xref: /macosx-10.10.1/sudo-73/src/NEWS

What's new in Sudo 1.7.10p7?

 * A time stamp file with the date set to the epoch by "sudo -k" 
   is now completely ignored regardless of what the local clock is
   set to.  Previously, if the local clock was set to a value between 
   the epoch and the time stamp timeout value, a time stamp reset
   by "sudo -k" would be considered current.

 * Fixed the sudo exit status when "sudo -l command" is run.
   This is a regression introduced in version 1.7.10.

What's new in Sudo 1.7.10p6?

 * Fixed the restoration of SIGINT, SIGQUIT and SIGTSTP.  This
   is a regression introduced in version 1.7.10p4.

 * The tty-specific time stamp file now includes the session ID
   of the sudo process that created it.  If a process with the same
   tty but a different session ID runs sudo, the user will now be
   prompted for a password (assuming authentication is required for
   the command).

What's new in Sudo 1.7.10p5?

 * On systems where the controlling tty can be determined via /proc
   or sysctl(), sudo will no longer fall back to using ttyname()
   if the process has no controlling tty.  This prevents sudo from
   using a non-controlling tty for logging and time stamp purposes.

 * Fixed a potential crash in visudo's alias cycle detection.

What's new in Sudo 1.7.10p4?

 * Avoid building PIE binaries on FreeBSD/ia64 as they don't run
   properly.

 * Fixed a crash in visudo strict mode when an unknown Defaults
   setting is encountered.

 * Do not inform the user that the command was not permitted by the
   policy if they do not successfully authenticate. This is a
   regression introduced in sudo 1.7.10.

 * Fix running commands that need the terminal in the background
   when I/O logging is enabled. E.g. "sudo vi &". When the command
   is foregrounded, it will now resume properly.

What's new in Sudo 1.7.10p3?

 * Fixed post-processing of the man pages on systems with legacy
   versions of sed.

 * Fixed "sudoreplay -l" on Linux systems with file systems that 
   set DT_UNKNOWN in the d_type field of struct dirent.

What's new in Sudo 1.7.10p2?

 * Fixed suspending a command after it has already been resumed
   once when I/O logging (or use_pty) is not enabled.
   This was a regression introduced in version 1.7.10.

What's new in Sudo 1.7.10p1?

 * Fixed the setting of LOGNAME, USER and USERNAME variables in the
   command's environment when env_reset is enabled (the default).
   This was a regression introduced in version 1.7.10.

 * Sudo now honors SUCCESS=return in /etc/nsswitch.conf.

What's new in Sudo 1.7.10?

 * Sudo is now built with the -fstack-protector flag if the the
   compiler supports it.  Also, the -zrelro linker flag is used if
   supported.  The --disable-hardening configure option can be used
   to build sudo without stack smashing protection.

 * Sudo is now built as a Position Independent Executable (PIE)
   if supported by the compiler and linker.

 * If the user is a member of the "exempt" group in sudoers, they
   will no longer be prompted for a password even if the -k flag
   is specified with the command.  This makes "sudo -k command"
   consistent with the behavior one would get if the user ran "sudo
   -k" immediately before running the command.

 * The sudoers file may now be a symbolic link.  Previously, sudo
   would refuse to read sudoers unless it was a regular file.

 * The user/group/mode checks on sudoers files have been relaxed.
   As long as the file is owned by the sudoers uid, not world-writable
   and not writable by a group other than the sudoers gid, the file
   is considered OK.  Note that visudo will still set the mode to
   the value specified at configure time.

 * /etc/environment is no longer read directly on Linux systems
   when PAM is used.  Sudo now merges the PAM environment into the
   user's environment which is typically set by the pam_env module.

 * The initial evironment created when env_reset is in effect now
   includes the contents of /etc/environment on AIX systems and the
   "setenv" and "path" entries from /etc/login.conf on BSD systems.

 * On systems with an SVR4-style /proc file system, the /proc/pid/psinfo
   file is now uses to determine the controlling terminal, if possible.
   This allows tty-based tickets to work properly even when, e.g.
   standard input, output and error are redirected to /dev/null.

