Sudo 1.9.12p2

• Fixed a compilation error on Linux/aarch64. GitHub issue #197.

• Fixed a potential crash introduced in the fix GitHub issue #134. If a user's sudoers entry did not have any RunAs user's set, running sudo -U otheruser -l would dereference a NULL pointer.

• Fixed a bug introduced in sudo 1.9.12 that could prevent sudo from creating a I/O files when the iolog_file sudoers setting contains six or more Xs.

• Fixed a compilation issue on AIX with the native compiler. GitHub issue #231.

• Fixed CVE-2023-22809, a flaw in sudo's -e option (aka sudoedit) that could allow a malicious user with sudoedit privileges to edit arbitrary files. For more information, see Sudoedit can edit arbitrary files.

Sudo 1.9.12p1

• Sudo's configure script now does a better job of detecting when the -fstack-clash-protection compiler option does not work. GitHub issue #191.

• Fixed CVE-2022-43995, a potential out-of-bounds write for passwords smaller than 8 characters when passwd authentication is enabled. This does not affect configurations that use other authentication methods such as PAM, AIX authentication or BSD authentication.

• Fixed a build error with some configurations compiling host_port.c.

Sudo 1.9.12

• Fixed a bug in the ptrace-based intercept mode where the current working directory could include garbage at the end.

• Fixed a compilation error on systems that lack the stdint.h header. Bug #1035.

• Fixed a bug when logging the command's exit status in intercept mode. The wrong command could be logged with the exit status.

• For ptrace-based intercept mode, sudo will now attempt to verify that the command path name, arguments and environment have not changed from the time when they were authorized by the security policy. The new intercept_verify sudoers setting can be used to control this behavior.

• Fixed running commands with a relative path (e.g. ./foo) in intercept mode. Previously, this would fail if sudo's current working directory was different from that of the command.

• Sudo now supports passing the execve(2) system call the NULL pointer for the argv and/or envp arguments when in intercept mode. Linux treats a NULL pointer like an empty array.

• The sudoers LDAP schema now allows sudoUser, sudoRunasUser and sudoRunasGroup to include UTF-8 characters, not just 7-bit ASCII.

• Fixed a problem with sudo -i on SELinux when the target user's home directory is not searchable by sudo. GitHub issue #160.

• Neovim has been added to the list of visudo editors that support passing the line number on the command line.

• Fixed a bug in sudo's SHA384 and SHA512 message digest padding.

• Added a new -N (no-update) command line option to sudo which can be used to prevent sudo from updating the user's cached credentials. It is now possible to determine whether or not a user's cached credentials are currently valid by running:

  $ sudo -Nnv

  and checking the exit value. One use case for this is to indicate in a shell prompt that sudo is "active" for the user.

• PAM approval modules are no longer invoked when running sub-commands in intercept mode unless the intercept_authenticate option is set. There is a substantial performance penalty for calling into PAM for each command run. PAM approval modules are still called for the initial command.

• Intercept mode on Linux now uses process_vm_readv(2) and process_vm_writev(2) if available.

• The XDG_CURRENT_DESKTOP environment variable is now preserved by default. This makes it possible for graphical applications to choose the correct theme when run via sudo.

• On 64-bit systems, if sudo fails to load a sudoers group plugin, it will use system-specific heuristics to try to locate a 64-bit version of the plugin.

• The cvtsudoers manual now documents the JSON and CSV output formats. GitHub issue #172.

• Fixed a bug where sub-commands were not being logged to a remote log server when log_subcmds was enabled. GitHub issue #174.

• The new log_stdin, log_stdout, log_stderr, log_ttyin, and log_ttyout sudoers settings can be used to support more fine-grained I/O logging. The sudo front-end no longer allocates a pseudo-terminal when running a command if the I/O logging plugin requests logging of stdin, stdout, or stderr but not terminal input/output.

• Quieted a libgcrypt run-time initialization warning. This fixes Debian bug #1019428 and Ubuntu bug #1397663.

• Fixed a bug in visudo that caused literal backslashes to be removed from the EDITOR environment variable. GitHub issue #179.

