sudo: updated to 1.9.10

What's new in Sudo 1.9.10

 * Added new "log_passwords" and "passprompt_regex" sudoers options.
   If "log_passwords" is disabled, sudo will attempt to prevent passwords
   from being logged.  If sudo detects any of the regular expressions in
   the "passprompt_regex" list in the terminal output, sudo will log '*'
   characters instead of the terminal input until a newline or carriage
   return is found in the input or an output character is received.

 * Added new "log_passwords" and "passprompt_regex" settings to
   sudo_logsrvd that operate like the sudoers options when logging
   terminal input.

 * Fixed several few bugs in the cvtsudoers utility when merging
   multiple sudoers sources.

 * Fixed a bug in sudo_logsrvd when parsing the sudo_logsrvd.conf
   file, where the "retry_interval" in the [relay] section was not
   being recognized.

 * Restored the pre-1.9.9 behavior of not performing authentication
   when sudo's -n option is specified.  A new "noninteractive_auth"
   sudoers option has been added to enable PAM authentication in
   non-interactive mode.

 * On systems with /proc, if the /proc/self/stat (Linux) or
   /proc/pid/psinfo (other systems) file is missing or invalid,
   sudo will now check file descriptors 0-2 to determine the user's
   terminal.

 * Fixed a compilation problem on Debian kFreeBSD.

 * Fixed a crash in sudo_logsrvd when running in relay mode if
   an alert message is received.

 * Fixed an issue that resulting in "problem with defaults entries"
   email to be sent if a user ran sudo when the sudoers entry in
   the nsswitch.conf file includes "sss" but no sudo provider is
   configured in /etc/sssd/sssd.conf.

 * Updated the warning displayed when the invoking user is not
   allowed to run sudo.  If sudo has been configured to send mail
   on failed attempts (see the mail_* flags in sudoers), it will
   now print "This incident has been reported to the administrator."
   If the "mailto" or "mailerpath" sudoers settings are disabled,
   the message will not be printed and no mail will be sent.

 * Fixed a bug where the user-specified command timeout was not
   being honored if the sudoers rule did not also specify a timeout.

 * Added support for using POSIX extended regular expressions in
   sudoers rules.  A command and/or arguments in sudoers are treated
   as a regular expression if they start with a '^' character and
   end with a '$'.  The command and arguments are matched separately,
   either one (or both) may be a regular expression.

 * A user may now only run "sudo -U otheruser -l" if they have a
   "sudo ALL" privilege where the RunAs user contains either "root"
   or "otheruser".  Previously, having "sudo ALL" was sufficient,
   regardless of the RunAs user.

 * The sudo lecture is now displayed immediately before the password
   prompt.  As a result, sudo will no longer display the lecture
   unless the user needs to enter a password.  Authentication methods
   that don't interact with the user via a terminal do not trigger
   the lecture.

 * Sudo now uses its own closefrom() emulation on Linux systems.
   The glibc version may not work in a chroot jail where /proc is
   not available.  If close_range(2) is present, it will be used
   in preference to /proc/self/fd.

What's new in Sudo 1.9.9

 * Sudo can now be built with OpenSSL 3.0 without generating warnings
   about deprecated OpenSSL APIs.

 * A digest can now be specified along with the "ALL" command in
   the LDAP and SSSD back-ends.  Sudo 1.9.0 introduced support for
   this in the sudoers file but did not include corresponding changes
   for the other back-ends.

 * visudo now only warns about an undefined alias or a cycle in an
   alias once for each alias.

 * The sudoRole cn was truncated by a single character in warning messages.

 * The cvtsudoers utility has new --group-file and --passwd-file options
   to use a custom passwd or group file when the --match-local option is
   also used.

 * The cvtsudoers utility can now filter or match based on a command.

 * The cvtsudoers utility can now produce output in csv (comma-separated
   value) format.  This can be used to help generate entitlement reports.

 * Fixed a bug in sudo_logsrvd that could result in the connection being
   dropped for very long command lines.

 * Fixed a bug where sudo_logsrvd would not accept a restore point
   of zero.

 * Fixed a bug in visudo where the value of the "editor" setting was not
   used if it did not match the user's EDITOR environment variable.
   This was only a problem if the "env_editor" setting was not enabled.

 * Sudo now builds with the -fcf-protection compiler option and the
   "-z now" linker option if supported.

 * The output of "sudoreplay -l" now more closely matches the
   traditional sudo log format.

 * The sudo_sendlog utility will now use the full contents of the log.json
   file, if present.  This makes it possible to send sudo-format I/O logs
   that use the newer log.json format to sudo_logsrvd without losing any
   information.

 * Fixed compilation of the arc4random_buf() replacement on systems with
   arc4random() but no arc4random_buf().

 * Sudo now uses its own getentropy() by default on Linux.  The GNU libc
   version of getentropy() will fail on older kernels that don't support
   the getrandom() system call.

 * It is now possible to build sudo with WolfSSL's OpenSSL compatibility
   layer by using the --enable-wolfssl configure option.

 * Fixed a bug related to Daylight Saving Time when parsing timestamps
   in Generalized Time format.  This affected the NOTBEFORE and
   NOTAFTER options in sudoers.

 * Added the -O and -P options to visudo, which can be used to check
   or set the owner and permissions.  This can be used in conjunction
   with the -c option to check that the sudoers file ownership and
   permissions are correct.

