Summary: Allows restricted root access for specified users

Name: sudo

Version: 1.8.23

Release: 7%{?dist}

License: ISC

Group: Applications/System

URL: http://www.courtesan.com/sudo/

Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz

Source1: sudoers

Source2: sudo-ldap.conf

Source3: sudo.conf

Requires: /etc/pam.d/system-auth

Requires: /usr/bin/vi

BuildRequires: /usr/sbin/sendmail

BuildRequires: autoconf

BuildRequires: automake

BuildRequires: bison

BuildRequires: flex

BuildRequires: gettext

BuildRequires: groff

BuildRequires: libtool

BuildRequires: audit-libs-devel

BuildRequires: libcap-devel

BuildRequires: libgcrypt-devel

BuildRequires: libgcrypt-devel

BuildRequires: libselinux-devel

BuildRequires: openldap-devel

BuildRequires: pam-devel

BuildRequires: zlib-devel

# don't strip

Patch1: sudo-1.6.7p5-strip.patch

# configure.in fix

Patch2: sudo-1.7.2p1-envdebug.patch

# 881258 - rpmdiff: added missing sudo-ldap.conf manpage

Patch3: sudo-1.8.23-sudoldapconfman.patch

# 1247591 - Sudo taking a long time when user information is stored externally.

Patch4: sudo-1.8.23-legacy-group-processing.patch

# 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option

Patch5: sudo-1.8.23-ldapsearchuidfix.patch

# 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure

Patch6: sudo-1.8.6p7-logsudouser.patch

# 840980 - sudo creates a new parent process

# Adds cmnd_no_wait Defaults option

Patch7: sudo-1.8.23-nowaitopt.patch

# 1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers

#  This is fix of a regression in the referenced feature request. It was fixed

#  in newer versions of sudo and we backport it to prevent future regression

#  bz in RHEL. The feature itself was delivered via the rebase to 1.8.23.

Patch8: sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch

# 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version

Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch

# 1647678 - sudo access denied with pam_access and pts terminal configurations

# 1672876 - Backporting sudo bug with expired passwords - this is included in in this patch

Patch10: sudo-1.8.23-pam_access-and-terminals.patch

# 1665285 - Problem with sudo-1.8.23 and 'who am i'

Patch11: sudo-1.8.23-who-am-i.patch

# 1738841 - Crash in do_syslog() while doing sudoedit

Patch12: sudo-1.8.23-fix_empty_username_in_do_syslog.patch

%description

Sudo (superuser do) allows a system administrator to give certain

users (or groups of users) the ability to run some (or all) commands

as root while logging all commands and arguments. Sudo operates on a

per-command basis.  It is not a replacement for the shell.  Features

include: the ability to restrict what commands a user may run on a

per-host basis, copious logging of each command (providing a clear

audit trail of who did what), a configurable timeout of the sudo

command, and the ability to use the same configuration file (sudoers)

on many different machines.

%package        devel

Summary:        Development files for %{name}

Group:          Development/Libraries

Requires:       %{name} = %{version}-%{release}

%description    devel

The %{name}-devel package contains header files developing sudo

plugins that use %{name}.

%prep

%setup -q

%patch1 -p1 -b .strip

%patch2 -p1 -b .envdebug

%patch3 -p1 -b .sudoldapconfman

%patch4 -p1 -b .legacy-group-processing

%patch5 -p1 -b .ldapsearchuidfix

%patch6 -p1 -b .logsudouser

%patch7 -p1 -b .nowaitopt

%patch8 -p1 -b .pam-mgmt-ignore-errors

%patch9 -p1 -b .defaults-double-quote-fix

%patch10 -p1 -b .pam_access-and-terminals

%patch11 -p1 -b .who-am-i

%patch12 -p1 -b .do_syslog-username

%build

autoreconf -I m4 -fv --install

%ifarch s390 s390x sparc64

F_PIE=-fPIE

%else

F_PIE=-fpie

%endif

export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHLIB_MODE=755

%configure \

        --prefix=%{_prefix} \

        --sbindir=%{_sbindir} \

        --libdir=%{_libdir} \

        --docdir=%{_datadir}/doc/%{name}-%{version} \

        --with-logging=syslog \

        --with-logfac=authpriv \

        --with-pam \

        --with-pam-login \

        --with-editor=/usr/bin/vi \

        --with-env-editor \

        --enable-gcrypt \

        --with-ignore-dot \

        --with-tty-tickets \

        --with-ldap \

        --with-ldap-conf-file="%{_sysconfdir}/sudo-ldap.conf" \

        --with-selinux \

        --with-passprompt="[sudo] password for %p: " \

        --with-linux-audit \

        --with-sssd

make

%check

make check

%install

rm -rf %{buildroot}

# Update README.LDAP (#736653)

sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP

make install DESTDIR="%{buildroot}" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`

