Getting Sudo
 Purchase Sudo
 Download Sudo
 AnonCVS
 CVSweb
 Mirroring Sudo

Documentation
 README for Sudo
 README for LDAP
 Installation Notes
 Supported Platforms
 Troubleshooting FAQ
 License
 Changelog
 Sudo Manual
 Sudoers Manual
 Visudo Manual
 Other Documentation

Sudo Resources
 Commercial Support
 Web Site Mirrors
 Mailing Lists
 Sudo Security Alerts
 Bug Tracking System
 Sudo Tools
 Similar Utilities

Other
 Site Search
 GratiSoft main page
 Mktemp page
 Newsyslog page
 Todd's page

The current version of sudo is 1.6.8p8.

Major changes from version 1.6.8p7 to 1.6.8p8:

• The noexec functionality now works correctly on Linux.

• Fixed a bug that prevented Heimdal authentication from working.

Major changes from version 1.6.8p6 to 1.6.8p7:

• Sudo will issue a warning if the user tries to use the -u option when not running a command.

• Better PAM error handling and messages.

Major changes from version 1.6.8p5 to 1.6.8p6:

• Fixed compilation problem on MacOS X (aka Darwin)

• Fixed compilation problem with LDAP implementations that don't define LDAP_OPT_SUCCESS.

Major changes from version 1.6.8p4 to 1.6.8p5:

• Sudo now builds on systems with a 2-argument version of the timespecsub macro.

• Fixed a few gcc warnings that show up on some systems.

• In sudoers Defaults lines, tuples like "lecture" may now be used without a value, restoring their old boolean-like nature.

• Invalid values for a tuple are now handled correctly.

Major changes from version 1.6.8p3 to 1.6.8p4:

• The KRB5CCNAME environment variable is preserved during sudo execution for password lookups that use GSSAPI.

Major changes from version 1.6.8p2 to 1.6.8p3:

• The CDPATH variable is now stripped from the environment passed to the program to be executed.

• Fixed sudoedit temporary file generation on systems where the _PATH_VARTMP macro lacks a trailing slash.

Major changes from version 1.6.8p1 to 1.6.8p2:

• Bash exported functions are now stripped from the environment passed to the program to be executed.

Major changes from version 1.6.8 to 1.6.8p1:

• Sudoedit now re-opens the temp file as the invoking user and will only open regular files.

• Better detection of unchanged files in sudoedit.

• The path to ldap.conf is now configurable.

• Added SSL tls_* certificate checking options when using LDAP.

• The sample pam config file has been updated.

Major changes from version 1.6.7p5 to 1.6.8:

• Sudo now supports storing sudoers info in LDAP (optionally using TLS).

• There is a new -e option to edit files the with uid of the invoking user. This makes it possible to give users to ability to safely edit files without the possibility of editing other files or running commands as the target user. If sudo is run as "sudoedit" the -e flag is implied.

• A new tag, NOEXEC, will prevent a dynamically-linked program being run by sudo from executing another program (think shell escapes). Because this uses LD_PRELOAD it has no effect on static binaries.

• A uid specified in sudoers now matches the user specified by the -u flag even if the -u flag specified a name, not a uid.

• Added a -i option to simulate an initial login similar to "su -".

• If sudo is used to run as root shell, further sudo commands will be logged as run by the user specified by the SUDO_USER environment variable. In -e mode (sudoedit), SUDO_USER is used to determine what user to run the editor when the real uid is 0.

• The sudoers file is now parsed as the runas user in all cases instead of root. This fixes some issues with running NFS-mounted commands.

• If the target user == invoking user a password is no longer required.

• Sudo now produces a sensible error message when the targetpw Defaults option is set and a non-existent uid is specified via the -u option.

• A negated user/uid in a runas list is now treated the same as a negated command and overrides a previously allowed entry.

• PAM support now uses Use pam_acct_mgmt() to check for disabled accounts.

• Added a check in visudo for runas_default being used before it was set.

• Fixed several issues when closing all open descriptors. Sudo now uses closefrom() if it exists, otherwise it uses /proc/$$/fd if that exists with a fallback of closing all possible descriptors.

• Quoting globbing characters with a backslash now works as documented.

• Fixed a problem on FreeBSD (and perhaps others) when the user is only listed in NIS (not master.passwd) and netgroups are used in the master.passwd file.

