions
of sudo the fqdn was set before sudoers was parsed.
- Repaired the -i option which was broken in 1.7.3b3.
- On AIX, sudo now sets the userinfo like login(1) does when
running a command.
- Sudo now supports AIX per-user password database sources
via the SYSTEM parameter in /etc/security/user.
Major changes between version 1.7.2p7 and 1.7.3b3:
- Support for logging I/O for the command being run.
For more information, see the documentation for the log_input
and log_output Defaults options in the sudoers manual.
Also see the sudoreplay manual for how to replay I/O log sessions.
- The use_pty sudoers option can be used to force a command
to be run in a pseudo-pty, even when I/O logging is not enabled.
- On some systems, sudo can now detect when a user has logged out
and back in again when tty-based time stamps are in use. Supported
systems include Solaris systems with the devices file system, Mac
OS X, and Linux systems with the devpts filesystem (pseudo-ttys
only).
- Sudo's SELinux support should now function correctly when running
commands as a non-root user and when one of stdin, stdout or stderr
is not a terminal.
- Sudo now uses mbr_check_membership() on systems that support it
to determine group membership. Currently, only Darwin (Mac OS X)
supports this.
- The passwd_timeout and timestamp_timeout options may now be
specified as floating point numbers for more granular timeout
values.
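
The time stamp items above (directory lookup order, ignoring stamps older than boot, fractional timestamp_timeout) combine as sketched below. This is an added illustration, not code from the sudo source tree. The names pick_stamp_dir, check_ticket and the root prefix parameter are hypothetical, and the sample times are constructed.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <time.h>

/* Candidate directories, in the order the release notes list them. */
static const char *const stamp_dirs[] = {
    "/var/db/sudo", "/var/lib/sudo", "/var/adm/sudo"
};

/* First candidate that exists as a directory under `root`, or NULL.
 * `root` is a hypothetical prefix ("" for the live system) so the
 * lookup can be pointed at a test tree. */
const char *pick_stamp_dir(const char *root)
{
    char path[4096];
    struct stat sb;
    for (size_t i = 0; i < sizeof(stamp_dirs) / sizeof(stamp_dirs[0]); i++) {
        snprintf(path, sizeof(path), "%s%s", root, stamp_dirs[i]);
        if (stat(path, &sb) == 0 && S_ISDIR(sb.st_mode))
            return stamp_dirs[i];
    }
    return NULL;
}

enum ticket { TICKET_VALID, TICKET_EXPIRED, TICKET_PREBOOT };

/* Classify a time stamp file by its mtime. timeout_min is
 * timestamp_timeout in minutes (fractions allowed); boot == 0 means
 * the boot time could not be determined, so that check is skipped. */
enum ticket check_ticket(time_t mtime, time_t now, time_t boot,
                         double timeout_min)
{
    if (boot != 0 && mtime < boot)
        return TICKET_PREBOOT;      /* older than boot: ignored */
    if (timeout_min < 0)
        return TICKET_VALID;        /* sudoers manual: never expires */
    if (difftime(now, mtime) >= timeout_min * 60.0)
        return TICKET_EXPIRED;      /* includes timeout 0: always prompt */
    return TICKET_VALID;
}

int main(void)
{
    const char *dir = pick_stamp_dir("");
    printf("time stamp dir: %s\n", dir ? dir : "(none found)");
    /* Constructed values: stamp written 20 s ago, 0.5 minute timeout. */
    printf("status: %d\n", check_ticket(1000, 1020, 900, 0.5));
    return 0;
}
```

Placing the boot-time check ahead of the negative-timeout case is an assumption of this sketch. The release notes only say that stamps older than boot are ignored where the boot time can be determined.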