diff --git a/NEWS b/NEWS index ee35ad5db..9fb342d98 100644 --- a/NEWS +++ b/NEWS @@ -14,10 +14,16 @@ What's new in Sudo 1.9.3 * Fixed the libssl dependency in Debian packages on older releases that use libssl1.0.0. - * Sudo (and visudo) now provide more detailed messages when there - is a syntax error in sudoers. The offending line and token - is now displayed. If bison is used to generate the parser, - information about what token was expected is also displayed. + * Sudo (and visudo) now provide more detailed messages when a + syntax error is detected in sudoers. The offending line and + token are now displayed. If the parser was generated by GNU + bison, additional information about what token was expected is + also displayed. + + * Sudoers rules must now end in either a newline or the end-of-file. + Previously, it was possible to have multiple rules on a single + line, separated by white space. The use of an end-of-line + terminator makes it possible to display accurate error messages. * Sudo no longer refuses to run if a syntax error in the sudoers file is encountered. The entry with the syntax error will be @@ -28,6 +34,14 @@ What's new in Sudo 1.9.3 * Fixed the sample_approval plugin's symbol exports file for systems where the compiler doesn't support symbol hiding. + * Fixed a regression introduced in sudo 1.9.1 where arguments to + the "sudoers_policy" plugin in sudo.conf were not being applied. + The sudoers file is now parsed by the "sudoers_audit" plugin, + which is loaded implicitly when "sudoers_policy" is listed in + sudo.conf. Starting with sudo 1.9.3, if there are plugin arguments + for "sudoers_policy" but "sudoers_audit" is not listed, those + arguments will be applied to "sudoers_audit" instead. + What's new in Sudo 1.9.2 * Fixed package builds on RedHat Enterprise Linux 8. diff --git a/doc/UPGRADE b/doc/UPGRADE index a6eb2e5e6..73c033abe 100644 --- a/doc/UPGRADE +++ b/doc/UPGRADE 
@@ -1,6 +1,33 @@ Notes on upgrading from an older release ======================================== +o Upgrading from a version prior to 1.9.3: + + Starting with version 1.9.3, sudoers rules must end in either + a newline or the end-of-file. This makes it possible to provide + better error messages. Previously, it was possible to include + multiple rules on a single line, separated by white space. + + Starting with version 1.9.3, sudo will attempt to recover from + a syntax error in the sudoers file by discarding the portion + of the line that contains the error until the end of the line. + To restore the historic behavior of refusing to run when a + syntax error is encountered, add "error_recovery=false" as a + plugin option in sudo.conf for the "sudoers_audit" plugin, (or + "sudoers_policy" if there is no "sudoers_audit" plugin configured). + +o Upgrading from a version prior to 1.9.1: + + Starting with version 1.9.1, sudoers plugin arguments in sudo.conf + should be specified for the "sudoers_audit" plugin, not + "sudoers_policy". This is because the sudoers file is now + opened and parsed by the "sudoers_audit" plugin. Previously, + this was done by the "sudoers_policy" plugin. The use of an + audit plugin makes it possible for the sudoers module to detect + when a command has been rejected by an approval plugin and only + log commands that are allowed by both policy and approval + plugins. + o Upgrading from a version prior to 1.8.30: Starting with version 1.8.30, sudo will no longer allow commands
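Review bot: The new "Sudoers rules must now end in either a newline or the end-of-file" entry in the first NEWS hunk documents a backward-incompatible parser change without saying what happens to existing files that rely on the old behaviour. Read together with the adjacent "Sudo no longer refuses to run if a syntax error ... is encountered" entry and the UPGRADE text that recovery discards the rest of the line, a sudoers file that still carries several rules on one line will now hit a syntax error and, with recovery on by default, the remainder of that line from the error onward is dropped instead of sudo refusing to run. Suggest adding a sentence stating that such lines now produce a syntax error and pointing readers to doc/UPGRADE for the error_recovery option, so administrators know to review their files after upgrading. Minor wording: "the end-of-file" reads better as "the end of the file".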
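Review bot: The "sudoers_policy" arguments entry in the second NEWS hunk leaves the precedence rule underspecified: it says the arguments are applied to "sudoers_audit" only when "sudoers_audit" is not listed in sudo.conf, which implies that a sudo.conf listing "sudoers_audit" without arguments next to "sudoers_policy" with arguments silently ignores the latter. If that is intended, say so explicitly in the entry (for example: if "sudoers_audit" is listed, any arguments given to "sudoers_policy" are ignored) and consider whether sudo should warn in that case, since a silently ignored option such as the error_recovery=false setting described in doc/UPGRADE is exactly the kind of misconfiguration an administrator will not notice until it matters. A cross-reference to the "Upgrading from a version prior to 1.9.1" note in doc/UPGRADE, which explains the same plugin split, would also help.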
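Review bot: In the doc/UPGRADE hunk, the description of error recovery, "discarding the portion of the line that contains the error until the end of the line", is ambiguous about whether the tokens before the error on that line are kept or the whole line is dropped; please state which, because that decides whether a partially correct rule is still applied. The instruction for restoring the old behaviour has a stray comma before the parenthesis ("plugin, (or") and would be more useful if it showed the actual sudo.conf line to add rather than only the option name. Since a syntax error is now recovered from rather than fatal, this section should also recommend that administrators check their existing sudoers files with visudo after upgrading, so lines affected by the new end-of-line rule are found rather than silently truncated.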