• The username in a log entry is no longer truncated at 8 characters.

• Added a "sudo_lecture" option that can point to a file containing a custom lecture.

• The timeout for password reading is now done via alarm(), not select().

• /tmp/.odus is no longer used for timestamps by default.

• Sudo now works on the nsr-tandem-nsk platform.

• Fixed the --with-stow configure option.

• TIS fwtk authentication now supports fwtk 2.0 and higher.

• Added Stan Lee / Uncle Ben quote to the lecture from RedHat.

• Added the --with-pc-insults configure to replace politically incorrect insults with other ones.

Major changes from version 1.6.7p4 to 1.6.7p5:

• Fixed a typo that caused a compilation error on Heimdal.

• Deal with the lack of a real setreuid() on Darwin (MacOS X).

• Fixed a problem when there are a large number of environment variables.

Major changes from version 1.6.7p3 to 1.6.7p4:

• Fixed remaining Kerberos V issues with MIT Kerberos V and old Heimdal.

Major changes from version 1.6.7p2 to 1.6.7p3:

• The Kerberos 5 support now compiles on MIT Kerberos 5 1.2.6

Major changes from version 1.6.7p1 to 1.6.7p2:

• Fixed an unterminated comment that broke Kerberos V authentication.

• The krb5-config script is now used to determine Kerberos V CPPFLAGS and LDFLAGS/LIBS if it exists.

• Backed out changes to mkinstalldirs from autoconf 2.57 that caused problems on Tru64 Unix.

Major changes from version 1.6.7 to 1.6.7p1:

• Fixed false positives in the overflow detection of expand_prompt().

Major changes from version 1.6.6 to 1.6.7:

• Wildcards now work correctly in an env_keep Defaults directive.

• The owner of the timestamp directory is now configurable.

• Sudo now supports the SecurID 5.0 API.

• Sudo now saves and restores the state of signal handlers. This fixes a problem using sudo with the nohup command.

• Sudo now uses setresuid() if it exists to properly support the stay_setuid Defaults directive.

• In strict mode sudo did not throw an error for undefined User_Aliases, now it does.

• Write the prompt after turning off echo to avoid some password characters being echoed on heavily-loaded machines with fast typists.

• Added %U and %H escapes in the prompt and fixed treatment of %%.

• Visudo will now add a final newline to sudoers if the user's editor not add one before EOF.

• Added support for Defaults that apply based on the RunasUser.

• Sudo now includes copies of strlc{at,py} and uses them throughout.

• Sudo is now careful to avoid interger overflow when allocating memory. This is one of those "should not happen" situations.

• Added a configure option (--with-stow) to make sudo compatible with GNU stow.

• auth/kerb5.c now compiles under Heimdal.

• The volatile prefix is used in the hopes of preventing compilers from optimizing away memory zeroing. Unfortunately, this results in some warnings from gcc.

• The configure tests for Kerberos are much improved.

• A long-standing bug in the SIGCHLD handler was fixed.

• Added a --with-rpath configure option to pass the -R flag along with -L to the linker. Enabled by default on Solaris and SVR4.

• Added support for using the -blibpath ld option on AIX to add directories to the shared lib search path. This is only active when additional library paths are used. It may be disabled via the --without-blibpath configure option.

• The --with-skey and --with-opie configure options now take an optional directory argument that should have an include and lib dir for the skey/opie include file and library respectively.

Major changes from version 1.6.5p2 to 1.6.6:

• Fixed a compilation problem on HP-UX 9.x.

• Moved the call to endpwent() and added a call to endgrent() for greater paranoia.

• Fixed a warning conflicting declaration of VOID with AFS.

• Fixed a security hole in prompt rewriting found by Global InterSec.

Major changes from version 1.6.5p1 to 1.6.5p2:

• Older versions of BSDi have getifaddrs() but no freeifaddrs().

• BSDi has a fake setreuid() as do certain versions of FreeBSD and NetBSD.

• Ignore the return value of pam_setcred(). In Linux-PAM 0.75, pam_setcred() will return PAM_PERM_DENIED even if the setcred function of the module succeeds when pam_authenticate() has not been called.

• Avoid giving PAM a NULL password response, use the empty string instead. This avoids a log warning when the user hits ^C at the password prompt when Linux-PAM is in use. This also prevents older versions of Linux-PAM from dereferencing the NULL pointer.