chmod 755 %{buildroot}%{_bindir}/* %{buildroot}%{_sbindir}/*

install -p -d -m 700 %{buildroot}%{_localstatedir}/db/sudo

install -p -d -m 700 %{buildroot}%{_localstatedir}/db/sudo/lectured

install -p -d -m 750 %{buildroot}%{_sysconfdir}/sudoers.d

install -p -c -m 0440 %{SOURCE1} %{buildroot}%{_sysconfdir}/sudoers

install -p -c -m 0640 %{SOURCE3} %{buildroot}%{_sysconfdir}/sudo.conf

install -p -c -m 0640 %{SOURCE2} %{buildroot}%{_sysconfdir}/sudo-ldap.conf

# Remove upstream sudoers file

rm -f %{buildroot}%{_sysconfdir}/sudoers.dist

# Remove all .la files

find %{buildroot} -name '*.la' -exec rm -f {} ';'

%find_lang sudo

%find_lang sudoers

cat sudo.lang sudoers.lang > sudo_all.lang

rm sudo.lang sudoers.lang

mkdir -p %{buildroot}%{_sysconfdir}/pam.d

cat > %{buildroot}%{_sysconfdir}/pam.d/sudo << EOF

#%%PAM-1.0

auth       include      system-auth

account    include      system-auth

password   include      system-auth

session    optional     pam_keyinit.so revoke

session    include      system-auth

EOF

cat > %{buildroot}%{_sysconfdir}/pam.d/sudo-i << EOF

#%%PAM-1.0

auth       include      sudo

account    include      sudo

password   include      sudo

session    optional     pam_keyinit.so force revoke

session    include      sudo

EOF

%clean

rm -rf %{buildroot}

%files -f sudo_all.lang

%defattr(-,root,root)

%attr(0440,root,root) %config(noreplace) %{_sysconfdir}/sudoers

%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf

%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo-ldap.conf

%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d/

%config(noreplace) %{_sysconfdir}/pam.d/sudo

%config(noreplace) %{_sysconfdir}/pam.d/sudo-i

%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf

%dir %{_localstatedir}/db/sudo

%dir %{_localstatedir}/db/sudo/lectured

%attr(4111,root,root) %{_bindir}/sudo

%{_bindir}/sudoedit

%{_bindir}/cvtsudoers

%attr(0111,root,root) %{_bindir}/sudoreplay

%attr(0755,root,root) %{_sbindir}/visudo

%attr(0755,root,root) %{_libexecdir}/sudo/sesh

%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so

%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so

%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so

%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so

%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?

%{_libexecdir}/sudo/libsudo_util.so.?

%{_libexecdir}/sudo/libsudo_util.so

%{_mandir}/man5/sudoers.5*

%{_mandir}/man5/sudoers.ldap.5*

%{_mandir}/man5/sudo-ldap.conf.5*

%{_mandir}/man5/sudo.conf.5*

%{_mandir}/man8/sudo.8*

%{_mandir}/man8/sudoedit.8*

%{_mandir}/man8/sudoreplay.8*

%{_mandir}/man8/visudo.8*

%{_mandir}/man1/cvtsudoers.1.gz

%{_mandir}/man5/sudoers_timestamp.5.gz

%dir %{_docdir}/sudo-%{version}

%{_docdir}/sudo-%{version}/*

# Make sure permissions are ok even if we're updating

%post

/bin/chmod 0440 %{_sysconfdir}/sudoers || :

%files devel

%defattr(-,root,root,-)

%doc plugins/sample/sample_plugin.c

%{_includedir}/sudo_plugin.h

%{_mandir}/man8/sudo_plugin.8*

%changelog

* Thu Aug 22 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.23-7

- RHEL-7.8 erratum

  Resolves: rhbz#1738841 Crash in do_syslog() while doing sudoedit

* Mon Aug 19 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.23-6

- RHEL-7.8 erratum

  Resolves: rhbz#1647678 sudo access denied with pam_access and pts terminal configurations

