Current Maintenance Release
The sudo 1.7 branch is in mainenance mode and receives no new
features, only bug fixes. The current maintenance release of sudo
You can view the commit logs via mercurial.
Major changes between version 1.7.8p2 and 1.7.8p1:
- Fixed a crash in the monitor process on Solaris when NOPASSWD
was specified or when authentication was disabled.
Major changes between version 1.7.8p1 and 1.7.8:
- Fixed matching of a Runas_Alias in the group section of a Runas_Spec.
Major changes between version 1.7.8 and 1.7.7:
- Sudo will now use PAM by default on AIX 6 and higher.
- Added --enable-werror configure option for gcc's -Werror flag.
- Visudo no longer assumes all editors support the +linenumber
command line argument. It now uses a whitelist of editors known
to support the option.
- Fixed matching of network addresses when a netmask is specified
but the address is not the first one in the CIDR block.
- The configure script now check whether or not errno.h declares
the errno variable. Previously, sudo would always declare errno
itself for older systems that don't declare it in errno.h.
- The NOPASSWD tag is now honored for denied commands too, which
matches historic sudo behavior (prior to sudo 1.7.0).
- Sudo now honors the DEREF setting in ldap.conf which controls
how alias dereferencing is done during an LDAP search.
- Using the -n option may in conjunction with the -v or -l option
no longer results in a usage error.
- The LOGNAME, USER and USERNAME environment
variables are preserved correctly again in sudoedit mode.
Major changes between version 1.7.7 and 1.7.6p2:
- I/O logging is now supported for commands run in background mode
(using sudo's -b flag).
- Group ownership of the sudoers file is now only enforced when
the file mode on sudoers allows group readability or writability.
- Visudo now checks the contents of an alias and warns about cycles
when the alias is expanded.
- If the user specifes a group via sudo's -g option that matches
the target user's group in the password database, it is now
allowed even if no groups are present in the Runas_Spec.
- sudo -i command now works correctly with the bash version
2.0 and higher. Previously, the .bash_profile would not be
sourced prior to running the command unless bash was built with
- Multi-factor authentication is now supported on AIX.
- Added support for non-RFC 4517 compliant LDAP servers that require
that seconds be present in a timestamp, such as Tivoli Directory Server.
- If the group vector is to be preserved, the PATH search for the
command is now done with the user's original group vector.
- For LDAP-based sudoers, the runas_default sudoOption now works
properly in a sudoRole that contains a sudoCommand.
- Spaces in command line arguments for sudo -s and
sudo -i are now escaped with a backslash when checking
the sudoers file.
Major changes between version 1.7.6p2 and 1.7.6p1:
- Two-character CIDR-style IPv4 netmasks are now matched correctly
in the sudoers file.
- A build error with MIT Kerberos V has been resolved.
Major changes between version 1.7.6p1 and 1.7.6:
- A non-existent includedir is now treated the same as an empty
directory and not reported as an error.
- Removed extraneous parens in LDAP filter when sudoers_search_filter
is enabled that can cause an LDAP search error.
Major changes between version 1.7.6 and 1.7.5:
- A new LDAP setting, sudoers_search_filter, has been added to
ldap.conf. This setting can be used to restrict the set of
records returned by the LDAP query. Based on changes from Matthew
- White space is now permitted within a User_List when used in
conjunction with a per-user Defaults definition.
- A group ID (%#gid) may now be specified in a User_List or Runas_List.
Likewise, for non-Unix groups the syntax is %:#gid.
- Support for double-quoted words in the sudoers file has been fixed.
The change in 1.7.5 for escaping the double quote character
caused the double quoting to only be available at the beginning
of an entry.
- The fix for resuming a suspended shell in 1.7.5 caused problems
with resuming non-shells on Linux. Sudo will now save the process
group ID of the program it is running on suspend and restore it
when resuming, which fixes both problems.
- A bug that could result in corrupted output in "sudo -l" has been
Major changes between version 1.7.5 and 1.7.4p6:
- When using visudo in check mode, a file named "-" may be used to
check sudoers data on the standard input.
- Sudo now only fetches shadow password entries when using the
password database directly for authentication.
- Password and group entries are now cached using the same key
that was used to look them up. This fixes a problem when looking
up entries by name if the name in the retrieved entry does not
match the name used to look it up. This may happen on some systems
that do case insensitive lookups or that truncate long names.
- GCC will no longer display warnings on glibc systems that use
the warn_unused_result attribute for write(2) and other system calls.
- If a PAM account management module denies access, sudo now prints
a more useful error message and stops trying to validate the user.