• The user's password was not zeroed after use when AIX authentication, BSD authentication, FWTK or PAM was in use.

Major changes from version 1.6.5 to 1.6.5p1:

• Visudo could access memory that was already freed.

• If the skey.access file denied use of plaintext passwords sudo would exit instead of allowing the user to enter an S/Key.

Major changes from version 1.6.4p2 to 1.6.5:

• Added a configure option to cause mail sent by sudo to be run as the invoking user instead of root. Some people consider this to be safer.

• If the mailer is being run as root, use a hard-coded environment that is not influenced in any way by the invoking user's environment.

Major changes from version 1.6.4p1 to 1.6.4p2:

• Some special characters were not being escaped properly (e..g '\,' and '\:') in command line arguments and would cause a syntax error.

• 'sudo -l' would not work if the always_set_home option was set.

• There is now a configure option to disable use of POSIX saved IDs for operating systems where these are broken.

• The SHELL environment variable was preserved from the user's environment instead of being reset based on the passwd database even when the env_reset option was set.

Major changes from version 1.6.4 to 1.6.4p1:

• The set_home sudoers option was broken in sudo 1.6.4.

• Use of the fqdn sudoers option could result in memory being accessed after it had been freed.

Major changes from version 1.6.3p7 to 1.6.4:

• Visudo now checks for the existence of an editor and gives a sensible error if it does not exist.

• The path to the editor for visudo is now a colon-separated list of allowable editors. If the user has $EDITOR set and it matches one of the allowed editors that editor will be used. If not, the first editor that actually exists is used.

• Allow special characters (including '#') to be embedded in pathnames if quoted by a '\\'. The quoted chars will be dealt with by fnmatch(). Unfortunately, 'sudo -l' still prints the '\\'.

• Added the always_set_home option.

• Now strip NLSPATH and PATH_LOCALE out from the environment to prevent reading of protected files by a less privileged user.

• Added support for BSD authentication and associated -a flag.

• Added stay_setuid option for systems that have libraries that perform extra paranoia checks in system libraries for setuid programs.

• Environment munging is now done by hand. The environment is zeroed upon sudo startup and a new environment is built before the command is executed. This means we don't rely on getenv(3), putenv(3), or setenv(3).

• Added a class of environment variables that are only cleared if they contain '/' or '%' characters.

• Use stashed user_gid when checking against exempt gid since sudo sets its gid to SUDOERS_GID, making getgid() return that, not the real gid. Fixes problem with setting exempt group == SUDOERS_GID.

• Fixed file locking in visudo on NeXT which has a broken lockf().

• Added mail_badpass option to send mail when the user does not authenticate successfully.

• Added env_reset Defaults option to reset the environment to a clean slate. Also implemented env_keep Defaults option to specify variables to be preserved when resetting the environment.

• Added env_check and env_delete Defaults options to allow the admin to modify the builtin list of environment variables to remove.

• If timestamp_timeout < 0 then the timestamp never expires. This allows users to manage their own timestamps and create or delete them via 'sudo -v' and 'sudo -k' respectively.

• Authentication routines that use sudo's tgetpass() now accept ^C or ^Z at the password prompt and sudo will act appropriately.

• Added a check-only mode to visudo to check an existing sudoers file for sanity.

• Visudo can now edit an alternate sudoers file.

• If sudo is configured with S/Key support and the system has skeyaccess(3) use that to determine whether or not to allow a normal Unix password or just S/Key.

• Fixed CIDR handling in sudoers.

• Fixed a segv if the local hostname is not resolvable and the 'fqdn' option is set.

• "listpw=never" was not having an effect for users who did not appear in sudoers--now it does.

• The --without-sendmail option now works on systems with a /usr/include/paths.h file that defines _PATH_SENDMAIL.

• Removed the "secure_path" Defaults option as it does not work and cannot work until the parser is overhauled.

• Added new -P flag and "preserve_groups" sudoers option to cause sudo to preserve the group vector instead of setting it to that of the target user. Previously, if the target user was root the group vector was not changed. Now it is always changed unless the -P flag or "preserve_groups" option was given.

• If find_path() fails as root, try again as the invoking user (useful for NFS).

• Use setpwent()/endpwent() and its shadow equivalents to be sure the passwd/shadow file gets closed.

• Use getifaddrs(3) to get the list of network interfaces if it is available.

