summaryrefslogtreecommitdiff
path: root/usr.bin/sudo/CHANGES
blob: d4d5ab765d5bd1615d65083ce7c2ae054c5bff42 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
CHANGES since sudo 1.2

01) sudo now works under hpux, aix, sunos, bsd43, ultrix, linux, osf and irix.

02) Files w/o the executable bit will be ignored if they are in your PATH.

03) If execv() fails, perror is called (which prints out an error based on
	errno) and sudo exits with -1.

04) Included in this shar should also be a version of getpass() derived from
	the bsd net-2 source which works on bsd, ultrix, hpux, aix, and irix
	at least.  The latter three unixes have what i consider to be a broken
	getpass() in that if /dev/tty can't be opened it doesn't just use stdin
	like bsd getpass().  This means you cannot do: rsh host "sudo command"
	and have it work if your ticket has expired.

05) The Makefile has changed significantly.  It now has defines for all
	supported architectures.

06) Changed MAXCOMMANDLENGTH from 48 bytes to MAXPATHLEN and included
	sys/param.h where appropriate.

07) Rewrote the code that expands links & paths.  It now works correctly.
	(rewrote find_path.c)

08) Added a define NEED_STRDUP so we don't conflict with the system's strdup(3)

09) Now does *not* pass LD_* environmental vars on to programs that get
	exec'd.  Also removes SHLIB_PATH for hpux and _RLD_* for dec osf.

10) Now searches current dir last if '.' or '' are in PATH.  Misses braindeath
    like './' but if that's in your path you deserve all the trojans you get.

11) Added in linux patches from drew + flex support.

12) Added insults back in from original sudo(8) (define USE_INSULTS).

13) visudo now uses EDITOR envar (from John_Rouillard@dl5000.bc.edu)

14) you can now specify a dir containing commands that a sudoer can do.
    (from John_Rouillard@dl5000.bc.edu)

15) Ported to Solaris 2.x (based on a port of sudo 1.1 done by UnixOps).

16) Took out setuid(0); setruid(uid); pairs that bracketed calls to
    update_timestamp() since they are unnecessary and setruid() is
    broken on systems without a setreuid(2) or setresuid(2) system call.
    (Ie: AIX and Solaris 2.x).

17) The bulk of sudo now runs with the caller's real uid.  Grep for
    be_root() to find the exceptions.

CHANGES from sudo 1.3

18) Added SECURE_PATH as suggested by russells@ccu1.auckland.ac.nz.

19) Reworked clean_envp() to modify environ (not envp) so we can use
    execvp() safely.

20) Now use execvp() instead of execve() so sudo /bin/kill works under
    broken solaris.  This also fixed sudo /etc/fastboot under stock
    4.3 BSD.  Basically, this means that any executable shell script that
    lacks a '#!/bin/sh' magic number will now work with sudo.  Personally
    I think that the broken scripts should be fixed rather than changing
    sudo, but vendors will be broken.  Sigh.

21) Added USE_EXECV define so you can make sudo use execv() if you
    want.  Using execvp() shouldn't be a problem since it is always
    handed a non-relative path that begins with '/' but some people
    may not trust execvp().

22) Log file lines will no longer get truncated.  Syslog entries that
    would overrun the syslog(3) line limit are continued on another entry.

23) When logging to a log file, long entries are indented to improve
    readability.

24) Whenever the umask is changed, it is changed back to what it was
    before.

25) Log file is written as mode 600 instead of 644

26) Umask that sudo runs with may now be specified.

27) There is now a "configure" script.

28) Sudo will use ultra fast crypt (ufc) if it finds it for systems w/o
    a real crypt(3) (non-US ConvexOS/Secure for instance).

29) _BSD_COMPAT is now defined for Irix.

30) The global variable uid is now initialized to -2 because I'm paranoid.

31) Native Solaris 2 port from Matthew.Stier@aisg.com

32) Now use sysconf(2) instead of getdtablesize(2) if it is available
    (see change #31).  Because of the the getdtablesize() emulation for
    hpux is no longer necessary.

33) Now only do a getcwd(3) or getwd(3) once and do it as the real user.
    Sudo should no longer complain that it can't get the cwd unless
    there is a real problem.

34) Changed some malloc'd globals of fixed length to be allocated from
    the stack instead as there was no win in allocating them from the
    heap.

35) Fixed AIX STATIC_FLAGS as per the AIX faq.

36) Added -V flag to sudo and visudo (for version)

37) Now treat EACCESS like EPERM when doing stat(2) in find_path.c

38) Added prototypes for sudo functions (via __P macro)

39) configure now uses uname(1) if it exists

40) gethostbyname(3) is now only called if you define FQDN.  There's really
    no reason to not trust gethostname(2) and this way if name service is
    hosed sudo isn't...

41) added -v (validate) flag to sudo to update a timestamp w/o running
    a command

42) now use tgetpass() (getpass with a timeout)

43) find_path() now uses realpath(3)

44) wrote versions of realpath(3) and getcwd(3) for those without

45) wrote tgetpass()--a getpass() that times out via select(2)

46) sudo now uses posix signals if available

47) Finally added ConvexOS C2 security support from
    "Peter A. Nikitser, Systems Software Support, QUT" <P.NIKITSER@qut.edu.au>

48) You can now #undef MAILER if you don't run sendmail or the equivalent.

49) AFS support from adamh@austin.ibm.com

50) If you define BOTH_LOGS in sudo.h you can log both via syslog(3) *ans*
    to a log file.

51) Added ultrix /etc/auth (enhanced security) support.

52) Sudo now will work with a 4.2BSD syslog (SunOS < 4 && ultrix).
    Personally, I'd say you are better off logging to a file if
    your syslog is this ancient.

53) Changed realpath(3) to sudo_realpath() since we need to do the
    chdir(2) with the invoking uid.  sudo_realpath() should be
    faster than vendor-supplied realpath(3)'s anyway...

54) No longer create a static binary on AIX since it reportedly
    causes problem on newer versions on AIX 3.x.

55) If sudo_realpath cannot chdir() back to cwd sudo will print
    and error and exit.  Previously it would either fail silently
    or print an incorrect error message.

56) Moved code to send error mail to be after the log message.
    From rouilj@cs.umb.edu.

57) Added SUDO_USER and SUDO_UID envars.  Suggested by John P. Rouillard
   (<rouilj@cs.umb.edu).

58) Added -k and -h options and rearranged some of the code to be
    more modular and less braindamaged.  This introduces the concept
    of "run modes" to sudo.

59) Fixed visudo and flex.  visudo now calls yyrestart() if you are using
    flex instead of lex.  From bostley@cs.colorado.edu.

60) Added a "cat page" for systems w/o nroff.

61) Fixed a bug whereby only the last directory specified in a Cmnd_Alias
    was checked.  Reported by "James R. Hendrick" <hendrick@ctron.com>.

62) All .{c,lex,yacc} files now include both sys/types.h and unistd.h so
    we are sure to get the typedef of uid_t.

CHANGES from sudo 1.3.1

63) Added preliminary support for DEC OSF/1 protected passwords
    (shadow passwords).

CHANGES from sudo 1.3.1pl1

64) More support for DEC OSF/1 protected passwords (shadow passwords).

CHANGES from sudo 1.3.1pl2

65) Fixed mail logging to include the username as it should have.

66) Added hostname to log message in error mail.

67) Added -l flag to sudo to list the allowed/forbidden commands.
    Suggested by matthew@gateway.bsis.com (Matthew Stier)

68) Fixed bison warnings for parse.yacc and visudo.yacc.
    Pointed out by alfie@dcs.warwick.ac.uk (Nick Holloway).

CHANGES from sudo 1.3.1pl3

69) Sudo will now exit with an error if the command to be run is > MAXPATHLEN.

70) Test in configure for termios support was insufficient.  It thought
    Nextstep 3.2 had termios just because it as termios.h (need to link
    with -posix for termios on NeXT's)

CHANGES from sudo 1.3.1pl4

71) First stab at Skey support.