- Fixed a potential hang on idle systems when the sudo-run process
- Sudo now includes a copy of zlib that will be used on systems
that do not have zlib installed.
- The --with-umask-override configure flag has been added to enable
the "umask_override" sudoers Defaults option at build time.
- Sudo now unblocks all signals on startup to avoid problems caused
by the parent process changing the default signal mask.
- LDAP Sudoers entries may now specify a time period for which
the entry is valid. This requires an updated sudoers schema
that includes the sudoNotBefore and sudoNotAfter attributes.
Support for timed entries must be explicitly enabled in the
ldap.conf file. Based on changes from Andreas Mueller.
- LDAP Sudoers entries may now specify a sudoOrder attribute that
determines the order in which matching entries are applied. The
last matching entry is used, just like file-based sudoers. This
requires an updated sudoers schema that includes the sudoOrder
attribute. Based on changes from Andreas Mueller.
- When run as sudoedit, or when given the -e flag, sudo now treats
command line arguments as pathnames. This means that slashes
in the sudoers file entry must explicitly match slashes in
the command line arguments. As a result, and entry such as:
user ALL = sudoedit /etc/*
will allow editing of /etc/motd but not /etc/security/default.
- NETWORK_TIMEOUT is now an alias for BIND_TIMELIMIT in ldap.conf for
compatibility with OpenLDAP configuration files.
- The LDAP API TIMEOUT parameter is now honored in ldap.conf.
- The I/O log directory may now be specified in the sudoers file.
- Sudo will no longer refuse to run if the sudoers file is writable
- Sudo now performs command line escaping for "sudo -s" and "sudo -i"
after validating the command so the sudoers entries do not need
to include the backslashes.
- Logging and email sending are now done in the locale specified
by the "sudoers_locale" setting ("C" by default). Email send by
sudo now includes MIME headers when "sudoers_locale" is not "C".
- The configure script has a new option, --disable-env-reset, to
allow one to change the default for the sudoers Default setting
"env_reset" at compile time.
- When logging "sudo -l command", sudo will now prepend "list "
to the command in the log line to distinguish between an
actual command invocation in the logs.
- Double-quoted group and user names may now include escaped double
quotes as part of the name. Previously this was a parse error.
- Sudo once again restores the state of the signal handlers it
modifies before executing the command. This allows sudo to be
used with the nohup command.
- Resuming a suspended shell now works properly when I/O logging
is not enabled (the I/O logging case was already correct).
Major changes between version 1.7.4p5 and 1.7.4p6:
- A bug has been fixed in the I/O logging support that could cause
visual artifacts in full-screen programs such as text editors,.
Major changes between version 1.7.4p4 and 1.7.4p5:
- A bug has been fixed that would allow a command to be run without the
user entering a password when sudo's -g flag is used without the -u flag.
- If user has no supplementary groups, sudo will now fall back on checking
the group file explicitly, which restores historic sudo behavior.
- A crash has been fixed when sudo's -g flag is used without the -u flag
and the sudoers file contains an entry with no runas user or group listed.
- A crash has been fixed when the Solaris project support is enabled
and sudo's -g flag is used without the -u flag.
- Sudo no longer exits with an error when support for auditing is
compiled in but auditing is not enabled.
- Fixed a bug introduced in sudo 1.7.3 where the ticket file was not
being honored when the "targetpw" sudoers Defaults option was enabled.
- The LOG_INPUT and LOG_OUTPUT tags in sudoers are now parsed correctly.
- A crash has been fixed in "sudo -l" when sudo is built with auditing
support and the user is not allowed to run any commands on the host.
Major changes between version 1.7.4p3 and 1.7.4p4:
- A potential security
issue has been fixed with respect to the handling of sudo's
-g command line option when -u is also specified.
The flaw may allow an attacker to run commands as a user that is
not authorized by the sudoers file.
- A bug has been fixed where "sudo -l" output was incomplete
if multiple sudoers sources were defined in nsswitch.conf
and there was an error querying one of the sources.
- The log_input, log_output, and use_pty sudoers options now
work correctly on AIX. Previously, sudo would hang if
they were enabled.
- Fixed "make install" when sudo is built in a directory
other than the directory that holds the sources.
- The runas_default sudoers setting now works properly
in a per-command Defaults line.
- Suspending and resuming the bash shell when PAM is in use now
works properly. The SIGCONT signal was not being propagated
to the child process.
Major changes between version 1.7.4p2 and 1.7.4p3:
- A bug has been fixed where duplicate HOME environment
variables could be set when the env_reset setting
was disabled and the always_set_home setting was
enabled in sudoers.
- The value of sysconfdir is now substituted into the path
to the sudoers.d directory in the installed
- Fixed compilation problems on Irix and other platforms.
