Bug 1360687 (sudo-rhel7.4-rebase) - sudo rhel-7 rebase
Summary: sudo rhel-7 rebase
Keywords:
Status: CLOSED ERRATA
Alias: sudo-rhel7.4-rebase
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sudo
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Radovan Sroka
QA Contact: Dalibor Pospíšil
URL:
Whiteboard:
Depends On: 1417187 1444476
Blocks: 1123526 1254772 1308789 1348504 1374417 1377248 1387303 1389360 1389735 1410086
Reported: 2016-07-27 10:48 UTC by Daniel Kopeček
Modified: 2020-03-11 15:14 UTC (History)

Fixed In Version: sudo-1.8.19p2-6.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Important: if this rebase instead contains *only bug fixes,* or *only enhancements*, select the correct option from the Doc Type drop-down list.

Rebase package(s) to version: sudo-1.8.19p2

Highlights, important fixes, or notable enhancements:

* FIX/CHANGE: Set the sudoers locale before opening the sudoers file. Previously the sudoers locale was used when evaluating sudoers but not during the initial parse.
* FIX/CHANGE: The fqdn, runas_default and sudoers_locale Defaults settings are now applied before any other Defaults settings since they can change how other Defaults settings are parsed.
* FIX/CHANGE: A comment character ('#') is only special at the beginning of the line (in ldap.conf).
* FIX/CHANGE: Fix matching when no sudoRunAsUser is present in a sudoRole. If only a sudoRunAsGroup is present, match on the invoking user if the -g option was specified and the group matched. If no sudoRunAsGroup is present and the -g option was specified, allow it if it matches the passwd gid of the runas user. This matches the behavior of the sudoers backend.
* FIX/CHANGE: Create I/O log files with the same gid as the parent directory.
* FIX/CHANGE: When updating defaults, process certain values first since they can influence how other defaults are parsed. Currently, runas_default and sudoers_locale are processed early.
* CHANGE: Sudo now takes all sudoers sources into account when determining whether or not "sudo -l" or "sudo -b" should prompt for a password. In other words, if both file and ldap sudoers sources are specified in /etc/nsswitch.conf, "sudo -v" will now require that all entries in both sources have NOPASSWD (file) or !authenticate (ldap) in the entries.
* CHANGE: Sudo now ignores SIGPIPE until the command is executed. Previously, SIGPIPE was only ignored in a few select places.
* CHANGE: Unix groups are now set before the plugin session initialization code is run. This makes it possible to use dynamic groups with the Linux-PAM pam_group module.
* CHANGE: When preserving variables from the invoking user's environment, if there are duplicates sudo now only keeps the first instance.
* CHANGE: When editing files with sudoedit, symbolic links will no longer be followed by default. The old behavior can be restored by enabling the sudoedit_follow option in sudoers or on a per-command basis with the FOLLOW and NOFOLLOW tags.
* CHANGE: Individual records are now locked in the time stamp file instead of the entire file. This allows sudo to avoid prompting for a password multiple times on the same terminal when used in a pipeline. In other words, "sudo cat foo | sudo grep bar" now only prompts for the password once. Previously, both sudo processes would prompt for a password, often making it impossible to enter.
* CHANGE: Previously, when env_reset was enabled (the default) and the -s option was not used, the SHELL environment variable was set to the shell of the invoking user. Now, when env_reset is enabled and the -s option is not used, SHELL is set based on the target user.
* CHANGE: When the user runs a command as a user ID that is not present in the password database via the -u flag, the command is now run with the group ID of the invoking user instead of group ID 0.
* CHANGE: The sudo timestamp directory is now created at boot time on platforms that use systemd.
* CHANGE: The editor invoked by sudoedit once again uses an unmodified copy of the user's environment as per the documentation. This was inadvertently changed in sudo 1.8.0.
* CHANGE: The mail_always sudoers option no longer sends mail for "sudo -l" or "sudo -v" unless the user is unable to authenticate themselves.
* CHANGE: When listing a user's privileges (sudo -l), the sudoers plugin will now prompt for the user's password even if the targetpw, rootpw or runaspw options are set.
* CHANGE: The sudoers plugin uses a new format for its time stamp files. Each user now has a single file which may contain multiple records when per-tty time stamps are in use (the default). The time stamps use a monotonic timer where available and are once again located in a directory under /var/run. In RHEL we change this default directory by a configure option --with-rundir="/var/db/sudo". The lecture status is now stored separately from the time stamps in a different directory: /var/db/sudo/lectured, /var/lib/sudo/lectured or /var/adm/sudo/lectured depending on what is present on the system.
* CHANGE: sudo's -K option will now remove all of the user's time stamps, not just the time stamp for the current terminal. The -k option can be used to only disable time stamps for the current terminal.
* CHANGE: LDAP-based sudoers now uses a default search filter of (objectClass=sudoRole) for more efficient queries. It is possible to disable the default search filter by specifying SUDOERS_SEARCH_FILTER in ldap.conf but omitting a value.
* ENHANCEMENT: Support negated sudoHost entries.
* ENHANCEMENT: Warnings from visudo about a cycle in an Alias entry now include the file and line number of the problem.
* ENHANCEMENT: If the file system holding the sudo log file is full, allow the command to run unless the new ignore_logfile_errors Defaults option is disabled.
* ENHANCEMENT: Sudo will now only resolve a user's group IDs to group names when sudoers includes group-based permissions. Group lookups can be expensive on some systems where the group database is not local.
* ENHANCEMENT: Make the behavior when we cannot write to a log or audit file configurable. File log failures are ignored by default for consistency with syslog. Audit errors are ignored by default to allow the admin to fix the issue. I/O log file errors are still fatal by default since if I/O logging is activated it is usually to have an audit trail.
* ENHANCEMENT: Add the match_group_by_gid Defaults option to allow sites with slow group lookups and a small number of groups in sudoers to match groups by group ID instead of by group name.
* ENHANCEMENT: Make the I/O log file/dir permissions and owner configurable via the "iolog_mode", "iolog_user" and "iolog_group" sudoers Defaults variables.
* ENHANCEMENT: Sudoreplay can now display the stdin and ttyin streams when they are explicitly added to the filter list.
* ENHANCEMENT: New "syslog_maxlen" Defaults option to control the maximum size of syslog messages generated by sudo.
* ENHANCEMENT: In the LDAP and sssd backends, white space is now ignored between an operator (!, +, +=, -=) when parsing a sudoOption.
* ENHANCEMENT: The netgroup_tuple Defaults option has been added to enable matching of the entire netgroup tuple, not just the host or user portion. When matching host, short-circuit the loop when we get a match. Only check username as part of the netgroup when netgroup_tuple is enabled.
* ENHANCEMENT: If some, but not all, of the LOGNAME, USER or USERNAME environment variables have been preserved from the invoking user's environment, sudo will now use the preserved value to set the remaining variables instead of using the runas user. This ensures that if, for example, only LOGNAME is present in the env_keep list, sudo will not set USER and USERNAME to the runas user.
* ENHANCEMENT: When the command sudo is running dies due to a signal, sudo will now send itself that same signal with the default signal handler installed instead of exiting. The bash shell appears to ignore some signals, e.g. SIGINT, unless the command being run is killed by that signal. This makes the behavior of commands run under sudo the same as without sudo when bash is the shell.
* ENHANCEMENT: Added the sudoedit_checkdir Defaults option to prevent sudoedit from editing files located in a directory that is writable by the invoking user.
* ENHANCEMENT: The /usr/lib/tmpfiles.d/sudo.conf file is now installed as part of "make install" when systemd is in use.
* ENHANCEMENT: Double-quoted values in an LDAP sudoOption are now supported for consistency with file-based sudoers.
* ENHANCEMENT: The new mail_all_cmnds sudoers flag will send mail when a user runs a command (or tries to). The behavior of the mail_always flag has been restored to always send mail when sudo is run.
* ENHANCEMENT: New "MAIL" and "NOMAIL" command tags have been added to toggle mail sending behavior on a per-command (or Cmnd_Alias) basis.
* ENHANCEMENT: Visudo will now use the optional sudoers_file, sudoers_mode, sudoers_uid and sudoers_gid arguments if specified on the sudoers.so Plugin line in the sudo.conf file.
* ENHANCEMENT: LDAP-based sudoers can now query an LDAP server for a user's netgroups directly. This is often much faster than fetching every sudoRole object containing a sudoUser that begins with a '+' prefix and checking whether the user is a member of any of the returned netgroups.
* ENHANCEMENT: The passwords in ldap.conf and ldap.secret may now be encoded in base64.
* ENHANCEMENT: It is now possible to disable network interface probing in sudo.conf by changing the value of the probe_interfaces setting.
* ENHANCEMENT: The new "use_netgroups" sudoers option can be used to explicitly enable or disable netgroups support. For LDAP-based sudoers, netgroup support requires an expensive substring match on the server. If netgroups are not needed, this option can be disabled to reduce the load on the LDAP server.
* ENHANCEMENT: Visudo can now export a sudoers file in JSON format using the new -x flag.
* ENHANCEMENT: New "pam_service" and "pam_login_service" sudoers options that can be used to specify the PAM service name to use.
* ENHANCEMENT: The "closefrom_override" sudoers option may now be used in a command-specified Defaults entry.
* ENHANCEMENT: A new "exec_background" sudoers option can be used to initially run the command without read access to the terminal when running a command in a pseudo-tty. If the command tries to read from the terminal it will be stopped by the kernel (via SIGTTIN or SIGTTOU) and sudo will immediately restart it as the foreground process (if possible). This allows sudo to only pass terminal input to the program if the program actually is expecting it. Unfortunately, a few poorly-behaved programs (like "su" on most Linux systems) do not handle SIGTTIN and SIGTTOU properly.
* ENHANCEMENT: A new sudoers option "maxseq" can be used to limit the number of I/O log entries that are stored.
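The sudoedit, logging, mail and group-lookup options introduced by this rebase, wired together into one sudoers drop-in as an added example (it is not part of this bug record or of the sudo project); the user names, command paths, I/O log directory and mail address are constructed:

```sudoers
# /etc/sudoers.d/hardening  (constructed example for sudo 1.8.19p2 on RHEL 7)

# sudoedit: make the new no-follow default explicit, and refuse to edit a
# file that lives in a directory the invoking user can write to.
Defaults        !sudoedit_follow
Defaults        sudoedit_checkdir

# Logging: a full file system must not let a command run unlogged, I/O
# logs are created with a restrictive mode and owner (new iolog_* options),
# and the number of stored I/O log entries is capped with maxseq.
Defaults        !ignore_logfile_errors
Defaults        log_output
Defaults        iolog_dir=/var/log/sudo-io
Defaults        iolog_mode=0600, iolog_user=root, iolog_group=root
Defaults        maxseq=100000
Defaults        syslog_maxlen=2048

# Mail: notify on every command run (or attempted), not only on failures.
# The address is a constructed placeholder.
Defaults        mail_all_cmnds
Defaults        mailto="secops@example.com"

# Groups: match by gid where the group database is remote and slow, and
# turn off netgroups so LDAP is not asked for the expensive substring match.
Defaults        match_group_by_gid
Defaults        !use_netgroups

# PAM service name used for the sudo conversation.
Defaults        pam_service=sudo

Cmnd_Alias      EDIT_APP_CONF = sudoedit /etc/exampleapp/app.conf
Cmnd_Alias      SVC_STATUS    = /usr/bin/systemctl status *

# alice may edit the application config; NOFOLLOW pins the no-symlink
# behaviour to this rule even if sudoedit_follow is enabled elsewhere.
alice   ALL = (root) NOFOLLOW: EDIT_APP_CONF

# bob's read-only status checks are frequent, so suppress mail for them only.
bob     ALL = (root) NOMAIL: SVC_STATUS
```

Check the file with `visudo -cf /etc/sudoers.d/hardening` before installing it with mode 0440, since a syntax error in a drop-in locks everyone out of sudo.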
Clone Of:
Environment:
Last Closed: 2017-08-01 17:03:40 UTC
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHBA-2017:2017
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: sudo bug fix and enhancement update
Last Updated: 2017-08-01 18:02:36 UTC

Description Daniel Kopeček 2016-07-27 10:48:59 UTC
Rebase sudo to latest stable upstream version:

sudo 1.8.17p1
https://www.sudo.ws/stable.html

Comment 24 errata-xmlrpc 2017-08-01 17:03:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2017