72) Sudo now sets IFS to be SPACE, TAB, NEWLINE.

73) Sudo now sets the real and effective gid to root's group
    (based on passwd file).

74) Sudo now checks that the sudoers file is owned by a certain user
    and not readable or writable by anyone else.
    (based on a suggestion by Joerg Schumacher <schuma@ips.cs.tu-bs.de>)

75) Visudo now sets the owner on the new sudoers file based on #74

76) Sudo and visudo will now compile with byacc (Berkeley yacc).

77) If the rename(2) of stmp -> sudoers fails /bin/mv is executed before
    bailing.  Based on code from Case Larsen <clarsen@mh1.lbl.gov>.

78) User-level configuration is now done in options.h.

79) Moved all compatibility #defines to compat.h

80) Incorporated new parsing code from Chris Jepeway <jepeway@cs.utk.edu>.
    This is much better than the previous parser.

81) Rewrote visudo.c and tickled parse.yacc to work with it.  Visudo
    now gives you options if a parse error occurs rather than blindly
    dumping you back in the editor.

82) Took out all references to realpath since we are now checking based
    in inode and device (with Chris' new parser).  The upshot of this
    is that path matches are done safely and the symlink problem has
    gone away.

83) Fixed bison warnings from new parse.yacc.

84) Added a default case to parse.lex to error on unmatched tokens as Chris
    suggested.

85) Converted configure.in and acsite.m4 to autoconf 2.1.

86) Added lsearch.c and search.h for os's w/o lsearch()/lfind().

87) Sudo now checks to see that the file it is executing is a regular file
    (was just checking the execute bit so dirs slipped through).
    Pointed out by Barb Dijker <barb@labyrinth.com>.

88) Fixed a problem on HP-UX trusted systems with getpwuid() returning "*"
    unless the real uid is 0.  Reported by Brian Cunnie (cunnie@nyc.hp.com).

89) configure now checks for size_t and ssize_t in unistd.h as well
    as sys/types.h.

90) configure now checks for egrep before actually using it.

91) configure now checks for a working void implementation (ie: void * as
    a generic pointer) and sets VOID to void or char accordingly.

92) Added support for SunOS 4.x C2 security (shadow passwords) from
    Kendall Libby (fubar@shore.net)

93) Changed all occurrences of bzero() to memset() and bcopy() to
    memmove().

94) Fixed a bug in sudo.c.  If a user has no passwd entry sudo would
    dump core (writing to a garbage pointer).  Pointed out by
    Stephen Schaefer <sps@gateway.bsis.com>.

95) Worked around a bug in AIX's lex in parse.c.  AIX lex doesn't seem
    to handle {x,y} range notation correctly.  Bleah.

96) Sudo would not report a failed attempt if the user entered return
    at the 2nd password: prompt so someone trying to guess a password
    could just invoked sudo multiple times and try one passwd at a time.
    Reported by Jonathan Adams <jonathan@smada.com>.

97) Added User_Alias facility.

98) Rewrote most of the ip address / network support.  Now works on all
    systems sudo has currently been tested on.

99) Sudo now sets SUDO_COMMAND and SUDO_GID envariables in addition to
    SUDO_USER and SUDO_UID.

100) Added changes to configure.in for UnixWare.
     (from John Warburton <jwarb@SACBH.com.au>)

101) Merged in changes for Interactive Unix and RISCos.
     (from Andy Smith <abs@maunsell.co.uk>)

102) Added testsudoers (from Chris Jepeway <jepeway@cs.utk.edu>).

103) Added fix for parse.yacc to avoid the kludge I was doing.
     (from Chris Jepeway <jepeway@cs.utk.edu>)

104) Now remove the IFS envar if set instead of setting it to a "safe"
     value to avoid problems with make and others.

105) Added FAST_MATCH option to check basenames of sudo command and
     paths listed in sudoers file.  If the basename doesn't match
     then it is not a match.  If the basename matches, then do
     a stat to make sure it is a valid match.

106) Now only stat(2) cmnd once in path_matches() (in parse.c).  Sudo
     was stating cmnd for *every* attempted match.  Now the stat struct
     is cached (ie: the var is a static).

107) Signal handlers in visudo are now only installed after the stmp
     file is opened.  Previously, it was possible to erase an open
     stmp file by sending visudo a signal within a small window.

108) Added Goon Show insults from  Russell Street <r.street@auckland.ac.nz>.

109) Broke out the insults into separate include files (insults.h
     is the master and includes the appropriate one).

110) Now use getwd() instead of getcwd() and provide emulation for
     OS's w/o it.  This was done since some OS's with getwd()
     implement getcwd() via a pipe to pwd(1).  By emulating getwd()
     by calling getcwd() on OS's w/o getwd() we lose nothing since
     the compiler should optimize away the extra function call.

111) Added crypt() for DEC OSF/1 3.x enhanced security.
     From "Richard L Jackson Jr" <rjackson@osf1.gmu.edu>.

112) Added an option to run the command in the background (-b) as
     suggested by Jonathan Adams <jonathan@smada.com>

113) First stab at kerberos support.  I'm not really sure it is
     possible to do this in a sane manor.  Sigh.

114) Better kerberos support.  Had to use setreuid(2) but falls
     back on a kludge if that does not exist or is broken.

115) Added -p (password prompt) support.
     Suggested by "David W. Cooley" <dwcooley@COLBY.EDU>

116) Added partial implementation of -l (list) flag.
     This is probably as good as it will get until sudo:tng.

117) Added anti-spoofing code to tighten up a race condition
     where a user could run sudo some_link and then change
     where the link pointed after the old link had been
     validated but before the exec().

118) Now update timestamp file via utime() (and emulate via utimes()
     if necessary) to eliminate a small race.  Works with
     both POSIX utime() as well as old utime() in BSD <= 4.3.

119) Kerberos ticket file now lives in same dirs as sudo timestamp
     files (to avoid trouncing on normal ticket file) and is removed
     after validation.

120) Now log tty user is on as well as pwd in sudo logs.

CHANGES from sudo 1.3.2 BETA

121) Fixed a bug in the anti-spoofing check.

122) Fixed up ISC support so that it works and looks like non-streams
     stuff in interfaces.c.

123) Now deal correctly with ip implementations that has an sa_len
     field in struct sockaddr.

124) Check ownership and permissions on timestamp dir and ignore if
     not owned by root and mode 0700.  Problem pointed out by Larry Auton
     <lda@research.AT&T.com> and Navjot Singh <singh@research.AT&T.com>.

125) Ignore timestamp files with preposterous dates to keep people from
     faking out sudo on OS's that allow you to give away files to root.
     Problem pointed out by Larry Auton <lda@research.AT&T.com> and
     Navjot Singh <singh@research.AT&T.com>.

126) A timeout of 0 will now cause a password to be entered every
     time.  Based on a suggestion by Larry Auton <lda@research.AT&T.com>
     and Navjot Singh <singh@research.AT&T.com>.

CHANGES from sudo 1.3.3 BETA

127) Cleaned up interfaces.c so that it is more readable.

128) Added support for syslog()'s that don't guarantee delivery
     of a message.  HP-UX is the only known offender.

129) No longer use memmove() since memcpy() does what we need and
     configure doesn't always catch memmove() even when it is
     there (may be a library problem).

130) Updated man page to reflect two more security issues.

131) Cleaned up shadow password support in check.c.  It should now
     be readable.

132) Added SCO support.

133) Added check to configure to find the max length of a uid_t
     in characters.

134) Removed uid2str() since we now know how big a uid_t/gid_t
     can be.  This elminates a few malloc()'s.

135) Added support for multiple insult types.  Based on code and
     a suggestion from Dieter Dworkin Muller <dworkin@village.org>.

136) Replaced clean_env() and rmenv() with a rewritten clean_env()
     that should be a little faster.  This also makes it easier to
     add to the list of "dangerous" envariables.