 * It is now possible to set resource limits in the sudoers file itself.
   The special values "default" and "user" refer to the default system
   limit and invoking user limit respectively.  The core dump size limit
   is now set to 0 by default unless overridden by the sudoers file.

 * The cvtsudoers utility can now merge multiple sudoers sources into
   a single, combined sudoers file.  If there are conflicting entries,
   cvtsudoers will attempt to resolve them but manual intervention
   may be required.  The merging of sudoers rules is currently fairly
   simplistic but will be improved in a future release.

 * Sudo was parsing but not applying the "deref" and "tls_reqcert"
   ldap.conf settings.  This meant the options were effectively
   ignored which broke dereferencing of aliases in LDAP.

 * Clarified in the sudo man page that the security policy may
   override the user's PATH environment variable.

 * When sudo is run in non-interactive mode (with the -n option), it
   will now attempt PAM authentication and only exit with an error
   if user interaction is required.  This allows PAM modules that
   don't interact with the user to succeed.  Previously, sudo
   would not attempt authentication if the -n option was specified.

 * Fixed a regression introduced in version 1.9.1 when sudo is
   built with the --with-fqdn configure option.  The local host
   name was being resolved before the sudoers file was processed,
   making it impossible to disable DNS lookups by negating the
   "fqdn" sudoers option.

 * Added support for negated sudoUser attributes in the LDAP and
   SSSD sudoers back ends.  A matching sudoUser that is negated
   will cause the sudoRole containing it to be ignored.

 * Fixed a bug where the stack resource limit could be set to a
   value smaller than that of the invoking user and not be reset
   before the command was run.

What's new in Sudo 1.9.8p2

 * Fixed a potential out-of-bounds read with "sudo -i" when the
   target user's shell is bash.  This is a regression introduced
   in sudo 1.9.8.

 * sudo_logsrvd now only sends a log ID for first command of a session.
   There is no need to send the log ID for each sub-command.

 * Fixed a few minor memory leaks in intercept mode.

 * Fixed a problem with sudo_logsrvd in relay mode if "store_first"
   was enabled when handling sub-commands.  A new zero-length journal
   file was created for each sub-command instead of simply using
   the existing journal file.

 * Fixed a bug where sudoedit would fail if one of the directories
   in the path to be edited had the immutable flag set (BSD, Linux
   or macOS).

What's new in Sudo 1.9.8p1

 * Fixed support for passing a prompt (sudo -p) or a login class
   (sudo -c) on the command line.  This is a regression introduced
   in sudo 1.9.8.

 * Fixed a crash with "sudo ALL" rules in the LDAP and SSSD back-ends.
   This is a regression introduced in sudo 1.9.8.

 * Fixed a compilation error when the --enable-static-sudoers configure
   option was specified.  This is a regression introduced in sudo
   1.9.8 caused by a symbol clash with the intercept and log server
   protobuf functions.

What's new in Sudo 1.9.8

 * It is now possible to transparently intercepting sub-commands
   executed by the original command run via sudo.  Intercept support
   is implemented using LD_PRELOAD (or the equivalent supported by
   the system) and so has some limitations.  The two main limitations
   are that only dynamic executables are supported and only the
   execl, execle, execlp, execv, execve, execvp, and execvpe library
   functions are currently intercepted. Its main use case is to
   support restricting privileged shells run via sudo.

   To support this, there is a new "intercept" Defaults setting and
   an INTERCEPT command tag that can be used in sudoers.  For example:

    Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
    Defaults!SHELLS intercept

   would cause sudo to run the listed shells in intercept mode.
   This can also be set on a per-rule basis.  For example:

    Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
    chuck ALL = INTERCEPT: SHELLS

   would only apply intercept mode to user "chuck" when running one
   of the listed shells.

   In intercept mode, sudo will not prompt for a password before
   running a sub-command and will not allow a set-user-ID or
   set-group-ID program to be run by default.  The new
   intercept_authenticate and intercept_allow_setid sudoers settings
   can be used to change this behavior.

 * The new "log_subcmds" sudoers setting can be used to log additional
   commands run in a privileged shell.  It uses the same mechanism as
   the intercept support described above and has the same limitations.

 * The new "log_exit_status" sudoers setting can be used to log
   the exit status commands run via sudo.  This is also a corresponding
   "log_exit" setting in the sudo_logsrvd.conf eventlog stanza.

 * Support for logging sudo_logsrvd errors via syslog or to a file.
   Previously, most sudo_logsrvd errors were only visible in the
   debug log.

 * Better diagnostics when there is a TLS certificate validation error.

 * Using the "+=" or "-=" operators in a Defaults setting that takes
   a string, not a list, now produces a warning from sudo and a
   syntax error from inside visudo.

 * Fixed a bug where the "iolog_mode" setting in sudoers and sudo_logsrvd
   had no effect when creating I/O log parent directories if the I/O log
   file name ended with the string "XXXXXX".

 * Fixed a bug in the sudoers custom prompt code where the size
   parameter that was passed to the strlcpy() function was incorrect.
   No overflow was possible since the correct amount of memory was
   already pre-allocated.

 * The mksigname and mksiglist helper programs are now built with
   the host compiler, not the target compiler, when cross-compiling.

 * Fixed compilation error when the --enable-static-sudoers configure
   option was specified.  This was due to a typo introduced in sudo
   1.9.7.


(adam)