sudo/WHATSNEW

What's new in Sudo 1.7.0?

 * Rewritten parser that converts sudoers into a set of data structures.
   This eliminates a number of ordering issues and makes it possible to
   apply sudoers Defaults entries before searching for the command.
   It also adds support for per-command Defaults specifications.

 * Sudoers now supports a #include facility to allow the inclusion of other
   sudoers-format files.

 * Sudo's -l (list) flag has been enhanced:
    o applicable Defaults options are now listed
    o a command argument can be specified for testing whether a user
      may run a specific command.
    o a new -U flag can be used in conjunction with "sudo -l" to allow
      root (or a user with "sudo ALL") list another user's privileges.

 * A new -g flag has been added to allow the user to specify a
   primary group to run the command as.  The sudoers syntax has been
   extended to include a group section in the Runas specification.

 * A uid may now be used anywhere a username is valid.

 * The "secure_path" run-time Defaults option has been restored.

 * Password and group data is now cached for fast lookups.

 * The file descriptor at which sudo starts closing all open files is now
   configurable via sudoers and, optionally, the command line.

 * Visudo will now warn about aliases that are defined but not used.

 * The -i and -s command line flags now take an optional command
   to be run via the shell.  Previously, the argument was passed
   to the shell as a script to run.

 * Improved LDAP support.  SASL authentication may now be used in
   conjunction when connecting to an LDAP server.  The krb5_ccname
   parameter in ldap.conf may be used to enable Kerberos.

 * Support for /etc/nsswitch.conf.  LDAP users may now use nsswitch.conf
   to specify the sudoers order.  E.g.:
	sudoers: ldap files
   to check LDAP, then /etc/sudoers.  The default is "files", even
   when LDAP support is compiled in.  This differs from sudo 1.6
   where LDAP was always consulted first.

 * Support for /etc/environment on AIX and Linux.  If sudo is run
   with the -i flag, the contents of /etc/environment are used to
   populate the new environment that is passed to the command being
   run.

 * If no terminal is available or if the new -A flag is specified,
   sudo will use a helper program to read the password if one is
   configured.  Typically, this is a graphical password prompter
   such as ssh-askpass.

 * A new Defaults option, "mailfrom" that sets the value of the
   "From:" field in the warning/error mail.  If unspecified, the
   login name of the invoking user is used.

 * A new Defaults option, "env_file" that refers to a file containing
   environment variables to be set in the command being run.

 * A new flag, -n, may be used to indicate that sudo should not
   prompt the user for a password and, instead, exit with an error
   if authentication is required.

 * If sudo needs to prompt for a password and it is unable to disable
   echo (and no askpass program is defined), it will refuse to run
   unless the "visiblepw" Defaults option has been specified.

 * Prior to version 1.7.0, hitting enter/return at the Password: prompt
   would exit sudo.  In sudo 1.7.0 and beyond, this is treated as
   an empty password.  To exit sudo, the user must press ^C or ^D
   at the prompt.
change version to 1.7.0 2008-05-02 20:38:08 +00:00			`What's new in Sudo 1.7.0?`
What's new in sudo 1.7, based on the 1.7 CHANGES entries. 2005-02-12 21:16:34 +00:00
			`* Rewritten parser that converts sudoers into a set of data structures.`
			`This eliminates a number of ordering issues and makes it possible to`
			`apply sudoers Defaults entries before searching for the command.`
			`It also adds support for per-command Defaults specifications.`

			`* Sudoers now supports a #include facility to allow the inclusion of other`
			`sudoers-format files.`

			`* Sudo's -l (list) flag has been enhanced:`
			`o applicable Defaults options are now listed`
			`o a command argument can be specified for testing whether a user`
			`may run a specific command.`
			`o a new -U flag can be used in conjunction with "sudo -l" to allow`
			`root (or a user with "sudo ALL") list another user's privileges.`

Add support for runas groups. This allows the user to run a command with a different effective group. If the -g option is specified without -u the command will be run as the current user (only the group will change). the -g and -u options may be used together. TODO: implement runas group for ldap improve runas group documentation add testsudoers support 2007-11-21 20:12:00 +00:00			`* A new -g flag has been added to allow the user to specify a`
			`primary group to run the command as. The sudoers syntax has been`
			`extended to include a group section in the Runas specification.`

mention better uid support 2007-08-22 22:56:56 +00:00			`* A uid may now be used anywhere a username is valid.`

What's new in sudo 1.7, based on the 1.7 CHANGES entries. 2005-02-12 21:16:34 +00:00			`* The "secure_path" run-time Defaults option has been restored.`

Glob support was back-ported to 1.6.9 2007-08-21 00:43:19 +00:00			`* Password and group data is now cached for fast lookups.`
What's new in sudo 1.7, based on the 1.7 CHANGES entries. 2005-02-12 21:16:34 +00:00
			`* The file descriptor at which sudo starts closing all open files is now`
			`configurable via sudoers and, optionally, the command line.`

			`* Visudo will now warn about aliases that are defined but not used.`
The -i and -s flags can now take an optional command. 2007-12-03 16:36:49 +00:00
			`* The -i and -s command line flags now take an optional command`
minor update 2007-12-10 22:12:34 +00:00			`to be run via the shell. Previously, the argument was passed`
			`to the shell as a script to run.`

reword LDAP SASL 2007-12-20 15:02:51 +00:00			`* Improved LDAP support. SASL authentication may now be used in`
			`conjunction when connecting to an LDAP server. The krb5_ccname`
			`parameter in ldap.conf may be used to enable Kerberos.`
Update to reflect recent developments. 2008-01-01 21:43:26 +00:00
			`* Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf`
			`to specify the sudoers order. E.g.:`
			`sudoers: ldap files`
			`to check LDAP, then /etc/sudoers. The default is "files", even`
			`when LDAP support is compiled in. This differs from sudo 1.6`
			`where LDAP was always consulted first.`

mention askpass 2008-03-05 14:36:27 +00:00			`* Support for /etc/environment on AIX and Linux. If sudo is run`
			`with the -i flag, the contents of /etc/environment are used to`
			`populate the new environment that is passed to the command being`
			`run.`

			`* If no terminal is available or if the new -A flag is specified,`
			`sudo will use a helper program to read the password if one is`
			`configured. Typically, this is a graphical password prompter`
			`such as ssh-askpass.`
mention mailfrom 2008-03-06 17:21:17 +00:00
			`* A new Defaults option, "mailfrom" that sets the value of the`
			`"From:" field in the warning/error mail. If unspecified, the`
			`login name of the invoking user is used.`
Add -n (non-interactive) flag. 2008-03-18 20:04:41 +00:00
Add env_file Defaults option that is similar to /etc/environment on some systems. 2008-05-03 00:53:21 +00:00			`* A new Defaults option, "env_file" that refers to a file containing`
			`environment variables to be set in the command being run.`

Add -n (non-interactive) flag. 2008-03-18 20:04:41 +00:00			`* A new flag, -n, may be used to indicate that sudo should not`
			`prompt the user for a password and, instead, exit with an error`
			`if authentication is required.`
add sections on tgetpass changes 2008-11-08 15:31:47 +00:00
			`* If sudo needs to prompt for a password and it is unable to disable`
			`echo (and no askpass program is defined), it will refuse to run`
			`unless the "visiblepw" Defaults option has been specified.`

			`* Prior to version 1.7.0, hitting enter/return at the Password: prompt`
			`would exit sudo. In sudo 1.7.0 and beyond, this is treated as`
			`an empty password. To exit sudo, the user must press ^C or ^D`
			`at the prompt.`