137) Added netgroup support.  Netgroups must start with a leading
     "+" to that sudo knows it is a netgroup.

138) Split out sudoers file format into its own man page.
     As suggested by Andy Smith <abs@maunsell.co.uk>.

139) Updated testsudoers.c to grok netgroups.

CHANGES from sudo 1.3.4 BETA

140) Added SecurID support from Giles Todd <giles@gt.demon.co.uk>.

141) Added -s flag to start a root shell and -- to signify end of args.

142) Sped up logging routines by replacing strncpy()'s with strcat()'s.
     This is safe because we dyanically allocate logline to be big enough.

143) Now support command line arguments in the sudoers file.

144) Sped up the loading on command line arguments.  This fixes the
     "commands with large argc's take forever to run" bug.

145) Expanded MAXCOMMANDLEN to 8K since we now have to deal with
     command line arguments.  Added bounds checking in fill() and
     append() so we don't drop core.
     XXX - 8k makes sudo *SLOW*

146) Added support in the lexer for "termination characters" to be
     escaped.  Ie: you can now use [\,:=] in command line args
     as long as you escape with a \.

147) Testsudoers can now deal with commands that have arguments.

148) If a file is not executable or not a regular file sudo will
     now give the appropriate error message instead of just
     "command not found" which is misleading.

149) Fixed a bug where if FQDN is set, load_interfaces() was never
     called.

150) tty is now a global so it can be used in the ticket file
     at a later date.

151) Strings in the parser are now allocated dynamically.  This results
     in a large speedup as compared to a 1K array on the stack. I
     have freed the strings in the parser where appropriate but that
     may not catch all instances.  Even so, the average sudo now
     takes up less memory than the 1K array version.

152) Fixed a bug in tgetpass() and configure that broke termio/termios
     support for some OS's.

153) Added cheapo implementation of tty-based timestamps.  The correct
     way is to have username be a directory with the tty tickets
     inside.  However, the current code does not take to that very
     well, and it does not allow the two systems to coexist. Therefore,
     instead of timestampdir/user/tty it is timestampdir/user.tty.

154) Added support for building in other than the source directory.
     Based on changes from "Simon J. Gerraty" <sjg@frodo.dn.itg.telecom.com.au>

155) options.h and pathnames.h are now included via angle brackets
     (<>) so as to use the -I include path.  This way, those using
     a shadow build tree may have local copies of these headers
     w/o clobbering the distribution ones.

156) EXEMPTGROUP is now a string (group name) and user_is_exempt()
     is now less of a hack.  It uses getgrnam(EXEMPTGROUP) to
     get a list of users in the exempted group.

157) --prefix and --exe_prefix are now honored in the Makefile.

158) Sudo will now behave reasonably in the case where the sudoers
     file location is mounted via NFS and the client does not
     have "root" NFS privs.

159) _PATH_SUDO_SUDOERS, _PATH_SUDO_STMP, and SUDOERS_OWNER are
     now set via the Makefile since that appears to be what
     most people expect...

160) Now include a pre-generated version of parse.lex since so many
     versions of lex are brain damaged.  If parse.lex is changed
     a new lex.yy.c will be generated.  The distribution copy is
     sudo-lex.yy.c.

161) Upgraded to GNU autoconf version 1.5.  There are now even
     *more* options.

CHANGES from sudo 1.3.5 BETA

162) Fixed S/Key support.

163) Cleaned up shadow password support further by moving much of
     it to getspwuid.c.

164) First cut at DCE support. [needs work to be functional]

165) New Digital UNIX C2 support based on code from
     "Randy M. Hayman" <haymanr@icefog.sois.alaska.edu>

166) S/key support now works with the generic bellcore s/key
     as well as the s/key from Wietse Venema's logdaemon.
     (Previously only worked with the logdaemon s/key).
     As an added bonus the s/key challenge is now embedded
     in the password prompt for a cleaner look.

167) lsearch.c will now compile on a strict ANSI C compiler.
     ANSI doesn't allow pointer arithmetic on a "void *"
     but gcc does.

168) Bought back latest HP-UX DCE support from Jeff Earickson
     <jaearick@colby.edu>.

169) configure now comletely groks $SUDO_LIBS and $VISUDO_LIBS.
     Plain old $LIBS is no longer used.  LDFLAGS has also been
     split up into $SUDO_LDFLAGS and $VISUDO_LDFLAGS.
     The reason for this is that sudo often needs extra libs
     for alternate authentication schemes but visudo rarely does.

170) The code to copy command arguments flaied for large values of
     argc due to realloc() lossage.  We now cheat and treat argv[]
     as a flat string (since that's what it is) and use pointer
     arithmetic to compute the length.  Kind of sneaky but it
     works (and is relatively fast).

CHANGES from sudo 1.3.6 BETA

171) Added support for UN*X groups in sudoers based on code from
     Dougal Scott <dwagon@aaii.oz.au>.

172) interfaces.c should work on ISC UN*X again.

173) All source files are <= 14 characters for old SYSV file systems.

CHANGES from sudo 1.3.7 GAMMA

174) Minor configure[.in] fixes.

175) tgetpass.c now compiles on OS's that put the definition of
     fd_set in <sys/bsdtypes.h>

CHANGES from sudo 1.4

176) Command args in sudoers are now stored in an argument vector
     instead of a flat string to make wildcard matching simpler.

177) Added NewArgv and NewArgc that describe the command to be
     executed.  The copy of args in cmnd_args is no longer necessary
     and has been removed.

178) Using strcmp(3) for argument matching in command_matches()
     (was path_matches()) is no longer sufficient since we don't
     have a flat string.  compare_args() is used instead which
     calls either strcmp(3) or wildmat(3l) depending on whether
     there are shell-style meta chars (wildcards) present.

179) Shell-style wildcard matches are now available in the sudoers
     file.  Matches are done via Rich $alz's wildmat(3).
     This required the tweaks described in #176-178 as well as
     other, more minor, changes.

180) Commented out rule to build lex.yy.c from parse.lex since
     we ship with a pre-flex'd parser and can't rely on file
     dates being set correctly.

181) Fixed visudo and testsudoers to deal with new argument
     vector handling.

182) A null string ("") as shell in passwd file (or $SHELL) is
     now treated as the bourne shell.

183) Converted *.man to pod format for easy conversion to man,
     html, latex, and just plain text.  Tried to make the
     sudoers manual easier to read in the process.

184) Updated sample.sudoers and sudoers.pod to include info
     on wildcards.

CHANGES from sudo 1.4.1

185) compat.h now defines _PASSWD_LEN based on PASS_MAX if it
     is defined (from limits.h on SYSV).

186) Both short and long hostnames may now be used in the sudoers
     file if FQDN is defined.  From patches submitted by
     Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>.

187) Now use skeylookup() instead of skeychallenge().  Hopefully
     this will work around a problem some people have reported
     on Solaris 2.5 with sudo and logdaemon 5.0's skey.

188) Now uses /var/run to hold timestamp files if it exists.  This
     is more secure.

189) configure now puts the timestamp dir in /var/run if it exists.
     Sugestion by Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>.

190) Both short and long hostnames now exist even if FQDN is not set.
     This allows machines with fully qualified hostnames set via
     hostname(1) to use them in the sudoers file.

191) sudo was not honoring "." in $PATH due to a bug in find_path().

192) Added IGNORE_DOT_PATH option to ignore "." in $PATH.

193) tgetpass() now uses raw read(2) and write(2) instead of stdio.
     This should make it work on more OS's.  Previously, it used
     stdio (buffered) fgets(3) and fputs(3) with select(2) which
     may not be legal.  Also got rid of the nasty goto's and
     generally simplified the code.

194) Parser now supports hostnames like UPPERCASE.foo.com.  Previously,
     `UPPERCASE' was interpreted as an Alias.  This means that
     the `fqdn' stuff has been moved to the lexer (FQHOST is used
     to avoid collision with FQDN option).

