diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9e53a0f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/sudo-1.8.25p1.tar.gz
diff --git a/.sudo.metadata b/.sudo.metadata
new file mode 100644
index 0000000..a9c3233
--- /dev/null
+++ b/.sudo.metadata
@@ -0,0 +1 @@
+dc49b91ffbd9cd5e1d1eaaf001c42f71f869f377 SOURCES/sudo-1.8.25p1.tar.gz
diff --git a/SOURCES/sudo-1.6.7p5-strip.patch b/SOURCES/sudo-1.6.7p5-strip.patch
new file mode 100644
index 0000000..f9e2faa
--- /dev/null
+++ b/SOURCES/sudo-1.6.7p5-strip.patch
@@ -0,0 +1,11 @@
+--- sudo-1.6.7p5/install-sh.strip	2005-07-21 14:28:25.000000000 +0200
++++ sudo-1.6.7p5/install-sh	2005-07-21 14:29:18.000000000 +0200
+@@ -138,7 +138,7 @@
+ 	fi
+ 	;;
+     X-s)
+-	STRIPIT=true
++	#STRIPIT=true
+ 	;;
+     X--)
+ 	shift
diff --git a/SOURCES/sudo-1.7.2p1-envdebug.patch b/SOURCES/sudo-1.7.2p1-envdebug.patch
new file mode 100644
index 0000000..94c719a
--- /dev/null
+++ b/SOURCES/sudo-1.7.2p1-envdebug.patch
@@ -0,0 +1,27 @@
+From 44a602b49365969e56c63c9f12eda197e951302f Mon Sep 17 00:00:00 2001
+From: Tomas Sykora <tosykora@redhat.com>
+Date: Fri, 19 Aug 2016 14:07:35 +0200
+Subject: [PATCH 02/10] Added "Enviroment debugging" message
+
+rebased from:
+Patch2: sudo-1.7.2p1-envdebug.patch
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 9feddfd..39a2d86 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1390,7 +1390,7 @@ AC_ARG_ENABLE(env_debug,
+ [AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])],
+ [ case "$enableval" in
+     yes)	AC_MSG_RESULT(yes)
+-		AC_DEFINE(ENV_DEBUG)
++		AC_DEFINE(ENV_DEBUG, [], [Environment debugging.])
+ 		;;
+     no)		AC_MSG_RESULT(no)
+ 		;;
+-- 
+2.7.4
+
diff --git a/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch b/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
new file mode 100644
index 0000000..25bbfe9
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
@@ -0,0 +1,70 @@
+diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok
+--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix	2018-09-24 18:10:37.235000000 +0200
++++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok	2018-09-24 18:11:40.153000000 +0200
+@@ -34,7 +34,7 @@
+         },
+         {
+             "Binding": [
+-                { "username": "%them" }
++                { "usergroup": "them" }
+             ],
+             "Options": [
+                 { "set_home": true }
+@@ -42,7 +42,7 @@
+         },
+         {
+             "Binding": [
+-                { "username": "%: non UNIX 0 c" }
++                { "nonunixgroup": " non UNIX 0 c" }
+             ],
+             "Options": [
+                 { "set_home": true }
+@@ -50,7 +50,7 @@
+         },
+         {
+             "Binding": [
+-                { "username": "+net" }
++                { "netgroup": "net" }
+             ],
+             "Options": [
+                 { "set_home": true }
+diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok
+--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix	2018-09-24 18:10:25.216000000 +0200
++++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok	2018-09-24 18:11:45.213000000 +0200
+@@ -29,9 +29,9 @@ DEFAULTS_HOST BEGINSTR STRBODY ENDSTR WO
+ #
+ DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR 
+ DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR 
+-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR 
+-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR 
+-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR 
++DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR 
++DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR 
++DEFAULTS_USER BEGINSTR STRBODY ENDSTR NETGROUP DEFVAR 
+ 
+ #
+ DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR 
+diff -up sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.c
+--- sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix	2018-04-29 21:59:23.000000000 +0200
++++ sudo-1.8.23/plugins/sudoers/toke.c	2018-09-24 18:06:15.527000000 +0200
+@@ -2395,7 +2395,7 @@ YY_RULE_SETUP
+ 				LEXTRACE("ERROR "); /* empty string */
+ 				LEXRETURN(ERROR);
+ 			    }
+-			    if (prev_state == INITIAL) {
++			    if (prev_state == INITIAL || prev_state == GOTDEFS) {
+ 				switch (sudoerslval.string[0]) {
+ 				case '%':
+ 				    if (sudoerslval.string[1] == '\0' ||
+diff -up sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.l
+--- sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix	2018-04-29 21:59:23.000000000 +0200
++++ sudo-1.8.23/plugins/sudoers/toke.l	2018-09-24 18:06:15.528000000 +0200
+@@ -187,7 +187,7 @@ DEFVAR			[a-z_]+
+ 				LEXTRACE("ERROR "); /* empty string */
+ 				LEXRETURN(ERROR);
+ 			    }
+-			    if (prev_state == INITIAL) {
++			    if (prev_state == INITIAL || prev_state == GOTDEFS) {
+ 				switch (sudoerslval.string[0]) {
+ 				case '%':
+ 				    if (sudoerslval.string[1] == '\0' ||
diff --git a/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch b/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch
new file mode 100644
index 0000000..9698d23
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch
@@ -0,0 +1,27 @@
+diff -up sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix sudo-1.8.23/plugins/sudoers/ldap.c
+--- sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix	2018-04-29 21:59:31.000000000 +0200
++++ sudo-1.8.23/plugins/sudoers/ldap.c	2018-06-18 08:34:01.202686941 +0200
+@@ -1189,8 +1189,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
+     if (ldap_conf.search_filter)
+ 	sz += strlen(ldap_conf.search_filter);
+ 
+-    /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
+-    sz += 29 + sudo_ldap_value_len(pw->pw_name);
++    /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */
++    sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name);
+ 
+     /* Add space for primary and supplementary groups and gids */
+     if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
+@@ -1253,6 +1253,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
+     CHECK_LDAP_VCAT(buf, pw->pw_name, sz);
+     CHECK_STRLCAT(buf, ")", sz);
+ 
++    /* Append user uid */
++    (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid);
++    (void) strlcat(buf, "(sudoUser=#", sz);
++    (void) strlcat(buf, gidbuf, sz);
++    (void) strlcat(buf, ")", sz);
++
+     /* Append primary group and gid */
+     if (grp != NULL) {
+ 	CHECK_STRLCAT(buf, "(sudoUser=%", sz);
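Review bot: The three `strlcat()` calls added under `/* Append user uid */` discard their return values, while the neighbouring appends in this function go through `CHECK_STRLCAT` / `CHECK_LDAP_VCAT`, so a truncated filter would pass silently into the LDAP search used for the sudoers lookup. The size estimate in the first hunk (`12 + MAX_UID_T_LEN`) does appear to cover `(sudoUser=#`, the digits and `)`, so this is defence in depth rather than a demonstrated overflow, but the checked macro keeps the function's invariant in one place: `CHECK_STRLCAT(buf, "(sudoUser=#", sz); CHECK_STRLCAT(buf, gidbuf, sz); CHECK_STRLCAT(buf, ")", sz);`. Reusing `gidbuf` for a uid deserves a short comment, and its declaration is outside the hunk, so its size relative to `MAX_UID_T_LEN` cannot be confirmed from here. sudo_ldap_build_pass1 starts and ends outside the hunk.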
diff --git a/SOURCES/sudo-1.8.23-legacy-group-processing.patch b/SOURCES/sudo-1.8.23-legacy-group-processing.patch
new file mode 100644
index 0000000..8cb6a8f
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-legacy-group-processing.patch
@@ -0,0 +1,89 @@
+diff -up ./plugins/sudoers/cvtsudoers.c.legacy-processing ./plugins/sudoers/cvtsudoers.c
+--- ./plugins/sudoers/cvtsudoers.c.legacy-processing	2018-09-26 12:27:13.087680204 +0200
++++ ./plugins/sudoers/cvtsudoers.c	2018-09-26 12:30:59.222466620 +0200
+@@ -321,6 +321,15 @@ main(int argc, char *argv[])
+ 	sudo_fatalx("error: unhandled input %d", input_format);
+     }
+ 
++    /*
++     * cvtsudoers group filtering doesn't work if def_match_group_by_gid
++     * is set to true by default (at compile-time). It cannot be set to false
++     * because cvtsudoers doesn't apply the parsed Defaults.
++     *
++     * Related: sudo-1.8.23-legacy-group-processing.patch
++     */
++    def_match_group_by_gid = def_legacy_group_processing = false;
++
+     /* Apply filters. */
+     filter_userspecs(&parsed_policy, conf);
+     filter_defaults(&parsed_policy, conf);
+diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaults.c
+--- ./plugins/sudoers/defaults.c.legacy-processing	2018-09-02 14:30:08.000000000 +0200
++++ ./plugins/sudoers/defaults.c	2018-09-26 12:27:13.087680204 +0200
+@@ -86,6 +86,7 @@ static struct early_default early_defaul
+     { I_FQDN },
+ #endif
+     { I_MATCH_GROUP_BY_GID },
++    { I_LEGACY_GROUP_PROCESSING },
+     { I_GROUP_PLUGIN },
+     { I_RUNAS_DEFAULT },
+     { I_SUDOERS_LOCALE },
+@@ -487,6 +488,8 @@ init_defaults(void)
+     }
+ 
+     /* First initialize the flags. */
++    def_legacy_group_processing = true;
++    def_match_group_by_gid = true;
+ #ifdef LONG_OTP_PROMPT
+     def_long_otp_prompt = true;
+ #endif
+diff -up ./plugins/sudoers/def_data.c.legacy-processing ./plugins/sudoers/def_data.c
+--- ./plugins/sudoers/def_data.c.legacy-processing	2018-08-18 16:10:15.000000000 +0200
++++ ./plugins/sudoers/def_data.c	2018-09-26 12:27:13.087680204 +0200
+@@ -494,6 +494,10 @@ struct sudo_defs_types sudo_defs_table[]
+ 	N_("Ignore case when matching group names"),
+ 	NULL,
+     }, {
++	"legacy_group_processing", T_FLAG,
++	N_("Don't pre-resolve all group names"),
++	NULL,
++    }, {
+ 	NULL, 0, NULL
+     }
+ };
+diff -up ./plugins/sudoers/def_data.h.legacy-processing ./plugins/sudoers/def_data.h
+--- ./plugins/sudoers/def_data.h.legacy-processing	2018-08-18 16:10:15.000000000 +0200
++++ ./plugins/sudoers/def_data.h	2018-09-26 12:27:13.087680204 +0200
+@@ -226,6 +226,8 @@
+ #define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag)
+ #define I_CASE_INSENSITIVE_GROUP 113
+ #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
++#define I_LEGACY_GROUP_PROCESSING 114
++#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
+ 
+ enum def_tuple {
+ 	never,
+diff -up ./plugins/sudoers/def_data.in.legacy-processing ./plugins/sudoers/def_data.in
+--- ./plugins/sudoers/def_data.in.legacy-processing	2018-08-18 16:10:15.000000000 +0200
++++ ./plugins/sudoers/def_data.in	2018-09-26 12:27:13.088680212 +0200
+@@ -357,3 +357,6 @@ case_insensitive_user
+ case_insensitive_group
+ 	T_FLAG
+ 	"Ignore case when matching group names"
++legacy_group_processing
++	T_FLAG
++	"Don't pre-resolve all group names"
+diff -up ./plugins/sudoers/sudoers.c.legacy-processing ./plugins/sudoers/sudoers.c
+--- ./plugins/sudoers/sudoers.c.legacy-processing	2018-08-18 16:10:25.000000000 +0200
++++ ./plugins/sudoers/sudoers.c	2018-09-26 12:27:13.088680212 +0200
+@@ -212,6 +212,10 @@ sudoers_policy_init(void *info, char * c
+     if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
+ 	ret = true;
+ 
++    if (!def_match_group_by_gid || !def_legacy_group_processing) {
++        def_match_group_by_gid = false;
++	def_legacy_group_processing = false;
++    }
+ cleanup:
+     if (!restore_perms())
+ 	ret = -1;
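Review bot: The block added before `cleanup:` in sudoers_policy_init clears both `def_match_group_by_gid` and `def_legacy_group_processing` whenever either is false, but has no comment, so a reader cannot tell that turning off one of them in sudoers is meant to turn off the other. Together with the init_defaults hunk, which now sets both flags to true at start-up, this changes how group entries in sudoers are matched by default, and that belongs in a comment here and in the manual text for the new option. Something like `/* The two flags are treated as a pair: disabling either one in sudoers disables both. */` above the `if` would do. The two assignment lines inside the block also mix spaces and a tab for indentation, and `I_LEGACY_GROUP_PROCESSING 114` is hand-edited in def_data.h, so it must stay in step with the table order in def_data.c. The function body continues outside the hunk.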
diff --git a/SOURCES/sudo-1.8.23-nowaitopt.patch b/SOURCES/sudo-1.8.23-nowaitopt.patch
new file mode 100644
index 0000000..6406396
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-nowaitopt.patch
@@ -0,0 +1,61 @@
+diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.c
+--- sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt	2018-06-18 09:36:34.249307795 +0200
++++ sudo-1.8.23/plugins/sudoers/def_data.c	2018-06-18 09:43:12.122986032 +0200
+@@ -498,6 +498,10 @@ struct sudo_defs_types sudo_defs_table[]
+ 	N_("Don't pre-resolve all group names"),
+ 	NULL,
+     }, {
++	"cmnd_no_wait", T_FLAG,
++	N_("Don't fork and wait for the command to finish, just exec it"),
++	NULL,
++    }, {
+ 	NULL, 0, NULL
+     }
+ };
+diff -up sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.h
+--- sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt	2018-06-18 09:36:34.250307792 +0200
++++ sudo-1.8.23/plugins/sudoers/def_data.h	2018-06-18 09:43:44.541878327 +0200
+@@ -228,6 +228,8 @@
+ #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
+ #define I_LEGACY_GROUP_PROCESSING 114
+ #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
++#define I_CMND_NO_WAIT          115
++#define def_cmnd_no_wait        (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
+ 
+ enum def_tuple {
+ 	never,
+diff -up sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.in
+--- sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt	2018-06-18 09:36:34.250307792 +0200
++++ sudo-1.8.23/plugins/sudoers/def_data.in	2018-06-18 09:45:00.076627403 +0200
+@@ -360,3 +360,6 @@ case_insensitive_group
+ legacy_group_processing
+ 	T_FLAG
+ 	"Don't pre-resolve all group names"
++cmnd_no_wait
++	T_FLAG
++	"Don't fork and wait for the command to finish, just exec it"
+diff -up sudo-1.8.23/plugins/sudoers/policy.c.nowaitopt sudo-1.8.23/plugins/sudoers/policy.c
+diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt sudo-1.8.23/plugins/sudoers/sudoers.c
+--- sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt	2018-06-18 11:31:51.883751328 +0200
++++ sudo-1.8.23/plugins/sudoers/sudoers.c	2018-06-18 11:31:03.670899166 +0200
+@@ -213,6 +213,20 @@ sudoers_policy_init(void *info, char * c
+         def_match_group_by_gid = false;
+ 	def_legacy_group_processing = false;
+     }
++
++    /*
++     * Emulate cmnd_no_wait option by disabling PAM session, PTY allocation
++     * and I/O logging. This will cause sudo to execute the given command
++     * directly instead of forking a separate process for it.
++     */
++    if (def_cmnd_no_wait) {
++        def_pam_setcred = false;
++        def_pam_session = false;
++        def_use_pty = false;
++        def_log_input = false;
++        def_log_output = false;
++    }
++
+ cleanup:
+     if (!restore_perms())
+ 	ret = -1;
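Review bot: With `cmnd_no_wait` set, the added block in sudoers_policy_init forces `def_log_input`, `def_log_output` and `def_use_pty` to false, so a sudoers file that also requests I/O logging loses session recording with no warning or log entry. The option's description string (`"Don't fork and wait for the command to finish, just exec it"`) gives an administrator or auditor no hint of this. I would extend the block comment with `* NOTE: this overrides log_input, log_output, use_pty and the PAM session settings from sudoers; no session recording is produced.` and repeat the same in the description or manual. The `diff -up ... policy.c.nowaitopt` header just before the sudoers.c section carries no hunks and can be dropped from the patch. The function body continues outside the hunk.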
diff --git a/SOURCES/sudo-1.8.23-sudoldapconfman.patch b/SOURCES/sudo-1.8.23-sudoldapconfman.patch
new file mode 100644
index 0000000..d290162
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-sudoldapconfman.patch
@@ -0,0 +1,32 @@
+diff -up sudo-1.8.23/doc/Makefile.in.sudoldapconfman sudo-1.8.23/doc/Makefile.in
+--- sudo-1.8.23/doc/Makefile.in.sudoldapconfman	2018-04-29 21:59:31.000000000 +0200
++++ sudo-1.8.23/doc/Makefile.in	2018-05-17 13:56:24.693651178 +0200
+@@ -345,10 +345,16 @@ install-doc: install-dirs
+ 	    rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
+ 	    echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
+ 	    ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
++	    rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
++           echo ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
++           ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
+ 	else \
+ 	    rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
+ 	    echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
+ 	    ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
++	    rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
++           echo ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
++           ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
+ 	fi
+ 
+ install-plugin:
+@@ -363,8 +369,9 @@ uninstall:
+ 		$(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \
+ 		$(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \
+ 		$(DESTDIR)$(mandirform)/sudoers.$(mansectform) \
+-		$(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform)
+-		$(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
++		$(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) \
++		$(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) \
++		$(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)
+ 
+ splint:
+ 
diff --git a/SOURCES/sudo-1.8.25-c-option-help.patch b/SOURCES/sudo-1.8.25-c-option-help.patch
new file mode 100644
index 0000000..5836052
--- /dev/null
+++ b/SOURCES/sudo-1.8.25-c-option-help.patch
@@ -0,0 +1,25 @@
+From 142b370c1f928549db3b357a495d151c7cd87f65 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Tue, 11 Dec 2018 09:05:04 -0700
+Subject: [PATCH 2/4] The -c option was missing from the help info; from
+ Radovan Sroka
+
+---
+ plugins/sudoers/cvtsudoers.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plugins/sudoers/cvtsudoers.c b/plugins/sudoers/cvtsudoers.c
+index 795936c1..0221314b 100644
+--- a/plugins/sudoers/cvtsudoers.c
++++ b/plugins/sudoers/cvtsudoers.c
+@@ -1315,6 +1315,7 @@ help(void)
+     usage(0);
+     (void) puts(_("\nOptions:\n"
+ 	"  -b, --base=dn              the base DN for sudo LDAP queries\n"
++	"  -c, --config=conf_file     the path to the configuration file\n"
+ 	"  -d, --defaults=deftypes    only convert Defaults of the specified types\n"
+ 	"  -e, --expand-aliases       expand aliases when converting\n"
+ 	"  -f, --output-format=format set output format: JSON, LDIF or sudoers\n"
+-- 
+2.17.2
+
diff --git a/SOURCES/sudo-1.8.25-sudoreplay-missing-options-help.patch b/SOURCES/sudo-1.8.25-sudoreplay-missing-options-help.patch
new file mode 100644
index 0000000..88fa081
--- /dev/null
+++ b/SOURCES/sudo-1.8.25-sudoreplay-missing-options-help.patch
@@ -0,0 +1,27 @@
+diff -up ./plugins/sudoers/sudoreplay.c.sudoreplay-help ./plugins/sudoers/sudoreplay.c
+--- ./plugins/sudoers/sudoreplay.c.sudoreplay-help	2018-12-11 18:12:56.715098760 +0100
++++ ./plugins/sudoers/sudoreplay.c	2018-12-11 18:18:34.345184173 +0100
+@@ -1582,13 +1582,16 @@ help(void)
+     (void) printf(_("%s - replay sudo session logs\n\n"), getprogname());
+     usage(0);
+     (void) puts(_("\nOptions:\n"
+-	"  -d, --directory=dir  specify directory for session logs\n"
+-	"  -f, --filter=filter  specify which I/O type(s) to display\n"
+-	"  -h, --help           display help message and exit\n"
+-	"  -l, --list           list available session IDs, with optional expression\n"
+-	"  -m, --max-wait=num   max number of seconds to wait between events\n"
+-	"  -s, --speed=num      speed up or slow down output\n"
+-	"  -V, --version        display version information and exit"));
++       "  -d, --directory=dir    specify directory for session logs\n"
++       "  -f, --filter=filter    specify which I/O type(s) to display\n"
++       "  -h, --help             display help message and exit\n"
++       "  -l, --list             list available session IDs, with optional expression\n"
++       "  -m, --max-wait=num     max number of seconds to wait between events\n"
++       "  -n, --non-interactive  no prompts, session is sent to the standard output\n"
++       "  -R, --no-resize        do not attempt to re-size the terminal\n"
++       "  -S, --suspend-wait     wait while the command was suspended\n"
++       "  -s, --speed=num        speed up or slow down output\n"
++       "  -V, --version          display version information and exit"));
+     exit(0);
+ }
+ 
diff --git a/SOURCES/sudo-1.8.25-typos-manpages.patch b/SOURCES/sudo-1.8.25-typos-manpages.patch
new file mode 100644
index 0000000..32c645e
--- /dev/null
+++ b/SOURCES/sudo-1.8.25-typos-manpages.patch
@@ -0,0 +1,80 @@
+From 04a4b3c1fcc1526ff1ea73597a1764cb160d400b Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Tue, 11 Dec 2018 09:02:30 -0700
+Subject: [PATCH 1/4] Fix some typos; reported by Radovan Sroka
+
+---
+ doc/cvtsudoers.cat     | 6 +++---
+ doc/cvtsudoers.man.in  | 6 +++---
+ doc/cvtsudoers.mdoc.in | 6 +++---
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/doc/cvtsudoers.cat b/doc/cvtsudoers.cat
+index 61bf3a28..9c1ef140 100644
+--- a/doc/cvtsudoers.cat
++++ b/doc/cvtsudoers.cat
+@@ -24,7 +24,7 @@ DDEESSCCRRIIPPTTIIOONN
+      --bb _d_n, ----bbaassee=_d_n
+                  The base DN (distinguished name) that will be used when
+                  performing LDAP queries.  Typically this is of the form
+-                 ou=SUDOers,dc=-mydomain,dc=com for the domain my-domain.com.
++                 ou=SUDOers,dc=my-domain,dc=com for the domain my-domain.com.
+                  If this option is not specified, the value of the
+                  SUDOERS_BASE environment variable will be used instead.  Only
+                  necessary when converting to LDIF format.
+@@ -60,7 +60,7 @@ DDEESSCCRRIIPPTTIIOONN
+                  Expand aliases in _i_n_p_u_t___f_i_l_e.  Aliases are preserved by
+                  default when the output _f_o_r_m_a_t is JSON or sudoers.
+ 
+-     --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t
++     --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----oouuttppuutt--ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t
+                  Specify the output format (case-insensitive).  The following
+                  formats are supported:
+ 
+diff --git a/doc/cvtsudoers.man.in b/doc/cvtsudoers.man.in
+index b159ee5d..2f45ee1d 100644
+--- a/doc/cvtsudoers.man.in
++++ b/doc/cvtsudoers.man.in
+@@ -59,7 +59,7 @@ The options are as follows:
+ The base DN (distinguished name) that will be used when performing
+ LDAP queries.
+ Typically this is of the form
+-\fRou=SUDOers,dc=-mydomain,dc=com\fR
++\fRou=SUDOers,dc=my-domain,dc=com\fR
+ for the domain
+ \fRmy-domain.com\fR.
+ If this option is not specified, the value of the
+@@ -125,7 +125,7 @@ Aliases are preserved by default when the output
+ \fIformat\fR
+ is JSON or sudoers.
+ .TP 12n
+-\fB\-f\fR \fIoutput_format\fR, \fB\--format\fR=\fIoutput_format\fR
++\fB\-f\fR \fIoutput_format\fR, \fB\--output-format\fR=\fIoutput_format\fR
+ Specify the output format (case-insensitive).
+ The following formats are supported:
+ .PP
+diff --git a/doc/cvtsudoers.mdoc.in b/doc/cvtsudoers.mdoc.in
+index 1812bc67..8261ddc6 100644
+--- a/doc/cvtsudoers.mdoc.in
++++ b/doc/cvtsudoers.mdoc.in
+@@ -57,7 +57,7 @@ The options are as follows:
+ The base DN (distinguished name) that will be used when performing
+ LDAP queries.
+ Typically this is of the form
+-.Li ou=SUDOers,dc=-mydomain,dc=com
++.Li ou=SUDOers,dc=my-domain,dc=com
+ for the domain
+ .Li my-domain.com .
+ If this option is not specified, the value of the
+@@ -110,7 +110,7 @@ Expand aliases in
+ Aliases are preserved by default when the output
+ .Ar format
+ is JSON or sudoers.
+-.It Fl f Ar output_format , Fl -format Ns = Ns Ar output_format
++.It Fl f Ar output_format , Fl -output-format Ns = Ns Ar output_format
+ Specify the output format (case-insensitive).
+ The following formats are supported:
+ .Bl -tag -width 8n
+-- 
+2.17.2
+
diff --git a/SOURCES/sudo-1.8.6p7-logsudouser.patch b/SOURCES/sudo-1.8.6p7-logsudouser.patch
new file mode 100644
index 0000000..c3742a0
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-logsudouser.patch
@@ -0,0 +1,90 @@
+From 06b46ae226fecd4188af372ac0ccd7aa582e21c8 Mon Sep 17 00:00:00 2001
+From: Tomas Sykora <tosykora@redhat.com>
+Date: Wed, 17 Aug 2016 10:12:11 +0200
+Subject: [PATCH] Sudo logs username root instead of realuser
+
+RHEL7 sudo logs username root instead of realuser in /var/log/secure
+
+Rebased from:
+Patch50: sudo-1.8.6p7-logsudouser.patch
+
+Resolves:
+rhbz#1312486
+---
+ plugins/sudoers/logging.c | 14 +++++++-------
+ plugins/sudoers/sudoers.h |  1 +
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
+index 45cae67..74b2220 100644
+--- a/plugins/sudoers/logging.c
++++ b/plugins/sudoers/logging.c
+@@ -104,7 +104,7 @@ do_syslog(int pri, char *msg)
+      * Log the full line, breaking into multiple syslog(3) calls if necessary
+      */
+     fmt = _("%8s : %s");
+-    maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name));
++    maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
+     for (p = msg; *p != '\0'; ) {
+ 	len = strlen(p);
+ 	if (len > maxlen) {
+@@ -120,7 +120,7 @@ do_syslog(int pri, char *msg)
+ 	    save = *tmp;
+ 	    *tmp = '\0';
+ 
+-	    mysyslog(pri, fmt, user_name, p);
++	    mysyslog(pri, fmt, sudo_user_name, p);
+ 
+ 	    *tmp = save;			/* restore saved character */
+ 
+@@ -128,11 +128,11 @@ do_syslog(int pri, char *msg)
+ 	    for (p = tmp; *p == ' '; p++)
+ 		continue;
+ 	} else {
+-	    mysyslog(pri, fmt, user_name, p);
++	    mysyslog(pri, fmt, sudo_user_name, p);
+ 	    p += len;
+ 	}
+ 	fmt = _("%8s : (command continued) %s");
+-	maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name));
++	maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
+     }
+ 
+     sudoers_setlocale(oldlocale, NULL);
+@@ -179,10 +179,10 @@ do_logfile(const char *msg)
+ 	timestr = "invalid date";
+     if (def_log_host) {
+ 	len = asprintf(&full_line, "%s : %s : HOST=%s : %s",
+-	    timestr, user_name, user_srunhost, msg);
++	    timestr, sudo_user_name, user_srunhost, msg);
+     } else {
+ 	len = asprintf(&full_line, "%s : %s : %s",
+-	    timestr, user_name, msg);
++	    timestr, sudo_user_name, msg);
+     }
+     if (len == -1) {
+ 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+@@ -746,7 +746,7 @@ send_mail(const char *fmt, ...)
+ 
+     if ((timestr = get_timestr(time(NULL), def_log_year)) == NULL)
+ 	timestr = "invalid date";
+-    (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, user_name);
++    (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, sudo_user_name);
+     va_start(ap, fmt);
+     (void) vfprintf(mail, fmt, ap);
+     va_end(ap);
+diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
+index cfd5abb..c69a043 100644
+--- a/plugins/sudoers/sudoers.h
++++ b/plugins/sudoers/sudoers.h
+@@ -180,6 +180,7 @@ struct sudo_user {
+ /*
+  * Shortcuts for sudo_user contents.
+  */
++#define sudo_user_name		(sudo_user.pw->pw_name)
+ #define user_name		(sudo_user.name)
+ #define user_uid		(sudo_user.uid)
+ #define user_gid		(sudo_user.gid)
+-- 
+2.7.4
+
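Review bot: The new `sudo_user_name` macro in sudoers.h dereferences `sudo_user.pw` without a NULL check, and it now replaces `user_name` in do_syslog, do_logfile and send_mail, which are the paths used to report failures. If any of them can run before `sudo_user.pw` is populated (not visible in these hunks), logging an early error would itself fault. A guarded form such as `#define sudo_user_name (sudo_user.pw ? sudo_user.pw->pw_name : user_name)` would keep the previous value as a fallback. The macro also needs a one-line comment saying how it differs from `user_name`, because the name recorded in syslog, the log file and mail is what audit tooling keys on.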
diff --git a/SOURCES/sudo-ldap.conf b/SOURCES/sudo-ldap.conf
new file mode 100644
index 0000000..d8f8e4d
--- /dev/null
+++ b/SOURCES/sudo-ldap.conf
@@ -0,0 +1,86 @@
+## BINDDN DN
+##  The BINDDN parameter specifies the identity, in the form of a Dis‐
+##  tinguished Name (DN), to use when performing LDAP operations.  If
+##  not specified, LDAP operations are performed with an anonymous
+##  identity.  By default, most LDAP servers will allow anonymous
+##  access.
+##
+#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+## BINDPW secret
+##  The BINDPW parameter specifies the password to use when performing
+##  LDAP operations.  This is typically used in conjunction with the
+##  BINDDN parameter.
+##
+#bindpw secret
+
+## SSL start_tls
+##  If the SSL parameter is set to start_tls, the LDAP server connec‐
+##  tion is initiated normally and TLS encryption is begun before the
+##  bind credentials are sent.  This has the advantage of not requiring
+##  a dedicated port for encrypted communications.  This parameter is
+##  only supported by LDAP servers that honor the start_tls extension,
+##  such as the OpenLDAP and Tivoli Directory servers.
+##
+#ssl start_tls
+
+## TLS_CACERTFILE file name
+##  The path to a certificate authority bundle which contains the cer‐
+##  tificates for all the Certificate Authorities the client knows to
+##  be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only sup‐
+##  ported by the OpenLDAP libraries.  Netscape-derived LDAP libraries
+##  use the same certificate database for CA and client certificates
+##  (see TLS_CERT).
+##
+#tls_cacertfile /path/to/CA.crt
+
+## TLS_CHECKPEER on/true/yes/off/false/no
+##  If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐
+##  cated to be verified.  If the server's TLS certificate cannot be
+##  verified (usually because it is signed by an unknown certificate
+##  authority), sudo will be unable to connect to it.  If TLS_CHECKPEER
+##  is disabled, no check is made.  Note that disabling the check cre‐
+##  ates an opportunity for man-in-the-middle attacks since the
+##  server's identity will not be authenticated.  If possible, the CA's
+##  certificate should be installed locally so it can be verified.
+##  This option is not supported by the Tivoli Directory Server LDAP
+##  libraries.
+#tls_checkpeer yes
+
+##
+## URI ldap[s]://[hostname[:port]] ...
+##  Specifies a whitespace-delimited list of one or more
+##  URIs describing the LDAP server(s) to connect to. 
+##
+#uri ldap://ldapserver
+
+##
+## SUDOERS_BASE base
+##  The base DN to use when performing sudo LDAP queries.
+##  Multiple SUDOERS_BASE lines may be specified, in which
+##  case they are queried in the order specified.
+##
+#sudoers_base ou=SUDOers,dc=example,dc=com
+
+##
+## BIND_TIMELIMIT seconds
+##  The BIND_TIMELIMIT parameter specifies the amount of
+##  time to wait while trying to connect to an LDAP server.
+##
+#bind_timelimit 30
+
+##
+## TIMELIMIT seconds
+##  The TIMELIMIT parameter specifies the amount of time
+##  to wait for a response to an LDAP query.
+##
+#timelimit 30
+
+##
+## SUDOERS_DEBUG debug_level
+##  This sets the debug level for sudo LDAP queries. Debugging
+##  information is printed to the standard error. A value of 1
+##  results in a moderate amount of debugging information.
+##  A value of 2 shows the results of the matches themselves.
+##
+#sudoers_debug 1
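Review bot: The template documents `bindpw` and ships `#uri ldap://ldapserver` with `#ssl start_tls` and `#tls_checkpeer yes` all commented out, but nothing warns that enabling only `uri`, `binddn` and `bindpw` sends the bind password over an unencrypted connection. I would add a line above `#bindpw secret` such as `##  If set, keep this file readable by root only and enable "ssl start_tls" (or an ldaps:// URI) with tls_checkpeer on.` The comment text also carries man-page hyphenation artefacts (`Dis‐ tinguished`, `connec‐ tion`, `cer‐ tificates`) that should be rejoined, and `certifi‐ cated` should read `certificate`.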
diff --git a/SOURCES/sudo.conf b/SOURCES/sudo.conf
new file mode 100644
index 0000000..3047842
--- /dev/null
+++ b/SOURCES/sudo.conf
@@ -0,0 +1,57 @@
+#
+# Default /etc/sudo.conf file
+#
+# Format:
+#   Plugin plugin_name plugin_path plugin_options ...
+#   Path askpass /path/to/askpass
+#   Path noexec /path/to/sudo_noexec.so
+#   Debug sudo /var/log/sudo_debug all@warn
+#   Set disable_coredump true
+#
+# Sudo plugins:
+#
+# The plugin_path is relative to ${prefix}/libexec unless fully qualified.
+# The plugin_name corresponds to a global symbol in the plugin
+#   that contains the plugin interface structure.
+# The plugin_options are optional.
+#
+# The sudoers plugin is used by default if no Plugin lines are present.
+Plugin sudoers_policy sudoers.so
+Plugin sudoers_io sudoers.so
+
+#
+# Sudo askpass:
+#
+# An askpass helper program may be specified to provide a graphical
+# password prompt for "sudo -A" support.  Sudo does not ship with its
+# own passpass program but can use the OpenSSH askpass.
+#
+# Use the OpenSSH askpass
+#Path askpass /usr/X11R6/bin/ssh-askpass
+#
+# Use the Gnome OpenSSH askpass
+#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
+
+#
+# Sudo noexec:
+#
+# Path to a shared library containing dummy versions of the execv(),
+# execve() and fexecve() library functions that just return an error.
+# This is used to implement the "noexec" functionality on systems that
+# support C<LD_PRELOAD> or its equivalent.
+# The compiled-in value is usually sufficient and should only be changed
+# if you rename or move the sudo_noexec.so file.
+#
+#Path noexec /usr/libexec/sudo_noexec.so
+
+#
+# Core dumps:
+#
+# By default, sudo disables core dumps while it is executing (they
+# are re-enabled for the command that is run).
+# To aid in debugging sudo problems, you may wish to enable core
+# dumps by setting "disable_coredump" to false.
+#
+# Set to false here so as not to interfere with /proc/sys/fs/suid_dumpable
+#
+Set disable_coredump false
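Review bot: `Set disable_coredump false` on the last line turns off sudo's own core-dump protection, and the comment above it only says this avoids interfering with `/proc/sys/fs/suid_dumpable`, without stating which value of that sysctl the package relies on. Because a core file from sudo may contain authentication material, the comment should spell out the assumption, for example `# Relies on fs.suid_dumpable being 0; set disable_coredump true if that sysctl is changed.` The askpass paragraph also has a typo, `passpass program` for `askpass program`.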
diff --git a/SOURCES/sudoers b/SOURCES/sudoers
new file mode 100644
index 0000000..93e02ba
--- /dev/null
+++ b/SOURCES/sudoers
@@ -0,0 +1,120 @@
+## Sudoers allows particular users to run various commands as
+## the root user, without needing the root password.
+##
+## Examples are provided at the bottom of the file for collections
+## of related commands, which can then be delegated out to particular
+## users or groups.
+## 
+## This file must be edited with the 'visudo' command.
+
+## Host Aliases
+## Groups of machines. You may prefer to use hostnames (perhaps using 
+## wildcards for entire domains) or IP addresses instead.
+# Host_Alias     FILESERVERS = fs1, fs2
+# Host_Alias     MAILSERVERS = smtp, smtp2
+
+## User Aliases
+## These aren't often necessary, as you can use regular groups
+## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
+## rather than USERALIAS
+# User_Alias ADMINS = jsmith, mikem
+
+
+## Command Aliases
+## These are groups of related commands...
+
+## Networking
+# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+
+## Installation and management of software
+# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
+
+## Services
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
+
+## Updating the locate database
+# Cmnd_Alias LOCATE = /usr/bin/updatedb
+
+## Storage
+# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
+
+## Delegating permissions
+# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 
+
+## Processes
+# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
+
+## Drivers
+# Cmnd_Alias DRIVERS = /sbin/modprobe
+
+# Defaults specification
+
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults   !visiblepw
+
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults    always_set_home
+Defaults    match_group_by_gid
+
+# Prior to version 1.8.15, groups listed in sudoers that were not
+# found in the system group database were passed to the group
+# plugin, if any. Starting with 1.8.15, only groups of the form
+# %:group are resolved via the group plugin by default.
+# We enable always_query_group_plugin to restore old behavior.
+# Disable this option for new behavior.
+Defaults    always_query_group_plugin
+
+Defaults    env_reset
+Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
+Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+
+#
+# Adding HOME to env_keep may enable a user to run unrestricted
+# commands via sudo.
+#
+# Defaults   env_keep += "HOME"
+
+Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+## Next comes the main part: which users can run what software on 
+## which machines (the sudoers file can be shared between multiple
+## systems).
+## Syntax:
+##
+## 	user	MACHINE=COMMANDS
+##
+## The COMMANDS section may have other options added to it.
+##
+## Allow root to run any commands anywhere 
+root	ALL=(ALL) 	ALL
+
+## Allows members of the 'sys' group to run networking, software, 
+## service management apps and more.
+# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
+
+## Allows people in group wheel to run all commands
+%wheel	ALL=(ALL)	ALL
+
+## Same thing without a password
+# %wheel	ALL=(ALL)	NOPASSWD: ALL
+
+## Allows members of the users group to mount and unmount the 
+## cdrom as root
+# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
+
+## Allows members of the users group to shutdown this system
+# %users  localhost=/sbin/shutdown -h now
+
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir /etc/sudoers.d
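Review bot: The commented `%sys ALL = NETWORKING, SOFTWARE, ...` example is described only as allowing "networking, software, service management apps and more", which understates what it grants. DELEGATING includes visudo, chown and chmod, and SOFTWARE, STORAGE and DRIVERS cover package installation, mounting and module loading, so anyone who uncomments the line gives that group effectively unrestricted root. I would add `## Note: several of these aliases (e.g. DELEGATING, SOFTWARE) are equivalent to full root; grant them only to users you would give ALL.` above the example. `Defaults match_group_by_gid` also has no comment of its own and reads as part of the HOME block above it; a line such as `# Match groups listed in sudoers by group ID instead of resolving each of the user's group IDs to a name.` would separate it.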
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
new file mode 100644
index 0000000..2300d28
--- /dev/null
+++ b/SPECS/sudo.spec
@@ -0,0 +1,969 @@
+Summary: Allows restricted root access for specified users
+Name: sudo
+Version: 1.8.25p1
+Release: 4%{?dist}
+License: ISC
+Group: Applications/System
+URL: http://www.courtesan.com/sudo/
+
+Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
+Source1: sudoers
+Source2: sudo-ldap.conf
+Source3: sudo.conf
+
+Requires: /etc/pam.d/system-auth
+Requires: /usr/bin/vi
+Requires(post): /bin/chmod
+
+BuildRequires: /usr/sbin/sendmail
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: bison
+BuildRequires: flex
+BuildRequires: gettext
+BuildRequires: groff
+BuildRequires: libtool
+BuildRequires: audit-libs-devel
+BuildRequires: libcap-devel
+BuildRequires: libgcrypt-devel
+BuildRequires: libselinux-devel
+BuildRequires: openldap-devel
+BuildRequires: pam-devel
+BuildRequires: zlib-devel
+
+# don't strip
+Patch1: sudo-1.6.7p5-strip.patch
+# 881258 - rpmdiff: added missing sudo-ldap.conf manpage
+Patch2: sudo-1.8.23-sudoldapconfman.patch
+# env debug patch
+Patch3: sudo-1.7.2p1-envdebug.patch
+# 1247591 - Sudo taking a long time when user information is stored externally.
+Patch4: sudo-1.8.23-legacy-group-processing.patch
+# 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option
+Patch5: sudo-1.8.23-ldapsearchuidfix.patch
+# 840980 - sudo creates a new parent process
+# Adds cmnd_no_wait Defaults option
+Patch6: sudo-1.8.23-nowaitopt.patch
+# 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure
+Patch7: sudo-1.8.6p7-logsudouser.patch
+# 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version
+Patch8: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
+# 1613327 - Man page scan results for sudo
+Patch9: sudo-1.8.25-typos-manpages.patch
+Patch10: sudo-1.8.25-c-option-help.patch
+Patch11: sudo-1.8.25-sudoreplay-missing-options-help.patch
+
+%description
+Sudo (superuser do) allows a system administrator to give certain
+users (or groups of users) the ability to run some (or all) commands
+as root while logging all commands and arguments. Sudo operates on a
+per-command basis.  It is not a replacement for the shell.  Features
+include: the ability to restrict what commands a user may run on a
+per-host basis, copious logging of each command (providing a clear
+audit trail of who did what), a configurable timeout of the sudo
+command, and the ability to use the same configuration file (sudoers)
+on many different machines.
+
+%package        devel
+Summary:        Development files for %{name}
+Group:          Development/Libraries
+Requires:       %{name} = %{version}-%{release}
+
+%description    devel
+The %{name}-devel package contains header files developing sudo
+plugins that use %{name}.
+
+%prep
+%setup -q
+
+%patch1 -p1 -b .strip
+%patch2 -p1 -b .sudoldapconfman
+%patch3 -p1 -b .env-debug
+%patch4 -p1 -b .legacy-processing
+%patch5 -p1 -b .ldap-search-uid
+%patch6 -p1 -b .nowait
+%patch7 -p1 -b .logsudouser
+%patch8 -p1 -b .double-quote
+
+%patch9 -p1 -b .typos
+%patch10 -p1 -b .c-option
+%patch11 -p1 -b .sudoreplay-help
+
+%build
+# Remove bundled copy of zlib
+rm -rf zlib/
+autoreconf -I m4 -fv --install
+
+%ifarch s390 s390x sparc64
+F_PIE=-fPIE
+%else
+F_PIE=-fpie
+%endif
+
+export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
+
+%configure \
+        --prefix=%{_prefix} \
+        --sbindir=%{_sbindir} \
+        --libdir=%{_libdir} \
+        --docdir=%{_pkgdocdir} \
+        --disable-root-mailer \
+        --with-logging=syslog \
+        --with-logfac=authpriv \
+        --with-pam \
+        --with-pam-login \
+        --with-editor=/bin/vi \
+        --with-env-editor \
+        --with-ignore-dot \
+        --with-tty-tickets \
+        --with-ldap \
+        --with-ldap-conf-file="%{_sysconfdir}/sudo-ldap.conf" \
+        --with-selinux \
+        --with-passprompt="[sudo] password for %p: " \
+        --with-linux-audit \
+        --with-sssd
+#       --without-kerb5 \
+#       --without-kerb4
+make
+
+%check
+make check
+
+%install
+rm -rf $RPM_BUILD_ROOT
+
+# Update README.LDAP (#736653)
+sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP
+
+make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
+chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
+install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
+install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
+install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
+install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
+install -p -c -m 0640 %{SOURCE3} $RPM_BUILD_ROOT/etc/sudo.conf
+install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo-ldap.conf
+
+# Add sudo to protected packages
+install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/
+touch sudo.conf
+echo sudo > sudo.conf
+install -p -c -m 0644 sudo.conf $RPM_BUILD_ROOT/etc/dnf/protected.d/
+rm -f sudo.conf
+
+chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%files
+
+# Don't package LICENSE as a doc
+rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE
+
+# Remove examples; Examples can be found in man pages too.
+rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo
+
+# Remove all .la files
+find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+
+# Remove sudoers.dist
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.dist
+
+%find_lang sudo
+%find_lang sudoers
+
+cat sudo.lang sudoers.lang > sudo_all.lang
+rm sudo.lang sudoers.lang
+
+mkdir -p $RPM_BUILD_ROOT/etc/pam.d
+cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
+#%%PAM-1.0
+auth       include      system-auth
+account    include      system-auth
+password   include      system-auth
+session    include      system-auth
+EOF
+
+cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
+#%%PAM-1.0
+auth       include      sudo
+account    include      sudo
+password   include      sudo
+session    optional     pam_keyinit.so force revoke
+session    include      sudo
+EOF
+
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files -f sudo_all.lang
+%defattr(-,root,root)
+%attr(0440,root,root) %config(noreplace) /etc/sudoers
+%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
+%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo-ldap.conf
+%attr(0750,root,root) %dir /etc/sudoers.d/
+%config(noreplace) /etc/pam.d/sudo
+%config(noreplace) /etc/pam.d/sudo-i
+%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
+%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf
+%dir /var/db/sudo
+%dir /var/db/sudo/lectured
+%attr(4111,root,root) %{_bindir}/sudo
+%{_bindir}/sudoedit
+%{_bindir}/cvtsudoers
+%attr(0111,root,root) %{_bindir}/sudoreplay
+%attr(0755,root,root) %{_sbindir}/visudo
+%dir %{_libexecdir}/sudo
+%attr(0755,root,root) %{_libexecdir}/sudo/sesh
+%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
+%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
+%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
+%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
+%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?
+%{_libexecdir}/sudo/libsudo_util.so.?
+%{_libexecdir}/sudo/libsudo_util.so
+%{_mandir}/man5/sudoers.5*
+%{_mandir}/man5/sudoers.ldap.5*
+%{_mandir}/man5/sudo-ldap.conf.5*
+%{_mandir}/man5/sudo.conf.5*
+%{_mandir}/man8/sudo.8*
+%{_mandir}/man8/sudoedit.8*
+%{_mandir}/man8/sudoreplay.8*
+%{_mandir}/man8/visudo.8*
+%{_mandir}/man1/cvtsudoers.1*
+%{_mandir}/man5/sudoers_timestamp.5*
+%dir %{_pkgdocdir}/
+%{_pkgdocdir}/*
+%{!?_licensedir:%global license %%doc}
+%license doc/LICENSE
+%exclude %{_pkgdocdir}/ChangeLog
+
+
+# Make sure permissions are ok even if we're updating
+%post
+/bin/chmod 0440 /etc/sudoers || :
+
+%files devel
+%defattr(-,root,root,-)
+%doc plugins/sample/sample_plugin.c
+%{_includedir}/sudo_plugin.h
+%{_mandir}/man8/sudo_plugin.8*
+
+%changelog
+* Tue Dec 11 2018 Radovan Sroka <rsroka@redhat.com> - 1.8.25-4
+- Fix most of the man page scans problems
+- Resolves: rhbz#1613327
+
+* Fri Oct 12 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.25-3
+- bump release for new build after gating tests fixes 
+Resolves: rhbz#1625683
+
+* Thu Oct 11 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.25-2
+- Depend explicitly on /usr/sbin/sendmail instead of sendmail (rhel-7 sync)
+- Simplified pam configuration file by removing duplicate pam stack entries
+Resolves: rhbz#1633144
+
+* Wed Sep 26 2018 Radovan Sroka <rsroka@redhat.com> - 1.8.25-1
+- rebase to the new upstream version 1.8.25p1
+- sync patches with rhel-7.6
+- sync sudoers with rhel-7.6
+  resolves: rhbz#1633144
+
+* Mon Sep 10 2018 Radovan Sroka <rsroka@redhat.com> - 1.8.23-2
+- install /etc/dnf/protected.d/sudo instead of /etc/yum/protected.d/sudo
+  resolves: rhbz#1626972
+
+* Thu May 17 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.23-1
+- Packaging update for RHEL 8.0 (sync with latest RHEL 7 state)
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.22-0.2.b1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Thu Dec 14 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.22b1-1
+- update to 1.8.22b1
+- Added /usr/local/sbin and /usr/local/bin to secure path rhbz#1166185
+
+* Thu Sep 21 2017 Marek Tamaskovic <mtamasko@redhat.com> - 1.8.21p2-1
+- update to 1.8.21p2
+- Moved libsudo_util.so from the -devel sub-package to main package (1481225) 
+
+* Wed Sep 06 2017 Matthew Miller <mattdm@fedoraproject.org> - 1.8.20p2-4
+- replace file-based requirements with package-level ones:
+- /etc/pam.d/system-auth to 'pam'
+- /bin/chmod to 'coreutils' (bug #1488934)
+- /usr/bin/vi to vim-minimal
+- ... and make vim-minimal "recommends" instead of "requires", because
+  other editors can be configured.
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.20p2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.20p2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Jun 01 2017 Daniel Kopecek <dkopecek@redhat.com> 1.8.20p2-1
+- update to 1.8.20p2
+
+* Wed May 31 2017 Daniel Kopecek <dkopecek@redhat.com> 1.8.20p1-1
+- update to 1.8.20p1
+- fixes CVE-2017-1000367
+  Resolves: rhbz#1456884
+
+* Fri Apr 07 2017 Jiri Vymazal <jvymazal@redhat.com> - 1.8.20-0.1.b1
+- update to latest development version 1.8.20b1
+- added sudo to dnf/yum protected packages
+  Resolves: rhbz#1418756
+
+* Mon Feb 13 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-1
+- update to 1.8.19p2
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.19-0.3.20161108git738c3cb
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Tue Nov 08 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.19-0.2.20161108git738c3cb
+- update to latest development version
+- fixes CVE-2016-7076
+
+* Fri Sep 23 2016 Radovan Sroka <rsroka@redhat.com> 1.8.19-0.1.20160923git90e4538
+- we were not able to update from rc and beta versions to stable one
+- so this is a new snapshot package which resolves it
+
+* Wed Sep 21 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18-1
+- update to 1.8.18
+
+* Fri Sep 16 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18rc4-1
+- update to 1.8.18rc4
+
+* Wed Sep 14 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18rc2-1
+- update to 1.8.18rc2
+- dropped sudo-1.8.14p1-ldapconfpatch.patch
+  upstreamed --> https://www.sudo.ws/pipermail/sudo-workers/2016-September/001006.html
+
+* Fri Aug 26 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18b2-1
+- update to 1.8.18b2
+- added --disable-root-mailer as configure option
+  Resolves: rhbz#1324091
+
+* Fri Jun 24 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.17p1-1
+- update to 1.8.17p1
+- install the /var/db/sudo/lectured
+  Resolves: rhbz#1321414
+
+* Tue May 31 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-4
+- removed INPUTRC from env_keep to prevent a possible info leak
+  Resolves: rhbz#1340701
+
+* Fri May 13 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-3
+- fixed upstream patch for rhbz#1328735
+
+* Thu May 12 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-2
+- fixed invalid sesh argument array construction
+
+* Mon Apr 04 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-1
+- update to 1.8.16
+
+* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.15-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Nov  5 2015 Daniel Kopecek <dkopecek@redhat.com> 1.8.15-1
+- update to 1.8.15
+- fixes CVE-2015-5602
+
+* Mon Aug 24 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-3
+- enable upstream test suite
+
+* Mon Aug 24 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-2
+- add patch that resolves initialization problem before sudo_strsplit call
+- add patch that resolves deadcode in visudo.c 
+- add patch that removes extra while in visudo.c and sudoers.c
+
+* Mon Jul 27 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-1
+- update to 1.8.14p3
+
+* Mon Jul 20 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p1-1
+- update to 1.8.14p1-1
+- rebase sudo-1.8.14b3-ldapconfpatch.patch -> sudo-1.8.14p1-ldapconfpatch.patch
+- rebase sudo-1.8.14b4-docpassexpire.patch -> sudo-1.8.14p1-docpassexpire.patch
+
+* Tue Jul 14 2015 Radovan Sroka <rsroka@redhat.com> 1.8.12-2
+- add patch3 sudo.1.8.14b4-passexpire.patch that makes change in documentation about timestamp_time
+- Resolves: rhbz#1162070
+
+* Fri Jul 10 2015 Radovan Sroka <rsroka@redhat.com> - 1.8.14b4-1
+- Update to 1.8.14b4
+- Add own %%{_tmpfilesdir}/sudo.conf
+
+* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.12-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed Feb 18 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.12
+- update to 1.8.12
+- fixes CVE-2014-9680
+
+* Mon Nov  3 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11p2-1
+- update to 1.8.11p2
+- added patch to fix upstream bug #671 -- exiting immediately
+  when audit is disabled
+
+* Tue Sep 30 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11-1
+- update to 1.8.11
+- major changes & fixes:
+  - when running a command in the background, sudo will now forward
+    SIGINFO to the command
+  - the passwords in ldap.conf and ldap.secret may now be encoded in base64. 
+  - SELinux role changes are now audited. For sudoedit, we now audit
+    the actual editor being run, instead of just the sudoedit command. 
+  - it is now possible to match an environment variable's value as well as
+    its name using env_keep and env_check
+  - new files created via sudoedit as a non-root user now have the proper group id
+  - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support
+  - it is now possible to disable network interface probing in sudo.conf by
+    changing the value of the probe_interfaces setting
+  - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt
+    for the user's password even if the targetpw, rootpw or runaspw options are set.
+  - the new use_netgroups sudoers option can be used to explicitly enable or disable
+    netgroups support
+  - visudo can now export a sudoers file in JSON format using the new -x flag
+- added patch to read ldap.conf more closely to nss_ldap
+- require /usr/bin/vi instead of vim-minimal
+- include pam.d/system-auth in PAM session phase from pam.d/sudo
+- include pam.d/sudo in PAM session phase from pam.d/sudo-i
+
+* Tue Aug  5 2014 Tom Callaway <spot@fedoraproject.org> - 1.8.8-6
+- fix license handling
+
+* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.8-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Sat May 31 2014 Peter Robinson <pbrobinson@fedoraproject.org> 1.8.8-4
+- Drop ChangeLog, we ship NEWS
+
+* Mon Mar 10 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.8-3
+- remove bundled copy of zlib before compilation
+- drop the requiretty Defaults setting from sudoers
+
+* Sat Jan 25 2014 Ville Skyttä <ville.skytta@iki.fi> - 1.8.8-2
+- Own the %%{_libexecdir}/sudo dir.
+
+* Mon Sep 30 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.8-1
+- update to 1.8.8
+- major changes & fixes:
+  - LDAP SASL support now works properly with Kerberos
+  - root may no longer change its SELinux role without entering a password
+  - user messages are now always displayed in the user's locale, even when
+    the same message is being logged or mailed in a different locale.
+  - log files created by sudo now explicitly have the group set to group
+    ID 0 rather than relying on BSD group semantics
+  - sudo now stores its libexec files in a sudo subdirectory instead of in
+    libexec itself
+  - system_group and group_file sudoers group provider plugins are now
+    installed by default
+  - the paths to ldap.conf and ldap.secret may now be specified as arguments
+    to the sudoers plugin in the sudo.conf file
+  - ...and many new features and settings. See the upstream ChangeLog for the
+    full list.
+- several sssd support fixes
+- added patch to make uid/gid specification parsing more strict (don't accept
+  an invalid number as uid/gid)
+- use the _pkgdocdir macro
+  (see https://fedoraproject.org/wiki/Changes/UnversionedDocdirs)
+- fixed several bugs found by the clang static analyzer
+- added %%post dependency on chmod
+
+* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Thu Feb 28 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-1
+- update to 1.8.6p7
+- fixes CVE-2013-1775 and CVE-2013-1776
+- fixed several packaging issues (thanks to ville.skytta@iki.fi)
+  - build with system zlib.
+  - let rpmbuild strip libexecdir/*.so.
+  - own the %%{_docdir}/sudo-* dir.
+  - fix some rpmlint warnings (spaces vs tabs, unescaped macros).
+  - fix bogus %%changelog dates.
+
+* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Nov 12 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p3-2
+- added upstream patch for a regression
+- don't include arch specific files in the -devel subpackage
+- ship only one sample plugin in the -devel subpackage
+
+* Tue Sep 25 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p3-1
+- update to 1.8.6p3
+- drop -pipelist patch (fixed in upstream)
+
+* Thu Sep  6 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6-1
+- update to 1.8.6
+
+* Thu Jul 26 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-4
+- added patches that fix & improve SSSD support (thanks to pbrezina@redhat.com)
+- re-enabled SSSD support
+- removed libsss_sudo dependency
+
+* Tue Jul 24 2012 Bill Nottingham <notting@redhat.com> - 1.8.5-3
+- flip sudoers2ldif executable bit after make install, not in setup
+
+* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu May 17 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-1
+- update to 1.8.5
+- fixed CVE-2012-2337
+- temporarily disabled SSSD support 
+
+* Wed Feb 29 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-6
+- fixed problems with undefined symbols (rhbz#798517)
+
+* Wed Feb 22 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-5
+- SSSD patch update
+
+* Tue Feb  7 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-4
+- added SSSD support
+
+* Thu Jan 26 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-3
+- added patch for CVE-2012-0809
+
+* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.3p1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Nov 10 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-1
+- update to 1.8.3p1
+- disable output word wrapping if the output is piped 
+
+* Wed Sep  7 2011 Peter Robinson <pbrobinson@fedoraproject.org> - 1.8.1p2-2
+- Remove execute bit from sample script in docs so we don't pull in perl
+
+* Tue Jul 12 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.1p2-1
+- rebase to 1.8.1p2
+- removed .sudoi patch
+- fixed typo: RELPRO -> RELRO
+- added -devel subpackage for the sudo_plugin.h header file
+- use default ldap configuration files again
+
+* Fri Jun  3 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-4
+- build with RELRO
+
+* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.4p5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon Jan 17 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-2
+- rebase to 1.7.4p5
+- fixed sudo-1.7.4p4-getgrouplist.patch
+- fixes CVE-2011-0008, CVE-2011-0010
+
+* Tue Nov 30 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-5
+- anybody in the wheel group has now root access (using password) (rhbz#656873)
+- sync configuration paths with the nss_ldap package (rhbz#652687)
+
+* Wed Sep 29 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-4
+- added upstream patch to fix rhbz#638345
+
+* Mon Sep 20 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-3
+- added patch for #635250
+- /var/run/sudo -> /var/db/sudo in .spec
+
+* Tue Sep  7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-2
+- sudo now uses /var/db/sudo for timestamps
+
+* Tue Sep  7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-1
+- update to new upstream version
+- new command available: sudoreplay
+- use native audit support
+- corrected license field value: BSD -> ISC
+
+* Wed Jun  2 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-2
+- added patch that fixes insufficient environment sanitization issue (#598154)
+
+* Wed Apr 14 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-1
+- update to new upstream version
+- merged .audit and .libaudit patch
+- added sudoers.ldap.5* to files
+
+* Mon Mar  1 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p5-2
+- update to new upstream version
+
+* Tue Feb 16 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-5
+- fixed no valid sudoers sources found (#558875)
+
+* Wed Feb 10 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-4
+- audit related Makefile.in and configure.in corrections
+- added --with-audit configure option
+- removed call to libtoolize
+
+* Wed Feb 10 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-3
+- fixed segfault when #include directive is used in cycles (#561336)
+
+* Fri Jan  8 2010 Ville Skyttä <ville.skytta@iki.fi> - 1.7.2p2-2
+- Add /etc/sudoers.d dir and use it in default config (#551470).
+- Drop *.pod man page duplicates from docs.
+
+* Thu Jan 07 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-1
+- new upstream version 1.7.2p2-1
+- commented out unused aliases in sudoers to make visudo happy (#550239)
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 1.7.1-7
+- rebuilt with new audit
+
+* Thu Aug 20 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-6
+- moved secure_path from compile-time option to sudoers file (#517428)
+
+* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Jul 09 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-4
+- moved the closefrom() call before audit_help_open() (sudo-1.7.1-auditfix.patch)
+- epoch number sync
+
+* Mon Jun 22 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-1
+- updated sudo to version 1.7.1
+- fixed small bug in configure.in (sudo-1.7.1-conffix.patch)
+
+* Tue Feb 24 2009 Daniel Kopecek <dkopecek@redhat.com> 1.6.9p17-6
+- fixed building with new libtool
+- fix for incorrect handling of groups in Runas_User
+- added /usr/local/sbin to secure-path
+
+* Tue Jan 13 2009 Daniel Kopecek <dkopecek@redhat.com> 1.6.9p17-3
+- build with sendmail installed
+- Added /usr/local/bin to secure-path
+
+* Tue Sep 02 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p17-2
+- adjust audit patch, do not scream when kernel is
+  compiled without audit netlink support (#401201)
+
+* Fri Jul 04 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p17-1
+- upgrade
+
+* Wed Jun 18 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-7
+- build with newer autoconf-2.62 (#449614)
+
+* Tue May 13 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-6
+- compiled with secure path (#80215)
+
+* Mon May 05 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-5
+- fix path to updatedb in /etc/sudoers (#445103)
+
+* Mon Mar 31 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-4
+- include ldap files in rpm package (#439506)
+
+* Thu Mar 13 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-3
+- include [sudo] in password prompt (#437092)
+
+* Tue Mar 04 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-2
+- audit support improvement
+
+* Thu Feb 21 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-1
+- upgrade to the latest upstream release
+
+* Wed Feb 06 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p12-1
+- upgrade to the latest upstream release
+- add selinux support
+
+* Mon Feb 04 2008 Dennis Gilmore <dennis@ausil.us> 1.6.9p4-6
+- sparc64 needs to be in the -fPIE list with s390
+
+* Mon Jan 07 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-5
+- fix complains about audit_log_user_command(): Connection 
+  refused (#401201)
+
+* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 1.6.9p4-4
+- Rebuild for deps
+
+* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 1.6.9p4-3
+- Rebuild for openssl bump
+
+* Thu Aug 30 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-2
+- fix autotools stuff and add audit support
+
+* Mon Aug 20 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-1
+- upgrade to upstream release
+
+* Thu Apr 12 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-14
+- also use getgrouplist() to determine group membership (#235915)
+
+* Mon Feb 26 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-13
+- fix some spec file issues
+
+* Thu Dec 14 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-12
+- fix rpmlint issue
+
+* Thu Oct 26 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-11
+- fix typo in sudoers file (#212308)
+
+* Sun Oct 01 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-10
+- rebuilt for unwind info generation, broken in gcc-4.1.1-21
+
+* Thu Sep 21 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-9
+- fix sudoers file, X apps didn't work (#206320)
+
+* Tue Aug 08 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-8
+- use Red Hat specific default sudoers file
+
+* Sun Jul 16 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-7
+- fix #198755 - make login processes (sudo -i) initialise session keyring
+  (thanks for PAM config files to David Howells)
+- add IPv6 support (patch by Milan Zazrivec)
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-6.1
+- rebuild
+
+* Mon May 29 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-6
+- fix #190062 - "ssh localhost sudo su" will show the password in clear
+
+* Tue May 23 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-5
+- add LDAP support (#170848)
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-4.1
+- bump again for double-long bug on ppc(64)
+
+* Wed Feb  8 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-4
+- reset env. by default
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-3.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Mon Jan 23 2006 Dan Walsh <dwalsh@redhat.com> 1.6.8p12-3
+- Remove selinux patch.  It has been decided that the SELinux patch for sudo is
+- no longer necessary.  In tageted policy it had no effect.  In strict/MLS policy
+- We require the person using sudo to execute newrole before using sudo.
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Fri Nov 25 2005 Karel Zak <kzak@redhat.com> 1.6.8p12-1
+- new upstream version 1.6.8p12
+
+* Tue Nov  8 2005 Karel Zak <kzak@redhat.com> 1.6.8p11-1
+- new upstream version 1.6.8p11
+
+* Thu Oct 13 2005 Tomas Mraz <tmraz@redhat.com> 1.6.8p9-6
+- use include instead of pam_stack in pam config
+
+* Tue Oct 11 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-5
+- enable interfaces in selinux patch
+- merge sudo-1.6.8p8-sesh-stopsig.patch to selinux patch
+
+* Mon Sep 19 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-4
+- fix debuginfo
+
+* Mon Sep 19 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-3
+- fix #162623 - sesh hangs when child suspends
+
+* Mon Aug 1 2005 Dan Walsh <dwalsh@redhat.com> 1.6.8p9-2
+- Add back in interfaces call, SELinux has been fixed to work around
+
+* Tue Jun 21 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-1
+- new version 1.6.8p9 (resolve #161116 - CAN-2005-1993 sudo trusted user arbitrary command execution)
+
+* Tue May 24 2005 Karel Zak <kzak@redhat.com> 1.6.8p8-2
+- fix #154511 - sudo does not use limits.conf
+
+* Mon Apr  4 2005 Thomas Woerner <twoerner@redhat.com> 1.6.8p8-1
+- new version 1.6.8p8: new sudoedit and sudo_noexec
+
+* Wed Feb  9 2005 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-31
+- rebuild
+
+* Mon Oct  4 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-30.1
+- added missing BuildRequires for libselinux-devel (#132883) 
+
+* Wed Sep 29 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-30
+- Fix missing param error in sesh
+
+* Mon Sep 27 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-29
+- Remove full patch check from sesh
+
+* Thu Jul 8 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-28
+- Fix selinux patch to switch to root user
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Apr 13 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-26
+- Eliminate tty handling from selinux
+
+* Thu Apr  1 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-25
+- fixed spec file: sesh in file section with selinux flag (#119682)
+
+* Tue Mar 30 2004 Colin Walters <walters@redhat.com> 1.6.7p5-24
+- Enhance sesh.c to fork/exec children itself, to avoid
+  having sudo reap all domains.
+- Only reinstall default signal handlers immediately before
+  exec of child with SELinux patch
+
+* Thu Mar 18 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-23
+- change to default to sysadm_r 
+- Fix tty handling
+
+* Thu Mar 18 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-22
+- Add /bin/sesh to run selinux code.
+- replace /bin/bash -c with /bin/sesh
+
+* Tue Mar 16 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-21
+- Hard code to use "/bin/bash -c" for selinux 
+
+* Tue Mar 16 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-20
+- Eliminate closing and reopening of terminals, to match su.
+
+* Mon Mar 15 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-19
+- SELinux fixes to make transitions work properly
+
+* Fri Mar  5 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-18
+- pied sudo
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Jan 27 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-16
+- Eliminate interfaces call, since this requires big SELinux privs
+- and it seems to be useless.
+
+* Tue Jan 27 2004 Karsten Hopp <karsten@redhat.de> 1.6.7p5-15
+- visudo requires vim-minimal or setting EDITOR to something useful (#68605)
+
+* Mon Jan 26 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-14
+- Fix is_selinux_enabled call
+
+* Tue Jan 13 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-13
+- Clean up patch on failure 
+
+* Tue Jan 6 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-12
+- Remove sudo.te for now.
+
+* Fri Jan 2 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-11
+- Fix usage message
+
+* Mon Dec 22 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-10
+- Clean up sudo.te to not blow up if pam.te not present
+
+* Thu Dec 18 2003 Thomas Woerner <twoerner@redhat.com>
+- added missing BuildRequires for groff
+
+* Tue Dec 16 2003 Jeremy Katz <katzj@redhat.com> 1.6.7p5-9
+- remove left-over debugging code
+
+* Tue Dec 16 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-8
+- Fix terminal handling that caused Sudo to exit on non selinux machines.
+
+* Mon Dec 15 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-7
+- Remove sudo_var_run_t which is now pam_var_run_t
+
+* Fri Dec 12 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-6
+- Fix terminal handling and policy
+
+* Thu Dec 11 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-5
+- Fix policy
+
+* Thu Nov 13 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-4.sel
+- Turn on SELinux support
+
+* Tue Jul 29 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-3
+- Add support for SELinux
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Mon May 19 2003 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-1
+
+* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
+- rebuilt
+
+* Tue Nov 12 2002 Nalin Dahyabhai <nalin@redhat.com> 1.6.6-2
+- remove absolute path names from the PAM configuration, ensuring that the
+  right modules get used for whichever arch we're built for
+- don't try to install the FAQ, which isn't there any more
+
+* Thu Jun 27 2002 Bill Nottingham <notting@redhat.com> 1.6.6-1
+- update to 1.6.6
+
+* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu May 23 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu Apr 18 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5p2-2
+- Fix bug #63768
+
+* Thu Mar 14 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5p2-1
+- 1.6.5p2
+
+* Fri Jan 18 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5p1-1
+- 1.6.5p1
+- Hope this "a new release per day" madness stops ;)
+
+* Thu Jan 17 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5-1
+- 1.6.5
+
+* Tue Jan 15 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.4p1-1
+- 1.6.4p1
+
+* Mon Jan 14 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.4-1
+- Update to 1.6.4
+
+* Mon Jul 23 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.3p7-2
+- Add build requirements (#49706)
+- s/Copyright/License/
+- bzip2 source
+
+* Sat Jun 16 2001 Than Ngo <than@redhat.com>
+- update to 1.6.3p7
+- use %%{_tmppath}
+
+* Fri Feb 23 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- 1.6.3p6, fixes buffer overrun
+
+* Tue Oct 10 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- 1.6.3p5
+
+* Wed Jul 12 2000 Prospector <bugzilla@redhat.com>
+- automatic rebuild
+
+* Tue Jun 06 2000 Karsten Hopp <karsten@redhat.de>
+- fixed owner of sudo and visudo
+
+* Thu Jun  1 2000 Nalin Dahyabhai <nalin@redhat.com>
+- modify PAM setup to use system-auth
+- clean up buildrooting by using the makeinstall macro
+
+* Tue Apr 11 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- initial build in main distrib
+- update to 1.6.3
+- deal with compressed man pages
+
+* Tue Dec 14 1999 Preston Brown <pbrown@redhat.com>
+- updated to 1.6.1 for Powertools 6.2
+- config files are now noreplace.
+
+* Thu Jul 22 1999 Tim Powers <timp@redhat.com>
+- updated to 1.5.9p2 for Powertools 6.1
+
+* Wed May 12 1999 Bill Nottingham <notting@redhat.com>
+- sudo is configured with pam. There's no pam.d file. Oops.
+
+* Mon Apr 26 1999 Preston Brown <pbrown@redhat.com>
+- upgraded to 1.59p1 for powertools 6.0
+
+* Tue Oct 27 1998 Preston Brown <pbrown@redhat.com>
+- fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed)
+
+* Thu Oct 08 1998 Michael Maher <mike@redhat.com>
+- built package for 5.2 
+
+* Mon May 18 1998 Michael Maher <mike@redhat.com>
+- updated SPEC file
+
+* Thu Jan 29 1998 Otto Hammersmith <otto@redhat.com>
+- updated to 1.5.4
+
+* Tue Nov 18 1997 Otto Hammersmith <otto@redhat.com>
+- built for glibc, no problems
+
+* Fri Apr 25 1997 Michael Fulbright <msf@redhat.com>
+- Fixed for 4.2 PowerTools 
+- Still need to be pamified
+- Still need to move stmp file to /var/log
+
+* Mon Feb 17 1997 Michael Fulbright <msf@redhat.com>
+- First version for PowerCD.
+