• The sudo Python plugin now implements the find_spec method instead of the the deprecated find_module. This fixes a test failure when a newer version of setuptools that doesn't include find_module is found on the system.

• Fixed a bug introduced in sudo 1.9.9 where sudo_logsrvd created the process ID file, usually /var/run/sudo/sudo_logsrvd.pid, as a directory instead of a plain file. The same bug could result in I/O log directories that end in six or more X's being created literally in addition to the name being used as a template for the mkdtemp(3) function.

• Fixed a long-standing bug where a sudoers rule with a command line argument of "", which indicates the command may be run with no arguments, would also match a literal "" on the command line. GitHub issue #182.

• Added the -I option to visudo which only edits the main sudoers file. Include files are not edited unless a syntax error is found.

• Fixed sudo -l -U otheruser output when the runas list is empty. Previously, sudo would list the invoking user instead of the
  list user. GitHub issue #183.

• Fixed the display of command tags and options in sudo -l output when the RunAs user or group changes. A new line is started for RunAs changes which means we need to display the command tags and options again. GitHub issue #184.

• The sesh helper program now uses getopt_long(3) to parse the command line options.

• The embedded copy of zlib has been updated to version 1.2.13.

• Fixed a bug that prevented event log data from being sent to the log server when I/O logging was not enabled. This only affected systems without PAM or configurations where the pam_session and pam_setcred options were disabled in the sudoers file.

• Fixed a bug where sudo -l output included a carriage return after the newline. This is only needed when displaying to a terminal in raw mode. Bug #1042.

Sudo 1.9.11p3

• Fixed "connection reset" errors on AIX when running shell scripts with the intercept or log_subcmds sudoers options enabled. Bug #1034.

• Fixed very slow execution of shell scripts when the intercept or log_subcmds sudoers options are set on systems that enable Nagle's algorithm on the loopback device, such as AIX. Bug #1034.

Sudo 1.9.11p2

• Fixed a compilation error on Linux/x86_64 with the x32 ABI.

• Fixed a regression introduced in 1.9.11p1 that caused a warning when logging to sudo_logsrvd if the command returned no output.

Sudo 1.9.11p1

• Correctly handle EAGAIN in the I/O read/right events. This fixes a hang seen on some systems when piping a large amount of data
  through sudo, such as via rsync. Bug #963..

• Changes to avoid implementation or unspecified behavior when bit shifting signed values in the protobuf library.

• Fixed a compilation error on Linux/aarch64.

• Fixed the configure check for seccomp(2) support on Linux.

• Corrected the EBNF specification for tags in the sudoers manual page. GitHub issue #153.

Sudo 1.9.11

• Fixed a crash in the Python module with Python 3.9.10 on some systems. Additionally, make check now passes for Python 3.9.10.

• Error messages sent via email now include more details, including the file name and the line number and column of the error. Multiple errors are sent in a single message. Previously, only the first error was included.

• Fixed logging of parse errors in JSON format. Previously, the JSON logger would not write entries unless the command and runuser were set. These may not be known at the time a parse error is encountered.

• Fixed a potential crash parsing sudoers lines larger than twice the value of LINE_MAX on systems that lack the getdelim() function.

• The tests run by make check now unset the LANGUAGE environment variable. Otherwise, localization strings will not match if LANGUAGE is set to a non-English locale. Bug #1025.

• The "starttime" test now passed when run under Debian faketime. Bug #1026.

• The Kerberos authentication module now honors the custom password prompt if one has been specified.

• The embedded copy of zlib has been updated to version 1.2.12.

• Updated the version of libtool used by sudo to version 2.4.7.

• Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE in the header files (currently only GNU libc). This is required to allow the use of 64-bit time values on some 32-bit systems.

• Sudo's intercept and log_subcmds options no longer force the command to run in its own pseudo-terminal. It is now also possible to intercept the system(3) function.

• Fixed a bug in sudo_logsrvd when run in store-first relay mode where the commit point messages sent by the server were incorrect if the command was suspended or received a window size change event.