195) Reworked --with-FOO in configure.in to support --without-FOO.
     Made shadow passwords the default for appropriate OS's.  They
     can be turned off with --without-C2.

196) Added NO_PASSWD option for those who don't want to be bothered
     by a password prompt from sudo.  This is really just a hack.

197) Added support for double quotes to mean "treat these words as one
     argument".  This is similar to what most shells do.

198) Added mkinstalldirs to make install destination dirs if
     they do not already exist.

CHANGES from sudo 1.4.2

199) Added support for --with-CC (which C compiler to use).

200) Added support for NOPASSWD token and running commands a
     specified users (sudo -u) from Keith Garry Boyce
     <garp@opustel.com>

201) Only link with -lshadow for Linux if libc lacks getspnam().  Problem
     pointed out by Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>.

202) Replaced SUDOERS_OWNER with SUDOERS_UID and SUDOERS_GID.  Added
     SUDOERS_MODE and changed the default to 0440 (from 0400).
     It is now possible to NFS-mount sudoers without doing anything fancy.

202) If a runas list is specified, a user may only run commands as
     "root" if "root" is a member of the runas list.  The old behavior
     was to always allow commands to be run as root, even if a runas
     list was specified.  Now you can give someone "sudo -u operator"
     and not have the equivalent of "sudo -u root" as well.

203) Added "USER=%s" to logging functions.

204) configure will now add -lPW to (VI)?SUDO_LIBS if using bison
     or DCE and alloca(3) is not in libc (or provided by gcc) but
     is in libPW.a.

205) sudo would give an incorrect error message if the sudoers file
     didn't exist due to close() stomping errno if the open() failed.

206) Fixed "shell" mode (sudo -s).  When building NewArgv sudo was
     not allocating space for the NULL.

207) Added support for wildcards in the pathname.  Ie: /bin/*.

208) 'command ""' in sudoers now means no args allowed.

209) Added command line args to SUDO_COMMAND envariable.

210) HP-UX 10.x with C2 now uses bigcrypt().
     Changes from david_dill@Merck.Com (David Dill).

211) lsearch.c will now compile w/o compiler warnings.
     (Updated from NetBSD lsearch.c)

212) Now uses POSIX fnmatch(3) (which uses ! instead of ^ in ranges)

CHANGES from sudo 1.4.3

213) Now allows network/netmask in sudoers to override per-interface
     netmask.

214) Fixed -u support with multiple user lists on a line.

215) Fixed a core dump problem when built with -DSHELL_IF_NO_ARGS.

216) Fixed 2 typos in parse.yacc and removed some unnecessary if's.

217) Now always use install-sh since SunOS install can't do uid/gid's.
     Other BSD installs are probably similarly afflicted.

218) Fixed NFS-mounted sudoers file under solaris both uid *and* gid
     were being set to -2.  Now set uid to 1 to avoid group being
     remapped.

219) Now includes alloca.c (from gcc) for those w/o it.  Linking
     against -lPW breaks visudo on HP-UX and probably others.

220) Added --with-libpath, --with-libraries, --with-incpath options
     to configure.

221) configure now uses shicc instead of gcc on BSD/OS >= 2.0 to
     generate binaries linked with shared libs.

222) The parser was setting no_passwd even if there wasn't a
     runas match.  I reordered some things in parse.yacc
     to fix this.

223) `sudo -v' (validate) wasn't paying attention to NOPASSWD.
     Now it does.

224) testsudoers now groks "-u user".

225) Updated AFS support based on what tcsh 6.06 does.

226) Fixed a typo/thinko that broke BSD > 4.3reno wrt interfaces.c.

227) HPUX 10.X shadow password stuff now uses SecureWare routines.

228) SecureWare passwd checking now uses bigcrypt() if available.
     Now uses AUTH_MAX_PASSWD_LENGTH if defined.

229) configure now makes sure you don't have a config.cache file
     from another OS.

230) Added better shadow password detection.
     BSD >= 4.3reno -> /etc/master.passwd
     hpux9: getspwnam() -> /.secure/etc/passwd
     hpux10: getspnam() or getprpwnam() -> /tcb/files/auth/*/* (link with -lsec)
     SVR4: getspnam() -> /etc/shadow
     solaris: getspnam() -> /etc/shadow
     irix[56].x: getspnam() -> /etc/shadow
     sunos 4.x: getpwanam() -> /etc/security/passwd.adjunct
     DUNIX: getprpwnam() -> /tcb/files/auth/*/* (link with -lsecurity)
     SecureWare: getprpwnam() -> /tcb/files/auth/*/*
     ultrix 4.x: getauthuid() -> /etc/auth.{pag,dir}

231) '(' in command args no longer are a syntax error.

232) '!command' now works in the presence of a runas or NOPASSWD token.
     Simplified parse rules wrt runas and NOPASSWD (more consistent).

233) Command args and now compared as a flat string again.  This makes
     wildcard matches more consistent.

234) DUNIX C2 support now groks AUTH_CRYPT_OLDCRYPT and AUTH_CRYPT_C1CRYPT.

235) configure now uses config.{sub,guess} to guess OS type.
     Sudo should work out of the box on more OS's now.

236) Got rid of HAVE_C2_SECURITY, now just use SHADOW_TYPE.

237) Fixed race in tgetpass() where echo can be turned off and
     left off if sudo is used in a pipeline and a password is
     required.

CHANGES from sudo 1.4.4

238) `sudo -l' output now includes runas and NOPASSWD info and
     asks for a password unless NOPASSWD for ALL is set.

239) Sudo can now deal with all-caps user and host names.

240) Sudo will now remove the "ENV" and "BASH_ENV" envariables.
     From Michael Meskes <meskes@Informatik.RWTH-Aachen.DE>.

241) `sudo -l' will now expand Cmnd_Alias's (could be prettier).

242) `sudo -s' will now set $HOME to root's homedir (or that of
     the user specified -u) so dot files get sourced.

CHANGES from sudo 1.4.5

243) $HOME was always being set, not just with `-s'.

244) In visudo, the owner and group of the sudoers file were
     being set too early; an editor could change them and change
     the owner/group of the resulting sudoers file.

CHANGES from sudo 1.5

245) Added SHELL_SETS_HOME option.

246) Added NO_MESSAGE option.

247) Added %u and %h escapes in PASSPROMPT to expand to user's name
     and host.

248) Added "SUDO_PROMPT" envariable.

249) Usernames may now begin with a digit.  Gross, but people do it.

Sudo 1.5.1 released.

250) Added `opie' support.

251) Added check to make sure fnmatch() really works.

252) Now use the prompt S/Key gives us instead of rolling our own.

253) Added -H flag from Danny Barron <dcbarro@nppd.com>.

254) Add SUDO_PS1 envariable support.

255) Attempt at sequent support.

Sudo 1.5.2 released.

256) visudo acts sanely when there is no sudoers file.

257) Added Runas_Alias support.

258) Sudo will now work with SUDOERS_MODE == 400 and SUDO_UID = 0.

259) Alias's in a runas list are now expanded.

260) Fixed bug with > 32 saved aliases.  Reported by BHH@capgroup.com.

261) Code that uses sprintf() is now more paranoid about buffer
     overflows.

262) Whitespace is now allowed after a line continuation character before
     a newline in sudoers.

263) %h in MAILSUBJECT expands to local hostname.

Sudo 1.5.3 released.

264) Don't pass getdtablesize() as first arg to select(2).  No need
     to do this since we only select on one fd--use (fd+1) as nfds
     and the old way caused problems on some systems (arguably
     a bug in those OS's).  From Marc Slemko marcs@znep.com.

265) Fixed coredump when passwd file is missing or unavailable.
     Reported by Jason Downs <downsj@teeny.org> and
     Klee Dienes <klee@mit.edu> (via a Debian Linux bug report).

266) Fixed bug wrt exclusion lists and relative pathnames.
     Reported by osiris@COURIER.CB.LUCENT.COM.

267) exit(1) if user doesn't enter a passwd.
     Noted by Alex Parchkov <alexp@ind.tansu.com.au>.