 * The output of "sudoreplay -l" is now sorted by file name (or
   sequence number).  Previously, entries were displayed in the
   order in which they were found on the file system.

 * The sudoreplay command can now properly replay sessions where
   no tty was present.

 * Sudo now behaves properly when I/O logging is enabled and the
   controlling terminal is revoked (e.g. the running sshd is killed).
   Previously, sudo may have exited without calling the I/O plugin's
   close function which can lead to an incomplete I/O log.

 * Sudo can now detect when a user has logged out and back in again
   on Solaris 11, just like it can on Solaris 10.

 * The built-in zlib included with Sudo has been upgraded to version
   1.2.6.

 * Setting the SSL parameter to start_tls in ldap.conf now works
   properly when using Mozilla-based SDKs that support the
   ldap_start_tls_s() function.

 * The TLS_CHECKPEER parameter in ldap.conf now works when the
   Mozilla NSS crypto backend is used with OpenLDAP.

 * Improved support for the Tivoli Directory Server LDAP client
   libraries.  This includes support for using LDAP over SSL (ldaps)
   as well as support for the BIND_TIMELIMIT, TLS_KEY and TLS_CIPHERS
   ldap.conf options.  A new ldap.conf option, TLS_KEYPW can be
   used to specify a password to decrypt the key database.

 * Fixed a crash introduced in version 1.7.7 when "sudo -s" is
   specified with a command.

 * If a user fails to authenticate and the command would be rejected
   by sudoers, it is now logged with "command not allowed" instead
   of "N incorrect password attempts".  Likewise, the "mail_no_perms"
   sudoers option now takes precedence over "mail_badpass".

 * The sudo manuals are now formatted using the mdoc macros.  Versions
   using the legacy man macros are provided for systems that lack mdoc.

 * Fixed a problem with the reboot and shutdown commands on some
   systems (such as HP-UX and BSD).  On these systems, reboot sends
   all processes (except itself) SIGTERM.  When sudo received
   SIGTERM, it would relay it to the reboot process, thus killing
   reboot before it had a chance to actually reboot the system.

 * Visudo will now warn about unknown Defaults entries that are
   per-host, per-user, per-runas or per-command.

 * When constructing a time filter for use with LDAP sudoNotBefore
   and sudoNotAfter attributes, the current time now includes tenths
   of a second.  This fixes a problem with timed entries on Active
   Directory.

 * Fixed a race condition that could cause sudo to receive SIGTTOU
   (and stop) when resuming a shell that was run via sudo when I/O
   logging (and use_pty) is not enabled.

 * Sending SIGTSTP directly to the sudo process will now suspend the
   running command when I/O logging (and use_pty) is not enabled.

What's new in Sudo 1.7.9p1?

 * Fixed a bug when matching against an IP address with an associated
   netmask in the sudoers file.  In certain circumstances, this
   could allow users to run commands on hosts they are not authorized
   for.

What's new in Sudo 1.7.9?

 * Fixed a false positive in visudo strict mode when aliases are
   in use.

 * The line on which a syntax error is reported in the sudoers file
   is now more accurate.  Previously it was often off by a line.

 * The #include and #includedir directives in sudoers now support
   relative paths.  If the path is not fully qualified it is expected
   to be located in the same directory of the sudoers file that is
   including it.

 * visudo will now fix the mode on the sudoers file even if no changes
   are made unless the -f option is specified.

 * The "use_loginclass" sudoers option works properly again.

 * For LDAP-based sudoers, values in the search expression are now
   escaped as per RFC 4515.

 * Fixed a race condition when I/O logging is not enabled that could
   result in tty-generated signals (e.g. control-C) being received
   by the command twice.

 * If none of the standard input, output or error are connected to
   a tty device, sudo will now check its parent's standard input,
   output or error for the tty name on systems with /proc and BSD
   systems that support the KERN_PROC_PID sysctl.  This allows
   tty-based tickets to work properly even when, e.g. standard
   input, output and error are redirected to /dev/null.

