1TODO list (most will be addressed in sudo 2.0)
2
301) Redo parsing to be more like op(8) with true command aliases where
4    can specify uid, gid(s) and part/all of the environment.
5
602) Add a SHELLS reserved word that checks against /etc/shells.
7
803) Make the sudoers file accessible via NIS, Hesiod, and maybe NetInfo.
9
1004) Add a -h (?) flag to sudo for a history mechanism.
11
1205) Add an option to set LD_LIBRARY_PATH?
13
1406) Add Prog_Alias facility (Prog_Alias VI = /usr/secure/bin/vi +args).
15
1607) check for <net/errno.h> in configure and include it in sudo.c if it exists.
17
1808) Add generic STREAMS support for getting interfaces and netmasks.
19
2009) Add support for "safe scripts" by checking for shell script
21    cookie (first two bytes are "#!") and execing the shell outselves
22    after doing the stat to guard against spoofing.  This should avoid
23    the race condition caused by going through namei() twice...
24
2510) Overhaul testsudoers to use things from parse.o so we don't reimplement
26    things.
27
2811) Make runas_user a struct "runas" with user and group components.
29    (maybe uid and gid too???)
30
3112) Add -g group/gid option.
32
3313) Should be able to mix Cmnd_Alias's and command args.  Ie:
34	pete   ALL=PASSWD [A-z]*,!PASSWD root
35    where PASSWD was defined to be /usr/bin/passwd.
36    This requires the arg parsing to happen in the yacc grammer.
37    At the very least, commands and args have to become separate
38    tokens in the lexer.
39
4014) Add a per-tty restriction?  Ie: only can run foo from /dev/console.
41
4215) Add test for how to read ether interfaces in configure script
43
4416) Add configure option to enable old behavior of visudo (O_EXCL)?
45    --without-sudoers-lock?
46
4717) Profile sudo again (is the yacc grammar optimal?)
48
4918) Zero out encrypted passwords after use.  Use an Exit function or
50    some such (have to hook in to emalloc() and friends).
51    Hard (impossible?) to be thorough w/ atexit/on_exit.
52
5319) Make 'sudo -l user' if run as root do a "sudo -l" output for the specified
54    user.
55
5620) Use strtol() and strtoul(), not atoi()
57
5821) Look into %e, %p, %k in parse.lex
59
6022) Make syslog stuff work on vanilla ultrix
61
6223) Implement date_format and log_format options.
63
6424) Add support for: Default:user@host
65
6625) Make visudo rcs-aware
67
6826) Add support for parsing multiple sudoers files.  Basically make
69    _PATH_SUDOERS be a colon-separated list of pathname like EDITOR.
70    Requires _PATH_SUDOERS_TMP chages (perhaps "%s.tmp").
71
7227) Some people want to be able to specify a special password in sudoers
73    in addition or instead of the normal one.  The best argument for
74    this so far is to be able to use separate passwords for the
75    target users that are not the passwd file ones.
76
7728) Add support for trusted users.  E.g. allow user to run a certain
78    command regardless of what dir it is in if it is owned by the
79    trusted user.
80
8128) Split the parser into two stages.  The first parse checks for
82    syntax and sets the Defaults options and sets up the
83    data structures to check a user.  The second stage does
84    the actual user check.
85
8630) Add a flag similar to '-l' but that spits out sudo commands in
87    a format suitable for cut & paste (requires parser overhaul first).
88
8931) Someone wants a recursive version of the dir specifier.  Ie:
90    SOME_MODIFIER:/usr/local/ to allow anything under /usr/local to be run.
91
9231) An option to set the shell to the target user would make sense.
93    See other target user-related issues above.
94
9533) Add an option (-D) to dump the defaults after the sudoers file
96    has been parsed.  Should only be available to root and should
97    allow a -u user modifier.
98
9934) For sudo 1.7 wipe out the environment by default.
100
10135) Allow /etc/sudoers to be a symlink but require the parent dir to
102    be root-owned and not writable by anything else.  Should really
103    traverse the tree to the root doing this.
104
10536) Improve interfaces.c STREAMS code (see ntpd's ntp_io.c for hints)
106
10737) Wildcard support for user and group names? (netgroup too?)
108
10938) If root_sudo is off, still allow sudo -u to non-root users?
110
11139) Add configure option to id user based on euid not ruid?
112
11340) Split $EDITOR/$VISUAL in visudo into an argument vector based on whitespace
114
11541) Use proper links in .pod files
116
11742) Parse gids like %#0
118
11943) Add support for systrace (requires that sudo fork and be persistent)
120
12144) For AIX, call getuserattr() to get resource limits and set them
122    as appropriate, see:
123    http://nscp.upenn.edu/aix4.3html/libs/basetrf1/getuserattr.htm#A16691a89
124
12545) Add an insult_path variable that is intialized to "builtin" but that
126    can point to other files containing an insult count as the first
127    line and that have a constant record length (sparse files) for
128    easy seeking.
129
13046) Investigate using glob(3) instead of fnmatch(3) for path matching.  That
131    way we can stat each potential match like we normally would.  Patterns
132    ending in '/*' can be replaced with '/basename' as an optimization.
133
13447) Some way of using a new pty for the program run via sudo would prevent
135    access to the caller's /dev/tty (but probably makes job control tricky).
136
13748) Maybe have a database of checksums that commands are verified against.
138    Basically replace the st_ino/st_dev check with a checksum lookup.
139
14049) Look into testing writability of a file via sudoedit *before* doing
141    the edit; e.g., try opening with O_APPEND.
142
14350) Add Makefile.in bits to autogenerate Solaris and HP-UX packages
144