Sudo 1.5.4 released.

268) Newer versions of Irix use _RLDN32_* envariables for 32-bit binaries
     so ignore _RLD* instead of _RLD_*.  From tarrall@bamboo.Colorado.EDU.

269) Only open sudoers file once as opposed to once for sanity checks and
     once for the parser.  Also try to open ten times if we get EAGAIN.

Sudo 1.5.5 released.

270) Initialize group vector if we are becoming a user other than root.
     For root, it is often more useful to hang on to our existing group
     vector.

271) Fix usage of select(2) to deal correctly with a high-numbered fd.

272) Fixed a bug where sudo sometime didn't give the user a chance to
     enter a password at the prompt.

273) Use a dynamically sized buffer when reading ether interfaces.

274) Fixed configure problems with identification of HP-UX > 10.x and
     with cc being identified as a cross compiler on some platforms.

275) Fixed a problem with HP-UX 10.x and alloca.  Bison does not
     include alloca.h on HP-UX 10.x even though it uses alloca()
     (and thus needs the #define of alloca(x) to __builtin_alloca(x)).
     To fix this we include alloca.h ourselves if using bison and not gcc.

276) Included support for the AIX 4.x authenticate() function from
     Matt Richards <v2matt@btv.ibm.com>.

277) Fixed an off by one error in the parser.  Found by
     Piete Brooks <Piete.Brooks@cl.cam.ac.uk>

278) Change NewArgv size computation to work on UNICOS.
     From Mike Kienenberger <mkienenb@arsc.edu>

279) Added --with-logfile and --with-timedir configure options.

280) Use getcwd(3), not getwd(3) to avoid possible buffer overflow.
     Use BSD getcwd(3) if system lacks one or is SunOS 4.x.

281) Fix 'fprintf' argument mismatches in 'visudo.c'.
     From ariel@oz.engr.sgi.com (Ariel Faigon)

282) Use waitpid or wait3 to reap children in logging.c.
     Pointed out by Theo de Raadt <deraadt@theos.com>

283) Sudo should prompt for a password before telling the user that
     a command could not be found.  Noted by rhodie@NAC.NET.

284) Fix OTP_ONLY for opie; "Deven T. Corzine" <deven@fuse.net>.

285) Include pre-yacc'd parse.yacc as sudo.tab.[ch] since more and
     more vendors are charging for yacc (bad vendor, no cookie).

286) Use MAX*, not MAX*+1

287) Add support for Hitachi SR2201, from b-edgington@hpcc.hitachi-eu.co.uk

288) Added RUNAS_DEFAULT option to allow one to compile sudo with a
     default runas user other than root.

289) Add options to log the hostname in the file-based log and to not
     do word wrap in file-based log.  From Theo Van Dinter <tvd@chrysalis.com>

290) RedHat Linux pam support, from Gary Calvin <GCalvin@kenwoodusa.com>.
     pam.sudo goes in /etc/pam.d/sudo on RedHat 5.0 and above.

291) With sudo -s, set command the full path of the shell, not the basename.
     Noted by Peter W. Osel <pwo@guug.de>

Sudo 1.5.6 released.

292) Pam auth now runs as root; necessary for shadow passwords.

293) Shadow password support is now compiled in by default.  You can disable
     it via --disable-shadow.

294) We now remove a timestamp file with a bogus date when it is detected.
     From Steve Fobes <sfobes@uswest.com>.

295) In tgetpass(), restart select if it is interrupted.  This really fixes a
     problem where a user sometimes is not given a change to enter a password.

296) All options have moved from options.h -> configure.

297) visudo is now installed in /usr/local/sbin where it belongs.

298) Lots of configure changes.  Instead of checking for the existence
     of -lsocket, -lnsl, or -linet, we instead check them for the
     functions we need only if they are not already in libc.

299) Added DUNIX SIA (Security Integration Architecture) support from
     Spider Boardman <spider@Orb.Nashua.NH.US>.

300) Added test for broken Digital UNIX 4.0 prot.h.

301) Better support for C2 security on Digital UNIX.

302) Hacked autoconf so that you have have single quotes in
     --with-passprompt.

303) For SecureWare-style shadow passwords use getprpwnam() instead
     of getprpwuid() since getprpwuid is broken in HP-UX 10.20 at
     least (it sleeps for 2 minutes if the shadow files don't exist).

304) We can't really trust UID_MAX or MAXUID since they may only exist for
     backwards compatibility; spider-both@Orb.Nashua.NH.US

305) Make %groups work as RunAs specifiers; Ray Bellis <rpb@community.net.uk>.

306) Set USER environment variable to target user.
     Suggested by Ray Bellis <rpb@community.net.uk>.

307) Go back to printing "command not found" unless --disable-path-info
     specified.  Also, tell user when we ignore '.' in their path and it
     would have been used but for --with-ignore-dot.

308) When using tty tickets make it user:tty not user.tty as a username
     could have a '.' in it.

309) Define BSD_COMP for svr4 to get BSD ioctl defs.  Also, if we have
     sys/sockio.h but SIOCGIFCONF is not defined by including sys/ioctl.h
     include sys/sockio.h directly.

310) Fixed a bug that could cause "sudo -l" to segfault or complain
     about non-existent syntax errors.

Sudo 1.5.7 released.

311) Fixed square bracket quoting in configure and moved check for -lnsl
     to be before -lsocket.

312) In load_interfaces(), close sock after bwe are done with it.  Leak
     noticed by Mike Kienenberger <mkienenb@arsc.edu>.

313) Missing pieces from change #308; from Mike Kienenberger.

314) Real Kerberos 5 support from Frank Cusack <fcusack@iconnet.net>.

315) FWTK 'authsrv' support from Kevin Kadow <kadow@MSG.NET>.

316) Fixed handling and documentation of -with-umask.

317) If the check for socket() or inet_addr() fails, retry, this time
     linking with both -lsocket and -lnsl for those systems that
     have interlibrary dependencies.

Sudo 1.5.8 released.

318) Add dirfd() macro for systems without it.

319) Better check for socket() in -lsocket -lnsl in configure.

320) Minor configure fixes.

Sudo 1.5.8p1 released.

321) Fixed a bug wrt quoting characters in command args.

322) Make --without-sendmail work.

Sudo 1.5.8p2 released.

323) Fixed a segv if HOST_IN_LOG defined and gethostbyname() fails.
     Reported by Gero Treuner <gero@faveve.uni-stuttgart.de>.

324) Fixed a parse bug wrt the ! operator and runas specs.  Noted by
     David A Beck <BKD@payserv.telekurs.com>.

325) Use new emalloc/erealloc/estrdup functions (catch errors and exit).

326) New PAM code that should work on both Solaris and Linux.

327) Make sudo's usage info better when mutually exclusive args are given
     and don't rely on argument order to detect this.  From Nick Andrew.

328) In visudo, shift return value of system() by 8 to get the real exit value.

Sudo 1.5.9 released.

329) The runas user and NOPASSWD tags are now persistent across entries
     in a command list (ie: cmnd1,cmnd2,cmnd3).  A PASSWD tag has been
     added to reverse NOPASSWD.  The runas user and *PASSWD tags can be
     overridden on a per-command basis at which point they become the
     new default for the rest of the list.

330) It is now possible to use the '!' operator in a runas list as
     well as in a Cmnd_Alias, Host_Alias and User_Alias.

331) In estrdup(), do the malloc ourselves so we don't need to rely on the
     system strdup(3) which may or may not exist.  There is now no need to
     provide strdup() for those w/o it.

332) You can now specify a host list instead of just a host or alias
     in a privilege list.  Ie: user=host1,host2,ALIAS,!host3 /bin/ls

333) Stash the "safe" path to the command instead of stashing the struct
     stat.  Should be safer.

334) Now set $LOGNAME in addition to $USER.

335) No longer use stdio in tgetpass()

336) Don't use _PASSWD_LEN or PASS_MAX as we can't rely on them corresponding
     to anything real.  Instead, we just use a max password size of 256
     everywhere.