 * Fixed a bug where a pattern like "/usr/*" included /usr/bin/ in
   the results, which would be incorrectly be interpreted as if the
   sudoers file had specified a directory.

 * "visudo -c" will now list any include files that were checked
   in addition to the main sudoers file when everything parses OK.

 * Users that only have read-only access to the sudoers file may
   now run "visudo -c".  Previously, write permissions were required
   even though no writing is down in check-only mode.

What's new in Sudo 1.7.8p2?

 * Fixed a crash in the monitor process on Solaris when NOPASSWD
   was specified or when authentication was disabled.

What's new in Sudo 1.7.8p1?

 * Fixed matching of a Runas_Alias in the group section of a
   Runas_Spec.

What's new in Sudo 1.7.8?

 * Sudo will now use PAM by default on AIX 6 and higher.

 * Added --enable-werror configure option for gcc's -Werror flag.

 * Visudo no longer assumes all editors support the +linenumber
   command line argument.  It now uses a whitelist of editors known
   to support the option.

 * Fixed matching of network addresses when a netmask is specified
   but the address is not the first one in the CIDR block.

 * The configure script now check whether or not errno.h declares
   the errno variable.  Previously, sudo would always declare errno
   itself for older systems that don't declare it in errno.h.

 * The NOPASSWD tag is now honored for denied commands too, which
   matches historic sudo behavior (prior to sudo 1.7.0).

 * Sudo now honors the "DEREF" setting in ldap.conf which controls
   how alias dereferencing is done during an LDAP search.

 * Using the -n option may in conjunction with the -v or -l option
   no longer results in a usage error.

 * The LOGNAME, USER and USERNAME environment variables are preserved
   correctly again in sudoedit mode.

What's new in Sudo 1.7.7

 * I/O logging is now supported for commands run in background mode
   (using sudo's -b flag).

 * Group ownership of the sudoers file is now only enforced when
   the file mode on sudoers allows group readability or writability.

 * Visudo now checks the contents of an alias and warns about cycles
   when the alias is expanded.

 * If the user specifes a group via sudo's -g option that matches
   the target user's group in the password database, it is now
   allowed even if no groups are present in the Runas_Spec.

 * "sudo -i command" now works correctly with the bash version
   2.0 and higher.  Previously, the .bash_profile would not be
   sourced prior to running the command unless bash was built with
   NON_INTERACTIVE_LOGIN_SHELLS defined.

 * Multi-factor authentication is now supported on AIX.

 * Added support for non-RFC 4517 compliant LDAP servers that require
   that seconds be present in a timestamp, such as Tivoli Directory Server.

 * If the group vector is to be preserved, the PATH search for the
   command is now done with the user's original group vector.

 * For LDAP-based sudoers, the "runas_default" sudoOption now works
   properly in a sudoRole that contains a sudoCommand.

 * Spaces in command line arguments for "sudo -s" and "sudo -i" are
    now escaped with a backslash when checking the sudoers file.

What's new in Sudo 1.7.6p2

 * Two-character CIDR-style IPv4 netmasks are now matched correctly 
   in the sudoers file.

 * A build error with MIT Kerberos V has been resolved.

What's new in Sudo 1.7.6p1

 * A non-existent includedir is now treated the same as an empty
   directory and not reported as an error.

 * Removed extraneous parens in LDAP filter when sudoers_search_filter
   is enabled that can cause an LDAP search error.

What's new in Sudo 1.7.6?

 * A new LDAP setting, sudoers_search_filter, has been added to
   ldap.conf.  This setting can be used to restrict the set of
   records returned by the LDAP query.  Based on changes from Matthew
   Thomas.

 * White space is now permitted within a User_List when used in
   conjunction with a per-user Defaults definition.

 * A group ID (%#gid) may now be specified in a User_List or Runas_List.
   Likewise, for non-Unix groups the syntax is %:#gid.

 * Support for double-quoted words in the sudoers file has been fixed.
   The change in 1.7.5 for escaping the double quote character
   caused the double quoting to only be available at the beginning
   of an entry.