* Mon Aug 12 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.23-5

- RHEL-7.8 erratum

  Resolves: rhbz#1711997 sudo is super slow when /etc/security/limits.conf contains many entries

* Wed Feb 20 2019 Radovan Sroka <rsroka@redhat.com> 1.8.23-4

- RHEL-7.7 erratum

  Resolves: rhbz#1672876 - Backporting sudo bug with expired passwords

  Resolves: rhbz#1665285 - Problem with sudo-1.8.23 and 'who am i'

* Mon Sep 24 2018 Daniel Kopecek <dkopecek@redhat.com> 1.8.23-3

- RHEL-7.6 erratum

  Resolves: rhbz#1547974 - Rebase sudo to latest stable upstream version

* Fri Sep 21 2018 Daniel Kopecek <dkopecek@redhat.com> 1.8.23-2

- RHEL-7.6 erratum

  Resolves: rhbz#1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers

  Resolves: rhbz#1506025 - Latest update broke sudo for ldap users.

  Resolves: rhbz#1502630 - inclusion of system-auth for session hooks missing in sudo PAM snippets

* Thu Jun 28 2018 Daniel Kopecek <dkopecek@redhat.com> 1.8.23-1

- RHEL-7.6 erratum

  Resolves: rhbz#1547974 - Rebase sudo to latest stable upstream version (1.8.23)

  Resolves: rhbz#1502630 - inclusion of system-auth for session hooks missing in sudo PAM snippets

  Resolves: rhbz#1506025 - Latest update broke sudo for ldap users.

  Resolves: rhbz#1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers

  Resolves: rhbz#1548380 - RFE: Create flag to filter to sudo -l output

  Resolves: rhbz#1510002 - Ensure that the command input (stdin) eating behaviour of Default log_input is documented

  Resolves: rhbz#1596032 - Why does sudo package depend on vim-minimal?

* Thu Nov 30 2017 Radovan Sroka <rsroka@redhat.com> 1.8.19p2-13

- RHEL 7.5 erratum

- Fixed sudo -l checking results whether user should be authenticated

- Enabled LDAP filter patch

- Fixed double free in sssd

  Resolves: rhbz#1505409

  Resolves: rhbz#1511850

  Resolves: rhbz#1518104

* Mon Oct 02 2017 Radovan Sroka <rsroka@redhat.com> 1.8.19p2-12

- RHEL 7.5 erratum

- Fixed exit codes for `sudo -l -U <user>`

- Fixed truncated output when log_output is enabled

- Updated use_pty and IO logging manpage

  Resolves: rhbz#1458696

  Resolves: rhbz#1454571

  Resolves: rhbz#1490358

- Fixed second pass LDAP filter expression in the sudoers ldap backend

  - inclomplete patch for rhbz#1485397

* Mon Aug 14 2017 Daniel Kopecek <dkopecek@redhat.com> - 1.8.19p2-11

- Moved libsudo_util.so from the -devel sub-package to main package

  Resolves: rhbz#1481225

* Wed Jun 07 2017 Daniel Kopecek <dkopecek@redhat.com> - 1.8.19p2-10

- RHEL 7.4 erratum

- Fix CVE-2017-1000368

  Resolves: rhbz#1459411

* Tue Jun 06 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.19p2-9

- RHEL 7.4 erratum

- removed patch for output truncation (1454571) which introduced regression

  Resolves: rhbz#1360687

* Thu May 25 2017 Jakub Jelen <jjelen@redhat.com> - 1.8.19p2-8

- RHEL 7.4 erratum

- Fixes CVE-2017-1000367: Privilege escalation in via improper get_process_ttyname() parsing

  Resolves: rhbz#1455402

* Tue May 23 2017 Daniel Kopecek <dkopecek@redhat.com> - 1.8.19p2-7

- RHEL 7.4 erratum

- added patch to fix output truncation (in some cases) when log_output

  option is enabled

  Resolves: rhbz#1454571

* Thu May 04 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.19p2-6

- RHEL 7.4 erratum

- added patch that fixes lecture option used as bolean

  Resolves rhbz#1360687

* Tue Apr 25 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.19p2-5

- RHEL 7.4 erratum

- added doc patch about sudo lookup issue

  Resolves: rhbz#1293306

- added test suite patch

  Resolves: rhbz#1360687

- fixed use after free fqdn problem

  Resolves: rhbz#1360687

* Tue Mar 21 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-4

- RHEL 7.4 erratum

- fixed cmnd_no_wait patch

- backported iolog_flush sudoers default

  Resolves: rhbz#1369856

  Resolves: rhbz#1425853

* Wed Mar 08 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-3

- RHEL 7.4 eratum

- Fixes semicolon typo in digest backport patch from the previous build

  Resolves: rhbz#1360687

* Wed Mar 08 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-2

- RHEL 7.4 erratum

- Fixes coverity scan issues created by our patches:

