ALT Linux repos
| S: | 1.9.14p1-alt2.1 |
| 5.0: | 1.6.8p12-alt5 |
| 4.1: | 1.6.8p12-alt5.M41.1 |
| 4.0: | 1.6.8p12-alt5 |
| +updates: | 1.6.8p12-alt5 |
| 3.0: | 1.6.7p5-alt5 |
Group :: System/Base
RPM: sudo
Navigation
Main Changelog Spec Patches Sources Download Gear Bugs and FR Repocop
22 september 2023 Ivan A. Melnikov <iv at altlinux.org> 1:1.9.14p1-alt2.1
- NMU: Add knobs for building w/o selinux and audit (thx asheplyakov@).
- Disable build of shared libutil.
- Enable build with static sudoers.
- Sudo now requires a C compiler that conforms to ISO C99 or higher to build.
- Fixed a bug where if the "intercept" or "log_subcmds" sudoers option was
enabled and a sub-command was run where the first entry of the argument
vector didn't match the command being run. - The "intercept_verify" sudoers option is now only applied when the "intercept"
option is set in sudoers. Previously, it was also applied when "log_subcmds"
was enabled. - The sudoers plugin now canonicalizes command path names before matchin.
- Improved command matching when a chroot is specified in sudoers.
- The visudo utility now displays a warning when it ignores a file in an
include dir such as /etc/sudoers.d. - When running a command in a pseudo-terminal, sudo will initialize the terminal
settings even if it is the background process. - Fixed a bug where only the first two digits of the TSID field being was logged.
- The "log_pty" sudoers option is now enabled by default. To restore the historic
behavior where a command is run in the user's terminal, add "Defaults !use_pty"
to the sudoers file. - Sudo's "-b" option now works when the command is run in a pseudo-terminal.
- When disabling core dumps, sudo now only modifies the soft limit and leaves
the hard limit as-is. This avoids problems on Linux when sudo does not have
CAP_SYS_RESOURCE, which may be the case when run inside a container. - Sudo configuration file paths have been converted to colon-separated lists of
paths. This makes it possible to have configuration files on a read-only file
system while still allowing for local modifications in a different (writable)
directory. - Fixed a long-standing bug where a sudoers rule without an explicit runas list
allowed the user to run a command as root and any group instead of just one of
the groups that root is a member of. - Fixed a bug where a sudoers rule with an explicit runas list allowed a user to
run sudo commands as themselves. - Fixed a bug that prevented the user from specifying a group on the command line
via "sudo -g" if the rule's Runas_Spec contained a Runas_Alias. - Fixed regressions in sudo 1.9.13:
+ Fixed a bug that resulted in a missing " ; " separator between environment
variables and the command in log entries.
- Update to latest stable release with regressions.
- Fixed a bug that could cause sudo to hang when running a command
in a pseudo-terminal when there is still input buffered after a
command has exited. - Fixed regressions in sudo 1.9.13:
+ Fixed a bug introduced in sudo 1.9.13 that caused a syntax error
when "list" was used as a user or host name (GitHub #246).
+ Fixed "sudo -U otheruser -l command" (GitHub #248).
+ Fixed "sudo -l command args" when matching a command in sudoers
with command line arguments (GitHub #249).
- Update to latest stable release.
- Fix run_time message validation in logsrvd.
- Fixed a potential double-free bug when matching a sudoers rule
that contains a per-command chroot directive (CHROOT=dir).
- Update to latest stable release.
- Fixed potential memory leaks in error paths (GitHub#199, GitHub#202).
- Fixed potential NULL dereferences on memory allocation failure (GitHub#204,
GitHub#211). - A missing include file in sudoers is no longer a fatal error
unless the error_recovery plugin argument has been set to false. - Fixed a bug running relative commands via sudo when "log_subcmds"
is enabled (GitHub#194). - Fixed a signal handling bug when running sudo commands in a shell
script. Signals were not being forwarded to the command when
the sudo process was not run in its own process group. - Added a reminder to the default lecture that the password will
not echo. This line is only displayed when the pwfeedback option
is disabled (GitHub#195). - Regular expressions in sudoers or logsrvd.conf may no longer contain
consecutive repetition operators. This is implementation-specific behavior
according to POSIX, but some implementations will allocate excessive amounts
of memory. This mainly affects the fuzzers. - Sudo no longer checks the ownership and mode of the plugins that it loads.
Plugins are configured via either the sudo.conf or sudoers file which are
trusted configuration files. - Fixed a bug executing a command with a very long argument vector when
"log_subcmds" or "intercept" is enabled on a system where "intercept_type"
is set to "trace" (GitHub#194).
- Update to latest stable bugfix and security release (closes: 44965).
- Fixed a compilation error on Linux/aarch64 (GitHub#197).