- If multiple PAM "auth" actions are specified and the user
enters ^C at the password prompt, sudo will now abort any
subsequent "auth" actions. Previously it was necessary to
enter ^C once for each "auth" action.
Major changes between version 1.7.4p1 and 1.7.4p2:
- Fixed a bug where sudo could spin in a cpu loop waiting
for the child process.
- Packaging fixes for sudo.pp to better handle patchlevels.
Major changes between version 1.7.4 and 1.7.4p1:
- Fix a bug introduced in sudo 1.7.3 that prevented the
-k and -K options from functioning when
the tty_tickets sudoers option was enabled.
- Sudo no longer prints a warning when the -k or -K
options are specified and the ticket file does not exist.
- Changes to the configure script to enable cross-compilation of Sudo.
Major changes between version 1.7.3 and 1.7.4:
- Sudoedit will now preserve the file extension in the name of the
temporary file being edited. The extension is used by some
editors (such as emacs) to choose the editing mode.
- Time stamp files have moved from /var/run/sudo to either /var/db/sudo,
/var/lib/sudo or /var/adm/sudo. The directories are checked for
existence in that order. This prevents users from receiving the
sudo lecture every time the system reboots. Time stamp files older
than the boot time are ignored on systems where it is possible to
- Ancillary documentation (README files, LICENSE, etc) is now installed
in a sudo documentation directory.
- Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile"
- Defaults settings that are tied to a user, host or command may
now include the negation operator. For example:
will match any user but millert.
- The default PATH environment variable, used when no PATH variable
exists, now includes /usr/sbin and /sbin.
- Sudo now uses polypkg
for cross-platform packing.
- On Linux, sudo will now restore the nproc resource limit before
executing a command, unless the limit appears to have been modified
by pam_limits. This avoids a problem with bash scripts that open
more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX)
will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1).
- Visudo will now treat an unrecognized Defaults entry as a
parse error (sudo will warn but still run).
- The HOME and MAIL environment variables are now reset based on the
target user's password database entry when the env_reset sudoers option
is enabled (which is the case in the default configuration). Users
wishing to preserve the original values should use a sudoers entry like:
Defaults env_keep += HOME
to preserve the old value of HOME and
Defaults env_keep += MAIL
to preserve the old value of MAIL.
- The tty_tickets option is now on by default.
- Fixed a problem in the restoration of the AIX authdb registry setting.
- If PAM is in use, wait until the process has finished before closing
the PAM session.
- Fixed "sudo -i -u user" where user has no shell listed in the
- When logging I/O, sudo now handles pty read/write returning ENXIO,
as seen on FreeBSD when the login session has been killed.
- Sudo now performs I/O logging in the C locale. This avoids
locale-related issues when parsing floating point
numbers in the timing file.
- Added support for Ubuntu-style admin flag dot files.
Major changes between version 1.7.2p8 and 1.7.3:
- Support for logging a command's input and output as well as
the ability to replay sessions. For more information, see
the documentation for the log_input and
log_output Defaults options in the sudoers manual.
Also see the sudoreplay manual
for information on replaying I/O log sessions.
- The use_pty sudoers option can be used to force a command
to be run in a pseudo-pty, even when I/O logging is not enabled.
- On some systems, sudo can now detect when a
user has logged out and back in again when tty-based time
stamps are in use. Supported systems include Solaris systems
with the devices file system, Mac OS X, and Linux systems
with the devpts filesystem (pseudo-ttys only).
- On AIX systems, the registry setting in /etc/security/user
is now taken into account when looking up users and groups. Sudo
now applies the correct the user and group ids when running a
command as a user whose account details come from a different
source (e.g. LDAP or DCE vs. local files).
- Support for multiple sudoers_base and uri entries in
ldap.conf. When multiple entries are listed, sudo will try
each one in the order in which they are specified.
- Sudo's SELinux support should now function correctly when running
commands as a non-root user and when one of stdin, stdout or stderr
is not a terminal.
- Sudo will now use the Linux audit system with configure with
the --with-linux-audit flag.
- Sudo now uses mbr_check_membership() on systems that support
it to determine group membership. Currently, only Darwin (Mac OS X)
- When the tty_tickets sudoers option is enabled but there
is no terminal device, sudo will no longer use or create a tty-based
ticket file. Previously, sudo would use a tty name of "unknown".
As a consequence, if a user has no terminal device, sudo will
now always prompt for a password.
- The passwd_timeout and timestamp_timeout options
may now be specified as floating point numbers for more granular
- Negating the fqdn option in sudoers now works correctly
when sudo is configured with the --with-fqdn option.