 * The fix for resuming a suspended shell in 1.7.5 caused problems
   with resuming non-shells on Linux.  Sudo will now save the process
   group ID of the program it is running on suspend and restore it
   when resuming, which fixes both problems.

 * A bug that could result in corrupted output in "sudo -l" has been
   fixed.

What's new in Sudo 1.7.5?

 * When using visudo in check mode, a file named "-" may be used to
   check sudoers data on the standard input.

 * Sudo now only fetches shadow password entries when using the
   password database directly for authentication.

 * Password and group entries are now cached using the same key
   that was used to look them up.  This fixes a problem when looking
   up entries by name if the name in the retrieved entry does not
   match the name used to look it up.  This may happen on some systems
   that do case insensitive lookups or that truncate long names.

 * GCC will no longer display warnings on glibc systems that use
   the warn_unused_result attribute for write(2) and other system calls.

 * If a PAM account management module denies access, sudo now prints
   a more useful error message and stops trying to validate the user.

 * Fixed a potential hang on idle systems when the sudo-run process
   exits immediately.

 * Sudo now includes a copy of zlib that will be used on systems
   that do not have zlib installed.

 * The --with-umask-override configure flag has been added to enable
   the "umask_override" sudoers Defaults option at build time.

 * Sudo now unblocks all signals on startup to avoid problems caused
   by the parent process changing the default signal mask.

 * LDAP Sudoers entries may now specify a time period for which
   the entry is valid.  This requires an updated sudoers schema
   that includes the sudoNotBefore and sudoNotAfter attributes.
   Support for timed entries must be explicitly enabled in the
   ldap.conf file.  Based on changes from Andreas Mueller.

 * LDAP Sudoers entries may now specify a sudoOrder attribute that
   determines the order in which matching entries are applied.  The
   last matching entry is used, just like file-based sudoers.  This
   requires an updated sudoers schema that includes the sudoOrder
   attribute.  Based on changes from Andreas Mueller.

 * When run as sudoedit, or when given the -e flag, sudo now treats
   command line arguments as pathnames.  This means that slashes
   in the sudoers file entry must explicitly match slashes in
   the command line arguments.  As a result, and entry such as:
	user ALL = sudoedit /etc/*
   will allow editing of /etc/motd but not /etc/security/default.

 * NETWORK_TIMEOUT is now an alias for BIND_TIMELIMIT in ldap.conf for
   compatibility with OpenLDAP configuration files.

 * The LDAP API TIMEOUT parameter is now honored in ldap.conf.

 * The I/O log directory may now be specified in the sudoers file.

 * Sudo will no longer refuse to run if the sudoers file is writable
   by root.

 * Sudo now performs command line escaping for "sudo -s" and "sudo -i"
   after validating the command so the sudoers entries do not need
   to include the backslashes.

 * Logging and email sending are now done in the locale specified
   by the "sudoers_locale" setting ("C" by default).  Email send by
   sudo now includes MIME headers when "sudoers_locale" is not "C".

 * The configure script has a new option, --disable-env-reset, to
   allow one to change the default for the sudoers Default setting
   "env_reset" at compile time.

 * When logging "sudo -l command", sudo will now prepend "list "
   to the command in the log line to distinguish between an
   actual command invocation in the logs.

 * Double-quoted group and user names may now include escaped double
   quotes as part of the name.  Previously this was a parse error.

 * Sudo once again restores the state of the signal handlers it
   modifies before executing the command.  This allows sudo to be
   used with the nohup command.

 * Resuming a suspended shell now works properly when I/O logging
   is not enabled (the I/O logging case was already correct).

What's new in Sudo 1.7.4p6?

 * A bug has been fixed in the I/O logging support that could cause
   visual artifacts in full-screen programs such as text editors.

What's new in Sudo 1.7.4p5?

 * A bug has been fixed that would allow a command to be run without the
   user entering a password when sudo's -g flag is used without the -u flag.

 * If user has no supplementary groups, sudo will now fall back on checking
   the group file explicitly, which restores historic sudo behavior.

 * A crash has been fixed when sudo's -g flag is used without the -u flag
   and the sudoers file contains an entry with no runas user or group listed.