337) Block keyboard-generated signals during startup and restore signal
     mask before exec'ing the program.  We don't want the user to be
     able to simply kill us and avoid logging.

338) Rewrote timestamp handling.  For the default case, a directory is used
     instead of a file.  For the tty-based case, the timestamp is just a
     file in that directory (eg. /var/run/sudo/username/tty).  You now only
     get the lecture once, even in the tty case.  The goal here is to allow
     the tty and non-tty schemes to coexist, though it is worth noting that
     when you update a tty file, the mtime of the dir gets updated too.

339) The meaning of -k has changed to mean "invalidate the timestamp".
     There is a new -K option to really remove the timestamp file/dir.

340) New modular authentication API.  This fixes the rat's nest of
     #ifdefs that was the old auth code.

341) New logging functions.  log_error() now takes a variable number of
     args ala printf() and log_auth() reacts to the return value of validate().

342) If a user is not in the sudoers file they are still asked for a password.
     This keeps someone who finds a user logged in to a terminal from being
     able to tell whether or not the user is allowed to use sudo.

343) New PAM code again, this time it should be correct.

344) tgetpass() now has a flag to specify whether or not to turn
     off echo while reading the password.  Used by the new PAM and
     fwtk code.

345) Fixed shadow password dectection on SCO.

346) Sudo is now available under a BSD/Apache style license.  This is
     possible because it no longer contains any of the original 1.1 code.

347) Added configuration info when sudo is run with the -V flag by root.

348) Change visudo tmp file from /etc/stmp -> /etc/sudoers.tmp since
     Solaris uses stmp for shadow temp file.  Also rename _PATH_SUDO_SUDOERS
     to _PATH_SUDOERS and _PATH_SUDO_STMP to _PATH_SUDOERS_TMP.

349) Added configure option to set syslog priorities.

350) Sudo now locks its log file to prevent mangled entries.

351) Visudo now locks the sudoers temp file instead of bailing when
     the temp file already exists.  This fixes the problem of stale
     temp files but it does *require* that you not try to put the
     temp file in a world-writable directory.  This shoud not be
     an issue as the temp file should live in the same dir as sudoers.

352) Fixed crypt() check in libufc.

353) It is now possible to put a list of users as the first thing in a
     user specification.  I don't suggest this but it makes the grammar
     more uniform.

354) Visudo will now warn about what it thinks are undefined aliases.
     Since it can't be 100% sure these are just warnings, not errors.

355) Add a --without-passwd option to configure that turns off
     passwd/shadow file authentication.  Only usable with an alternate
     authentication scheme.

356) Add a --disable-authentication option to configure that causes sudo
     to not require authentication by default.  The PASSWD tag can be
     used to require authentication for an entry.

357) Add a --with-devel option to add -Wall and uncomment yacc/lex
     generation in Makefile.

358) Zero out plaintext password after use (should do encrypted as well).

359) Added real dependencies in Makefile.

360) Deprecated --with-otp-only in favor of --without-passwd.

361) Add --with-mail-if-no-host to send mail if a user tries to run sudo on
     a host for which he/she is not authorized.

362) Most of sudo now runs as root instead of the invoking user to
     minimize the possibility of user control via signals or tracing.

363) Now Support CIDR-style netmasks (ie: 128.138.0.0/16).

364) In "sudo -l" mode, the type of the stored (expanded) alias was not
     stored with the contents.  This could lead to incorrect output
     if the sudoers file had different alias types with the same name.
     Normal parsing (ie: not in '-l' mode) is unaffected.

365) Now include strcasecmp() for those without it.

366) Most compile-time options are now changable at runtime via
     the 'Defaults' specification in the sudoers file.

367) Added a -L flag to printout all the possible 'Defaults' parameters.

368) It is now possible to escape "special" characters in usernames, hostnames,
     etc with a backslash.

369) Sudo will now accept a hostname/username/netgroupname that contains
     almost any character in it.  It seems many people want to use '.'
     and other non-alphanumerics in usernames.

370) Fixed the root_sudo option.  Sudo was always complaining that root
     was not allowed to run sudo if the root_sudo flag was turned off.

371) tgetpass() now uses a function to read up until the end of line.
     Fixes problems in a pipeline when a program sets the tty mode
     to be character at a time.

372) sudo now turns off core dumps via setrlimit (probably paranoia).

Sudo 1.6 released.

373) Better diagnostics on PAM failure.

374) Killed shell_noargs option, it cannot work since the command needs to
     be set before sudoers is parsed.

375) Fixed the following Defaults options: set_home, fqdn, syslog, tty_tickets,
     ticket_dir, insults.

376) When using select() in tgetpass(), do a separate select before
     each read to be sure we can timeout correctly.

377) SecurID support compiles and works again.

378) Fixed a bug parsing runas modifiers.  If a user spec contained multiple
     runas specs, the latter ones may not be applied.

379) #uid now works in a RunasAlias

380) Don't ask the user for a password if the user is not allowed to run
     the command and the authenticate flag (in sudoers) is false.

381) Added configure check for initgroups(3).

382) Use our own fnmatch() if there is no fnmatch.h, even if there is an
     fnmatch() in libc.

Sudo 1.6.1 released.

383) Better behavior for -l and -v flags in conjunction with NOPASSWD and
     added "verifypw" and "listpw" options.

384) For HP-UX with cc, add the -Aa flag along with -D_HPUX_SOURCE.

385) Fix compilation with K&R compilers.

386) For netgroup host matching, match against the short version of the
     hostname as well as the long one if they are different.

387) Terminate passwd reading on '\r' in addition to '\n'

388) Visudo used to loop endlessly if a user entered ^D at the whatnow
     prompt.  EOF is now treaded as 'x' (exit w/o saving changes).

389) The 'shell_noargs' runtime option is back based on a patch from
     bguillory@email.com.

390) Systems that return RLIM_INFINITY for RLIMIT_NOFILE (like AIX)
     would loop for a very loing time during sudo startup.  A value of
     RLIM_INFINITY is now ignored (getdtablesize/sysconf is used instead).

391) Locking in visudo was broken.  We now lock the sudoers file, not the
     sudoers temp file, which should be safe.

392) PAM fixups: custom prompts now work correctly and errors are
     dealt with more sanely.  Patches from Cloyce D. Spradling.

Sudo 1.6.2 released.

393) Users in the 'exempt' group shouldn't get their $PATH overridden
     by 'secure-path'.  Patch from jmknoble@pobox.com.

394) Pam now works on HP-UX 11.0, thanks to Jeff A. Earickson.

395) Fixed a bug that caused an infinite loop when the password
     timeout was disabled.

396) It is now possible to set the path to the editor for visudo as well
     as the flag that determines whether or not visudo will look at
     $EDITOR in the sudoers file.

397) configure now pulls in the values of LIBS, LDFLAGS, CPPFLAGS, etc
     as the documentation says it ought to.

398) Added rootpw, runaspw, and targetpw to prompt for the root, runas_default
     and target user's passwords respectively (instead of the invoking user's
     password).

399) Added -S flag to force password read from stdin.

400) Restore coredumpsize resource limit before exec'ing the child
     process (sudo sets it to 0 internally).

401) Truncate unencrypted password to 8 chars if encrypted password is exactly
     13 characters (indicateing standard a DES password).  Many versions
     of crypt() do this for you, but not all (like HP-UX's).

402) Fixed a typo/thinko that broke secureware support for long passwords.

403) Added a new command line switch '-c' to support BSD login classes.
     The '-c' option can be used to sudo a command with specific resource
     limits in the login.conf database.  This feature is optionally enabled
     via the --with-logincap configure switch.  Based on a patch from
     Michael D. Marchionna.

404) Fixed a bug where sudo would hang around and consume CPU if we spawn
     a long-running process.

405) Deal with HP-UX password aging info tacked on to the end of the
     encrypted password.