In previous versions of sudo the fqdn was set before sudoers
Major changes between version 1.7.2p7 and 1.7.2p8:
- Fixed a crash on AIX when LDAP support is in use.
- Fixed problems with the QAS non-Unix group support.
Major changes between version 1.7.2p6 and 1.7.2p7:
- Fix detection of newer versions of OpenPAM.
- Sync non-Unix group support with Quest sudo git repo.
- Configure fixes: HP-UX ld uses +b instead of -R or -rpath;
fix typo in --with-vasgroups check; link with -ldl for
vasgroups; add missing template for ENV_DEBUG.
- Fix typos in README.LDAP.
- Use the value of SHELL from configure in the Makefile.
- Handle duplicate variables in the environment.
For unsetenv(), keep looking even after remove the first instance.
For sudo_putenv(), check for and remove dupes after we replace an
- Fix a crash in visudo when checking a sudoers file that has aliases
that reference themselves.
- Fix a crash in visudo when checking a sudoers file in strict mode
when alias errors are present.
Major changes between version 1.7.2p5 and 1.7.2p6:
- When doing a glob match, short circuit if gl_pathc is 0.
- Fix a bug introduced with def_closefrom. The value of
def_closefrom already includes the +1.
- Added a note about the security implications of the fast_glob
- Qualify the command even if it is in the current working directory,
e.g. "./foo" instead of just returning "foo". This removes
an ambiguity between real commands and possible pseudo-commands
in command matching.
- Fix installation of sudoers.ldap in "make install" when
--with-ldap was specified without a directory.
Major changes between version 1.7.2p4 and 1.7.2p5:
- Fix size arg when realloc()ing include stack.
- Avoid a duplicate fclose() of the sudoers file.
Major changes between version 1.7.2p3 and 1.7.2p4:
- Fix a bug that could allow users with permission to run sudoedit
to run arbitrary commands.
Major changes between version 1.7.2p2 and 1.7.2p3:
- Fix printing of entries with multiple host entries on
a single line.
- Fix use after free when sending error messages via email.
- Use setrlimit64(), if available, instead of setrlimit() when
setting AIX resource limits since rlim_t is 32bits.
Major changes between version 1.7.2p1 and 1.7.2p2:
- Fixed a a bug where the negation operator in a Cmnd_List
was not being honored.
- No longer produce a parse error when #includedir references a
directory that contains no valid filenames.
- The sudo.man.pl and sudoers.man.pl files are now included in
the distribution for people who wish to regenerate the man pages.
- Fixed the emulation of krb5_get_init_creds_opt_alloc() for MIT kerberos.
- When authenticating via PAM, set PAM_RUSER and PAM_RHOST early so
they can be used during authentication.
Major changes between version 1.7.2 and 1.7.2p1:
- Fixed the expansion of the %h escape in
#include file names introduced in sudo 1.7.1.
Major changes between version 1.7.1 and 1.7.2:
- A new #includedir directive is available in sudoers.
This can be used to implement an /etc/sudo.d directory. Files
in an includedir are not edited by visudo unless they contain a
- The -g option did not work properly when only setting the group
(and not the user). Also, in -l mode the wrong user was displayed
for sudoers entries where only the group was allowed to be set.
- Fixed a problem with the alias checking in visudo which
could prevent visudo from exiting.
- Sudo will now correctly parse the shell-style /etc/environment
file format used by pam_env on Linux.
- When doing password and group database lookups, sudo will only
cache an entry by name or by id, depending on how the entry was
looked up. Previously, sudo would cache by both name and id
from a single lookup, but this breaks sites that have multiple
password or group database names that map to the same uid or
- User and group names in sudoers may now be enclosed in double
quotes to avoid having to escape special characters.
- BSM audit fixes when changing to a non-root uid.
- Experimental non-Unix group support. Currently only works with
Quest Authorization Services and allows Active Directory groups
fixes for Minix-3.
- For Netscape/Mozilla-derived LDAP SDKs the certificate and key
paths may be specified as a directory or a file. However, version
5.0 of the SDK only appears to support using a directory (despite
documentation to the contrary). If SSL client initialization
fails and the certificate or key paths look like they could be
default file name, strip off the last path element and try again.
- A setenv() compatibility fix for Linux systems, where a NULL
value is treated the same as an empty string and the variable
name is checked against the NULL pointer.
Major changes between version 1.7.0 and 1.7.1:
- Fixed a bug in the version of glob() supplied with
sudo that affected character classes and ranges.
- Fixed a NULL pointer dereference when the sudoers
file mode or owner was incorrect.