 * A crash has been fixed when the Solaris project support is enabled
   and sudo's -g flag is used without the -u flag.

 * Sudo no longer exits with an error when support for auditing is
   compiled in but auditing is not enabled.

 * Fixed a bug introduced in sudo 1.7.3 where the ticket file was not
   being honored when the "targetpw" sudoers Defaults option was enabled.

 * The LOG_INPUT and LOG_OUTPUT tags in sudoers are now parsed correctly.

 * A crash has been fixed in "sudo -l" when sudo is built with auditing
   support and the user is not allowed to run any commands on the host.

What's new in Sudo 1.7.4p4?

 * A potential security issue has been fixed with respect to the handling
   of sudo's -g command line option when -u is also specified.  The flaw
   may allow an attacker to run commands as a user that is not authorized
   by the sudoers file.

 * A bug has been fixed where "sudo -l" output was incomplete if multiple
   sudoers sources were defined in nsswitch.conf and there was an error
   querying one of the sources.

 * The log_input, log_output, and use_pty sudoers options now work correctly
   on AIX.  Previously, sudo would hang if they were enabled.

 * The "make install" target now works correctly when sudo is built in a
   directory other than the source directory.

 * The "runas_default" sudoers setting now works properly in a per-command
   Defaults line.

 * Suspending and resuming the bash shell when PAM is in use now works
   correctly.  The SIGCONT signal was not propagated to the child process.

What's new in Sudo 1.7.4p3?

 * A bug has been fixed where duplicate HOME environment variables could be
   present when the env_reset setting was disabled and the always_set_home
   setting was enabled in sudoers.

 * The value of sysconfdir is now substituted into the path to the sudoers.d
   directory in the installed sudoers file.

 * Compilation problems on IRIX and other platforms have been fixed.

 * If multiple PAM "auth" actions are specified and the user enters ^C at
   the password prompt, sudo will no longer prompt for a password for any
   subsequent "auth" actions.  Previously it was necessary to enter ^C for
   each "auth" action.

What's new in Sudo 1.7.4p2?

 * A bug where sudo could spin in a busy loop waiting for the child process
   has been fixed.

What's new in Sudo 1.7.4p1?

 * A bug introduced in sudo 1.7.3 that prevented the -k and -K options from
   functioning when the tty_tickets sudoers option is enabled has been fixed.

 * Sudo no longer prints a warning when the -k or -K options are specified
   and the ticket file does not exist.

 * It is now easier to cross-compile sudo.

What's new in Sudo 1.7.4?

 * Sudoedit will now preserve the file extension in the name of the
   temporary file being edited.  The extension is used by some
   editors (such as emacs) to choose the editing mode.

 * Time stamp files have moved from /var/run/sudo to either /var/db/sudo,
   /var/lib/sudo or /var/adm/sudo.  The directories are checked for
   existence in that order.  This prevents users from receiving the
   sudo lecture every time the system reboots.  Time stamp files older
   than the boot time are ignored on systems where it is possible to
   determine this.

 * The tty_tickets sudoers option is now enabled by default.

 * Ancillary documentation (README files, LICENSE, etc) is now installed
   in a sudo documentation directory.

 * Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile"
   in ldap.conf.

 * Defaults settings that are tied to a user, host or command may
   now include the negation operator.  For example:
	Defaults:!millert lecture
   will match any user but millert.

 * The default PATH environment variable, used when no PATH variable
    exists, now includes /usr/sbin and /sbin.

 * Sudo now uses polypkg (http://rc.quest.com/topics/polypkg/)
   for cross-platform packing.

 * On Linux, sudo will now restore the nproc resource limit before
   executing a command, unless the limit appears to have been modified
   by pam_limits.  This avoids a problem with bash scripts that open
   more than 32 descriptors on SuSE Linux, where sysconf(_SC_CHILD_MAX)
   will return -1 when RLIMIT_NPROC is set to RLIMIT_UNLIMITED (-1).

