Notes on upgrading from an older release ======================================== o Upgrading from a version prior to 1.7.4: Starting with sudo 1.7.4, the time stamp files have moved from /var/run/sudo to either /var/db/sudo, /var/lib/sudo or /var/adm/sudo. The directories are checked for existence in that order. This prevents users from receiving the sudo lecture every time the system reboots. Time stamp files older than the boot time are ignored on systems where it is possible to determine this. Additionally, the tty_tickets sudoers option is now enabled by default. To restore the old behavior (single time stamp per user), add a line like: Defaults !tty_tickets to sudoers or use the --without-tty-tickets configure option. The HOME and MAIL environment variables are now reset based on the target user's password database entry when the env_reset sudoers option is enabled (which is the case in the default configuration). Users wishing to preserve the original values should use a sudoers entry like: Defaults env_keep += HOME to preserve the old value of HOME and Defaults env_keep += MAIL to preserve the old value of MAIL. NOTE: preserving HOME has security implications since many programs use when searching for configuration files. Adding HOME to env_keep may enable a user to run unrestricted commands via sudo. The default syslog facility has changed from "local2" to "authpriv" (or "auth" if the operating system doesn't have "authpriv"). The --with-logfac configure option can be used to change this or it can be changed in the sudoers file. o Upgrading from a version prior to 1.7.0: Starting with sudo 1.7.0, comments in the sudoers file must not have a digit or minus sign immediately after the comment character ('#'). Otherwise, the comment may be interpreted as a user or group ID. When sudo is build with LDAP support the /etc/nsswitch.conf file is now used to determine the sudoers seach order. sudo will default to only using /etc/sudoers unless /etc/nsswitch.conf says otherwise. This can be changed with an nsswitch.conf line, e.g.: sudoers: ldap files Would case LDAP to be searched first, then the sudoers file. To restore the pre-1.7.0 behavior, run configure with the --with-nsswitch=no flag. Sudo now ignores user .ldaprc files as well as system LDAP defaults. All LDAP configuration is now in /etc/ldap.conf (or whichever file was specified by configure's --with-ldap-conf-file option). If you are using TLS, you may now need to specify: tls_checkpeer no in sudo's ldap.conf unless ldap.conf references a valid certificate authority file(s). Please also see the NEWS file for a list of new features in sudo 1.7.0. o Upgrading from a version prior to 1.6.9: Starting with sudo 1.6.9, if an OS supports a modular authentication method such as PAM, it will be used by default by configure. Environment variable handling has changed significantly in sudo 1.6.9. Prior to version 1.6.9, sudo would preserve the user's environment, pruning out potentially dangerous variables. Beginning with sudo 1.6.9, the envionment is reset to a default set of values with only a small number of "safe" variables preserved. To preserve specific environment variables, add them to the "env_keep" list in sudoers. E.g. Defaults env_keep += "EDITOR" The old behavior can be restored by negating the "env_reset" option in sudoers. E.g. Defaults !env_reset There have also been changes to how the "env_keep" and "env_check" options behave. Prior to sudo 1.6.9, the TERM and PATH environment variables would always be preserved even if the env_keep option was redefined. That is no longer the case. Consequently, if env_keep is set with "=" and not simply appended to (i.e. using "+="), PATH and TERM must be explicitly included in the list of environment variables to keep. The LOGNAME, SHELL, USER, and USERNAME environment variables are still always set. Additionally, the env_check setting previously had no effect when env_reset was set (which is now on by default). Starting with sudo 1.6.9, environment variables listed in env_check are also preserved in the env_reset case, provided that they do not contain a '/' or '%' character. Note that it is not necessary to also list a variable in env_keep--having it in env_check is sufficent. The default lists of variables to be preserved and/or checked are displayed when sudo is run by root with the -V flag. o Upgrading from a version prior to 1.6.8: Prior to sudo 1.6.8, if /var/run did not exist, sudo would put the time stamp files in /tmp/.odus. As of sudo 1.6.8, the time stamp files will be placed in /var/adm/sudo or /usr/adm/sudo if there is no /var/run directory. This directory will be created if it does not already exist. Previously, a sudoers entry that explicitly prohibited running a command as a certain user did not override a previous entry allowing the same command. This has been fixed in sudo 1.6.8 such that the last match is now used (as it is documented). Hopefully no one was depending on the previous (buggy) beghavior. o Upgrading from a version prior to 1.6: As of sudo 1.6, parsing of runas entries and the NOPASSWD tag has changed. Prior to 1.6, a runas specifier applied only to a single command directly following it. Likewise, the NOPASSWD tag only allowed the command directly following it to be run without a password. Starting with sudo 1.6, both the runas specifier and the NOPASSWD tag are "sticky" for an entire command list. So, given the following line in sudo < 1.6 millert ALL=(daemon) NOPASSWD:/usr/bin/whoami,/bin/ls millert would be able to run /usr/bin/whoami as user daemon without a password and /bin/ls as root with a password. As of sudo 1.6, the same line now means that millert is able to run run both /usr/bin/whoami and /bin/ls as user daemon without a password. To expand on this, take the following example: millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, (root) /bin/ls, \ /sbin/dump millert can run /usr/bin/whoami as daemon and /bin/ls and /sbin/dump as root. No password need be given for either command. In other words, the "(root)" sets the default runas user to root for the rest of the list. If we wanted to require a password for /bin/ls and /sbin/dump the line could be written thusly: millert ALL=(daemon) NOPASSWD:/usr/bin/whoami, \ (root) PASSWD:/bin/ls, /sbin/dump Additionally, sudo now uses a per-user time stamp directory instead of a time stamp file. This allows tty time stamps to simply be files within the user's time stamp dir. For the default, non-tty case, the time stamp on the directory itself is used. Also, the temporary file used by visudo is now /etc/sudoers.tmp since some versions of vipw on systems with shadow passwords use /etc/stmp for the temporary shadow file. o Upgrading from a version prior to 1.5: By default, sudo expects the sudoers file to be mode 0440 and to be owned by user and group 0. This differs from version 1.4 and below which expected the sudoers file to be mode 0400 and to be owned by root. Doing a `make install' will set the sudoers file to the new mode and group. If sudo encounters a sudoers file with the old permissions it will attempt to update it to the new scheme. You cannot, however, use a sudoers file with the new permissions with an old sudo binary. It is suggested that if have a means of distributing sudo you distribute the new binaries first, then the new sudoers file (or you can leave sudoers as is and sudo will fix the permissions itself as long as sudoers is on a local file system).