  - fixed resource leaks and a compiler warning in digest backport patch

  - removed needless code from cmnd_no_wait patch causing clang warning

  - format of the last changelog message causes problems to rhpkg push,

    so don't use that as a commit message

  Resolves: rhbz#1360687

* Wed Mar 01 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-1

- RHEL 7.4 erratum

  - Resolves: rhbz#1360687 - rebase to 1.8.19p2

  - Resolves: rhbz#1123526 - performance improvement

  - Resolves: rhbz#1308789 - add MAIL and NOMAIL tags

  - Resolves: rhbz#1348504 - sudo now parses sudoers with sudoers locale

  - Resolves: rhbz#1374417 - "sudo -l command" indicated that the command

    was runnable even if denied by sudoers when using LDAP or SSSD backend.

  - Resolves: rhbz#1387303 - add ignore_iolog_errors option

  - Resolves: rhbz#1389360 - wrong log file group ownership

  - Resolves: rhbz#1389735 - add iolog_group, iolog_mode, iolog_user options

  - Resolves: rhbz#1397169 - maxseq and ignore_iolog_errors options

  - Resolves: rhbz#1403051 - add support for querying netgroups directly via LDAP

  - Resolves: rhbz#1410086 - race condition while creating /var/log/sudo-io dir

  - Resolves: rhbz#1413160 - add ignore_unknown_defaults flag

  - Resolves: rhbz#1254772 - ability to export sudoers in json format

  - Resolves: rhbz#1417187 - wrong reference to config file in systax error message

  - Resolves: rhbz#1424575 - visudo was not printing severity of error/warning message