- Fixed a potential crash introduced in the fix for (GitHub#134):
+ If a user's sudoers entry did not have any RunAs user's set, running
"sudo -U otheruser -l" would dereference a NULL pointer. - Fixed a bug introduced in sudo 1.9.12 that could prevent sudo from creating
a I/O files when the "iolog_file" sudoers setting contains six or more Xs. - Fixed security issue (fixes: CVE-2023-22809), a flaw in sudo's -e option (aka
sudoedit) that could allow a malicious user with sudoedit privileges to edit
arbitrary files.
- Update to latest stable bugfix and security release (fixes: CVE-2022-43995).
- Major improvements from latest Sisyphus release:
+ For ptrace-based intercept mode, sudo will now attempt to verify that the
command path name, arguments and environment have not changed from the time
when they were authorized by the security policy. The new intercept_verify
sudoers setting can be used to control this behavior.
+ Sudo now supports passing the execve(2) system call the NULL pointer for the
argv and/or envp arguments when in intercept mode. Linux treats a NULL pointer
like an empty array.
+ Neovim has been added to the list of visudo editors that support passing the
line number on the command line.
+ Added a new -N (no-update) command line option to sudo which can be used to
prevent sudo from updating the user's cached credentials.
+ PAM approval modules are no longer invoked when running sub-commands in
intercept mode unless the intercept_authenticate option is set. There is a
substantial performance penalty for calling into PAM for each command run.
PAM approval modules are still called for the initial command.
+ Intercept mode on Linux now uses process_vm_readv(2) and process_vm_writev(2)
if available.
+ The XDG_CURRENT_DESKTOP environment variable is now preserved by default.
This makes it possible for graphical applications to choose the correct theme
when run via sudo.
+ The cvtsudoers manual now documents the JSON and CSV output formats.
+ The new log_stdin, log_stdout, log_stderr, log_ttyin, and log_ttyout sudoers
settings can be used to support more fine-grained I/O logging. The sudo
front-end no longer allocates a pseudo-terminal when running a command if the
I/O logging plugin requests logging of stdin, stdout, or stderr but not
terminal input/output.
+ Added the -I option to visudo which only edits the main sudoers file.
Include files are not edited unless a syntax error is found.
- Rebuild with upstream sources from https://github.com/sudo-project/sudo
(manual import of archives no more needed).
- Add sudopw control with rule Defaults for user, root, target or runas type
of user account password credentials that are verified during authentication.
- Fix sudowheel control to be more flexible and supported the default 'ALL:ALL'
Runas_Spec with group alias specified. - Fix initialization error in post-scripts for sudoreplay and sudowheel controls
during first installation process (closes: 41907).
- Update to latest stable release.
- Major improvemnents from latest Sisyphus release:
+ Added new log_passwords and passprompt_regex settings to sudo_logsrvd that
operate like the sudoers options when logging terminal input.
+ A new noninteractive_auth sudoers option has been added to enable PAM
authentication in non-interactive mode.
+ When sudo is run in non-interactive mode (with the -n option), it will now
attempt PAM authentication and only exit with an error if user interaction is
required.
+ The intercept and log_subcmds functionality can now use ptrace(2) on Linux
systems that support seccomp(2) filtering. - Tweak default password prompt as %u doesn't make sense. Improve it by old fix
from Patrick Schoenfeld that adds a %p and uses it by default (closes: 38612).
- Fixed minor troubles and regressions.
- Update to latest stable release with support transparently intercepting
sub-commands executed by the original command run via sudo.
- Update to latest stable release with bugfixes and improvements:
+ Sudo now can handle the getgroups() function returning a different
number of groups for subsequent invocations.
- Fix missing word typo in Russian translation file
- Update to latest stable release
- Update to latest bugfix release of the sudo 1.9
- Set sudo python plugin to be definable and enabled by default
- Update to latest security release (fixes: CVE-2021-3156) (closes: 39615)
- Added sudo-python package with Sudo Python Plugin API
- Added sudo-logsrvd package with High-performance log server
- Update to latest release
- Enable python policy support
- Update to latest release of the sudo 1.9 (Fixes: CVE-2019-19232, CVE-2019-19234)
- Added sudo event and I/O log server
- Added send sudo I/O log to log server utility
- Added selinux support
- Added native audit support
- Update to latest release (Fixes: CVE-2019-18634)
- Update to autumn security release (closes: 37334)
- Code execution with euid==0 in rare box configurations (fixes: CVE-2019-14287)
- Fix post script for sudowheel control in case of upgrade in not default state
- Update to last winter release
- Update to last autumn release
- Fix post script for sudowheel control (closes: 35611)
- Reapply replace libsudo_util.so to libexecdir (avoid rpath in binaries)
- Set sudowheel control with rule "ALL=(ALL) ALL" for wheel users disabled
by default (closes: 18344)
- Update to latest release
- Disable ubt macros due binary package identity change
- Replace libsudo_util.so to libexecdir
- Add new cvtsudoers utility
- Update to latest winter release
- Add sudowheel control with rule "ALL=(ALL) ALL" for wheel users enabled
by default (closes: 18344)
- Update to latest autumn release
- Update to first summer security release
- Update to spring security release ((Fixes: CVE-2017-1000367)
- Update to latest spring release
- Add compatibility trigger for /etc/sudoers.d and /etc/sudo.d
- Avoid sudoreplay pre and post control warnings
- Add warning if /etc/sudo.d directory exixsts
- Disable sudo rule for root by default
- Fixed relaxed control rule for sudoers
- Build without *.la files in modules directory
- Updated to last stable release 1.8.19p1 with sssd features
- Fixed new sudoers template with sudoers.control settings
- Updated to last stable release 1.8.17p1
- Updated to last stable release 1.8.13
- Updated to last stable release 1.8.9p4
- Updated to new relrease 1.8.8
- Updated to 1.8.6p8
- Updated to 1.8.6p6
- Updated to 1.8.6p4
- Updated to 1.8.6p3
- Enabled /etc/sudoers.d by default (for new installations)
- Added sudo-devel package for plugin development
- Dropped /etc/sudo.d from package and Provides, handling left for
compatibility.