- Fixed a NULL pointer dereference when a PAM module
called the sudo conversation function during a phase other
- Fixed an LDAP compatibility problem with the AIX LDAP libraries.
- A new Defaults option "pwfeedback" will cause sudo to provide
visual feedback when the user is entering a password.
- A new Defaults option "fast_glob" will cause sudo to use the
fnmatch() function for file name globbing instead
of glob(). When this option is enabled, sudo will
not check the file system when expanding wildcards. This
is faster but a side effect is that relative paths with
wildcard will no longer work.
- New BSM audit support for systems that support it such as FreeBSD
and Mac OS X.
- The file name specified with the #include directive may
now include a %h escape which is expanded to the short form of
- The -k flag may now be specified along with a command, causing the
user's timestamp file to be ignored.
- New support for Tivoli-based LDAP START_TLS, present in AIX.
- New support for /etc/netsvc.conf on AIX.
- The unused alias checks in visudo now handle the case of an alias
referring to another alias.
- A new Defaults option "umask_override" will cause sudo to set
the umask specified in sudoers even if it is more permissive
than the invoking user's umask.
Major changes between version 1.6.9p19 and 1.7.0:
- Rewritten parser that converts sudoers into a set of data structures.
This eliminates a number of ordering issues and makes it possible to
apply sudoers Defaults entries before searching for the command.
It also adds support for per-command Defaults specifications.
- Sudoers now supports a #include facility to allow the
inclusion of other sudoers-format files.
- Sudo's -l (list) flag has been enhanced:
- applicable Defaults options are now listed
- a command argument can be specified for testing
whether a user may run a specific command.
- a new -U flag can be used in conjunction with
sudo -l to allow root (or a user with
sudo ALL) to list another user's privileges.
- A new -g flag has been added to allow the user to specify a
primary group to run the command as. The sudoers syntax has been
extended to include a group section in the Runas specification.
- A uid may now be used anywhere a username is valid.
- The secure_path run-time Defaults option has been restored.
- Password and group data is now cached for fast lookups.
- The file descriptor at which sudo starts closing all open files is now
configurable via sudoers and, optionally, the command line.
- visudo will now warn about aliases that are defined but
- The -i and -s command line flags now take an optional command
to be run via the shell. Previously, the argument was passed
to the shell as a script to run.
- Improved LDAP support. SASL authentication may now be used in
conjunction when connecting to an LDAP server. The krb5_ccname
parameter in ldap.conf may be used to enable Kerberos.
- Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
to specify the sudoers order. E.g.:
sudoers: ldap files
to check LDAP, then /etc/sudoers. The default is files,
even when LDAP support is compiled in. This differs from sudo 1.6
where LDAP was always consulted first.
- Support for /etc/environment on AIX and Linux. If sudo is
run with the -i flag, the contents of /etc/environment are
used to populate the new environment that is passed to the command
- Sudo now ignores user .ldaprc files as well as system LDAP defaults.
All LDAP configuration is now in /etc/ldap.conf
(or whichever file was specified by configure's
If you are using TLS, you may now need to specify:
in sudo's ldap.conf unless ldap.conf references a valid certificate
- If no terminal is available or if the new -A flag is specified,
sudo will use a helper program to read the password if one is
configured. Typically, this is a graphical password prompter
such as ssh-askpass.
- A new Defaults option, "mailfrom" that sets the value of the
"From:" field in the warning/error mail. If unspecified, the
login name of the invoking user is used.
- Resource limits are now set to the default value for the
user the command is being run as on AIX systems.
A new Defaults option, "env_file" that refers to a file containing
environment variables to be set in the command being run.
- A new -n flag is available which may be used to indicate
that sudo should not prompt the user for a password and,
instead, exit with an error if authentication is required.
A new Defaults option, "sudoers_locale" that can be used to set
the locale to be used when parsing the sudoers file.
sudoedit now checks the EDITOR and VISUAL environment
variables to make sure sudoedit is not re-invoking itself
(or sudo). This allows one to set EDITOR to sudoedit without
getting into an infinite loop for programs that need to
invoke an editor such as crontab(1). Also added SUDO_EDITOR
environment variable which is used by sudoedit in preference
The versions of glob(3) and fnmatch(3) bundled
with sudo now support POSIX character classes.
If sudo needs to prompt for a password and it is unable to
disable echo (and no askpass program is defined), it will
refuse to run unless the "visiblepw" Defaults option has
Prior to version 1.7.0, hitting enter/return at the Password:
prompt would exit sudo. In sudo 1.7.0 and beyond, this is
treated as an empty password. To exit sudo, the user must
now press ^C or ^D at the prompt.