* Wed Nov 23 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-21

- Update noexec syscall blacklist

- Fixes CVE-2016-7032 and CVE-2016-7076

  Resolves: rhbz#1391940

* Tue Jul 19 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-20

- RHEL 7.3 erratum

  - fixed visudo's -q flag

  Resolves: rhbz#1350828

* Tue Jun 14 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-19

- RHEL 7.3 erratum

  - removed INPUTRC from env_keep to prevent a potential info leak

  Resolves: rhbz#1340700

* Wed May 11 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-18

- RHEL 7.3 erratum

  - removed requiretty flag from the default sudoers policy

  - backported pam_service and pam_login_service defaults options

  - implemented netgroup_tuple defaults option for changing netgroup

    processing semantics

  - fixed user matching logic in the LDAP nss backend

  - don't allow visudo to accept an invalid sudoers file

  - fixed a bug causing that non-root users can list privileges of

    other users

  - modified digest check documentation to mention the raciness of

    the checking mechanism

  Resolves: rhbz#1196451

  Resolves: rhbz#1247230

  Resolves: rhbz#1334331

  Resolves: rhbz#1334360

  Resolves: rhbz#1261998

  Resolves: rhbz#1313364

  Resolves: rhbz#1312486

  Resolves: rhbz#1268958

  Resolves: rhbz#1335039

  Resolves: rhbz#1335042

  Resolves: rhbz#1335045

  Resolves: rhbz#1273243

  Resolves: rhbz#1299883

* Mon Feb 15 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-17

- fixed bug in closefrom_override defaults option

  Resolves: rhbz#1297062

* Tue Sep  1 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-16

- RHEL 7.2 erratum

  - show the digest type in warning messages

  Resolves: rhbz#1183818

* Tue Sep  1 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-15

- RHEL 7.2 erratum

  - fixed compilation of testing binaries during make check

  - added legacy group processing patch

  - replaced buggy base64 decoder with a public domain implementation

  Resolves: rhbz#1254621

  Resolves: rhbz#1183818

  Resolves: rhbz#1247591

* Tue Jul  7 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-14

- RHEL 7.2 erratum

  - backported command digest specification

  - fixed CVE-2014-9680 sudo: unsafe handling of TZ environment variable

  - fixed typos in sudoers.ldap man page

  - fixed handling of double-quoted sudoOption values in ldap, sssd sources

  - fixed numeric uid specification support in ldap source

  - fixed authentication flag logic in ldap source

  - added the systemctl command to the SERVICES alias in the default sudoers file

  Resolves: rhbz#1144446

  Resolves: rhbz#1235570

  Resolves: rhbz#1138259

  Resolves: rhbz#1183818

  Resolves: rhbz#1233607

  Resolves: rhbz#1144419

  Resolves: rhbz#1135539

  Resolves: rhbz#1215400

* Tue Sep 30 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-13

- RHEL 7.1 erratum

  - fixed issues found by covscan/clang-analyzer

  Resolves: rhbz#1147616

* Mon Sep 29 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-12

- RHEL 7.1 erratum

  - don't retry authentication when ctrl-c pressed

  - fix double-quote processing in Defaults options

  - handle the "(none)" hostname correctly

  - SSSD: fix sudoUser netgroup specification filtering

  - SSSD: list correct user when -U <user> -l specified

  - SSSD: show rule names on long listing (-ll)

  - fix infinite loop when duplicate entries are specified on the

    sudoers nsswitch.conf line

  Resolves: rhbz#1084488

  Resolves: rhbz#1088464

  Resolves: rhbz#1088825

  Resolves: rhbz#1092499

  Resolves: rhbz#1093099

  Resolves: rhbz#1096813

  Resolves: rhbz#1147497

  Resolves: rhbz#1147557

* Wed Feb 26 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-11

- Fixed incorrect login shell path construction in sesh

  (thanks fkrska@redhat.com for the patch)

  Resolves: rhbz#1065418

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 1.8.6p7-10

- Mass rebuild 2014-01-24

* Wed Jan 15 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-9

- allow the wheel group to use sudo

  Resolves: rhbz#994623

* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 1.8.6p7-8

- Mass rebuild 2013-12-27

* Fri Nov 08 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-7

- dropped wrong patch and fixed patch comments

  Resolves: rhbz#1000389

* Thu Nov 07 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-6

- fixed alias cycle detection code

- added debug messages for tracing of netgroup matching

- fixed aborting on realloc when displaying allowed commands

- sssd: filter netgroups in the sudoUser attribute

- parse uids/gids more strictly

- added debug messages to trace netgroup matching

  Resolves: rhbz#1026904

  Resolves: rhbz#1026890

  Resolves: rhbz#1007014

  Resolves: rhbz#1026894

  Resolves: rhbz#1000389

  Resolves: rhbz#994566

* Mon Aug 05 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-5

- added standalone manpage for sudo.conf and sudo-ldap.conf

- spec file cleanup

  Resolves: rhbz#881258

* Mon Jul 29 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-4

- added RHEL 6 patches

* Wed Jul 24 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-3

- synced sudoers, configure options & configuration files with

  expected RHEL configuration

  Resolves: rhbz#969373

  Resolves: rhbz#971009

  Resolves: rhbz#965124

  Resolves: rhbz#971013

  Resolves: rhbz#839705

* Thu Apr 11 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-2

- depend on /usr/sbin/sendmail instead of the sendmail package

  Resolves: rhbz#927842

* Thu Feb 28 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-1

- update to 1.8.6p7

- fixes CVE-2013-1775 and CVE-2013-1776

- fixed several packaging issues (thanks to ville.skytta@iki.fi)

  - build with system zlib.

  - let rpmbuild strip libexecdir/*.so.

  - own the %%{_docdir}/sudo-* dir.

  - fix some rpmlint warnings (spaces vs tabs, unescaped macros).

  - fix bogus %%changelog dates.

* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p3-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Mon Nov 12 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p3-2

- added upstream patch for a regression

- don't include arch specific files in the -devel subpackage

- ship only one sample plugin in the -devel subpackage

* Tue Sep 25 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p3-1

- update to 1.8.6p3

- drop -pipelist patch (fixed in upstream)

* Thu Sep  6 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6-1

- update to 1.8.6

* Thu Jul 26 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-4

- added patches that fix & improve SSSD support (thanks to pbrezina@redhat.com)

- re-enabled SSSD support

- removed libsss_sudo dependency

* Tue Jul 24 2012 Bill Nottingham <notting@redhat.com> - 1.8.5-3

- flip sudoers2ldif executable bit after make install, not in setup

* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.5-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Thu May 17 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-1