- Implemented /etc/sudoers.d support to provide upstream-compatibility
/etc/sudo.d support left for backward compatibility.
- Fixed generation of man pages (by george@; closes: #27479).
- Relocated sudo timestamp directory: /var/run/sudo -> /var/lib/sudo.
- Backported upstream fix for CVE-2010-1163 (env_reset, ignore_dot and
secure_path sudoers options all had to be explicitly disabled
to make an attack possible). - Backported upstream fix for CVE-2010-1646 (env_reset sudoers option
had to be explicitly disabled to make an attack possible).
- Backported upstream fix for CVE-2010-0426 (a flaw in sudoedit could
give a user with permission to run sudoedit the ability to run
arbitrary commands; env_reset sudoers option had to be
explicitly disabled to make an attack possible).
- Fixed build with fresh libtool.
- Documented that set_home is on by default due to --enable-shell-sets-home.
- Configured less confusing default password prompt (#13719).
- Fixed build with autoconf-2.61.
- Fixed typo in configure check (george, #12449, #12462).
- sudoers (#11753):
+ Added DISPLAY and XAUTHORITY to env_keep for "xgrp" group members.
+ Added "!env_reset" example.
+ Added sudoers environment control.
- Forced manpage generation from .pod files.
- sudoers: Added "DISPLAY" to env_keep.
- Reverted change to requiretty default value.
- Resurrected tgetpass fix from 1.6.6-alt3.
- Updated to 1.6.8p12 with backports from HEAD.
- Enabled env_reset, requiretty and tty_tickets options by default.
- Rebuilt for new style PAM dependencies generated by rpm-build-4.0.4-alt55.
- Added system logger initialization, removed closelog() calls.
- Backported upstream fix so a sudoers entry with sudo ALL no longer
overwrites the value of safe_cmnd (CAN-2005-1993).
- Backported upstream fix that restricts exporting of shell functions
and CDPATH shell variable (CAN-2004-1051). - Added help to control.
- Changed "listpw" default value from "any" to "all".
- Fixed build with fresh autotools.
- Updated to 1.6.7p5.
- PAM configuration policy enforcement.
- Updated to 1.6.7p2, updated patches.
- Enable setting $HOME to target user in shell mode.
- Keep sudo at mode "restricted" in the package, but default it
to "wheelonly" in %post when the package is first installed.
This avoids a race and fail-open behavior (like in su package).
- Added control support for sudo.
- tgetpass: The /dev/tty _must_ be opened for reading/writing unless
requested to use stdin/stderr.
- Set default visudo(8) editor to vitmp(1).
- 1.6.6
- Applied patch from Tom Parker.
- Added /etc/sudo.d
- 1.6.5p2.
- Built with --disable-saved-ids.
- Rebuilt with bison-1.31-alt2.
- 1.6.5p1.
- 1.6.5 final.
- Fixed nasty typo in description.
- 1.6.4 final.
- 1.6.4rc4, which fixes set_perms_posix problem.
- 1.6.4rc3, updated patches.
- Explicitly set sudoers mode to 0400.
- Disabled broken set_perms_posix introduced in new version.
- Cleaned up list of linked libraries.
- Fixed progname usage.
- Fixed SECURE_PATH.
- Enabled: --with-secure-path --with-env-editor --with-editor=/bin/vi.
- Implemented optional sudoers file for visudo.
- implemented sudoers lookup in /etc/sudo.d directory.
- Corrected license information.
- 1.6.3p7
- 1.6.3p6
- Added set of PAM_TTY.
- Commented out translations in specfile for a while.
- Updated pam configuration.
- Changed syslog facility to log with from local2 to authpriv.
- Russian translations.
- 1.6.3p5
- 1.6.3p4
- 1.6.3p3
- Fandra adaptions
- Group: System/Base
- fixed config files
- Set /etc/sudoers as 0440.
- 1.62p2.
- 1.6.2p1.
- specs teak.
- Mandrake adaptations.
- [cu-sudo-1.5.9p2-1]
- Initial RPM build.
- Installing sample pam file.