 * The HOME and MAIL environment variables are now reset based on the
   target user's password database entry when the env_reset sudoers option
   is enabled (which is the case in the default configuration).  Users
   wishing to preserve the original values should use a sudoers entry like:
	Defaults env_keep += HOME
   to preserve the old value of HOME and
	Defaults env_keep += MAIL
   to preserve the old value of MAIL.

 * Fixed a problem in the restoration of the AIX authdb registry setting.

 * Sudo will now fork(2) and wait until the command has completed before
   calling pam_close_session().

 * The default syslog facility is now "authpriv" if the operating system
   supports it, else "auth".

What's new in Sudo 1.7.3?

 * Support for logging I/O for the command being run.
   For more information, see the documentation for the "log_input"
   and "log_output" Defaults options in the sudoers manual.  Also
   see the sudoreplay manual for how to replay I/O log sessions.

 * The use_pty sudoers option can be used to force a command to be
   run in a pseudo-pty, even when I/O logging is not enabled.

 * On some systems, sudo can now detect when a user has logged out
   and back in again when tty-based time stamps are in use.  Supported
   systems include Solaris systems with the devices file system,
   Mac OS X, and Linux systems with the devpts filesystem (pseudo-ttys
   only).

 * On AIX systems, the registry setting in /etc/security/user is
   now taken into account when looking up users and groups.  Sudo
   now applies the correct the user and group ids when running a
   command as a user whose account details come from a different
   source (e.g. LDAP or DCE vs.  local files).

 * Support for multiple 'sudoers_base' and 'uri' entries in ldap.conf.
   When multiple entries are listed, sudo will try each one in the
   order in which they are specified.

 * Sudo's SELinux support should now function correctly when running
   commands as a non-root user and when one of stdin, stdout or stderr
   is not a terminal.

 * Sudo will now use the Linux audit system with configure with
   the --with-linux-audit flag.

 * Sudo now uses mbr_check_membership() on systems that support it
   to determine group membership.  Currently, only Darwin (Mac OS X)
   supports this.

 * When the tty_tickets sudoers option is enabled but there is no
   terminal device, sudo will no longer use or create a tty-based
   ticket file.  Previously, sudo would use a tty name of "unknown".
   As a consequence, if a user has no terminal device, sudo will
   now always prompt for a password.

 * The passwd_timeout and timestamp_timeout options may now be
   specified as floating point numbers for more granular timeout
   values.

 * Negating the fqdn option in sudoers now works correctly when sudo
   is configured with the --with-fqdn option.  In previous versions
   of sudo the fqdn was set before sudoers was parsed.

What's new in Sudo 1.7.2?

 * A new #includedir directive is available in sudoers.  This can be
   used to implement an /etc/sudo.d directory.  Files in an includedir
   are not edited by visudo unless they contain a syntax error.

 * The -g option did not work properly when only setting the group
   (and not the user).  Also, in -l mode the wrong user was displayed
   for sudoers entries where only the group was allowed to be set.

 * Fixed a problem with the alias checking in visudo which
   could prevent visudo from exiting.

 * Sudo will now correctly parse the shell-style /etc/environment
   file format used by pam_env on Linux.

 * When doing password and group database lookups, sudo will only
   cache an entry by name or by id, depending on how the entry was
   looked up.  Previously, sudo would cache by both name and id
   from a single lookup, but this breaks sites that have multiple
   password or group database names that map to the same uid or
   gid.

 * User and group names in sudoers may now be enclosed in double
   quotes to avoid having to escape special characters.

 * BSM audit fixes when changing to a non-root uid.

 * Experimental non-Unix group support.  Currently only works with
   Quest Authorization Services and allows Active Directory groups
   fixes for Minix-3.

 * For Netscape/Mozilla-derived LDAP SDKs the certificate and key
   paths may be specified as a directory or a file.  However, version
   5.0 of the SDK only appears to support using a directory (despite
   documentation to the contrary).  If SSL client initialization
   fails and the certificate or key paths look like they could be
   default file name, strip off the last path element and try again.

 * A setenv() compatibility fix for Linux systems, where a NULL
   value is treated the same as an empty string and the variable
   name is checked against the NULL pointer.