- update to 1.8.5

- fixed CVE-2012-2337

- temporarily disabled SSSD support

* Wed Feb 29 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-6

- fixed problems with undefined symbols (rhbz#798517)

* Wed Feb 22 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-5

- SSSD patch update

* Tue Feb  7 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-4

- added SSSD support

* Thu Jan 26 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-3

- added patch for CVE-2012-0809

* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.3p1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Thu Nov 10 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-1

- update to 1.8.3p1

- disable output word wrapping if the output is piped

* Wed Sep  7 2011 Peter Robinson <pbrobinson@fedoraproject.org> - 1.8.1p2-2

- Remove execute bit from sample script in docs so we don't pull in perl

* Tue Jul 12 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.1p2-1

- rebase to 1.8.1p2

- removed .sudoi patch

- fixed typo: RELPRO -> RELRO

- added -devel subpackage for the sudo_plugin.h header file

- use default ldap configuration files again

* Fri Jun  3 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-4

- build with RELRO

* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.4p5-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Mon Jan 17 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-2

- rebase to 1.7.4p5

- fixed sudo-1.7.4p4-getgrouplist.patch

- fixes CVE-2011-0008, CVE-2011-0010

* Tue Nov 30 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-5

- anybody in the wheel group has now root access (using password) (rhbz#656873)

- sync configuration paths with the nss_ldap package (rhbz#652687)

* Wed Sep 29 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-4

- added upstream patch to fix rhbz#638345

* Mon Sep 20 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-3

- added patch for #635250

- /var/run/sudo -> /var/db/sudo in .spec

* Tue Sep  7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-2

- sudo now uses /var/db/sudo for timestamps

* Tue Sep  7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-1

- update to new upstream version

- new command available: sudoreplay

- use native audit support

- corrected license field value: BSD -> ISC

* Wed Jun  2 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-2

- added patch that fixes insufficient environment sanitization issue (#598154)

* Wed Apr 14 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-1

- update to new upstream version

- merged .audit and .libaudit patch

- added sudoers.ldap.5* to files

* Mon Mar  1 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p5-2

- update to new upstream version

* Tue Feb 16 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-5

- fixed no valid sudoers sources found (#558875)

* Wed Feb 10 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-4

- audit related Makefile.in and configure.in corrections

- added --with-audit configure option

- removed call to libtoolize

* Wed Feb 10 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-3

- fixed segfault when #include directive is used in cycles (#561336)

* Fri Jan  8 2010 Ville Skyttä <ville.skytta@iki.fi> - 1.7.2p2-2

- Add /etc/sudoers.d dir and use it in default config (#551470).

- Drop *.pod man page duplicates from docs.

* Thu Jan 07 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-1

- new upstream version 1.7.2p2-1

- commented out unused aliases in sudoers to make visudo happy (#550239)

* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 1.7.1-7

- rebuilt with new audit

* Thu Aug 20 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-6

- moved secure_path from compile-time option to sudoers file (#517428)

* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.1-5

- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Thu Jul 09 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-4

- moved the closefrom() call before audit_help_open() (sudo-1.7.1-auditfix.patch)

- epoch number sync

* Mon Jun 22 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-1

- updated sudo to version 1.7.1

- fixed small bug in configure.in (sudo-1.7.1-conffix.patch)

* Tue Feb 24 2009 Daniel Kopecek <dkopecek@redhat.com> 1.6.9p17-6

- fixed building with new libtool

- fix for incorrect handling of groups in Runas_User

- added /usr/local/sbin to secure-path

* Tue Jan 13 2009 Daniel Kopecek <dkopecek@redhat.com> 1.6.9p17-3

- build with sendmail installed

- Added /usr/local/bin to secure-path

* Tue Sep 02 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p17-2

- adjust audit patch, do not scream when kernel is

  compiled without audit netlink support (#401201)

* Fri Jul 04 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p17-1

- upgrade

* Wed Jun 18 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-7

- build with newer autoconf-2.62 (#449614)

* Tue May 13 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-6

- compiled with secure path (#80215)

* Mon May 05 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-5

- fix path to updatedb in /etc/sudoers (#445103)

* Mon Mar 31 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-4

- include ldap files in rpm package (#439506)

* Thu Mar 13 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-3

- include [sudo] in password prompt (#437092)

* Tue Mar 04 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-2

- audit support improvement

* Thu Feb 21 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-1

- upgrade to the latest upstream release

* Wed Feb 06 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p12-1

- upgrade to the latest upstream release