406) Added set_logname run-time option.  When unset, sudo will not set
     the USER and LOGNAME environment variables.

407) Wildcards are now allowed in the hostnames specified in sudoers.
     The 'fqdn' option is often required for this to be useful.

408) Fixed a bug where host and user qualifiers in a Defaults entry were
     not being used correctly and the entry was being applied globally.

Sudo 1.6.3 released.

409) Fixed targetpw, rootpw, and runaspw options when used with non-passwd
     authentication (pam, etc).

Sudo 1.6.3p1 released.

410) When the targetpw flag is set, use the target username as part
     of the timestamp path.

Sudo 1.6.3p2 released.

411) Fixed a bug that prevented the -H option from being useful.

Sudo 1.6.3p3 released.

412) Fixed a case where a string was used after it had been freed.

Sudo 1.6.3p4 released.

413) Fixed listpw and verifypw sudoers options.

414) Do not write NUL when writing passwd prompt; hag@linnaean.org.

Sudo 1.6.3p5 released.

415) Fix word splitting bug that caused a segv for very long command line args.

Sudo 1.6.3p6 released.

416) Fix negation of path-type Defaults entries in a boolean context.

Sudo 1.6.3p7 released.

417) Visudo now checks for the existence of an editor and gives a sensible
     error if it does not exist.

418) The path to the editor for visudo is now a colon-separated list of
     allowable editors.  If the user has $EDITOR set and it matches
     one of the allowed editors that editor will be used.  If not,
     the first editor that actually exists is used.

419) Visudo now does its own fork/exec instead of calling system(3).

420) Allow special characters (including '#') to be embedded in pathnames
     if quoted by a '\\'.  The quoted chars will be dealt with by fnmatch().
     Unfortunately, 'sudo -l' still prints the '\\'.

421) Added the always_set_home option.

422) Strip NLSPATH and PATH_LOCALE out from the environment to prevent
     reading of protected files by a less privileged user.

423) Added support for BSD authentication and associated -a flag.

424) Added check for _innetgr(3) since NCR systems have this instead
     of innetgr(3).

425) Added stay_setuid option for systems that have libraries that perform
     extra paranoia checks in system libraries for setuid programs.

426) Environment munging is now done by hand.  The environment is zeroed
     upon sudo startup and a new environment is built before the command
     is executed.  This means we don't rely on getenv(3), putenv(3),
     or setenv(3).

427) Added a class of environment variables that are only cleared if they
     contain '/' or '%' characters.

428) Use stashed user_gid when checking against exempt gid since sudo
     sets its gid to SUDOERS_GID, making getgid() return that, not the
     real gid.  Fixes problem with setting exempt group == SUDOERS_GID.
     Fix from Paul Kranenburg.

429) Fixed file locking in visudo on NeXT which has a broken lockf().
     Patch from twetzel@gwdg.de.

430) Regenerated configure script with autoconf-2.52 (required some
     tweaking of configure.in and friends).

431) Added mail_badpass option to send mail when the user does not
     authenticate successfully.

432) Added env_reset Defaults option to reset the environment to
     a clean slate.  Also implemented env_keep Defaults option
     to specify variables to be preserved when resetting the
     environment.

433) Added env_check and env_delete Defaults options to allow the admin
     to modify the built-in list of environment variables to remove.

434) If timestamp_timeout < 0 then the timestamp never expires.  This
     allows users to manage their own timestamps and create or delete
     them via 'sudo -v' and 'sudo -k' respectively.

435) Authentication routines that use sudo's tgetpass() now accept
     ^C or ^Z at the password prompt and sudo will act appropriately.

436) Added a check-only mode to visudo to check an existing sudoers
     file for sanity.

437) Visudo can now edit an alternate sudoers file.

438) If sudo is configured with S/Key support and the system has
     skeyaccess(3) use that to determine whether or not to allow
     a normal Unix password or just S/Key.

439) Fixed CIDR handling in sudoers.

440) Fixed a segv if the local hostname is not resolvable and
     the 'fqdn' option is set.

441) "listpw=never" was not having an effect for users who did not
     appear in sudoers--now it does.

442) The --without-sendmail option now works on systems with
     a /usr/include/paths.h file that defines _PATH_SENDMAIL.

443) Removed the "secure_path" Defaults option as it does not work and
     cannot work until the parser is overhauled.

444) Added new -P flag and "preserve_groups" sudoers option to cause
     sudo to preserve the group vector instead of setting it to that
     of the target user.  Previously, if the target user was root
     the group vector was not changed.  Now it is always changed unless
     the -P flag or "preserve_groups" option was given.

445) If find_path() fails as root, try again as the invoking user (useful
     for NFS).  Idea from Chip Capelik.

446) Use setpwent()/endpwent() and its shadow equivalents to be sure
     the passwd/shadow file gets closed.

447) Use getifaddrs(3) to get the list of network interfaces if it is
     available.

448) Dump list of local IP addresses and environment variables to clear
     when 'sudo -V' is run as root.

449) Reorganized the lexer a bit and added more states.  Sudo now does a
     better job of parsing command arguments in the sudoers file.

450) Wrap each call to syslog() with openlog()/closelog() since some
     things (such as PAM) may call closelog(3) behind sudo's back.

451) The LOGNAME and USER environment variables are now set if the user
     specified a target uid and that uid exists in the password database.

452) configure will no longer add the -g flag to CFLAGS by default.

453) Now call pam_setcreds() to setup creds for the target user when
     PAM is in use.  On Linux this often sets resource limits.

454) If "make install" is run by non-root and the destination dir
     is writable, install things normally but don't set owner and mode.

455) The Makefile now supports installing in a shadow hierarchy
     specified via the DESTDIR variable.

456) config.h.in is now generated by autoheader.

Sudo 1.6.4 released.

457) Move the call to rebuild_env() until after MODE_RESET_HOME is set.
     Otherwise, the set_home option has no effect.

458) Fix use of freed memory when the "fqdn" flag is set.  This was
     introduced by the fix for the "segv when gethostbynam() fails" bug.

459) Add 'continue' statements to optimize the switch statement.
     From Solar Designer.

Sudo 1.6.4p1 released.

460) Some special characters were not being escaped properly (e.g. '\,')
     in command line arguments and would cause a syntax error instead.

461) "sudo -l" would not work if the always_set_home option was set.

462) Added a configure option to disable use of POSIX saved IDs for
     operating systems where these are broken.

463) The SHELL environment variable was preserved from the user's environment
     instead of being reset based on the passwd database even when the
     "env_reset" option was set.

Sudo 1.6.4p2 released.

464) Added a configure option to cause mail sent by sudo to be run as
     the invoking user instead of root.  Some people consider this to
     be safer.

465) If the mailer is being run as root, use a hard-coded environment
     that is not influenced in any way by the invoking user's environment.

466) Fixed the call to skeyaccess().  Patch from Phillip E. Lobbes.

Sudo 1.6.5 released.

467) Visudo could access memory that was already freed.

468) If the skey.access file denied use of plaintext passwords sudo
     would exit instead of allowing the user to enter an S/Key.

Sudo 1.6.5p1 released.

469) Older versions of BSDi have getifaddrs() but no freeifaddrs().

470) BSDi has a fake setreuid() as do certain versions of FreeBSD and NetBSD.

471) Ignore the return value of pam_setcred().  In Linux-PAM 0.75,
     pam_setcred() will return PAM_PERM_DENIED even if the setcred function
     of the module succeeds when pam_authenticate() has not been called.

472) Avoid giving PAM a NULL password response, use the empty string instead.
     This avoids a log warning when the user hits ^C at the password prompt
     when Linux-PAM is in use.  This also prevents older versions of
     Linux-PAM from dereferencing the NULL pointer.

473) The user's password was not zeroed after use when AIX authentication,
     BSD authentication, FWTK or PAM was in use.

Sudo 1.6.5p2 released.

474) Fixed compilation problem on HP-UX 9.x.

475) Moved call to endpwent() and added a call to endgrent().