• Fixed a potential crash in sudo_logsrvd when the tls_dhparams configuration setting was used.

• The intercept and log_subcmds functionality can now use ptrace(2) on Linux systems that support seccomp(2) filtering. This has the advantage of working for both static and dynamic binaries and can work with sudo's SELinux RBAC mode. The following architectures are currently supported: i386, x86_64, aarch64, arm, mips (log_subcmds only), powerpc, riscv, and s390x. The default is to use ptrace(2) where possible; the new intercept_type sudoers setting can be used to explicitly set the type.

• New Georgian translation from translationproject.org.

• Fixed creating packages on CentOS Stream.

• Fixed a bug in the intercept and log_subcmds support where the execve(2) wrapper was using the current environment instead of the passed environment pointer. Bug #1030.

• Added AppArmor integration for Linux. A sudoers rule can now specify an APPARMOR_PROFILE option to run a command confined by the named AppArmor profile.

• Fixed parsing of the server_log setting in sudo_logsrvd.conf. Non-paths were being treated as paths and an actual path was treated as an error.

Sudo 1.9.10

• Added new log_passwords and passprompt_regex sudoers options. If log_passwords is disabled, sudo will attempt to prevent passwords from being logged. If sudo detects any of the regular expressions in the passprompt_regex list in the terminal output, sudo will log '*' characters instead of the terminal input until a newline or carriage return is found in the input or an output character is received.

• Added new log_passwords and passprompt_regex settings to sudo_logsrvd that operate like the sudoers options when logging terminal input.

• Fixed several few bugs in the cvtsudoers utility when merging multiple sudoers sources.

• Fixed a bug in sudo_logsrvd parsing the sudo_logsrvd.conf file, where the retry_interval in the [relay] section was not being
  recognized.

• Restored the pre-1.9.9 behavior of not performing authentication when sudo's -n option is specified. A new noninteractive_auth sudoers option has been added to enable PAM authentication in non-interactive mode. GitHub issue #131.

• On systems with /proc, if the /proc/self/stat (Linux) or /proc/pid/psinfo (other systems) file is missing or invalid, sudo will now check file descriptors 0-2 to determine the user's terminal. Bug #1020.

• Fixed a compilation problem on Debian kFreeBSD. Bug #1021.

• Fixed a crash in sudo_logsrvd when running in relay mode if an alert message is received.

• Fixed an issue that resulting in "problem with defaults entries" email to be sent if a user ran sudo when the sudoers entry in the nsswitch.conf file includes "sss" but no sudo provider is configured in /etc/sssd/sssd.conf. Bug #1022.

• Updated the warning displayed when the invoking user is not allowed to run sudo. If sudo has been configured to send mail on failed attempts (see the mail_* flags in sudoers), it will now print "This incident has been reported to the administrator." If the mailto or mailerpath sudoers settings are disabled, the message will not be printed and no mail will be sent.

• Fixed a bug where the user-specified command timeout was not being honored if the sudoers rule did not also specify a timeout.

• Added support for using POSIX extended regular expressions in sudoers rules. A command and/or arguments in sudoers are treated as a regular expression if they start with a '^' character and end with a '$'. The command and arguments are matched separately, either one (or both) may be a regular expression. Bug #578, GitHub issue #15.

• A user may now only run sudo -U otheruser -l if they have a "sudo ALL" privilege where the RunAs user contains either root or otheruser. Previously, having "sudo ALL" was sufficient, regardless of the RunAs user. GitHub issue #134.

• The sudo lecture is now displayed immediately before the password prompt. As a result, sudo will no longer display the lecture unless the user needs to enter a password. Authentication methods that don't interact with the user via a terminal do not trigger the lecture.

• Sudo now uses its own closefrom() emulation on Linux systems. The glibc version may not work in a chroot jail where /proc is not available. If close_range(2) is present, it will be used in preference to /proc/self/fd.

Sudo 1.9.9

• Sudo can now be built with OpenSSL 3.0 without generating warnings about deprecated OpenSSL APIs.

• A digest can now be specified along with the ALL command in the LDAP and SSSD back-ends. Sudo 1.9.0 introduced support for
  this in the sudoers file but did not include corresponding changes for the other back-ends.