• Dump list of local IP addresses and environment variables to clear when 'sudo -V' is run as root.

• Wrap each call to syslog() with openlog()/closelog() since some things (such as PAM) may call closelog(3) behind sudo's back.

• The LOGNAME and USER environment variables are now set if the user specified a target uid and that uid exists in the password database.

• Now call pam_setcreds() to setup creds for the target user when PAM is in use. On Linux this often sets resource limits.

• If "make install" is run by non-root and the destination dir is writable, install things normally but don't set owner and mode.

• The Makefile now supports installing in a shadow hierarchy specified via the DESTDIR variable.

Major changes from version 1.6.3 to 1.6.3p7:

• Fixed a case where a string was used after it had been freed.

• Fixed a bug that prevented the -H option from working.

• Fixed targetpw, rootpw, and runaspw options when used with non-passwd file authentication (PAM, etc).

• When the targetpw flag is set, use the target username as part of the timestamp path.

• The listpw and verifypw options had no effect.

• Fixed word splitting bug that caused a segv for very long command line args.

• Fixed negation of path-type Defaults entries in a boolean context.

Major changes from version 1.6.2 to 1.6.3:

• Users in the 'exempt' group shouldn't get their $PATH overridden by the 'secure-path' option.

• PAM now works on HP-UX 11.X.

• Fixed a bug that caused an infinite loop when the password timeout was disabled.

• It is now possible to set the path to the editor for visudo as well as the flag that determines whether or not visudo will look at $EDITOR in the sudoers file.

• configure now pulls in the values of LIBS, LDFLAGS, CPPFLAGS, etc from the environment as the documentation says it ought to.

• Added rootpw, runaspw, and targetpw to prompt for the root, runas_default and target user's passwords respectively (instead of the invoking user's password).

• Added -S flag to force the password to be read from stdin.

• Passwords are now truncated to 8 characters if the encrypted version is exactly 13 characters long, which should indicate a standard DES password. Apparently not all versions of crypt() treat only the first 8 characters as salient.

• Fixed a typo/thinko that broke secureware support for long passwords.

• Added support for BSD login classes. There is a new -c flag to specify an alternate class and a use_loginclass run-time option.

• Fixed a bug with the mail_always option where sudo would hang around and consume CPU if a long-running process was started (like a shell).

• Sudo is no longer confused by HP-UX password aging info that may be appended to an encrypted password.

• Added set_logname run-time option. When negated, sudo will not set the USER and LOGNAME environment variables.

• Wildcards are now allowed in the hostnames specified in sudoers. The 'fqdn' option is often required for this to be useful.

• Fixed a bug where host and user qualifiers in a Defaults entry were not being honored and the entry was being applied globally.

Major changes from version 1.6.1 to 1.6.2:

• Better behavior for -l and -v flags in conjunction with NOPASSWD. Behavior is configurable via the new "verifypw" and "listpw" run-time options.

• Fixed compilation problems with K&R compilers.

• During netgroup host matching, match against the short version of the hostname as well as the long one (if they are different).

• Terminate passwd reading on '\r' in addition to '\n'.

• Visudo used to loop endlessly if a user entered ^D at the whatnow prompt. EOF is now treaded as 'x' (exit w/o saving changes).

• The 'shell_noargs' runtime option has been added back (it now works properly).

• Systems that return RLIM_INFINITY for RLIMIT_NOFILE (like AIX) would loop for a very loing time during sudo startup. A value of RLIM_INFINITY is now ignored (getdtablesize/sysconf is used instead).

• Locking in visudo was broken. We now lock the sudoers file, not the sudoers temp file (which could get fouled up by the editor).

• Custom prompts with PAM were broken.

Major changes from version 1.6 to 1.6.1:

• Better diagnostics on PAM failure.

• The --enable-noargs-shell configure option works again. The noargs-shell run-time option has been removed since it cannot work due to the way the sudoers file is parsed.

• The following run-time options were not honored in all cases: set_home, fqdn, syslog, tty_tickets, ticket_dir, insults.

• Fixed a bug parsing runas modifiers. If a user spec contained multiple runas specs, the latter ones may not be applied.

• #uid now works in a RunasAlias line.

• Don't ask the user for a password if the user is not allowed to run the command and the authenticate flag (in sudoers) is false.

• SecurID support now compiles and works.

For full details see the CHANGES file or view the commit logs via cvsweb.