476) Fixed a warning conflicting declaration of VOID with AFS.

477) Fixed a security hole in prompt rewriting found by Global InterSec.

Sudo 1.6.6 released.

478) Wildcards now work correctly in the env_keep Defaults directive.

479) Added support for non-root timestamp dirs.  This allows the timestamp
     dir to be shared via NFS (though this is not recommended).

480) Removed double printing of bad environment variable table in -V mode.

481) configure script has been regenerated with autoconf 2.5.7.
     This required some changes to configure.in.

482) Fixed a compilation problem on SunOS; thanks to Alek O. Komarnitsky.

483) SecurID 5.0 API support from Michael Stroucken.

484) Restore state of signal handlers to what we had upon startup.
     Fixes a problem when using sudo with nohup; thanks to Paul Markham.

485) Revamp set_perms() to use setresuid() or setreuid() when available
     in preference to POSIX stuff since they allow us to properly
     implement "stay_setuid" whereas POSIX does not really.

486) In strict mode sudo did not throw an error for undefined User_Aliases.

487) Fixed a Makefile bug on IRIX.

488) Write the prompt *after* turning off echo to avoid some password
     characters being echoed on heavily-loaded machines with fast typists.

489) Added %U and %H escapes in the prompt and fixed treatment of %%.

490) Visudo will now add a final newline to sudoers if the user's editor
     not add one before EOF.

491) The lexer state is now reset to its initial value on EOF. 
     Previously, the state was not reset between parser invocations
     which could cause problems for visudo in rare cases.

492) Added support for Defaults that apply based on the RunasUser.

493) Sudo now includes copies of strlc{at,py} and uses them throughout.

494) Sudo is now careful to avoid interger overflow when allocating
     memory.  This is one of those "should not happen" situations.

495) Added a configure option (--with-stow) to make sudo compatible
     with GNU stow.

496) auth/kerb5.c now compiles under Heimdal.

497) The volatile prefix is used in the hopes of preventing compilers
     from optimizing away memory zeroing.  Unfortunately, this results
     in some warnings from gcc.

498) Better Kerberos IV/V support in the configure script.

499) Fixed a logic thinko in the SIGCHLD handler that caused problems
     with rlogin on HP-UX.

500) configure now adds -R to LDFLAGS when it adds -L for Solaris and
     SVR4.  There is a configure option, --with-rpath, to control this.

501) On AIX, configure will pass extra directory paths to the linker
     via the -blibpath ld option.  This is only active when additional
     library paths are used.  It may be disabled via the
     --without-blibpath configure option.

502) The --with-skey and --with-opie configure options now take
     an optional directory argument that should have an include and
     lib dir for the skey/opie include file and library respectively.

Sudo 1.6.7 released.

503) Fixed false positives in the overflow detection of expand_prompt().

Sudo 1.6.7p1 released.

504) An unterminated comment broke Kerberos V authentication.

505) The krb5-config script is used to determine Kerberos V CPPFLAGS
     and LDFLAGS/LIBS if it exists.

506) Backed out changes to mkinstalldirs from autoconf 2.57 that
     caused problems on Tru64 Unix.

Sudo 1.6.7p2 released.

507) Kerberos V support should work on latest MIT Kerberos V and Heimdal.

Sudo 1.6.7p3 released.

508) Fixed remaining Kerberos V issues with MIT Kerberos V and old Heimdal.

Sudo 1.6.7p4 released.

509) Fixed a typo that caused a compilation error on Heimdal.

510) Darwin (MacOS X) doesn't have a real setreuid() system call.

511) Fixed a problem with large numbers of environment variables.

Sudo 1.6.7p5 released.

512) Fixed a problem on FreeBSD when the user is only listed in NIS (not
     master.passwd) and netgroups are used in the master.passwd file.

513) BSD-style warn/err functions are now used throughout.

514) Fixed the --with-stow configure option

515) Added a "sudo_lecture" option that points to a file containing a custom
     lecture.

516) The username in a log entry is no longer truncated at 8 characters.

517) A new tag, NOEXEC, will prevent a dynamically-linked program being run
     by sudo from executing another program (think shell escapes).
     Because this uses LD_PRELOAD it has no effect on static binaries.
     Idea from Reznic Valery.

518) TIS fwtk authentication now supports fwtk 2.0 and higher.

519) Sudo will now try to stat the command to be run as the user
     specified by the -u flag if the stat fails as root.  Fixes
     an NFS issue.

520) Added Stan Lee / Uncle Ben quote to the lecture (from RedHat).

521) Added a -i option to simulate an initial login similar to "su -".
     Originally based on a patch from David J. MacKenzie.

522) Added a -e option to edit files the with uid of the invoking user.
     This prevents the user from editing other files or running commands
     as the target user.  If sudo is run as "sudoedit" the -e flag is implied.

523) If sudo is used to run as root shell, further sudo commands will
     be logged as run by the user specified by the SUDO_USER environment
     variable.  In -e mode (sudoedit), SUDO_USER is used to determine
     what user to run the editor when the real uid is 0.

524) Merged in LDAP support from Aaron Spangler.

525) Added the --with-pc-insults configure to replace politically
     incorrect insults with ones from Alek O. Komarnitsky.

526) Added start_tls support from Gudleik Rasch <gudleik@rastamatra.org>.

527) A uid specified in sudoers now matches the user specified by the
     -u flag even if the -u flag specified a name, not a uid.

528) /tmp/.odus is no longer used for timestamps by default.  One of
     /var/run/sudo, /var/adm/sudo or /usr/adm/sudo is used depending
     on what directories exist.

529) Quoting globbing characters with a backslash now works as documented.

530) A negated user/uid in a runas list was not treated the same as a
     negated command (it did not override a previously allowed entry).
     Now it does.

531) Added support for Tandem NSK and other systems w/o seteuid().

532) The timeout on password reading is now done via alarm(), not select().

533) Fixed several issues when closing all open descriptors.  Sudo now uses
     closefrom() if it exists, using /proc/$$/fd if possible.

534) Use PATH_MAX, not MAXPATHLEN since the former is standardized.

535) Added a check in visudo for runas_default being used before it
     was set.

536) If the target user == invoking user a password is no longer required.

537) PAM support now uses Use pam_acct_mgmt() to check for disabled accounts
    (from Brian Farrell).

538) The sudoers file is now parsed as the runas user in all cases instead
     of root.  This fixes some issues with running NFS-mounted commands.

539) Sudo now produces a sensible error message when the targetpw
     Defaults option is set and a non-existent uid is specified via -u.

Sudo 1.6.8 released.

540) Now find the command base and fill in struct stat earlier.

541) sudoedit now re-opens the temp file as the invoking user.

542) struct timespec is used throughout the code base.

543) Added --with-ldap-conf-file option to override /etc/ldap.conf

544) Added SSL tls_* certificate checking options when using LDAP.

545) Sudoedit will now only attempt to edit regular files or links.

546) Sudo now uses futime() or futimes() where possible.

547) Updated sample.pam to a current version.

548) Better detection of unchanged files in sudoedit.

Sudo 1.6.8p1 released.

549) Bash exported functions are now stripped from the environment passed
     to the program to be executed.

Sudo 1.6.8p2 released.

550) The CDPATH variable is now stripped from the environment passed
     to the program to be executed.

551) Fix temp file generation on systems where the _PATH_VARTMP macro
     lacks a trailing slash.

Sudo 1.6.8p3 released.

552) The KRB5CCNAME environment variable is preserved during sudo
     execution for password lookups that use GSSAPI.

Sudo 1.6.8p4 released.

553) Added a configure check for systems with a 2-argument version of
     timespecsub (like BSD/OS).

554) Added stub struct defintions to sudo.h to quiet compiler warnings
     on some systems.

555) In sudoers Defaults lines, tuples like "lecture" may now be used
     without a value, restoring their old boolean-like nature.

556) Invalid values for a tuple are now handled correctly.

Sudo 1.6.8p5 released.