• visudo now only warns about an undefined alias or a cycle in an alias once for each alias.

• The sudoRole cn was truncated by a single character in warning messages. GitHub issue #115.

• The cvtsudoers utility has new --group-file and --passwd-file options to use a custom passwd or group file when the --match-local option is also used.

• The cvtsudoers utility can now filter or match based on a command.

• The cvtsudoers utility can now produce output in csv (comma-separated value) format. This can be used to help generate entitlement reports.

• Fixed a bug in sudo_logsrvd that could result in the connection being dropped for very long command lines.

• Fixed a bug where sudo_logsrvd would not accept a restore point of zero.

• Fixed a bug in visudo where the value of the editor setting was not used if it did not match the user's EDITOR environment variable. This was only a problem if the env_editor setting was not enabled. Bug #1000.

• Sudo now builds with the -fcf-protection compiler option and the -z now linker option if supported.

• The output of sudoreplay -l now more closely matches the traditional sudo log format.

• The sudo_sendlog utility will now use the full contents of the log.json file, if present. This makes it possible to send sudo-format I/O logs that use the newer log.json format to sudo_logsrvd without losing any information.

• Fixed compilation of the arc4random_buf() replacement on systems with arc4random() but no arc4random_buf(). Bug #1008.

• Sudo now uses its own getentropy() by default on Linux. The GNU libc version of getentropy() will fail on older kernels that don't support the getrandom() system call.

• It is now possible to build sudo with WolfSSL's OpenSSL compatibility layer by using the --enable-wolfssl configure option.

• Fixed a bug related to Daylight Saving Time when parsing timestamps in Generalized Time format. This affected the NOTBEFORE and
  NOTAFTER options in sudoers. Bug #1006.

• Added the -O and -P options to visudo, which can be used to check or set the owner and permissions. This can be used in conjunction with the -c option to check that the sudoers file ownership and permissions are correct. Bug #1007.

• It is now possible to set resource limits in the sudoers file itself. The special values default and "user" refer to the default system limit and invoking user limit respectively. The core dump size limit is now set to 0 by default unless overridden by the sudoers file.

• The cvtsudoers utility can now merge multiple sudoers sources into a single, combined sudoers file. If there are conflicting entries, cvtsudoers will attempt to resolve them but manual intervention may be required. The merging of sudoers rules is currently fairly simplistic but will be improved in a future release.

• Sudo was parsing but not applying the "deref" and "tls_reqcert" ldap.conf settings. This meant the options were effectively ignored which broke dereferencing of aliases in LDAP. Bug #1013.

• Clarified in the sudo man page that the security policy may override the user's PATH environment variable. Bug #1014.

• When sudo is run in non-interactive mode (with the -n option), it will now attempt PAM authentication and only exit with an error if user interaction is required. This allows PAM modules that don't interact with the user to succeed. Previously, sudo would not attempt authentication if the -n option was specified. Bug #956 and GitHub issue #83.

• Fixed a regression introduced in version 1.9.1 when sudo is built with the --with-fqdn configure option. The local host name was being resolved before the sudoers file was processed, making it impossible to disable DNS lookups by negating the fqdn sudoers option. Bug #1016.

• Added support for negated sudoUser attributes in the LDAP and SSSD sudoers back ends. A matching sudoUser that is negated will cause the sudoRole containing it to be ignored.

• Fixed a bug where the stack resource limit could be set to a value smaller than that of the invoking user and not be reset before the command was run. Bug #1016.

Sudo 1.9.8p2

• Fixed a potential out-of-bounds read with sudo -i when the target user's shell is bash. This is a regression introduced in sudo 1.9.8. Bug #998.

• sudo_logsrvd now only sends a log ID for first command of a session. There is no need to send the log ID for each sub-command.

• Fixed a few minor memory leaks in intercept mode.

• Fixed a problem with sudo_logsrvd in relay mode if store_first was enabled when handling sub-commands. A new zero-length journal file was created for each sub-command instead of simply using the existing journal file.