diff --git a/NEWS b/NEWS
index bdf6cc4c0..a8824c448 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,69 @@
+What's new in Sudo 1.9.14
+
+ * The sudoers plugin now canonicalizes command path names before
+ matching (where possible). This fixes a bug where sudo could
+ execute the wrong path if there are multiple symbolic links with
+ the same target and the same base name in sudoers that a user is
+ allowed to run. GitHub issue #228.
+
+ * Improved command matching when a chroot is specified in sudoers.
+ The sudoers plugin will now change the root directory id needed
+ before performing command matching. Previously, the root directory
+ was simply prepended to the path that was being processed.
+
+ * When NETGROUP_BASE is set in the ldap.conf file, sudo will now
+ perform its own netgroup lookups of the host name instead of
+ using the system innetgr(3) function. This guarantees that user
+ and host netgroup lookups are performed using the same LDAP
+ server (or servers).
+
+ * Fixed a bug introduced in sudo 1.9.13 that resulted in a missing
+ " ; " separator between environment variables and the command
+ in log entries.
+
+ * The visudo utility now displays a warning when it ignores a file
+ in an include dir such as /etc/sudoers.d.
+
+ * When running a command in a pseudo-terminal, sudo will initialize
+ the terminal settings even if it is the background process.
+ Previously, sudo only initialized the pseudo-terminal when running
+ in the foreground. This fixes an issue where a program that
+ checks the window size would read the wrong value when sudo was
+ running in the background.
+
+ * Fixed a bug where only the first two digits of the TSID field
+ being was logged. Bug #1046.
+
+ * The "log_pty" sudoers option is now enabled by default. To
+ restore the historic behavior where a command is run in the
+ user's terminal, add "Defaults !use_pty" to the sudoers file.
+ GitHub issue #258.
+
+ * Sudo's "-b" option now works when the command is run in a
+ pseudo-terminal.
+ + * When disabling core dumps, sudo now only modifies the soft limit + and leaves the hard limit as-is. This avoids problems on Linux + when sudo does not have CAP_SYS_RESOURCE, which may be the case + when run inside a container. GitHub issue #42. + + * Sudo configuration file paths have been converted to colon-separated + lists of paths. This makes it possible to have configuration + files on a read-only file system while still allowing for local + modifications in a different (writable) directory. The new + --enable-adminconf configure option can be used to specify a + directory that is searched for configuration files in preference + to the sysconfdir (which is usually /etc). + + * The "intercept_verify" sudoers option is now only applied when + the "intercept" option is set in sudoers. Previously, it was + also applied when "log_subcmds" was enabled. + + * The NETGROUP_QUERY ldap.conf parameter can now be disabled for + LDAP servers that do not support querying the nisNetgroup object + by its nisNetgroupTriple attribute, while still allowing sudo to + query the LDAP server directly to determine netgroup membership. + What's new in Sudo 1.9.13p3 * Fixed a bug introduced in sudo 1.9.13 that caused a syntax error diff --git a/configure b/configure index 0fb10272c..fc1201988 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.72c for sudo 1.9.13p3. +# Generated by GNU Autoconf 2.72c for sudo 1.9.14. # # Report bugs to . # @@ -614,8 +614,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='sudo' PACKAGE_TARNAME='sudo' -PACKAGE_VERSION='1.9.13p3' -PACKAGE_STRING='sudo 1.9.13p3' +PACKAGE_VERSION='1.9.14' +PACKAGE_STRING='sudo 1.9.14' PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/' PACKAGE_URL='' 
@@ -1639,7 +1639,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -'configure' configures sudo 1.9.13p3 to adapt to many kinds of systems. +'configure' configures sudo 1.9.14 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1705,7 +1705,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sudo 1.9.13p3:";; + short | recursive ) echo "Configuration of sudo 1.9.14:";; esac cat <<\_ACEOF @@ -1999,7 +1999,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sudo configure 1.9.13p3 +sudo configure 1.9.14 generated by GNU Autoconf 2.72c Copyright (C) 2023 Free Software Foundation, Inc. @@ -2819,7 +2819,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sudo $as_me 1.9.13p3, which was +It was created by sudo $as_me 1.9.14, which was generated by GNU Autoconf 2.72c. Invocation command line was $ $0$ac_configure_args_raw @@ -36387,7 +36387,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sudo $as_me 1.9.13p3, which was +This file was extended by sudo $as_me 1.9.14, which was generated by GNU Autoconf 2.72c. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -36455,7 +36455,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -sudo config.status 1.9.13p3 +sudo config.status 1.9.14 configured by $0, generated by GNU Autoconf 2.72c, with options \\"\$ac_cs_config\\" 
diff --git a/configure.ac b/configure.ac
index 6f91f2838..781c18f81 100644
--- a/configure.ac
+++ b/configure.ac
@@ -18,7 +18,7 @@ dnl ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 dnl
 AC_PREREQ([2.69])
-AC_INIT([sudo], [1.9.13p3], [https://bugzilla.sudo.ws/], [sudo])
+AC_INIT([sudo], [1.9.14], [https://bugzilla.sudo.ws/], [sudo])
 AC_CONFIG_HEADERS([config.h pathnames.h])
 AC_CONFIG_SRCDIR([src/sudo.c])
 AC_CONFIG_AUX_DIR([scripts])