What's new in Sudo 1.7.1?

 * A new Defaults option "pwfeedback" will cause sudo to provide visual
   feedback when the user is entering a password.

 * A new Defaults option "fast_glob" will cause sudo to use the fnmatch()
   function for file name globbing instead of glob().  When this option
   is enabled, sudo will not check the file system when expanding wildcards.
   This is faster but a side effect is that relative paths with wildcard
   will no longer work.

 * New BSM audit support for systems that support it such as FreeBSD
   and Mac OS X.

 * The file name specified with the #include directive may now include
   a %h escape which is expanded to the short form of hostname.

 * The -k flag may now be specified along with a command, causing the
   user's timestamp file to be ignored.

 * New support for Tivoli-based LDAP START_TLS, present in AIX.

 * New support for /etc/netsvc.conf on AIX.

 * The unused alias checks in visudo now handle the case of an alias
   referring to another alias.

What's new in Sudo 1.7.0?

 * Rewritten parser that converts sudoers into a set of data structures.
   This eliminates a number of ordering issues and makes it possible to
   apply sudoers Defaults entries before searching for the command.
   It also adds support for per-command Defaults specifications.

 * Sudoers now supports a #include facility to allow the inclusion of other
   sudoers-format files.

 * Sudo's -l (list) flag has been enhanced:
    o applicable Defaults options are now listed
    o a command argument can be specified for testing whether a user
      may run a specific command.
    o a new -U flag can be used in conjunction with "sudo -l" to allow
      root (or a user with "sudo ALL") list another user's privileges.

 * A new -g flag has been added to allow the user to specify a
   primary group to run the command as.  The sudoers syntax has been
   extended to include a group section in the Runas specification.

 * A uid may now be used anywhere a username is valid.

 * The "secure_path" run-time Defaults option has been restored.

 * Password and group data is now cached for fast lookups.

 * The file descriptor at which sudo starts closing all open files is now
   configurable via sudoers and, optionally, the command line.

 * Visudo will now warn about aliases that are defined but not used.

 * The -i and -s command line flags now take an optional command
   to be run via the shell.  Previously, the argument was passed
   to the shell as a script to run.

 * Improved LDAP support.  SASL authentication may now be used in
   conjunction when connecting to an LDAP server.  The krb5_ccname
   parameter in ldap.conf may be used to enable Kerberos.

 * Support for /etc/nsswitch.conf.  LDAP users may now use nsswitch.conf
   to specify the sudoers order.  E.g.:
	sudoers: ldap files
   to check LDAP, then /etc/sudoers.  The default is "files", even
   when LDAP support is compiled in.  This differs from sudo 1.6
   where LDAP was always consulted first.

 * Support for /etc/environment on AIX and Linux.  If sudo is run
   with the -i flag, the contents of /etc/environment are used to
   populate the new environment that is passed to the command being
   run.

 * If no terminal is available or if the new -A flag is specified,
   sudo will use a helper program to read the password if one is
   configured.  Typically, this is a graphical password prompter
   such as ssh-askpass.

 * A new Defaults option, "mailfrom" that sets the value of the
   "From:" field in the warning/error mail.  If unspecified, the
   login name of the invoking user is used.

 * A new Defaults option, "env_file" that refers to a file containing
   environment variables to be set in the command being run.

 * A new flag, -n, may be used to indicate that sudo should not
   prompt the user for a password and, instead, exit with an error
   if authentication is required.

 * If sudo needs to prompt for a password and it is unable to disable
   echo (and no askpass program is defined), it will refuse to run
   unless the "visiblepw" Defaults option has been specified.

 * Prior to version 1.7.0, hitting enter/return at the Password: prompt
   would exit sudo.  In sudo 1.7.0 and beyond, this is treated as
   an empty password.  To exit sudo, the user must press ^C or ^D
   at the prompt.

 * visudo will now check the sudoers file owner and mode in -c (check)
   mode when the -s (strict) flag is specified.

 * A new Defaults option "umask_override" will cause sudo to set the
   umask specified in sudoers even if it is more permissive than the
   invoking user's umask.