diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..59b3a3b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/sudo-1.8.19p2.tar.gz
diff --git a/.sudo.metadata b/.sudo.metadata
new file mode 100644
index 0000000..e9bab31
--- /dev/null
+++ b/.sudo.metadata
@@ -0,0 +1 @@
+78868ef825e7b6db246d99160ec16fd4e4c93f3f SOURCES/sudo-1.8.19p2.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
- 
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
- 
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/sudo-1.6.7p5-strip.patch b/SOURCES/sudo-1.6.7p5-strip.patch
new file mode 100644
index 0000000..ba00efc
--- /dev/null
+++ b/SOURCES/sudo-1.6.7p5-strip.patch
@@ -0,0 +1,27 @@
+From 8a045c3880e06f5fcf69a73c4029d6725e17f7bc Mon Sep 17 00:00:00 2001
+From: Tomas Sykora <tosykora@redhat.com>
+Date: Fri, 19 Aug 2016 13:49:25 +0200
+Subject: [PATCH 01/10] We do not strip
+
+rebased from:
+Patch1: sudo-1.6.7p5-strip.patch
+---
+ install-sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/install-sh b/install-sh
+index 6944fba..49d383a 100755
+--- a/install-sh
++++ b/install-sh
+@@ -147,7 +147,7 @@ while ${MORETODO} ; do
+ 	fi
+ 	;;
+     X-s)
+-	STRIPIT=true
++	#STRIPIT=true
+ 	;;
+     X--)
+ 	shift
+-- 
+2.7.4
+
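Review bot: The `X-s)` branch of install-sh now holds only the commented-out `#STRIPIT=true`, so the script accepts `-s` and does nothing with it, and nothing says why. Either delete the dead assignment or replace it with a why-comment, for example `# -s is accepted but ignored: binaries are left unstripped for the package build`. That wording is inferred from the subject line "We do not strip" and should be confirmed. The enclosing `while ${MORETODO}` loop starts and ends outside the hunk.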
diff --git a/SOURCES/sudo-1.7.2p1-envdebug.patch b/SOURCES/sudo-1.7.2p1-envdebug.patch
new file mode 100644
index 0000000..94c719a
--- /dev/null
+++ b/SOURCES/sudo-1.7.2p1-envdebug.patch
@@ -0,0 +1,27 @@
+From 44a602b49365969e56c63c9f12eda197e951302f Mon Sep 17 00:00:00 2001
+From: Tomas Sykora <tosykora@redhat.com>
+Date: Fri, 19 Aug 2016 14:07:35 +0200
+Subject: [PATCH 02/10] Added "Enviroment debugging" message
+
+rebased from:
+Patch2: sudo-1.7.2p1-envdebug.patch
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 9feddfd..39a2d86 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1390,7 +1390,7 @@ AC_ARG_ENABLE(env_debug,
+ [AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])],
+ [ case "$enableval" in
+     yes)	AC_MSG_RESULT(yes)
+-		AC_DEFINE(ENV_DEBUG)
++		AC_DEFINE(ENV_DEBUG, [], [Environment debugging.])
+ 		;;
+     no)		AC_MSG_RESULT(no)
+ 		;;
+-- 
+2.7.4
+
diff --git a/SOURCES/sudo-1.8.18-testsuitefix.patch b/SOURCES/sudo-1.8.18-testsuitefix.patch
new file mode 100644
index 0000000..6c60292
--- /dev/null
+++ b/SOURCES/sudo-1.8.18-testsuitefix.patch
@@ -0,0 +1,189 @@
+From ea44d916b9dffe0f33c3c62d1677567bf64a26b8 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Tue, 20 Sep 2016 15:07:53 +0200
+Subject: [PATCH 10/10] Fix upstream testsuite
+
+---
+ plugins/sudoers/regress/sudoers/test2.in      | 60 ---------------------------
+ plugins/sudoers/regress/sudoers/test2.in_     | 60 +++++++++++++++++++++++++++
+ plugins/sudoers/regress/testsudoers/test3.sh  | 13 ------
+ plugins/sudoers/regress/testsudoers/test3.sh_ | 13 ++++++
+ 4 files changed, 73 insertions(+), 73 deletions(-)
+ delete mode 100644 plugins/sudoers/regress/sudoers/test2.in
+ create mode 100644 plugins/sudoers/regress/sudoers/test2.in_
+ delete mode 100755 plugins/sudoers/regress/testsudoers/test3.sh
+ create mode 100755 plugins/sudoers/regress/testsudoers/test3.sh_
+
+diff --git a/plugins/sudoers/regress/sudoers/test2.in b/plugins/sudoers/regress/sudoers/test2.in
+deleted file mode 100644
+index cfdfaa3..0000000
+--- a/plugins/sudoers/regress/sudoers/test2.in
++++ /dev/null
+@@ -1,60 +0,0 @@
+-# Check quoted user name in User_Alias
+-User_Alias UA1 = "foo"
+-User_Alias UA2 = "foo.bar"
+-User_Alias UA3 = "foo\""
+-User_Alias UA4 = "foo:bar"
+-User_Alias UA5 = "foo:bar\""
+-
+-# Check quoted group name in User_Alias
+-User_Alias UA6 = "%baz"
+-User_Alias UA7 = "%baz.biz"
+-
+-# Check quoted non-Unix group name in User_Alias
+-User_Alias UA8 = "%:C/non UNIX 0 c"
+-User_Alias UA9 = "%:C/non\'UNIX\'1 c"
+-User_Alias UA10 = "%:C/non\"UNIX\"0 c"
+-User_Alias UA11 = "%:C/non_UNIX_0 c"
+-User_Alias UA12 = "%:C/non\'UNIX_3 c"
+-
+-# Check quoted user name in Runas_Alias
+-Runas_Alias RA1 = "foo"
+-Runas_Alias RA2 = "foo\""
+-Runas_Alias RA3 = "foo:bar"
+-Runas_Alias RA4 = "foo:bar\""
+-
+-# Check quoted host name in Defaults
+-Defaults@"somehost" set_home
+-Defaults@"quoted\"" set_home
+-
+-# Check quoted user name in Defaults
+-Defaults:"you" set_home
+-Defaults:"us\"" set_home
+-Defaults:"%them" set_home
+-Defaults:"%: non UNIX 0 c" set_home
+-Defaults:"+net" set_home
+-
+-# Check quoted runas name in Defaults
+-Defaults>"someone" set_home
+-Defaults>"some one" set_home
+-
+-# Check quoted command in Defaults
+-# XXX - not currently supported
+-#Defaults!"/bin/ls -l" set_home
+-#Defaults!"/bin/ls -l \"foo\"" set_home
+-
+-# Check quoted user, runas and host name in Cmnd_Spec
+-"foo"		"hosta" = ("root") ALL
+-"foo.bar"	"hostb" = ("root") ALL
+-"foo\""		"hostc" = ("root") ALL
+-"foo:bar"	"hostd" = ("root") ALL
+-"foo:bar\""	"hoste" = ("root") ALL
+-
+-# Check quoted group/netgroup name in Cmnd_Spec
+-"%baz"			"hosta" = ("root") ALL
+-"%baz.biz"		"hostb" = ("root") ALL
+-"%:C/non UNIX 0 c"	"hostc" = ("root") ALL
+-"%:C/non\'UNIX\'1 c"	"hostd" = ("root") ALL
+-"%:C/non\"UNIX\"0 c"	"hoste" = ("root") ALL
+-"%:C/non_UNIX_0 c"	"hostf" = ("root") ALL
+-"%:C/non\'UNIX_3 c"	"hostg" = ("root") ALL
+-"+netgr"		"hosth" = ("root") ALL
+diff --git a/plugins/sudoers/regress/sudoers/test2.in_ b/plugins/sudoers/regress/sudoers/test2.in_
+new file mode 100644
+index 0000000..cfdfaa3
+--- /dev/null
++++ b/plugins/sudoers/regress/sudoers/test2.in_
+@@ -0,0 +1,60 @@
++# Check quoted user name in User_Alias
++User_Alias UA1 = "foo"
++User_Alias UA2 = "foo.bar"
++User_Alias UA3 = "foo\""
++User_Alias UA4 = "foo:bar"
++User_Alias UA5 = "foo:bar\""
++
++# Check quoted group name in User_Alias
++User_Alias UA6 = "%baz"
++User_Alias UA7 = "%baz.biz"
++
++# Check quoted non-Unix group name in User_Alias
++User_Alias UA8 = "%:C/non UNIX 0 c"
++User_Alias UA9 = "%:C/non\'UNIX\'1 c"
++User_Alias UA10 = "%:C/non\"UNIX\"0 c"
++User_Alias UA11 = "%:C/non_UNIX_0 c"
++User_Alias UA12 = "%:C/non\'UNIX_3 c"
++
++# Check quoted user name in Runas_Alias
++Runas_Alias RA1 = "foo"
++Runas_Alias RA2 = "foo\""
++Runas_Alias RA3 = "foo:bar"
++Runas_Alias RA4 = "foo:bar\""
++
++# Check quoted host name in Defaults
++Defaults@"somehost" set_home
++Defaults@"quoted\"" set_home
++
++# Check quoted user name in Defaults
++Defaults:"you" set_home
++Defaults:"us\"" set_home
++Defaults:"%them" set_home
++Defaults:"%: non UNIX 0 c" set_home
++Defaults:"+net" set_home
++
++# Check quoted runas name in Defaults
++Defaults>"someone" set_home
++Defaults>"some one" set_home
++
++# Check quoted command in Defaults
++# XXX - not currently supported
++#Defaults!"/bin/ls -l" set_home
++#Defaults!"/bin/ls -l \"foo\"" set_home
++
++# Check quoted user, runas and host name in Cmnd_Spec
++"foo"		"hosta" = ("root") ALL
++"foo.bar"	"hostb" = ("root") ALL
++"foo\""		"hostc" = ("root") ALL
++"foo:bar"	"hostd" = ("root") ALL
++"foo:bar\""	"hoste" = ("root") ALL
++
++# Check quoted group/netgroup name in Cmnd_Spec
++"%baz"			"hosta" = ("root") ALL
++"%baz.biz"		"hostb" = ("root") ALL
++"%:C/non UNIX 0 c"	"hostc" = ("root") ALL
++"%:C/non\'UNIX\'1 c"	"hostd" = ("root") ALL
++"%:C/non\"UNIX\"0 c"	"hoste" = ("root") ALL
++"%:C/non_UNIX_0 c"	"hostf" = ("root") ALL
++"%:C/non\'UNIX_3 c"	"hostg" = ("root") ALL
++"+netgr"		"hosth" = ("root") ALL
+diff --git a/plugins/sudoers/regress/testsudoers/test3.sh b/plugins/sudoers/regress/testsudoers/test3.sh
+deleted file mode 100755
+index c1251b9..0000000
+--- a/plugins/sudoers/regress/testsudoers/test3.sh
++++ /dev/null
+@@ -1,13 +0,0 @@
+-#!/bin/sh
+-#
+-# Test #include facility
+-#
+-
+-MYUID=`\ls -lnd $TESTDIR/test3.d | awk '{print $3}'`
+-MYGID=`\ls -lnd $TESTDIR/test3.d | awk '{print $4}'`
+-exec 2>&1
+-./testsudoers -U $MYUID -G $MYGID root id <<EOF
+-#includedir $TESTDIR/test3.d
+-EOF
+-
+-exit 0
+diff --git a/plugins/sudoers/regress/testsudoers/test3.sh_ b/plugins/sudoers/regress/testsudoers/test3.sh_
+new file mode 100755
+index 0000000..c1251b9
+--- /dev/null
++++ b/plugins/sudoers/regress/testsudoers/test3.sh_
+@@ -0,0 +1,13 @@
++#!/bin/sh
++#
++# Test #include facility
++#
++
++MYUID=`\ls -lnd $TESTDIR/test3.d | awk '{print $3}'`
++MYGID=`\ls -lnd $TESTDIR/test3.d | awk '{print $4}'`
++exec 2>&1
++./testsudoers -U $MYUID -G $MYGID root id <<EOF
++#includedir $TESTDIR/test3.d
++EOF
++
++exit 0
+-- 
+2.7.4
+
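Review bot: Renaming `regress/sudoers/test2.in` and `regress/testsudoers/test3.sh` to names with a trailing `_` presumably takes them out of the test run rather than fixing them, and the patch header ("Fix upstream testsuite") does not say which failure motivated it. These two cases cover quoted user, group and host names in the sudoers parser and the `#includedir` ownership check, so disabling them removes regression coverage for policy parsing in a setuid program. The header should record the failing condition (build root ownership, missing `$TESTDIR/test3.d`, or whatever it was) and a bug reference, so the tests can be re-enabled once it is resolved. If only the build environment is at fault, skipping the tests from the spec file would keep the upstream tree intact.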
diff --git a/SOURCES/sudo-1.8.19p2-CVE-2017-1000368.patch b/SOURCES/sudo-1.8.19p2-CVE-2017-1000368.patch
new file mode 100644
index 0000000..84c1f9d
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-CVE-2017-1000368.patch
@@ -0,0 +1,66 @@
+diff --git a/src/ttyname.c b/src/ttyname.c
+index ff2cacc..013be95 100644
+--- a/src/ttyname.c
++++ b/src/ttyname.c
+@@ -477,26 +477,38 @@ done:
+ char *
+ get_process_ttyname(char *name, size_t namelen)
+ {
+-    char path[PATH_MAX], *line = NULL;
++    const char path[] = "/proc/self/stat";
++    char *cp, buf[1024];
+     char *ret = NULL;
+-    size_t linesize = 0;
+     int serrno = errno;
+-    ssize_t len;
+-    FILE *fp;
++    ssize_t nread;
++    int fd;
+     debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
+ 
+-    /* Try to determine the tty from tty_nr in /proc/pid/stat. */
+-    snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());
+-    if ((fp = fopen(path, "r")) != NULL) {
+-	len = getline(&line, &linesize, fp);
+-	fclose(fp);
+-	if (len != -1) {
++    /*
++     * Try to determine the tty from tty_nr in /proc/self/stat.
++     * Ignore /proc/self/stat if it contains embedded NUL bytes.
++     */
++    if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
++	cp = buf;
++	while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
++	    if (nread == -1) {
++		if (errno == EAGAIN || errno == EINTR)
++		    continue;
++		break;
++	    }
++	    cp += nread;
++	    if (cp >= buf + sizeof(buf))
++		break;
++	}
++	if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
+ 	    /*
+ 	     * Field 7 is the tty dev (0 if no tty).
+-	     * Since the process name at field 2 "(comm)" may include spaces,
+-	     * start at the last ')' found.
++	     * Since the process name at field 2 "(comm)" may include
++	     * whitespace (including newlines), start at the last ')' found.
+ 	     */
+-	    char *cp = strrchr(line, ')');
++	    *cp = '\0';
++	    cp = strrchr(buf, ')');
+ 	    if (cp != NULL) {
+ 		char *ep = cp;
+ 		const char *errstr;
+@@ -527,7 +539,8 @@ get_process_ttyname(char *name, size_t namelen)
+     errno = ENOENT;
+ 
+ done:
+-    free(line);
++    if (fd != -1)
++	close(fd);
+     if (ret == NULL)
+ 	sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+ 	    "unable to resolve tty via %s", path);
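Review bot: The rejection paths added to get_process_ttyname() are silent. When `/proc/self/stat` fills the 1024-byte `buf` (the loop breaks with `nread > 0`) or contains a NUL byte, the `if (nread == 0 && memchr(...) == NULL)` test fails and control appears to fall through to the generic "unable to resolve tty via %s" warning, so a log reader cannot tell a malformed or oversized stat file from a process that has no tty. An else branch with a distinct line, for example `sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, "%s: truncated or contains NUL, ignoring", path);`, would make that case visible. The patch file also has no From/Subject header or upstream changeset reference, unlike its neighbours, and its context (`char *cp = strrchr(line, ')');`) shows it must apply after the get_process_ttyname patch; a short header stating both would keep the backport traceable. The function body continues outside both hunks.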
diff --git a/SOURCES/sudo-1.8.19p2-display-privs.patch b/SOURCES/sudo-1.8.19p2-display-privs.patch
new file mode 100644
index 0000000..234aa8d
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-display-privs.patch
@@ -0,0 +1,16 @@
+diff -up ./plugins/sudoers/sudo_nss.c.display-privs ./plugins/sudoers/sudo_nss.c
+--- ./plugins/sudoers/sudo_nss.c.display-privs	2017-01-13 23:30:15.000000000 -0500
++++ ./plugins/sudoers/sudo_nss.c	2017-08-31 07:41:02.764738698 -0400
+@@ -348,7 +348,11 @@ display_privs(struct sudo_nss_list *snl,
+     sudo_lbuf_destroy(&defs);
+     sudo_lbuf_destroy(&privs);
+ 
+-    debug_return_int(count > 0);
++/*
++ * This is ok, we return 1 which is success in this case
++ * and we don't want return failure even when there is nothing to print
++ */
++    debug_return_int(1);
+ bad:
+     sudo_lbuf_destroy(&defs);
+     sudo_lbuf_destroy(&privs);
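Review bot: The comment added above `debug_return_int(1)` sits at column 0 inside an indented function body and does not say which caller needs the always-success result. Since the return value no longer depends on `count`, code outside this hunk can no longer distinguish a user with nothing to list from one with entries. Anything keyed on the listing's status would presumably see success in both cases. I would indent the comment with the surrounding code and state the contract, for example `/* Always return success: an empty listing is not an error for the caller. */`, and add a patch header naming the bug this resolves. If `count` is now only written and never read, it may also trigger an unused-variable warning. display_privs() starts and ends outside the hunk.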
diff --git a/SOURCES/sudo-1.8.19p2-error-warning-visudo-message.patch b/SOURCES/sudo-1.8.19p2-error-warning-visudo-message.patch
new file mode 100644
index 0000000..6d52342
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-error-warning-visudo-message.patch
@@ -0,0 +1,53 @@
+From daa728fd889680cf5294fbb0e836cade9fe1a6d8 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@courtesan.com>
+Date: Wed, 22 Feb 2017 06:38:33 -0700
+Subject: [PATCH] Go back to using a Warning/Error prefix in the message
+ printed to stderr for alias problems.  Requested by Tomas Sykora.
+
+---
+ doc/visudo.cat                              | 10 +++++-----
+ doc/visudo.man.in                           | 12 ++++++------
+ doc/visudo.mdoc.in                          | 12 ++++++------
+ plugins/sudoers/regress/visudo/test2.err.ok |  2 +-
+ plugins/sudoers/regress/visudo/test3.err.ok |  4 ++--
+ plugins/sudoers/visudo.c                    | 14 ++++++++++----
+ 6 files changed, 30 insertions(+), 24 deletions(-)
+
+diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c
+index 4f192b2..4793d54 100644
+--- a/plugins/sudoers/visudo.c
++++ b/plugins/sudoers/visudo.c
+@@ -1137,12 +1137,17 @@ check_alias(char *name, int type, char *file, int lineno, bool strict, bool quie
+     } else {
+ 	if (!quiet) {
+ 	    if (errno == ELOOP) {
+-		sudo_warnx(U_("%s:%d cycle in %s \"%s\""),
++		fprintf(stderr, strict ?
++		    U_("Error: %s:%d cycle in %s \"%s\"") :
++		    U_("Warning: %s:%d cycle in %s \"%s\""),
+ 		    file, lineno, alias_type_to_string(type), name);
+ 	    } else {
+-		sudo_warnx(U_("%s:%d %s \"%s\" referenced but not defined"),
++		fprintf(stderr, strict ?
++		    U_("Error: %s:%d %s \"%s\" referenced but not defined") :
++		    U_("Warning: %s:%d %s \"%s\" referenced but not defined"),
+ 		    file, lineno, alias_type_to_string(type), name);
+ 	    }
++	    fputc('\n', stderr);
+ 	    if (strict && errorfile == NULL) {
+ 		errorfile = rcstr_addref(file);
+ 		errorlineno = lineno;
+@@ -1292,8 +1297,9 @@ print_unused(void *v1, void *v2)
+ {
+     struct alias *a = (struct alias *)v1;
+ 
+-    sudo_warnx_nodebug(U_("%s:%d unused %s \"%s\""),
++    fprintf(stderr, U_("Warning: %s:%d unused %s \"%s\""),
+ 	a->file, a->lineno, alias_type_to_string(a->type), a->name);
++    fputc('\n', stderr);
+     return 0;
+ }
+ 
+-- 
+2.7.4
+
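Review bot: The diffstat in this patch's header lists six files, including `plugins/sudoers/regress/visudo/test2.err.ok` and `test3.err.ok`, but the body carries only the visudo.c hunks. The expected-output files would therefore still hold the old wording once check_alias() and print_unused() print the new `Warning:`/`Error:` prefix. If the visudo regress tests run during the package build they would presumably compare against stale expectations, so either include the .err.ok and doc hunks or say in the header that they were dropped on purpose. The move from sudo_warnx() to a bare fprintf() plus `fputc('\n', stderr)` deserves a one-line comment such as `/* fprintf, not sudo_warnx: the message must start with Warning:/Error: */`. Both functions continue outside the hunks.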
diff --git a/SOURCES/sudo-1.8.19p2-fqdn-use-after-free.patch b/SOURCES/sudo-1.8.19p2-fqdn-use-after-free.patch
new file mode 100644
index 0000000..1c44dcc
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-fqdn-use-after-free.patch
@@ -0,0 +1,124 @@
+diff -up ./plugins/sudoers/sssd.c.fqdnafterfree ./plugins/sudoers/sssd.c
+--- ./plugins/sudoers/sssd.c.fqdnafterfree	2017-01-14 05:30:15.000000000 +0100
++++ ./plugins/sudoers/sssd.c	2017-04-25 14:23:39.655649726 +0200
+@@ -82,8 +82,8 @@ typedef void (*sss_sudo_free_values_t)(c
+ 
+ struct sudo_sss_handle {
+     char *domainname;
+-    char *host;
+-    char *shost;
++    char *ipa_host;
++    char *ipa_shost;
+     struct passwd *pw;
+     void *ssslib;
+     sss_sudo_send_recv_t fn_send_recv;
+@@ -385,7 +385,7 @@ sudo_sss_open(struct sudo_nss *nss)
+     debug_decl(sudo_sss_open, SUDOERS_DEBUG_SSSD);
+ 
+     /* Create a handle container. */
+-    handle = malloc(sizeof(struct sudo_sss_handle));
++    handle = calloc(1, sizeof(struct sudo_sss_handle));
+     if (handle == NULL) {
+ 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ 	debug_return_int(ENOMEM);
+@@ -447,9 +447,6 @@ sudo_sss_open(struct sudo_nss *nss)
+ 	debug_return_int(EFAULT);
+     }
+ 
+-    handle->domainname = NULL;
+-    handle->host = user_runhost;
+-    handle->shost = user_srunhost;
+     handle->pw = sudo_user.pw;
+     nss->handle = handle;
+ 
+@@ -458,7 +455,7 @@ sudo_sss_open(struct sudo_nss *nss)
+      * in sssd.conf and use it in preference to user_runhost.
+      */
+     if (strcmp(user_runhost, user_host) == 0) {
+-	if (get_ipa_hostname(&handle->shost, &handle->host) == -1) {
++	if (get_ipa_hostname(&handle->ipa_shost, &handle->ipa_host) == -1) {
+ 	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ 	    free(handle);
+ 	    debug_return_int(ENOMEM);
+@@ -480,7 +477,10 @@ sudo_sss_close(struct sudo_nss *nss)
+     if (nss && nss->handle) {
+ 	handle = nss->handle;
+ 	sudo_dso_unload(handle->ssslib);
+-	free(nss->handle);
++	free(handle->ipa_host);
++	free(handle->ipa_shost);
++	free(handle);
++	nss->handle = NULL;
+     }
+     debug_return_int(0);
+ }
+@@ -585,8 +585,9 @@ sudo_sss_checkpw(struct sudo_nss *nss, s
+ static int
+ sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *sss_rule, int group_matched)
+ {
+-    char **val_array = NULL;
+-    char *val;
++    const char *host = handle->ipa_host ? handle->ipa_host : user_runhost;
++    const char *shost = handle->ipa_shost ? handle->ipa_shost : user_srunhost;
++    char *val, **val_array = NULL;
+     int ret = false, i;
+     debug_decl(sudo_sss_check_runas_user, SUDOERS_DEBUG_SSSD);
+ 
+@@ -656,8 +657,8 @@ sudo_sss_check_runas_user(struct sudo_ss
+ 	switch (val[0]) {
+ 	case '+':
+ 	    sudo_debug_printf(SUDO_DEBUG_DEBUG, "netgr_");
+-	    if (netgr_matches(val, def_netgroup_tuple ? handle->host : NULL,
+-		def_netgroup_tuple ? handle->shost : NULL, runas_pw->pw_name)) {
++	    if (netgr_matches(val, def_netgroup_tuple ? host : NULL,
++		def_netgroup_tuple ? shost : NULL, runas_pw->pw_name)) {
+ 		sudo_debug_printf(SUDO_DEBUG_DEBUG, "=> match");
+ 		ret = true;
+ 	    }
+@@ -762,7 +763,9 @@ sudo_sss_check_runas(struct sudo_sss_han
+ static bool
+ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+ {
+-    char **val_array, *val;
++    const char *host = handle->ipa_host ? handle->ipa_host : user_runhost;
++    const char *shost = handle->ipa_shost ? handle->ipa_shost : user_srunhost;
++    char *val, **val_array;
+     int matched = UNSPEC;
+     bool negated;
+     int i;
+@@ -792,9 +795,9 @@ sudo_sss_check_host(struct sudo_sss_hand
+ 
+ 	/* match any or address or netgroup or hostname */
+ 	if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
+-	    netgr_matches(val, handle->host, handle->shost,
++	    netgr_matches(val, host, shost,
+ 	    def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
+-	    hostname_matches(handle->shost, handle->host, val)) {
++	    hostname_matches(shost, host, val)) {
+ 
+ 	    matched = negated ? false : true;
+ 	}
+@@ -816,9 +819,10 @@ sudo_sss_check_host(struct sudo_sss_hand
+ static bool
+ sudo_sss_check_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+ {
+-    int ret = false;
++    const char *host = handle->ipa_host ? handle->ipa_host : user_runhost;
++    const char *shost = handle->ipa_shost ? handle->ipa_shost : user_srunhost;
+     char **val_array;
+-    int i;
++    int i, ret = false;
+     debug_decl(sudo_sss_check_user, SUDOERS_DEBUG_SSSD);
+ 
+     if (!handle || !rule)
+@@ -844,8 +848,8 @@ sudo_sss_check_user(struct sudo_sss_hand
+ 	switch (*val) {
+ 	case '+':
+ 	    /* Netgroup spec found, check membership. */
+-	    if (netgr_matches(val, def_netgroup_tuple ? handle->host : NULL,
+-		def_netgroup_tuple ? handle->shost : NULL, handle->pw->pw_name)) {
++	    if (netgr_matches(val, def_netgroup_tuple ? host : NULL,
++		def_netgroup_tuple ? shost : NULL, handle->pw->pw_name)) {
+ 		ret = true;
+ 	    }
+ 	    break;
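Review bot: In sudo_sss_open() the get_ipa_hostname() failure path still calls `free(handle)` after the context line `nss->handle = handle;` has run, so `nss->handle` is left pointing at freed memory when the function returns ENOMEM. The patched sudo_sss_close() tests `nss->handle`, then calls `sudo_dso_unload(handle->ssslib)` and frees the handle. If a caller closes the source after a failed open (not visible here), that would be a use-after-free and double free of the same kind this patch sets out to remove. Adding `nss->handle = NULL;` next to the `free(handle);` in that error branch, or moving the `nss->handle = handle;` assignment below the get_ipa_hostname() call, closes the gap. That path also appears to return without unloading `handle->ssslib`, which is worth checking against the part of the function outside the hunk. The repeated `host`/`shost` fallback initialisers in the three check functions could share one small helper.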
diff --git a/SOURCES/sudo-1.8.19p2-get_process_ttyname.patch b/SOURCES/sudo-1.8.19p2-get_process_ttyname.patch
new file mode 100644
index 0000000..8d304d5
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-get_process_ttyname.patch
@@ -0,0 +1,76 @@
+diff -ru sudo-1.8.20/src/ttyname.c sudo-1.8.20-Q/src/ttyname.c
+--- sudo-1.8.20/src/ttyname.c	2017-05-10 08:38:44.000000000 -0700
++++ sudo-1.8.20-Q/src/ttyname.c	2017-05-19 02:15:48.442705049 -0700
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2012-2016 Todd C. Miller <Todd.Miller@courtesan.com>
++ * Copyright (c) 2012-2017 Todd C. Miller <Todd.Miller@courtesan.com>
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -159,6 +159,8 @@
+ 
+ static char *ignore_devs[] = {
+     "/dev/fd/",
++    "/dev/mqueue/",
++    "/dev/shm/",
+     "/dev/stdin",
+     "/dev/stdout",
+     "/dev/stderr",
+@@ -493,28 +495,35 @@
+ 	len = getline(&line, &linesize, fp);
+ 	fclose(fp);
+ 	if (len != -1) {
+-	    /* Field 7 is the tty dev (0 if no tty) */
+-	    char *cp = line;
+-	    char *ep = line;
+-	    const char *errstr;
+-	    int field = 0;
+-	    while (*++ep != '\0') {
+-		if (*ep == ' ') {
+-		    *ep = '\0';
+-		    if (++field == 7) {
+-			dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
+-			if (errstr) {
+-			    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+-				"%s: tty device %s: %s", path, cp, errstr);
++	    /*
++	     * Field 7 is the tty dev (0 if no tty).
++	     * Since the process name at field 2 "(comm)" may include spaces,
++	     * start at the last ')' found.
++	     */
++	    char *cp = strrchr(line, ')');
++	    if (cp != NULL) {
++		char *ep = cp;
++		const char *errstr;
++		int field = 1;
++
++		while (*++ep != '\0') {
++		    if (*ep == ' ') {
++			*ep = '\0';
++			if (++field == 7) {
++			    dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
++			    if (errstr) {
++				sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
++				    "%s: tty device %s: %s", path, cp, errstr);
++			    }
++			    if (tdev > 0) {
++				errno = serrno;
++				ret = sudo_ttyname_dev(tdev, name, namelen);
++				goto done;
++			    }
++			    break;
+ 			}
+-			if (tdev > 0) {
+-			    errno = serrno;
+-			    ret = sudo_ttyname_dev(tdev, name, namelen);
+-			    goto done;
+-			}
+-			break;
++			cp = ep + 1;
+ 		    }
+-		    cp = ep + 1;
+ 		}
+ 	    }
+ 	}
+
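Review bot: The two entries added to `ignore_devs`, `"/dev/mqueue/"` and `"/dev/shm/"`, carry no comment saying why they are excluded from the tty device search. A line such as `/* directories that are typically world-writable: never resolve a tty name under them */` above the new entries would record the intent; that rationale is inferred and should be confirmed against the upstream advisory. The parsing change still works on the single line returned by `getline()`, so it relies on the separate CVE-2017-1000368 patch in this commit for process names containing newlines. The diff header names `sudo-1.8.20` trees while the file is labelled 1.8.19p2, so a short header stating the upstream origin and the required apply order would help. The function begins and ends outside the hunk.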
diff --git a/SOURCES/sudo-1.8.19p2-ignore-unknown-defaults.patch b/SOURCES/sudo-1.8.19p2-ignore-unknown-defaults.patch
new file mode 100644
index 0000000..aadb45d
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-ignore-unknown-defaults.patch
@@ -0,0 +1,142 @@
+From 93cef1efac4e2b4930c23cdc35c0b916365ccabc Mon Sep 17 00:00:00 2001
+From: Tomas Sykora <tosykora@redhat.com>
+Date: Tue, 21 Feb 2017 14:56:24 +0100
+Subject: [PATCH] Add ignore_unknown_defaults flag to ignore unknown Defaults
+ entries in sudoers instead of producing a warning.
+
+Patch: sudo-1.8.19p2-ignore-unknown-defaults.patch
+Resolves:
+rhbz#1413160
+---
+ doc/sudoers.cat             |  6 ++++++
+ doc/sudoers.man.in          | 11 +++++++++++
+ doc/sudoers.mdoc.in         | 10 ++++++++++
+ plugins/sudoers/def_data.c  |  4 ++++
+ plugins/sudoers/def_data.h  |  2 ++
+ plugins/sudoers/def_data.in |  3 +++
+ plugins/sudoers/defaults.c  |  3 ++-
+ 7 files changed, 38 insertions(+), 1 deletion(-)
+
+diff --git a/doc/sudoers.cat b/doc/sudoers.cat
+index 76dbf28..50cf78a 100644
+--- a/doc/sudoers.cat
++++ b/doc/sudoers.cat
+@@ -1071,6 +1071,12 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
+                        meaningful for the cn=defaults section.  This flag is
+                        _o_f_f by default.
+ 
++     ignore_unknown_defaults
++                       If set, ssuuddoo will not produce a warning if it
++                       encounters an unknown Defaults entry in the _^Hs_^Hu_^Hd_^Ho_^He_^Hr_^Hs
++                       file or an unknown sudoOption in LDAP.  This flag is
++                       _o_f_f by default.
++
+      insults           If set, ssuuddoo will insult users when they enter an
+                        incorrect password.  This flag is _o_f_f by default.
+ 
+diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
+index 8673da0..4be3760 100644
+--- a/doc/sudoers.man.in
++++ b/doc/sudoers.man.in
+@@ -2266,6 +2266,17 @@ This flag is
+ \fIoff\fR
+ by default.
+ .TP 18n
++ignore_unknown_defaults
++If set,
++\fBsudo\fR
++will not produce a warning if it encounters an unknown Defaults entry
++in the
++\fIsudoers\fR
++file or an unknown sudoOption in LDAP.
++This flag is
++\fIoff\fR
++by default.
++.TP 18n
+ insults
+ If set,
+ \fBsudo\fR
+diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
+index 74b6f01..f3fe5e6 100644
+--- a/doc/sudoers.mdoc.in
++++ b/doc/sudoers.mdoc.in
+@@ -2124,6 +2124,16 @@ section.
+ This flag is
+ .Em off
+ by default.
++.It ignore_unknown_defaults
++If set,
++.Nm sudo
++will not produce a warning if it encounters an unknown Defaults entry
++in the
++.Em sudoers
++file or an unknown sudoOption in LDAP.
++This flag is
++.Em off
++by default.
+ .It insults
+ If set,
+ .Nm sudo
+diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
+index 3926fed..3d787c2 100644
+--- a/plugins/sudoers/def_data.c
++++ b/plugins/sudoers/def_data.c
+@@ -443,6 +443,10 @@ struct sudo_defs_types sudo_defs_table[] = {
+ 	N_("Don't pre-resolve all group names"),
+ 	NULL,
+     }, {
++       "ignore_unknown_defaults", T_FLAG,
++       N_("Ignore unknown Defaults entries in sudoers instead of producing a warning"),
++       NULL,
++    }, {
+ 	NULL, 0, NULL
+     }
+ };
+diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
+index b5e61b4..f5773a3 100644
+--- a/plugins/sudoers/def_data.h
++++ b/plugins/sudoers/def_data.h
+@@ -208,6 +208,8 @@
+ #define def_cmnd_no_wait        (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
+ #define I_LEGACY_GROUP_PROCESSING 104
+ #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
++#define I_IGNORE_UNKNOWN_DEFAULTS 105
++#define def_ignore_unknown_defaults (sudo_defs_table[I_IGNORE_UNKNOWN_DEFAULTS].sd_un.flag)
+ 
+ enum def_tuple {
+ 	never,
+diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
+index f1c9265..8f63d70 100644
+--- a/plugins/sudoers/def_data.in
++++ b/plugins/sudoers/def_data.in
+@@ -328,3 +328,6 @@ cmnd_no_wait
+ legacy_group_processing
+ 	T_FLAG
+ 	"Don't pre-resolve all group names"
++ignore_unknown_defaults
++        T_FLAG
++        "Ignore unknown Defaults entries in sudoers instead of producing a warning"
+diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
+index 9e60d94..5f93f80 100644
+--- a/plugins/sudoers/defaults.c
++++ b/plugins/sudoers/defaults.c
+@@ -79,6 +79,7 @@ static struct strmap priorities[] = {
+ };
+ 
+ static struct early_default early_defaults[] = {
++    { I_IGNORE_UNKNOWN_DEFAULTS },
+ #ifdef FQDN
+     { I_FQDN, true },
+ #else
+@@ -206,7 +207,7 @@ find_default(const char *name, const char *file, int lineno, bool quiet)
+ 	if (strcmp(name, sudo_defs_table[i].name) == 0)
+ 	    debug_return_int(i);
+     }
+-    if (!quiet) {
++    if (!quiet && !def_ignore_unknown_defaults) {
+ 	if (lineno > 0) {
+ 	    sudo_warnx(U_("%s:%d unknown defaults entry \"%s\""),
+ 		file, lineno, name);
+-- 
+2.7.4
+
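Review bot: With `if (!quiet && !def_ignore_unknown_defaults)` in find_default(), enabling the flag removes the only diagnostic for a misspelled Defaults name, so a mistyped hardening option would be dropped with no trace at all. Keeping a debug-level record when the warning is suppressed, for example `sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, "%s: unknown defaults entry \"%s\" ignored", file, name);`, preserves an audit trail without reintroducing the user-visible warning. Whether `file` can be NULL on this path is not visible in the hunk and should be checked first. The new `early_defaults` entry `{ I_IGNORE_UNKNOWN_DEFAULTS },` would benefit from a comment saying it must be processed before other Defaults so the flag takes effect for the rest of the parse. The added lines in def_data.in and def_data.c are indented with spaces where the neighbouring entries use tabs. find_default() continues outside the hunk.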
diff --git a/SOURCES/sudo-1.8.19p2-iologflush.patch b/SOURCES/sudo-1.8.19p2-iologflush.patch
new file mode 100644
index 0000000..213566f
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-iologflush.patch
@@ -0,0 +1,317 @@
+diff -up ./doc/sudoers.cat.orig ./doc/sudoers.cat
+--- ./doc/sudoers.cat.orig	2017-03-21 13:31:00.953951199 +0100
++++ ./doc/sudoers.cat	2017-03-21 14:14:18.679116865 +0100
+@@ -1549,6 +1549,16 @@ SSUUDDOOEERRSS OOPPTTIIOONN
+                        will be truncated and overwritten unless _i_o_l_o_g___f_i_l_e
+                        ends in six or more Xs.
+ 
++     iolog_flush       If set, ssuuddoo will flush I/O log data to disk after each
++                       write instead of buffering it.  This makes it possible
++                       to view the logs in real-time as the program is
++                       executing but may significantly reduce the
++                       effectiveness of I/O log compression.  This flag is _o_f_f
++                       by default.
++
++                       This setting is only supported by version 1.8.20 or
++                       higher.
++
+      iolog_group       The group name to look up when setting the group ID on
+                        new I/O log files and directories.  By default, I/O log
+                        files and directories inherit the group ID of the
+@@ -2141,10 +2151,14 @@ II//OO LLOOGG FFIILLEESS
+      _s_t_d_e_r_r    standard error to a pipe or redirected to a file
+ 
+      All files other than _l_o_g are compressed in gzip format unless the
+-     _c_o_m_p_r_e_s_s___i_o option has been disabled.  Due to buffering, the I/O log data
+-     will not be complete until the ssuuddoo command has completed.  The output
+-     portion of an I/O log file can be viewed with the sudoreplay(1m) utility,
+-     which can also be used to list or search the available logs.
++     _c_o_m_p_r_e_s_s___i_o flag has been disabled.  Due to buffering, it is not normally
++     possible to display the I/O logs in real-time as the program is executing
++     The I/O log data will not be complete until the program run by ssuuddoo has
++     exited or has been terminated by a signal.  The _i_o_l_o_g___f_l_u_s_h flag can be
++     used to disable buffering, in which case I/O log data is written to disk
++     as soon as it is available.  The output portion of an I/O log file can be
++     viewed with the sudoreplay(1m) utility, which can also be used to list or
++     search the available logs.
+ 
+      Note that user input may contain sensitive information such as passwords
+      (even if they are not echoed to the screen), which will be stored in the
+diff -up ./doc/sudoers.man.in.orig ./doc/sudoers.man.in
+--- ./doc/sudoers.man.in.orig	2017-03-21 14:22:33.804283190 +0100
++++ ./doc/sudoers.man.in	2017-03-21 14:22:21.136664667 +0100
+@@ -3199,6 +3199,19 @@ ends in six or
+ more
+ \fRX\fRs.
+ .TP 18n
++iolog_flush
++If set,
++\fBsudo\fR
++will flush I/O log data to disk after each write instead of buffering it.
++This makes it possible to view the logs in real-time as the program
++is executing but may significantly reduce the effectiveness of I/O
++log compression.
++This flag is
++\fIoff\fR
++by default.
++.sp
++This setting is only supported by version 1.8.20 or higher.
++.TP 18n
+ iolog_group
+ The group name to look up when setting the group ID on new I/O log
+ files and directories.
+@@ -4298,10 +4311,16 @@ All files other than
+ \fIlog\fR
+ are compressed in gzip format unless the
+ \fIcompress_io\fR
+-option has been disabled.
+-Due to buffering, the I/O log data will not be complete until the
++flag has been disabled.
++Due to buffering, it is not normally possible to display the I/O logs in
++real-time as the program is executing
++The I/O log data will not be complete until the program run by
+ \fBsudo\fR
+-command has completed.
++has exited or has been terminated by a signal.
++The
++\fIiolog_flush\fR
++flag can be used to disable buffering, in which case I/O log data
++is written to disk as soon as it is available.
+ The output portion of an I/O log file can be viewed with the
+ sudoreplay(@mansectsu@)
+ utility, which can also be used to list or search the available logs.
+diff -up ./doc/sudoers.mdoc.in.orig ./doc/sudoers.mdoc.in
+--- ./doc/sudoers.mdoc.in.orig	2017-03-21 14:23:46.652089432 +0100
++++ ./doc/sudoers.mdoc.in	2017-03-21 14:26:43.686758162 +0100
+@@ -2998,6 +2998,18 @@ overwritten unless
+ ends in six or
+ more
+ .Li X Ns s .
++.It iolog_flush
++If set,
++.Nm sudo
++will flush I/O log data to disk after each write instead of buffering it.
++This makes it possible to view the logs in real-time as the program
++is executing but may significantly reduce the effectiveness of I/O
++log compression.
++This flag is
++.Em off
++by default.
++.Pp
++This setting is only supported by version 1.8.20 or higher.
+ .It iolog_group
+ The group name to look up when setting the group ID on new I/O log
+ files and directories.
+@@ -3991,10 +4003,16 @@ All files other than
+ .Pa log
+ are compressed in gzip format unless the
+ .Em compress_io
+-option has been disabled.
+-Due to buffering, the I/O log data will not be complete until the
+-.Nm sudo
+-command has completed.
++flag has been disabled.
++Due to buffering, it is not normally possible to display the I/O logs in
++real-time as the program is executing
++The I/O log data will not be complete until the program run by
++.Nm sudo
++has exited or has been terminated by a signal.
++The
++.Em iolog_flush
++flag can be used to disable buffering, in which case I/O log data
++is written to disk as soon as it is available.
+ The output portion of an I/O log file can be viewed with the
+ .Xr sudoreplay @mansectsu@
+ utility, which can also be used to list or search the available logs.
+diff -up ./plugins/sudoers/def_data.c.orig ./plugins/sudoers/def_data.c
+--- ./plugins/sudoers/def_data.c.orig	2017-03-21 13:24:10.682064806 +0100
++++ ./plugins/sudoers/def_data.c	2017-03-21 13:25:09.805322057 +0100
+@@ -447,6 +447,10 @@ struct sudo_defs_types sudo_defs_table[]
+        N_("Ignore unknown Defaults entries in sudoers instead of producing a warning"),
+        NULL,
+     }, {
++	"iolog_flush", T_FLAG,
++	N_("Flush I/O log data to disk immediately instead of buffering it"),
++	NULL,
++    }, {
+ 	NULL, 0, NULL
+     }
+ };
+diff -up ./plugins/sudoers/def_data.h.orig ./plugins/sudoers/def_data.h
+--- ./plugins/sudoers/def_data.h.orig	2017-03-21 13:25:20.489006524 +0100
++++ ./plugins/sudoers/def_data.h	2017-03-21 13:28:09.251022290 +0100
+@@ -210,6 +210,8 @@
+ #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
+ #define I_IGNORE_UNKNOWN_DEFAULTS 105
+ #define def_ignore_unknown_defaults (sudo_defs_table[I_IGNORE_UNKNOWN_DEFAULTS].sd_un.flag)
++#define I_IOLOG_FLUSH           106
++#define def_iolog_flush         (sudo_defs_table[I_IOLOG_FLUSH].sd_un.flag)
+ 
+ enum def_tuple {
+ 	never,
+diff -up ./plugins/sudoers/def_data.in.orig ./plugins/sudoers/def_data.in
+--- ./plugins/sudoers/def_data.in.orig	2017-03-21 13:28:35.115258413 +0100
++++ ./plugins/sudoers/def_data.in	2017-03-21 13:30:03.239655739 +0100
+@@ -331,3 +331,6 @@ legacy_group_processing
+ ignore_unknown_defaults
+         T_FLAG
+         "Ignore unknown Defaults entries in sudoers instead of producing a warning"
++iolog_flush
++	T_FLAG
++	"Flush I/O log data to disk immediately instead of buffering it"
+diff -up ./plugins/sudoers/iolog.c.orig ./plugins/sudoers/iolog.c
+--- ./plugins/sudoers/iolog.c.orig	2017-03-21 13:12:39.471464160 +0100
++++ ./plugins/sudoers/iolog.c	2017-03-21 13:21:49.279230759 +0100
+@@ -709,6 +709,7 @@ iolog_deserialize_info(struct iolog_deta
+ 
+ /*
+  * Write the "/log" file that contains the user and command info.
++ * This file is not compressed.
+  */
+ static bool
+ write_info_log(char *pathbuf, size_t len, struct iolog_details *details,
+@@ -747,6 +748,57 @@ write_info_log(char *pathbuf, size_t len
+     debug_return_bool(ret);
+ }
+ 
++#ifdef HAVE_ZLIB_H
++static const char *
++gzstrerror(gzFile file)
++{
++    int errnum;
++
++    return gzerror(file, &errnum);
++}
++#endif /* HAVE_ZLIB_H */
++
++/*
++ * Write to an I/O log, compressing if iolog_compress is enabled.
++ * If def_iolog_flush is true, flush the buffer immediately.
++ */
++static const char *
++iolog_write(const void *buf, unsigned int len, int idx)
++{
++    const char *errstr = NULL;
++    debug_decl(iolog_write, SUDOERS_DEBUG_PLUGIN)
++
++#ifdef HAVE_ZLIB_H
++    if (iolog_compress) {
++	if (gzwrite(io_log_files[idx].fd.g, buf, len) != (int)len) {
++	    errstr = gzstrerror(io_log_files[idx].fd.g);
++	    goto done;
++	}
++	if (def_iolog_flush) {
++	    if (gzflush(io_log_files[idx].fd.g, Z_SYNC_FLUSH) != Z_OK) {
++		errstr = gzstrerror(io_log_files[idx].fd.g);
++		goto done;
++	    }
++	}
++    } else
++#endif
++    {
++	if (fwrite(buf, 1, len, io_log_files[idx].fd.f) != len) {
++	    errstr = strerror(errno);
++	    goto done;
++	}
++	if (def_iolog_flush) {
++	    if (fflush(io_log_files[idx].fd.f) != 0) {
++		errstr = strerror(errno);
++		goto done;
++	    }
++	}
++    }
++
++done:
++    debug_return_const_str(errstr);
++}
++
+ static int
+ sudoers_io_open(unsigned int version, sudo_conv_t conversation,
+     sudo_printf_t plugin_printf, char * const settings[],
+@@ -914,13 +966,15 @@ sudoers_io_version(int verbose)
+ 
+ /*
+  * Generic I/O logging function.  Called by the I/O logging entry points.
++ * Returns 1 on success and -1 on error.
+  */
+ static int
+ sudoers_io_log(const char *buf, unsigned int len, int idx)
+ {
+     struct timeval now, delay;
++    char tbuf[1024];
+     const char *errstr = NULL;
+-    int ret = true;
++    int ret = -1;
+     debug_decl(sudoers_io_version, SUDOERS_DEBUG_PLUGIN)
+ 
+     if (io_log_files[idx].fd.v == NULL) {
+@@ -931,41 +985,28 @@ sudoers_io_log(const char *buf, unsigned
+ 
+     gettimeofday(&now, NULL);
+ 
+-#ifdef HAVE_ZLIB_H
+-    if (iolog_compress) {
+-	if (gzwrite(io_log_files[idx].fd.g, (const voidp)buf, len) != (int)len) {
+-	    int errnum;
++    /* Write I/O log file entry. */
++    errstr = iolog_write(buf, len, idx);
++    if (errstr != NULL)
++	goto done;
+ 
+-	    errstr = gzerror(io_log_files[idx].fd.g, &errnum);
+-	    ret = -1;
+-	}
+-    } else
+-#endif
+-    {
+-	if (fwrite(buf, 1, len, io_log_files[idx].fd.f) != len) {
+-	    errstr = strerror(errno);
+-	    ret = -1;
+-	}
+-    }
++    /* Write timing file entry. */
+     sudo_timevalsub(&now, &last_time, &delay);
+-#ifdef HAVE_ZLIB_H
+-    if (iolog_compress) {
+-	if (gzprintf(io_log_files[IOFD_TIMING].fd.g, "%d %f %u\n", idx,
+-	    delay.tv_sec + ((double)delay.tv_usec / 1000000), len) == 0) {
+-	    int errnum;
+-
+-	    errstr = gzerror(io_log_files[IOFD_TIMING].fd.g, &errnum);
+-	    ret = -1;
+-	}
+-    } else
+-#endif
+-    {
+-	if (fprintf(io_log_files[IOFD_TIMING].fd.f, "%d %f %u\n", idx,
+-	    delay.tv_sec + ((double)delay.tv_usec / 1000000), len) < 0) {
+-	    errstr = strerror(errno);
+-	    ret = -1;
+-	}
++    len = (unsigned int)snprintf(tbuf, sizeof(tbuf), "%d %f %u\n", idx,
++	delay.tv_sec + ((double)delay.tv_usec / 1000000), len);
++    if (len >= sizeof(tbuf)) {
++	/* Not actually possible due to the size of tbuf[]. */
++	errstr = strerror(EOVERFLOW);
++	goto done;
+     }
++    errstr = iolog_write(tbuf, len, IOFD_TIMING);
++    if (errstr != NULL)
++	goto done;
++
++    /* Success. */
++    ret = 1;
++
++done:
+     last_time.tv_sec = now.tv_sec;
+     last_time.tv_usec = now.tv_usec;
+ 
+@@ -979,7 +1020,7 @@ sudoers_io_log(const char *buf, unsigned
+ 
+ 	/* Ignore errors if they occur if the policy says so. */
+ 	if (iolog_details.ignore_iolog_errors)
+-	    ret = true;
++	    ret = 1;
+     }
+ 
+     debug_return_int(ret);
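Review bot: `iolog_write()` in plugins/sudoers/iolog.c honours `def_iolog_flush` with `fflush()` or `gzflush(..., Z_SYNC_FLUSH)` only, which hands the data to the kernel but never calls `fsync()`. The def_data description and the added manual text nevertheless both say the data is flushed "to disk". For a session audit trail the difference matters, because records written shortly before a crash or power loss can still be missing from the log. I would state the limit in the function's header comment, for example `* Flushing pushes data to the kernel only; nothing is fsync()ed, so it is not crash-durable.`, and word the option text to match.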
diff --git a/SOURCES/sudo-1.8.19p2-iologtruncate.patch b/SOURCES/sudo-1.8.19p2-iologtruncate.patch
new file mode 100644
index 0000000..ee358eb
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-iologtruncate.patch
@@ -0,0 +1,171 @@
+diff --git a/src/exec_pty.c b/src/exec_pty.c
+index 7403506..56b2899 100644
+--- a/src/exec_pty.c
++++ b/src/exec_pty.c
+@@ -711,8 +711,10 @@ io_buf_new(int rfd, int wfd,
+ int
+ fork_pty(struct command_details *details, int sv[], sigset_t *omask)
+ {
++    struct plugin_container *plugin;
+     struct command_status cstat;
+-    int io_pipe[3][2];
++    int io_pipe[3][2] = { { -1, -1 }, { -1, -1 }, { -1, -1 } };
++    bool interpose[3] = { false, false, false };
+     sigaction_t sa;
+     sigset_t mask;
+     pid_t child;
+@@ -738,6 +740,16 @@ fork_pty(struct command_details *details, int sv[], sigset_t *omask)
+     sigaddset(&ttyblock, SIGTTIN);
+     sigaddset(&ttyblock, SIGTTOU);
+ 
++    /* Determine whether any of std{in,out,err} should be logged. */
++    TAILQ_FOREACH(plugin, &io_plugins, entries) {
++	if (plugin->u.io->log_stdin)
++	    interpose[STDIN_FILENO] = true;
++	if (plugin->u.io->log_stdout)
++	    interpose[STDOUT_FILENO] = true;
++	if (plugin->u.io->log_stderr)
++	    interpose[STDERR_FILENO] = true;
++    } 
++
+     /*
+      * Setup stdin/stdout/stderr for child, to be duped after forking.
+      * In background mode there is no stdin.
+@@ -763,35 +775,64 @@ fork_pty(struct command_details *details, int sv[], sigset_t *omask)
+     }
+ 
+     /*
+-     * If either stdin, stdout or stderr is not a tty we use a pipe
+-     * to interpose ourselves instead of duping the pty fd.
++     * If stdin, stdout or stderr is not a tty and logging is enabled,
++     * use a pipe to interpose ourselves instead of using the pty fd.
+      */
+-    memset(io_pipe, 0, sizeof(io_pipe));
+     if (io_fds[SFD_STDIN] == -1 || !isatty(STDIN_FILENO)) {
+-	sudo_debug_printf(SUDO_DEBUG_INFO, "stdin not a tty, creating a pipe");
+-	pipeline = true;
+-	if (pipe(io_pipe[STDIN_FILENO]) != 0)
+-	    sudo_fatal(U_("unable to create pipe"));
+-	io_buf_new(STDIN_FILENO, io_pipe[STDIN_FILENO][1],
+-	    log_stdin, &iobufs);
+-	io_fds[SFD_STDIN] = io_pipe[STDIN_FILENO][0];
+-    }
+-    if (io_fds[SFD_STDOUT] == -1 || !isatty(STDOUT_FILENO)) {
+-	sudo_debug_printf(SUDO_DEBUG_INFO, "stdout not a tty, creating a pipe");
+-	pipeline = true;
+-	if (pipe(io_pipe[STDOUT_FILENO]) != 0)
+-	    sudo_fatal(U_("unable to create pipe"));
+-	io_buf_new(io_pipe[STDOUT_FILENO][0], STDOUT_FILENO,
+-	    log_stdout, &iobufs);
+-	io_fds[SFD_STDOUT] = io_pipe[STDOUT_FILENO][1];
+-    }
+-    if (io_fds[SFD_STDERR] == -1 || !isatty(STDERR_FILENO)) {
+-	sudo_debug_printf(SUDO_DEBUG_INFO, "stderr not a tty, creating a pipe");
+-	if (pipe(io_pipe[STDERR_FILENO]) != 0)
+-	    sudo_fatal(U_("unable to create pipe"));
+-	io_buf_new(io_pipe[STDERR_FILENO][0], STDERR_FILENO,
+-	    log_stderr, &iobufs);
+-	io_fds[SFD_STDERR] = io_pipe[STDERR_FILENO][1];
++	if (!interpose[STDIN_FILENO]) {
++	    /* Not logging stdin, do not interpose. */
++	    sudo_debug_printf(SUDO_DEBUG_INFO,
++		"stdin not a tty, not logging");
++	    io_fds[SFD_STDIN] = dup(STDIN_FILENO);
++	    if (io_fds[SFD_STDIN] == -1)
++		sudo_fatal("dup");
++	} else {
++	    sudo_debug_printf(SUDO_DEBUG_INFO,
++		"stdin not a tty, creating a pipe");
++	    pipeline = true;
++	    if (pipe(io_pipe[STDIN_FILENO]) != 0)
++		sudo_fatal(U_("unable to create pipe"));
++	    io_buf_new(STDIN_FILENO, io_pipe[STDIN_FILENO][1],
++		log_stdin, &iobufs);
++	    io_fds[SFD_STDIN] = io_pipe[STDIN_FILENO][0];
++	}
++     }
++     if (io_fds[SFD_STDOUT] == -1 || !isatty(STDOUT_FILENO)) {
++	if (!interpose[STDOUT_FILENO]) {
++	    /* Not logging stdout, do not interpose. */
++	    sudo_debug_printf(SUDO_DEBUG_INFO,
++		"stdout not a tty, not logging");
++	    io_fds[SFD_STDOUT] = dup(STDOUT_FILENO);
++	    if (io_fds[SFD_STDOUT] == -1)
++		sudo_fatal("dup");
++	} else {
++	    sudo_debug_printf(SUDO_DEBUG_INFO,
++		"stdout not a tty, creating a pipe");
++	    pipeline = true;
++	    if (pipe(io_pipe[STDOUT_FILENO]) != 0)
++		sudo_fatal(U_("unable to create pipe"));
++	    io_buf_new(io_pipe[STDOUT_FILENO][0], STDOUT_FILENO,
++		log_stdout, &iobufs);
++	    io_fds[SFD_STDOUT] = io_pipe[STDOUT_FILENO][1];
++	}
++     }
++     if (io_fds[SFD_STDERR] == -1 || !isatty(STDERR_FILENO)) {
++	if (!interpose[STDERR_FILENO]) {
++	    /* Not logging stderr, do not interpose. */
++	    sudo_debug_printf(SUDO_DEBUG_INFO,
++		"stderr not a tty, not logging");
++	    io_fds[SFD_STDERR] = dup(STDERR_FILENO);
++	    if (io_fds[SFD_STDERR] == -1)
++		sudo_fatal("dup");
++	} else {
++	    sudo_debug_printf(SUDO_DEBUG_INFO,
++		"stderr not a tty, creating a pipe");
++	    if (pipe(io_pipe[STDERR_FILENO]) != 0)
++		sudo_fatal(U_("unable to create pipe"));
++	    io_buf_new(io_pipe[STDERR_FILENO][0], STDERR_FILENO,
++		log_stderr, &iobufs);
++	    io_fds[SFD_STDERR] = io_pipe[STDERR_FILENO][1];
++	}
+     }
+ 
+     /* We don't want to receive SIGTTIN/SIGTTOU, getting EIO is preferable. */
+@@ -1549,10 +1590,24 @@ exec_pty(struct command_details *details,
+     setpgid(0, self);
+ 
+     /* Wire up standard fds, note that stdout/stderr may be pipes. */
+-    if (dup2(io_fds[SFD_STDIN], STDIN_FILENO) == -1 ||
+-	dup2(io_fds[SFD_STDOUT], STDOUT_FILENO) == -1 ||
+-	dup2(io_fds[SFD_STDERR], STDERR_FILENO) == -1)
+-	sudo_fatal("dup2");
++    if (io_fds[SFD_STDIN] != STDIN_FILENO) {
++	if (dup2(io_fds[SFD_STDIN], STDIN_FILENO) == -1)
++	    sudo_fatal("dup2");
++	if (io_fds[SFD_STDIN] != io_fds[SFD_SLAVE])
++	    close(io_fds[SFD_STDIN]);
++    }
++    if (io_fds[SFD_STDOUT] != STDOUT_FILENO) {
++	if (dup2(io_fds[SFD_STDOUT], STDOUT_FILENO) == -1)
++	    sudo_fatal("dup2");
++	if (io_fds[SFD_STDOUT] != io_fds[SFD_SLAVE])
++	    close(io_fds[SFD_STDOUT]);
++    }
++    if (io_fds[SFD_STDERR] != STDERR_FILENO) {
++	if (dup2(io_fds[SFD_STDERR], STDERR_FILENO) == -1)
++	    sudo_fatal("dup2");
++	if (io_fds[SFD_STDERR] != io_fds[SFD_SLAVE])
++	    close(io_fds[SFD_STDERR]);
++    }
+ 
+     /* Wait for parent to grant us the tty if we are foreground. */
+     if (foreground && !ISSET(details->flags, CD_EXEC_BG)) {
+@@ -1561,15 +1616,9 @@ exec_pty(struct command_details *details,
+ 	    nanosleep(&ts, NULL);
+     }
+ 
+-    /* We have guaranteed that the slave fd is > 2 */
++    /* Done with the pty slave, don't leak it. */
+     if (io_fds[SFD_SLAVE] != -1)
+ 	close(io_fds[SFD_SLAVE]);
+-    if (io_fds[SFD_STDIN] != io_fds[SFD_SLAVE])
+-	close(io_fds[SFD_STDIN]);
+-    if (io_fds[SFD_STDOUT] != io_fds[SFD_SLAVE])
+-	close(io_fds[SFD_STDOUT]);
+-    if (io_fds[SFD_STDERR] != io_fds[SFD_SLAVE])
+-	close(io_fds[SFD_STDERR]);
+ 
+     /* Execute command; only returns on error. */
+     exec_cmnd(details, cstat, errfd);
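Review bot: The rewritten descriptor wiring in exec_pty() closes each `io_fds[SFD_STD*]` entry right after its `dup2()`, which is only safe when those descriptors are all above 2. The patch removes the old comment `We have guaranteed that the slave fd is > 2` and says nothing about the descriptors that fork_pty() now obtains with `dup()`. If any of fds 0-2 were closed when fork_pty() ran, `dup()` could return a number in that range and a later `dup2()` here would act on a descriptor that has already been replaced. The caller may guarantee open standard descriptors elsewhere, but that is not visible in this patch, so I would record the assumption above the block, e.g. `/* io_fds[] entries come from pipe()/dup() and are assumed > 2 (stdio open on entry). */`. Both functions start and end outside the hunks shown.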
diff --git a/SOURCES/sudo-1.8.19p2-lecture-boolean.patch b/SOURCES/sudo-1.8.19p2-lecture-boolean.patch
new file mode 100644
index 0000000..482bc6b
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-lecture-boolean.patch
@@ -0,0 +1,54 @@
+commit 631d458b6fc7341363a121c390e086cf676ecc83
+Author: Todd C. Miller <Todd.Miller@courtesan.com>
+Date:   Wed May 3 09:28:36 2017 -0600
+
+    Allow a tuple to be set to boolean true.  Regression introduced by
+    refactor of set_default_entry() in sudo 1.8.18.
+
+diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
+index 89788477..91b47eeb 100644
+--- a/plugins/sudoers/defaults.c
++++ b/plugins/sudoers/defaults.c
+@@ -238,19 +238,31 @@ parse_default_entry(struct sudo_defs_types *def, const char *val, int op,
+     int rc;
+     debug_decl(parse_default_entry, SUDOERS_DEBUG_DEFAULTS)
+ 
+-    if (val == NULL && !ISSET(def->type, T_FLAG)) {
+-	/* Check for bogus boolean usage or missing value if non-boolean. */
+-	if (!ISSET(def->type, T_BOOL) || op != false) {
+-	    if (!quiet) {
+-		if (lineno > 0) {
+-		    sudo_warnx(U_("%s:%d no value specified for \"%s\""),
+-			file, lineno, def->name);
+-		} else {
+-		    sudo_warnx(U_("%s: no value specified for \"%s\""),
+-			file, def->name);
++    /*
++     * If no value specified, the boolean flag must be set for non-flags.
++     * Only flags and tuples support boolean "true".
++     */
++    if (val == NULL) {
++	switch (def->type & T_MASK) {
++	case T_FLAG:
++	    break;
++	case T_TUPLE:
++	    if (ISSET(def->type, T_BOOL))
++		break;
++	    /* FALLTHROUGH */
++	default:
++	    if (!ISSET(def->type, T_BOOL) || op != false) {
++		if (!quiet) {
++		    if (lineno > 0) {
++			sudo_warnx(U_("%s:%d no value specified for \"%s\""),
++			    file, lineno, def->name);
++		    } else {
++			sudo_warnx(U_("%s: no value specified for \"%s\""),
++			    file, def->name);
++		    }
+ 		}
++		debug_return_bool(false);
+ 	    }
+-	    debug_return_bool(false);
+ 	}
+     }
+ 
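Review bot: The new comment above the `switch` in parse_default_entry() ("the boolean flag must be set for non-flags") does not match what the code accepts and is easy to misread. As written, a missing value passes for `T_FLAG` with any `op`, for a `T_TUPLE` that has `T_BOOL` with any `op`, and for every other type only when `T_BOOL` is set and `op` is false. I would reword it to `/* No value: flags and T_BOOL tuples accept true or false; other T_BOOL types accept only negation (op == false). */`. The code that later consumes a tuple with `val == NULL` lies outside this hunk, so its handling of that case cannot be confirmed from here.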
diff --git a/SOURCES/sudo-1.8.19p2-lookup-issue-doc.patch b/SOURCES/sudo-1.8.19p2-lookup-issue-doc.patch
new file mode 100644
index 0000000..af85676
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-lookup-issue-doc.patch
@@ -0,0 +1,164 @@
+diff -up ./doc/sudoers.cat.lookup ./doc/sudoers.cat
+--- ./doc/sudoers.cat.lookup	2017-04-25 13:17:51.073190114 +0200
++++ ./doc/sudoers.cat	2017-04-25 13:17:51.081190069 +0200
+@@ -1140,24 +1140,39 @@ SSUUDDOOEERRSS OOPPTTIIOONN
+                        _o_n by default.
+ 
+      match_group_by_gid
+-                       By default, when matching groups, ssuuddooeerrss will first
+-                       resolve all the user's group IDs to group names and
+-                       then compare those group names to any group names
+-                       listed in the _s_u_d_o_e_r_s file.  This works well on systems
+-                       where the number of groups listed in the _s_u_d_o_e_r_s file
+-                       is larger than the number of groups a typical user
+-                       belongs to.  On systems where group lookups are slow,
+-                       where users may belong to a large number of groups, and
+-                       where the number of groups listed in the _s_u_d_o_e_r_s file
+-                       is relatively small, it may be prohibitively expensive
+-                       and running commands via ssuuddoo may take longer than
+-                       normal.  On such systems it may be faster to use the
++                       By default, ssuuddooeerrss will look up each group the user is
++                       a member of by group ID to determine the group name
++                       (this is only done once).  The resulting list of the
++                       user's group names is used when matching groups listed
++                       in the _s_u_d_o_e_r_s file.  This works well on systems where
++                       the number of groups listed in the _s_u_d_o_e_r_s file is
++                       larger than the number of groups a typical user belongs
++                       to.  On systems where group lookups are slow, where
++                       users may belong to a large number of groups, and where
++                       the number of groups listed in the _s_u_d_o_e_r_s file is
++                       relatively small, it may be prohibitively expensive and
++                       running commands via ssuuddoo may take longer than normal.
++                       On such systems it may be faster to use the
+                        _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag to avoid resolving the user's
+-                       group IDs to group names and instead resolve all group
+-                       names listed in the _s_u_d_o_e_r_s file, matching by group ID
+-                       instead of by group name.  The _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag
+-                       has no effect when _s_u_d_o_e_r_s data is stored in LDAP.
+-                       This flag is _o_f_f by default.
++                       group IDs to group names.  In this case, ssuuddooeerrss must
++                       look up any group name listed in the _s_u_d_o_e_r_s file and
++                       use the group ID instead of the group name when
++                       determining whether the user is a member of the group.
++
++                       Note that if _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d is enabled, group
++                       database lookups performed by ssuuddooeerrss will be keyed by
++                       group name as opposed to group ID.  On systems where
++                       there are multiple sources for the group database, it
++                       is possible to have conflicting group names or group
++                       IDs in the local _/_e_t_c_/_g_r_o_u_p file and the remote group
++                       database.  On such systems, enabling or disabling
++                       _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d can be used to choose whether group
++                       database queries are performed by name (enabled) or ID
++                       (disabled), which may aid in working around group entry
++                       conflicts.
++
++                       The _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag has no effect when _s_u_d_o_e_r_s
++                       data is stored in LDAP.  This flag is _o_f_f by default.
+ 
+                        This setting is only supported by version 1.8.18 or
+                        higher.
+diff -up ./doc/sudoers.man.in.lookup ./doc/sudoers.man.in
+--- ./doc/sudoers.man.in.lookup	2017-04-25 13:17:51.074190108 +0200
++++ ./doc/sudoers.man.in	2017-04-25 13:17:51.082190064 +0200
+@@ -2423,10 +2423,12 @@ This flag is
+ by default.
+ .TP 18n
+ match_group_by_gid
+-By default, when matching groups,
++By default,
+ \fBsudoers\fR
+-will first resolve all the user's group IDs to group names and then
+-compare those group names to any group names listed in the
++will look up each group the user is a member of by group ID to
++determine the group name (this is only done once).
++The resulting list of the user's group names is used when matching
++groups listed in the
+ \fIsudoers\fR
+ file.
+ This works well on systems where the number of groups listed in the
+@@ -2442,10 +2444,29 @@ running commands via
+ may take longer than normal.
+ On such systems it may be faster to use the
+ \fImatch_group_by_gid\fR
+-flag to avoid resolving the user's group IDs to group names and
+-instead resolve all group names listed in the
++flag to avoid resolving the user's group IDs to group names.
++In this case,
++\fBsudoers\fR
++must look up any group name listed in the
+ \fIsudoers\fR
+-file, matching by group ID instead of by group name.
++file and use the group ID instead of the group name when determining
++whether the user is a member of the group.
++.sp
++Note that if
++\fImatch_group_by_gid\fR
++is enabled, group database lookups performed by
++\fBsudoers\fR
++will be keyed by group name as opposed to group ID.
++On systems where there are multiple sources for the group database,
++it is possible to have conflicting group names or group IDs in the local
++\fI/etc/group\fR
++file and the remote group database.
++On such systems, enabling or disabling
++\fImatch_group_by_gid\fR
++can be used to choose whether group database queries are performed
++by name (enabled) or ID (disabled), which may aid in working around
++group entry conflicts.
++.sp
+ The
+ \fImatch_group_by_gid\fR
+ flag has no effect when
+diff -up ./doc/sudoers.mdoc.in.lookup ./doc/sudoers.mdoc.in
+--- ./doc/sudoers.mdoc.in.lookup	2017-04-25 13:17:51.075190102 +0200
++++ ./doc/sudoers.mdoc.in	2017-04-25 13:17:51.082190064 +0200
+@@ -2268,10 +2268,12 @@ This flag is
+ .Em @mail_no_user@
+ by default.
+ .It match_group_by_gid
+-By default, when matching groups,
++By default,
+ .Nm
+-will first resolve all the user's group IDs to group names and then
+-compare those group names to any group names listed in the
++will look up each group the user is a member of by group ID to
++determine the group name (this is only done once).
++The resulting list of the user's group names is used when matching
++groups listed in the
+ .Em sudoers
+ file.
+ This works well on systems where the number of groups listed in the
+@@ -2287,10 +2289,29 @@ running commands via
+ may take longer than normal.
+ On such systems it may be faster to use the
+ .Em match_group_by_gid
+-flag to avoid resolving the user's group IDs to group names and
+-instead resolve all group names listed in the
++flag to avoid resolving the user's group IDs to group names.
++In this case,
++.Nm
++must look up any group name listed in the
+ .Em sudoers
+-file, matching by group ID instead of by group name.
++file and use the group ID instead of the group name when determining
++whether the user is a member of the group.
++.Pp
++Note that if
++.Em match_group_by_gid
++is enabled, group database lookups performed by
++.Nm
++will be keyed by group name as opposed to group ID.
++On systems where there are multiple sources for the group database,
++it is possible to have conflicting group names or group IDs in the local
++.Pa /etc/group
++file and the remote group database.
++On such systems, enabling or disabling
++.Em match_group_by_gid
++can be used to choose whether group database queries are performed
++by name (enabled) or ID (disabled), which may aid in working around
++group entry conflicts.
++.Pp
+ The
+ .Em match_group_by_gid
+ flag has no effect when
diff --git a/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch b/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch
new file mode 100644
index 0000000..acb4daa
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch
@@ -0,0 +1,206 @@
+diff -up ./doc/sudoers.cat.manpage ./doc/sudoers.cat
+--- ./doc/sudoers.cat.manpage	2017-09-11 15:16:47.443869930 +0200
++++ ./doc/sudoers.cat	2017-09-11 15:42:15.140500826 +0200
+@@ -1088,13 +1088,19 @@ SSUUDDOOEERRSS OOPPTTIIOONN
+                        connected to the user's tty, due to I/O redirection or
+                        because the command is part of a pipeline, that input
+                        is also captured and stored in a separate log file.
+-                       For more information, see the _I_/_O _L_O_G _F_I_L_E_S section.
+-                       This flag is _o_f_f by default.
++                       Anything sent to the standard input will be consumed,
++                       regardless of whether or not the command run via ssuuddoo
++                       is actually reading the standard input.  This may have
++                       unexpected results when using ssuuddoo in a shell script
++                       that expects to process the standard input.  For more
++                       information about I/O logging, see the _I_/_O _L_O_G _F_I_L_E_S
++                       section.  This flag is _o_f_f by default.
+ 
+      log_output        If set, ssuuddoo will run the command in a pseudo-tty and
+                        log all output that is sent to the screen, similar to
+-                       the script(1) command.  For more information, see the
+-                       _I_/_O _L_O_G _F_I_L_E_S section.  This flag is _o_f_f by default.
++                       the script(1) command.  For more information about I/O
++                       logging, see the _I_/_O _L_O_G _F_I_L_E_S section.  This flag is
++                       _o_f_f by default.
+ 
+      log_year          If set, the four-digit year will be logged in the (non-
+                        syslog) ssuuddoo log file.  This flag is _o_f_f by default.
+@@ -1396,13 +1402,18 @@ SSUUDDOOEERRSS OOPPTTIIOONN
+                        not needed, this option can be disabled to reduce the
+                        load on the LDAP server.  This flag is _o_n by default.
+ 
+-     use_pty           If set, ssuuddoo will run the command in a pseudo-pty even
+-                       if no I/O logging is being gone.  A malicious program
+-                       run under ssuuddoo could conceivably fork a background
+-                       process that retains to the user's terminal device
+-                       after the main program has finished executing.  Use of
+-                       this option will make that impossible.  This flag is
+-                       _o_f_f by default.
++     use_pty           If set, and ssuuddoo is running in a terminal, the command
++                       will be run in a pseudo-pty (even if no I/O logging is
++                       being done).  If the ssuuddoo process is not attached to a
++                       terminal, _u_s_e___p_t_y has no effect.
++
++                       A malicious program run under ssuuddoo may be capable of
++                       injecting injecting commands into the user's terminal
++                       or running a background process that retains access to
++                       the user's terminal device even after the main program
++                       has finished executing.  By running the command in a
++                       separate pseudo-pty, this attack is no longer possible.
++                       This flag is _o_f_f by default.
+ 
+      utmp_runas        If set, ssuuddoo will store the name of the runas user when
+                        updating the utmp (or utmpx) file.  By default, ssuuddoo
+@@ -2135,11 +2146,11 @@ LLOOGG FFOORRMMAATT
+ 
+ II//OO LLOOGG FFIILLEESS
+      When I/O logging is enabled, ssuuddoo will run the command in a pseudo-tty
+-     and log all user input and/or output.  I/O is logged to the directory
+-     specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a
+-     unique session ID that is included in the ssuuddoo log line, prefixed with
+-     ``TSID=''.  The _i_o_l_o_g___f_i_l_e option may be used to control the format of
+-     the session ID.
++     and log all user input and/or output, depending on which options are
++     are enabled. I/O is logged to the directory specified by the _i_o_l_o_g___d_i_r 
++     option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is 
++     included in the ssuuddoo log line, prefixed with "TSID=". The _i_o_l_o_g___f_i_l_e
++     option may be used to control the format of the session ID.
+ 
+      Each I/O log is stored in a separate directory that contains the
+      following files:
+diff -up ./doc/sudoers.man.in.manpage ./doc/sudoers.man.in
+--- ./doc/sudoers.man.in.manpage	2017-09-11 15:16:47.444869925 +0200
++++ ./doc/sudoers.man.in	2017-09-11 15:16:47.456869864 +0200
+@@ -2300,7 +2300,14 @@ will run the command in a pseudo-tty and
+ If the standard input is not connected to the user's tty, due to
+ I/O redirection or because the command is part of a pipeline, that
+ input is also captured and stored in a separate log file.
+-For more information, see the
++Anything sent to the standard input will be consumed, regardless of
++whether or not the command run via
++\fBsudo\fR
++is actually reading the standard input.
++This may have unexpected results when using
++\fBsudo\fR
++in a shell script that expects to process the standard input.
++For more information about I/O logging, see the
+ \fII/O LOG FILES\fR
+ section.
+ This flag is
+@@ -2314,7 +2321,7 @@ will run the command in a pseudo-tty and
+ to the screen, similar to the
+ script(1)
+ command.
+-For more information, see the
++For more information about I/O logging, see the
+ \fII/O LOG FILES\fR
+ section.
+ This flag is
+@@ -2934,14 +2941,24 @@ This flag is
+ by default.
+ .TP 18n
+ use_pty
+-If set,
++If set, and
+ \fBsudo\fR
+-will run the command in a pseudo-pty even if no I/O logging is being gone.
++is running in a terminal, the command will be run in a pseudo-pty
++(even if no I/O logging is being done).
++If the
++\fBsudo\fR
++process is not attached to a terminal,
++\fIuse_pty\fR
++has no effect.
++.sp
+ A malicious program run under
+ \fBsudo\fR
+-could conceivably fork a background process that retains to the user's
+-terminal device after the main program has finished executing.
+-Use of this option will make that impossible.
++may be capable of injecting injecting commands into the user's
++terminal or running a background process that retains access to the
++user's terminal device even after the main program has finished
++executing.
++By running the command in a separate pseudo-pty, this attack is
++no longer possible.
+ This flag is
+ \fIoff\fR
+ by default.
+@@ -4281,7 +4298,8 @@ word wrap will be disabled.
+ .SH "I/O LOG FILES"
+ When I/O logging is enabled,
+ \fBsudo\fR
+-will run the command in a pseudo-tty and log all user input and/or output.
++will run the command in a pseudo-tty and log all user input and/or output,
++depending on which options are enabled.
+ I/O is logged to the directory specified by the
+ \fIiolog_dir\fR
+ option
+diff -up ./doc/sudoers.mdoc.in.manpage ./doc/sudoers.mdoc.in
+--- ./doc/sudoers.mdoc.in.manpage	2017-09-11 15:16:47.445869920 +0200
++++ ./doc/sudoers.mdoc.in	2017-09-11 15:16:47.456869864 +0200
+@@ -2155,7 +2155,14 @@ will run the command in a pseudo-tty and
+ If the standard input is not connected to the user's tty, due to
+ I/O redirection or because the command is part of a pipeline, that
+ input is also captured and stored in a separate log file.
+-For more information, see the
++Anything sent to the standard input will be consumed, regardless of
++whether or not the command run via
++.Nm sudo
++is actually reading the standard input.
++This may have unexpected results when using
++.Nm sudo
++in a shell script that expects to process the standard input.
++For more information about I/O logging, see the
+ .Sx "I/O LOG FILES"
+ section.
+ This flag is
+@@ -2168,7 +2175,7 @@ will run the command in a pseudo-tty and
+ to the screen, similar to the
+ .Xr script 1
+ command.
+-For more information, see the
++For more information about I/O logging, see the
+ .Sx "I/O LOG FILES"
+ section.
+ This flag is
+@@ -2752,14 +2759,24 @@ This flag is
+ .Em on
+ by default.
+ .It use_pty
+-If set,
++If set, and
+ .Nm sudo
+-will run the command in a pseudo-pty even if no I/O logging is being gone.
++is running in a terminal, the command will be run in a pseudo-pty
++(even if no I/O logging is being done).
++If the
++.Nm sudo
++process is not attached to a terminal,
++.Em use_pty
++has no effect.
++.Pp
+ A malicious program run under
+ .Nm sudo
+-could conceivably fork a background process that retains to the user's
+-terminal device after the main program has finished executing.
+-Use of this option will make that impossible.
++may be capable of injecting injecting commands into the user's
++terminal or running a background process that retains access to the
++user's terminal device even after the main program has finished
++executing.
++By running the command in a separate pseudo-pty, this attack is
++no longer possible.
+ This flag is
+ .Em off
+ by default.
+@@ -3976,7 +3993,8 @@ word wrap will be disabled.
+ .Sh I/O LOG FILES
+ When I/O logging is enabled,
+ .Nm sudo
+-will run the command in a pseudo-tty and log all user input and/or output.
++will run the command in a pseudo-tty and log all user input and/or output,
++depending on which options are enabled.
+ I/O is logged to the directory specified by the
+ .Em iolog_dir
+ option
diff --git a/SOURCES/sudo-1.8.19p2-sssd-double-free.patch b/SOURCES/sudo-1.8.19p2-sssd-double-free.patch
new file mode 100644
index 0000000..d53eb4c
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-sssd-double-free.patch
@@ -0,0 +1,44 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1511893724 25200
+# Node ID 14dacdea331942a38d443a75d1b08f67eafaa5eb
+# Parent  b456101fe5091540e9f6429db7568fa32b6d4da8
+Avoid a double free when ipa_hostname is set in sssd.conf and it
+is an unqualified host name.  From Daniel Kopecek.
+
+Also move the "unable to allocate memory" warning into get_ipa_hostname()
+itself to make it easier to see where the allocation failed in the
+debug log.
+
+diff -r b456101fe509 -r 14dacdea3319 plugins/sudoers/sssd.c
+--- a/plugins/sudoers/sssd.c	Tue Nov 28 09:48:43 2017 -0700
++++ b/plugins/sudoers/sssd.c	Tue Nov 28 11:28:44 2017 -0700
+@@ -349,6 +349,8 @@
+ 		    *lhostp = lhost;
+ 		    ret = true;
+ 		} else {
++		    sudo_warnx(U_("%s: %s"), __func__,
++			U_("unable to allocate memory"));
+ 		    free(shost);
+ 		    free(lhost);
+ 		    ret = -1;
+@@ -456,7 +458,6 @@
+      */
+     if (strcmp(user_runhost, user_host) == 0) {
+ 	if (get_ipa_hostname(&handle->ipa_shost, &handle->ipa_host) == -1) {
+-	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ 	    free(handle);
+ 	    debug_return_int(ENOMEM);
+ 	}
+@@ -478,7 +479,8 @@
+ 	handle = nss->handle;
+ 	sudo_dso_unload(handle->ssslib);
+ 	free(handle->ipa_host);
+-	free(handle->ipa_shost);
++	if (handle->ipa_host != handle->ipa_shost)
++	    free(handle->ipa_shost);
+ 	free(handle);
+ 	nss->handle = NULL;
+     }
+
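Review bot: The new guard in the last sssd.c hunk, `if (handle->ipa_host != handle->ipa_shost)`, relies on an invariant that no visible code states: per the commit message, the short and long host name can be the same pointer when ipa_hostname is unqualified. A comment at the free site, e.g. `/* ipa_shost may alias ipa_host for an unqualified name; free it only once */`, would keep a later cleanup from dropping the check and reintroducing the double free. The failure branch in the first hunk still calls `free(shost); free(lhost);` unconditionally. That is safe only if the two can never be the same non-NULL pointer on that path, which depends on a condition outside the hunk and is worth confirming. Both functions start and end outside the hunks.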
diff --git a/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch b/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch
new file mode 100644
index 0000000..62d0cf2
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch
@@ -0,0 +1,113 @@
+From 1f37620953699fe71b09760fe01e33eb6ada771c Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@courtesan.com>
+Date: Wed, 15 Nov 2017 12:27:39 -0700
+Subject: [PATCH] When checking the results for "sudo -l" and "sudo -v", keep
+ checking even after we get a match since the value of doauth may depend on
+ evaluating all the results.  From Radovan Sroka of RedHat.
+
+In list (-l) or verify (-v) mode, if we have a match but authentication
+is required, clear FLAG_NOPASSWD so that when listpw/verifypw is
+set to "all" and there are multiple sudoers sources a password will
+be required unless none of the entries in all sources require
+authentication.  From Radovan Sroka of RedHat
+
+Avoid calling cmnd_matches() in list/verify mode if we already have
+a match.
+---
+ plugins/sudoers/ldap.c  |  5 ++++-
+ plugins/sudoers/parse.c | 10 +++++++---
+ plugins/sudoers/sssd.c  |  5 ++++-
+ 3 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
+index 46309cba..c5c18360 100644
+--- a/plugins/sudoers/ldap.c
++++ b/plugins/sudoers/ldap.c
+@@ -3320,12 +3320,13 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
+ 		(pwcheck == all && doauth != true)) {
+ 		doauth = !!sudo_ldap_check_bool(ld, entry, "authenticate");
+ 	    }
++	    if (matched == true)
++		continue;
+ 	    /* Only check the command when listing another user. */
+ 	    if (user_uid == 0 || list_pw == NULL ||
+ 		user_uid == list_pw->pw_uid ||
+ 		sudo_ldap_check_command(ld, entry, NULL) == true) {
+ 		matched = true;
+-		break;
+ 	    }
+ 	}
+ 	if (matched == true || user_uid == 0) {
+@@ -3339,6 +3340,8 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
+ 		case any:
+ 		    if (doauth == false)
+ 			SET(ret, FLAG_NOPASSWD);
++		    else
++			CLR(ret, FLAG_NOPASSWD);
+ 		    break;
+ 		default:
+ 		    break;
+diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c
+index 749a3eb2..a12e88c5 100644
+--- a/plugins/sudoers/parse.c
++++ b/plugins/sudoers/parse.c
+@@ -182,14 +182,16 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
+ 		if (hostlist_matches(sudo_user.pw, &priv->hostlist) != ALLOW)
+ 		    continue;
+ 		TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
++		    if ((pwcheck == any && cs->tags.nopasswd == true) ||
++			(pwcheck == all && cs->tags.nopasswd != true))
++			nopass = cs->tags.nopasswd;
++		    if (match == ALLOW)
++			continue;
+ 		    /* Only check the command when listing another user. */
+ 		    if (user_uid == 0 || list_pw == NULL ||
+ 			user_uid == list_pw->pw_uid ||
+ 			cmnd_matches(cs->cmnd) == ALLOW)
+ 			    match = ALLOW;
+-		    if ((pwcheck == any && cs->tags.nopasswd == true) ||
+-			(pwcheck == all && cs->tags.nopasswd != true))
+-			nopass = cs->tags.nopasswd;
+ 		}
+ 	    }
+ 	}
+@@ -202,6 +204,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
+ 	    SET(validated, FLAG_CHECK_USER);
+ 	else if (nopass == true)
+ 	    SET(validated, FLAG_NOPASSWD);
++	else
++	    CLR(validated, FLAG_NOPASSWD);
+ 	debug_return_int(validated);
+     }
+ 
+diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
+index 65b4d875..09ca9fee 100644
+--- a/plugins/sudoers/sssd.c
++++ b/plugins/sudoers/sssd.c
+@@ -1321,12 +1321,13 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
+ 		    (pwcheck == all && doauth != true)) {
+ 		    doauth = !!sudo_sss_check_bool(handle, rule, "authenticate");
+ 		}
++		if (matched == true)
++		    continue;
+ 		/* Only check the command when listing another user. */
+ 		if (user_uid == 0 || list_pw == NULL ||
+ 		    user_uid == list_pw->pw_uid ||
+ 		    sudo_sss_check_command(handle, rule, NULL) == true) {
+ 		    matched = true;
+-		    break;
+ 		}
+ 	    }
+ 	}
+@@ -1341,6 +1342,8 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
+ 		case any:
+ 		    if (doauth == false)
+ 			SET(ret, FLAG_NOPASSWD);
++		    else
++			CLR(ret, FLAG_NOPASSWD);
+ 		    break;
+ 		default:
+ 		    break;
+-- 
+2.14.3
+
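Review bot: `if (matched == true) continue;` in the ldap.c hunk reads like a missed `break`, and nothing in the code says why the loop must keep running after a match; the same applies to the matching lines in sssd.c and to `if (match == ALLOW) continue;` in parse.c. The commit message explains that doauth/nopass must reflect every entry for listpw/verifypw to be enforced. A comment such as `/* keep iterating: doauth depends on all entries, not only the first match */` above each `continue` would protect the password requirement from a well-meant loop optimisation later. All three lookup functions extend beyond the hunks shown.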
diff --git a/SOURCES/sudo-1.8.19p2-upstream-testsuitefix.patch b/SOURCES/sudo-1.8.19p2-upstream-testsuitefix.patch
new file mode 100644
index 0000000..ef2946c
--- /dev/null
+++ b/SOURCES/sudo-1.8.19p2-upstream-testsuitefix.patch
@@ -0,0 +1,14 @@
+diff -up ./plugins/sudoers/regress/visudo/test2.err.ok.orig ./plugins/sudoers/regress/visudo/test2.err.ok
+--- ./plugins/sudoers/regress/visudo/test2.err.ok.orig  2017-04-10 10:12:53.003000000 -0400
++++ ./plugins/sudoers/regress/visudo/test2.err.ok       2017-04-10 10:13:36.771000000 -0400
+@@ -1 +1 @@
+-visudo: stdin:1 cycle in User_Alias "FOO"
++Error: stdin:1 cycle in User_Alias "FOO"
+diff -up ./plugins/sudoers/regress/visudo/test3.err.ok.orig ./plugins/sudoers/regress/visudo/test3.err.ok
+--- ./plugins/sudoers/regress/visudo/test3.err.ok.orig  2017-04-10 10:13:12.141000000 -0400
++++ ./plugins/sudoers/regress/visudo/test3.err.ok       2017-04-10 10:13:56.842000000 -0400
+@@ -1,2 +1,2 @@
+-visudo: stdin:1 unused User_Alias "A"
+-visudo: stdin:2 unused User_Alias "B"
++Warning: stdin:1 unused User_Alias "A"
++Warning: stdin:2 unused User_Alias "B"
diff --git a/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch b/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch
new file mode 100644
index 0000000..8da9603
--- /dev/null
+++ b/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch
@@ -0,0 +1,19 @@
+diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
+index f21a99ee..83202e28 100644
+--- a/plugins/sudoers/ldap.c
++++ b/plugins/sudoers/ldap.c
+@@ -1847,12 +1847,10 @@ sudo_ldap_build_pass2(void)
+ 	    ldap_conf.timed ? timebuffer : "",
+ 	    (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
+     } else {
+-	len = asprintf(&filt, "%s%s(sudoUser=*)(sudoUser=%s*)%s%s",
+-	    (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
++	len = asprintf(&filt, "(&%s(sudoUser=*)(sudoUser=%s*)%s)",
+ 	    ldap_conf.search_filter ? ldap_conf.search_filter : "",
+ 	    query_netgroups ? "+" : "%:",
+-	    ldap_conf.timed ? timebuffer : "",
+-	    (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
++	    ldap_conf.timed ? timebuffer : "");
+     }
+     if (len == -1)
+ 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
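Review bot: The rewritten format string `"(&%s(sudoUser=*)(sudoUser=%s*)%s)"` now always emits the `(&` wrapper with no comment explaining why. The other branch, whose format string is outside the hunk, still closes its wrapper conditionally, so the two look inconsistent to a reader. A short comment above the asprintf, e.g. `/* two sudoUser terms: always AND them, a bare pair is not a valid filter */`, would record the reason. `ldap_conf.search_filter` is spliced into the filter verbatim; presumably it is validated or parenthesised where the configuration is parsed, which is not visible here and is worth confirming. sudo_ldap_build_pass2 continues outside the hunk.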
diff --git a/SOURCES/sudo-1.8.6p3-doublequotefix.patch b/SOURCES/sudo-1.8.6p3-doublequotefix.patch
new file mode 100644
index 0000000..c028017
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p3-doublequotefix.patch
@@ -0,0 +1,46 @@
+From 1b16310c7ec5ba23fbe066c7d000016e534b4448 Mon Sep 17 00:00:00 2001
+From: Tomas Sykora <tosykora@redhat.com>
+Date: Tue, 16 Aug 2016 09:54:06 +0200
+Subject: [PATCH] Double quotes are not accepted in sudoers
+
+Regression in sudo 1.8.6p3-7 package, double quotes are not accepted in sudoers
+
+Rebased from:
+Patch25: sudo-1.8.6p3-doublequotefix.patch
+
+Resolves:
+rhbz#1092499
+---
+ plugins/sudoers/toke.c | 2 +-
+ plugins/sudoers/toke.l | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/sudoers/toke.c b/plugins/sudoers/toke.c
+index e5b4d97..3b510bb 100644
+--- a/plugins/sudoers/toke.c
++++ b/plugins/sudoers/toke.c
+@@ -2385,7 +2385,7 @@ YY_RULE_SETUP
+ 				LEXTRACE("ERROR "); /* empty string */
+ 				LEXRETURN(ERROR);
+ 			    }
+-			    if (prev_state == INITIAL) {
++			    if (prev_state == INITIAL || prev_state == GOTDEFS) {
+ 				switch (sudoerslval.string[0]) {
+ 				case '%':
+ 				    if (sudoerslval.string[1] == '\0' ||
+diff --git a/plugins/sudoers/toke.l b/plugins/sudoers/toke.l
+index b63edd0..82724aa 100644
+--- a/plugins/sudoers/toke.l
++++ b/plugins/sudoers/toke.l
+@@ -185,7 +185,7 @@ DEFVAR			[a-z_]+
+ 				LEXTRACE("ERROR "); /* empty string */
+ 				LEXRETURN(ERROR);
+ 			    }
+-			    if (prev_state == INITIAL) {
++			    if (prev_state == INITIAL || prev_state == GOTDEFS) {
+ 				switch (sudoerslval.string[0]) {
+ 				case '%':
+ 				    if (sudoerslval.string[1] == '\0' ||
+-- 
+2.7.4
+
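Review bot: The widened test `prev_state == INITIAL || prev_state == GOTDEFS` carries no comment on why GOTDEFS belongs here, and the enclosing rule is only partly visible in both hunks. In toke.l a line such as `/* also classify quoted names that follow a Defaults binding */` would help; this assumes GOTDEFS is the state entered after a Defaults keyword, which should be confirmed. toke.c looks like generated scanner output (its hunk header shows YY_RULE_SETUP), so the hand edit there should be compared against a regenerated file to make sure the two stay identical.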
diff --git a/SOURCES/sudo-1.8.6p3-nowaitopt.patch b/SOURCES/sudo-1.8.6p3-nowaitopt.patch
new file mode 100644
index 0000000..df51500
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p3-nowaitopt.patch
@@ -0,0 +1,161 @@
+From 9b1f0f16bfe7552810b4adb6b17ac3674da660f9 Mon Sep 17 00:00:00 2001
+From: Tomas Sykora <tosykora@redhat.com>
+Date: Mon, 15 Aug 2016 15:13:31 +0200
+Subject: [PATCH] Backport direct exec of command from sudo
+
+Added cmnd_no_wait option
+Sudo does not run command in a new child process,
+when cmnd_no_wait is enabled.
+
+!!!
+Upstream can do that too now in 1.8.17 with combination of
+pam_session, pam_setcred and use_pty option.
+They must be disabled and I/O logging must not be configured.
+See "man sudoers".
+
+rebased from:
+Patch8: sudo-1.8.6p3-nowaitopt.patch
+
+Resolves:
+rhbz#840980
+---
+ plugins/sudoers/def_data.c  |  4 ++++
+ plugins/sudoers/def_data.h  |  2 ++
+ plugins/sudoers/def_data.in |  3 +++
+ plugins/sudoers/policy.c    |  4 ++++
+ src/exec.c                  | 34 ++++++++++++++++++++++++++++++++++
+ src/sudo.c                  |  5 +++++
+ src/sudo.h                  |  1 +
+ 7 files changed, 53 insertions(+)
+
+diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
+index 00caa8b..d8b1ada 100644
+--- a/plugins/sudoers/def_data.c
++++ b/plugins/sudoers/def_data.c
+@@ -435,6 +435,10 @@ struct sudo_defs_types sudo_defs_table[] = {
+ 	N_("File mode to use for the I/O log files: 0%o"),
+ 	NULL,
+     }, {
++	"cmnd_no_wait", T_FLAG,
++	N_("Don't fork and wait for the command to finish, just exec it"),
++	NULL,
++    }, {
+ 	NULL, 0, NULL
+     }
+ };
+diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
+index d83d2c3..1b6be3d 100644
+--- a/plugins/sudoers/def_data.h
++++ b/plugins/sudoers/def_data.h
+@@ -204,6 +204,8 @@
+ #define def_iolog_group         (sudo_defs_table[I_IOLOG_GROUP].sd_un.str)
+ #define I_IOLOG_MODE            102
+ #define def_iolog_mode          (sudo_defs_table[I_IOLOG_MODE].sd_un.mode)
++#define I_CMND_NO_WAIT          103
++#define def_cmnd_no_wait        (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
+ 
+ enum def_tuple {
+ 	never,
+diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
+index 9f069f1..5200fe3 100644
+--- a/plugins/sudoers/def_data.in
++++ b/plugins/sudoers/def_data.in
+@@ -322,3 +322,6 @@ iolog_group
+ iolog_mode
+ 	T_MODE
+ 	"File mode to use for the I/O log files: 0%o"
++cmnd_no_wait
++	T_FLAG
++	"Don't fork and wait for the command to finish, just exec it"
+diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
+index 4ee1e28..93df1dd 100644
+--- a/plugins/sudoers/policy.c
++++ b/plugins/sudoers/policy.c
+@@ -564,6 +564,10 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask,
+ 	if ((command_info[info_len++] = strdup("use_pty=true")) == NULL)
+ 	    goto oom;
+     }
++    if (def_cmnd_no_wait) {
++        if ((command_info[info_len++] = strdup("cmnd_no_wait=true")) == NULL)
++            goto oom;
++    }
+     if (def_utmp_runas) {
+ 	if ((command_info[info_len++] = sudo_new_key_val("utmp_user", runas_pw->pw_name)) == NULL)
+ 	    goto oom;
+diff --git a/src/exec.c b/src/exec.c
+index 56da013..08bc86d 100644
+--- a/src/exec.c
++++ b/src/exec.c
+@@ -384,6 +384,41 @@ sudo_execute(struct command_details *details, struct command_status *cstat)
+     }
+ 
+     /*
++     * If we don't want to wait for the command to exit, then just exec it.
++     * THIS WILL BREAK SEVERAL THINGS including SELinux, PAM sessions and I/O
++     * logging. Implemented because of rhbz#840980 (backwards compatibility).
++     * In 1.8.x branch this is even harder to get back, since the nowait code
++     * was completely removed.
++     */
++    if (details->flags & CD_DONTWAIT) {
++        if (exec_setup(details, NULL, -1) == true) {
++            restore_signals();
++            /* headed for execve() */
++            sudo_debug_execve(SUDO_DEBUG_INFO, details->command,
++                              details->argv, details->envp);
++            if (details->closefrom >= 0) {
++                closefrom(details->closefrom);
++            }
++#ifdef HAVE_SELINUX
++            if (ISSET(details->flags, CD_RBAC_ENABLED)) {
++                selinux_execve(-1, details->command, details->argv, details->envp,
++                               ISSET(details->flags, CD_NOEXEC));
++            } else
++#endif
++            {
++                sudo_execve(-1, details->command, details->argv, details->envp,
++                            ISSET(details->flags, CD_NOEXEC));
++            }
++            sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to exec %s: %s",
++                              details->command, strerror(errno));
++        }
++        cstat->type = CMD_ERRNO;
++        cstat->val = errno;
++       return 127;
++    }
++
++
++    /*
+      * We communicate with the child over a bi-directional pair of sockets.
+      * Parent sends signal info to child and child sends back wait status.
+      */
+diff --git a/src/sudo.c b/src/sudo.c
+index 5dd090d..0606a19 100644
+--- a/src/sudo.c
++++ b/src/sudo.c
+@@ -670,6 +670,11 @@ command_info_to_details(char * const info[], struct command_details *details)
+ 			sudo_fatalx(U_("%s: %s"), info[i], U_(errstr));
+ 		    break;
+ 		}
++		if (strncmp("cmnd_no_wait=", info[i], sizeof("cmnd_no_wait=") - 1) == 0) {
++                    if (sudo_strtobool(info[i] + sizeof("cmnd_no_wait=") - 1) == true)
++                        SET(details->flags, CD_DONTWAIT);
++                    break;
++                }
+ 		break;
+ 	    case 'e':
+ 		SET_FLAG("exec_background=", CD_EXEC_BG)
+diff --git a/src/sudo.h b/src/sudo.h
+index 3ac2c9d..f07ba11 100644
+--- a/src/sudo.h
++++ b/src/sudo.h
+@@ -130,6 +130,7 @@ struct user_details {
+ #define CD_SUDOEDIT_FOLLOW	0x10000
+ #define CD_SUDOEDIT_CHECKDIR	0x20000
+ #define CD_SET_GROUPS		0x40000
++#define CD_DONTWAIT		0x80000
+ 
+ struct preserved_fd {
+     TAILQ_ENTRY(preserved_fd) entries;
+-- 
+2.7.4
+
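Review bot: In the src/exec.c hunk, `cstat->val = errno;` is read after `sudo_debug_printf(...)` has run, and also on the path where `exec_setup()` did not return true, so the value handed back may not be the execve failure. Saving it first, e.g. `int serrno = errno;` directly after the `sudo_execve`/`selinux_execve` call and then `cstat->val = serrno;`, would make the reported error reliable. The block's own comment says direct exec breaks SELinux, PAM sessions and I/O logging, yet nothing in the hunk checks whether those are configured. A sudoers file that enables both cmnd_no_wait and I/O logging would presumably lose the session log without warning, so a guard that ignores CD_DONTWAIT (or warns) when use_pty or I/O logging is active would preserve the audit trail. In src/sudo.c the new `strncmp` block could use the `SET_FLAG("cmnd_no_wait=", CD_DONTWAIT)` form seen on the `exec_background=` line, assuming that macro's semantics match. sudo_execute continues outside the hunk.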
diff --git a/SOURCES/sudo-1.8.6p7-digest-backport.patch b/SOURCES/sudo-1.8.6p7-digest-backport.patch
new file mode 100644
index 0000000..a814b2c
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-digest-backport.patch
@@ -0,0 +1,435 @@
+From c8a6eecf768d8102a9a77f5fdb5b516e571d462e Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Tue, 23 Aug 2016 13:43:08 +0200
+Subject: [PATCH] Using libgcrypt
+
+Using libgcrypt and not sudo implementation of SHA...
+
+Rebased patch of digest backport.
+Added option --with-gcrypt
+
+Rebased from:
+Patch35: sudo-1.8.6p7-digest-backport.patch
+
+Resolves:
+rhbz#1183818
+---
+ configure.ac                 |  16 +++++++
+ plugins/sudoers/Makefile.in  |   9 +++-
+ plugins/sudoers/filedigest.c | 104 +++++++++++++++++++++++++++++++++++++++++++
+ plugins/sudoers/filedigest.h |  17 +++++++
+ plugins/sudoers/match.c      |  94 ++++++++++++++++++++++++++++++--------
+ 5 files changed, 219 insertions(+), 21 deletions(-)
+ create mode 100644 plugins/sudoers/filedigest.c
+ create mode 100644 plugins/sudoers/filedigest.h
+
+diff --git a/configure.ac b/configure.ac
+index 13c3c1b..54929b2 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -35,6 +35,7 @@ AC_SUBST([SUDO_OBJS])
+ AC_SUBST([LIBS])
+ AC_SUBST([SUDO_LIBS])
+ AC_SUBST([SUDOERS_LIBS])
++AC_SUBST([LIBPARSESUDOERS_LIBS])
+ AC_SUBST([STATIC_SUDOERS])
+ AC_SUBST([NET_LIBS])
+ AC_SUBST([AFS_LIBS])
+@@ -1517,6 +1518,19 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])
+ 		;;
+ esac], [with_selinux=no])
+ 
++AC_ARG_WITH(gcrypt, [AS_HELP_STRING([--with-gcrypt], [enable libgcrypt support])],
++[case $with_gcrypt in
++    yes)
++               AC_DEFINE(HAVE_LIBGCRYPT)
++               LIBPARSESUDOERS_LIBS="${LIBPARSESUDOERS_LIBS} -lgcrypt"
++               AC_CHECK_LIB([gcrypt], [gcry_md_open],
++                   [AC_DEFINE(HAVE_GCRY_MD_OPEN)])
++               ;;
++    no)                ;;
++    *)         AC_MSG_ERROR(["--with-gcrypt does not take an argument."])
++               ;;
++esac])
++
+ dnl
+ dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default
+ dnl
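Review bot: In the `yes)` branch of the new `--with-gcrypt` case, `AC_DEFINE(HAVE_LIBGCRYPT)` and the `-lgcrypt` addition run before `AC_CHECK_LIB`, and the check has no action for the not-found case, so configure succeeds without libgcrypt and the failure only shows up at link time. Because this patch compiles out sudo's own SHA-2 table in match.c when `HAVE_LIBGCRYPT` is set, a hard stop is the safer behaviour. Move the define and the `LIBPARSESUDOERS_LIBS` assignment into the found action and give the check a fourth argument such as `[AC_MSG_ERROR([--with-gcrypt given but libgcrypt was not found])]`. `HAVE_GCRY_MD_OPEN` is defined here but not tested anywhere in the visible parts of this patch, so it can probably be dropped.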
+@@ -4344,6 +4358,8 @@ AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the <project.h> header file
+ AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
+ AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])
+ AH_TEMPLATE(HAVE_SETKEYCREATECON, [Define to 1 if you have the `setkeycreatecon' function.])
++AH_TEMPLATE(HAVE_LIBGCRYPT, [Define to 1 to enable libgcrypt support.])
++AH_TEMPLATE(HAVE_GCRY_MD_OPEN, [Define to 1 if you have the `gcry_md_open' function.])
+ AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1 if you have the `shl_load' function.])
+ AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
+ AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
+diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in
+index f36f9ef..32c0ed0 100644
+--- a/plugins/sudoers/Makefile.in
++++ b/plugins/sudoers/Makefile.in
+@@ -55,6 +55,7 @@ LT_LIBS = $(top_builddir)/lib/util/libsudo_util.la
+ LIBS = $(LT_LIBS)
+ NET_LIBS = @NET_LIBS@
+ SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ $(LIBS) $(NET_LIBS) @ZLIB@ @LIBMD@
++LIBPARSESUDOERS_LIBS = @LIBPARSESUDOERS_LIBS@
+ REPLAY_LIBS = @REPLAY_LIBS@ @ZLIB@
+ VISUDO_LIBS = $(NET_LIBS) @LIBMD@
+ TESTSUDOERS_LIBS = $(NET_LIBS) @LIBMD@
+@@ -153,7 +154,7 @@ AUTH_OBJS = sudo_auth.lo @AUTH_OBJS@
+ LIBPARSESUDOERS_OBJS = alias.lo audit.lo base64.lo defaults.lo hexchar.lo \
+ 		       gram.lo match.lo match_addr.lo pwutil.lo pwutil_impl.lo \
+ 		       rcstr.lo redblack.lo sudoers_debug.lo timestr.lo \
+-		       toke.lo toke_util.lo
++		       toke.lo toke_util.lo filedigest.lo
+ 
+ SUDOERS_OBJS = $(AUTH_OBJS) boottime.lo check.lo editor.lo env.lo find_path.lo \
+ 	       gc.lo goodpath.lo group_plugin.lo interfaces.lo iolog.lo \
+@@ -217,7 +218,7 @@ Makefile: $(srcdir)/Makefile.in
+ 	(cd $(top_builddir) && ./config.status --file plugins/sudoers/Makefile)
+ 
+ libparsesudoers.la: $(LIBPARSESUDOERS_OBJS)
+-	$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(LIBPARSESUDOERS_OBJS) -no-install
++	$(LIBTOOL) --mode=link $(CC) -o $@ $(LIBPARSESUDOERS_OBJS) $(LIBPARSESUDOERS_LIBS) -no-install
+ 
+ sudoers.la: $(SUDOERS_OBJS) $(LT_LIBS) libparsesudoers.la @LT_LDDEP@
+ 	case "$(LT_LDFLAGS)" in \
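Review bot: The rewritten `libparsesudoers.la` link line drops `$(LTFLAGS)` while adding `$(LIBPARSESUDOERS_LIBS)`, and the new `filedigest.lo` compile rule in the next hunk also omits it, although the `env.lo` rule right above it passes `$(LIBTOOL) $(LTFLAGS) --mode=compile`. Nothing in the patch description explains the removal, so it looks accidental. Keeping the flag gives `$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(LIBPARSESUDOERS_OBJS) $(LIBPARSESUDOERS_LIBS) -no-install`, with the same prefix on the `filedigest.lo` recipe. The `filedigest.lo` rule also lists only `config.h` and `sudo_debug.h` as prerequisites, although filedigest.c includes `filedigest.h` and `sudo_compat.h` too, so edits to those headers would not trigger a rebuild.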
+@@ -656,6 +657,10 @@ env.lo: $(srcdir)/env.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+         $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+         $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/env.c
++filedigest.lo: $(srcdir)/filedigest.c $(top_builddir)/config.h \
++        $(incdir)/sudo_debug.h
++	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/filedigest.c
++filedigest.o: filedigest.lo
+ find_path.lo: $(srcdir)/find_path.c $(devdir)/def_data.h \
+               $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+               $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+diff --git a/plugins/sudoers/filedigest.c b/plugins/sudoers/filedigest.c
+new file mode 100644
+index 0000000..c173741
+--- /dev/null
++++ b/plugins/sudoers/filedigest.c
+@@ -0,0 +1,104 @@
++#include <config.h>
++#include <errno.h>
++#include <stddef.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#include <unistd.h>
++#include "filedigest.h"
++#include "sudo_compat.h"
++#include "sudo_debug.h"
++
++#if defined(HAVE_LIBGCRYPT)
++#include <gcrypt.h>
++
++static int sudo_filedigest_gcrypt(int fd, int algo, unsigned char **dvalue, size_t *dvalue_size)
++{
++  char buffer[4096];
++  gcry_md_hd_t ctx;
++  int gcry_algo;
++  debug_decl(sudo_filedigest_gcrypt, SUDO_DEBUG_UTIL);
++
++  switch(algo) {
++  case SUDO_DIGEST_SHA224:
++    gcry_algo = GCRY_MD_SHA224; break;
++  case SUDO_DIGEST_SHA256:
++    gcry_algo = GCRY_MD_SHA256; break;
++  case SUDO_DIGEST_SHA384:
++    gcry_algo = GCRY_MD_SHA384; break;
++  case SUDO_DIGEST_SHA512:
++    gcry_algo = GCRY_MD_SHA512; break;
++  default:
++    debug_return_int(-1);
++  }
++
++  gcry_md_open(&ctx, gcry_algo, 0);
++
++  /* Read block of data from fd and digest them */
++  while (1) {
++    const ssize_t read_bytes = read(fd, buffer, sizeof buffer);
++
++    if (read_bytes < 0) {
++      /* Error */
++      gcry_md_close(ctx);
++      debug_return_int(-1);
++    }
++    else if (read_bytes > 0) {
++      /* Some data read -- update the digest */
++      gcry_md_write(ctx, buffer, (size_t)read_bytes);
++    }
++    else {
++      /* EOF */
++      break;
++    }
++  }
++
++  /*
++   * All data digested. Finalize the digest value.
++   */
++  const unsigned char *value = gcry_md_read(ctx, gcry_algo);
++
++  if (value == NULL) {
++    debug_return_int(-1);
++  }
++
++  /*
++   * Make a copy of the digest value. The pointer
++   * returned from gcry_md_read cannot be used after
++   * gcry_md_close was called
++   */
++  (*dvalue_size) = gcry_md_get_algo_dlen(gcry_algo);
++  (*dvalue) = malloc(*dvalue_size);
++
++  if (*dvalue == NULL) {
++    debug_return_int(-1);
++  }
++
++  memcpy(*dvalue, value, *dvalue_size);
++  gcry_md_close(ctx);
++
++  debug_return_int(0);
++}
++#endif
++
++#include <stdio.h>
++
++int sudo_filedigest(const char *path, int algo, unsigned char **dvalue, size_t *dvalue_size)
++{
++  int rc = -1;
++  int fd = -1;
++  debug_decl(sudo_filedigest, SUDO_DEBUG_UTIL);
++
++  if ((fd = open(path, O_RDONLY)) < 0) {
++    debug_return_int(rc);
++  }
++
++#if defined(HAVE_LIBGCRYPT)
++  rc = sudo_filedigest_gcrypt(fd, algo, dvalue, dvalue_size);
++  close(fd);
++#else
++  rc = -1;
++  errno = ENOTSUP;
++#endif
++  debug_return_int(rc);
++}
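Review bot: `sudo_filedigest_gcrypt()` ignores the result of `gcry_md_open()` and leaks the digest context on two error paths, when `gcry_md_read()` returns NULL and when `malloc()` fails. `sudo_filedigest()` closes `fd` only inside the `HAVE_LIBGCRYPT` branch, so a build without libgcrypt leaks a descriptor on every call. The file also calls `malloc()` and `memcpy()` without including `<stdlib.h>` and `<string.h>`. Because the result of this function decides whether a sudoers digest restriction matches, every failure should end in a clean -1 with nothing left open; the lines below show the changed spots.

```c
#include <stdlib.h>   /* malloc */
#include <string.h>   /* memcpy */
/* … unchanged: remaining includes, algo switch … */

  if (gcry_md_open(&ctx, gcry_algo, 0) != 0) {
    debug_return_int(-1);
  }
/* … unchanged: read loop … */

  if (value == NULL) {
    gcry_md_close(ctx);
    debug_return_int(-1);
  }
/* … unchanged: dvalue_size assignment and malloc … */

  if (*dvalue == NULL) {
    gcry_md_close(ctx);
    debug_return_int(-1);
  }
/* … unchanged: memcpy, gcry_md_close, return; then in sudo_filedigest() … */

#else
  close(fd);          /* fd is opened above in both configurations */
  rc = -1;
  errno = ENOTSUP;
#endif
```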
+diff --git a/plugins/sudoers/filedigest.h b/plugins/sudoers/filedigest.h
+new file mode 100644
+index 0000000..437f02f
+--- /dev/null
++++ b/plugins/sudoers/filedigest.h
+@@ -0,0 +1,17 @@
++#include <stddef.h>
++
++#define SUDO_DIGEST_SHA224	0
++#define SUDO_DIGEST_SHA256	1
++#define SUDO_DIGEST_SHA384	2
++#define SUDO_DIGEST_SHA512	3
++#define SUDO_DIGEST_INVALID     4
++
++#define SUDO_SHA224_DIGEST_LENGTH 28
++#define SUDO_SHA256_DIGEST_LENGTH 32
++#define SUDO_SHA384_DIGEST_LENGTH 48
++#define SUDO_SHA512_DIGEST_LENGTH 64
++
++/*
++ * Compute a digest of a given file. Returns 0 on success, -1 otherwise.
++ */
++int sudo_filedigest(const char *path, int algo, unsigned char **dvalue, size_t *dvalue_size);
+diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
+index 1916bde..2a9ea4b 100644
+--- a/plugins/sudoers/match.c
++++ b/plugins/sudoers/match.c
+@@ -62,6 +62,7 @@
+ 
+ #include "sudoers.h"
+ #include "parse.h"
++#include "filedigest.h"
+ #include <gram.h>
+ 
+ #ifdef HAVE_FNMATCH
+@@ -576,6 +577,7 @@ command_matches_normal(const char *sudoers_cmnd, const char *sudoers_args, const
+ }
+ #else /* !SUDOERS_NAME_MATCH */
+ 
++#ifndef HAVE_LIBGCRYPT /* !!! */
+ static struct digest_function {
+     const char *digest_name;
+     const unsigned int digest_len;
+@@ -616,24 +618,43 @@ static struct digest_function {
+ 	NULL
+     }
+ };
++#endif /* !HAVE_LIBGCRYPT */
++
++static const char *digesttype2str(int digest_type)
++{
++    switch(digest_type) {
++        case SUDO_DIGEST_SHA224:
++            return "SHA224";
++        case SUDO_DIGEST_SHA256:
++            return "SHA256";
++        case SUDO_DIGEST_SHA384:
++            return "SHA384";
++        case SUDO_DIGEST_SHA512:
++            return "SHA512";
++    }
++    return "<INVALID>";
++}
+ 
+ static bool
+ digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
+ {
+-    unsigned char file_digest[SHA512_DIGEST_LENGTH];
+-    unsigned char sudoers_digest[SHA512_DIGEST_LENGTH];
++    unsigned char * file_digest = NULL;
++    unsigned char * sudoers_digest = NULL;
++    size_t digest_size;
+     unsigned char buf[32 * 1024];
+-    struct digest_function *func = NULL;
+ #ifdef HAVE_FEXECVE
+     bool first = true;
+     bool is_script = false;
+ #endif /* HAVE_FEXECVE */
+     size_t nread;
+-    SHA2_CTX ctx;
+     FILE *fp;
+     unsigned int i;
+     debug_decl(digest_matches, SUDOERS_DEBUG_MATCH)
+ 
++#ifndef HAVE_LIBGCRYPT /* !!! */
++
++    SHA2_CTX ctx;
++    struct digest_function *func = NULL;
+     for (i = 0; digest_functions[i].digest_name != NULL; i++) {
+ 	if (sd->digest_type == i) {
+ 	    func = &digest_functions[i];
+@@ -644,9 +665,33 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
+ 	sudo_warnx(U_("unsupported digest type %d for %s"), sd->digest_type, file);
+ 	debug_return_bool(false);
+     }
+-    if (strlen(sd->digest_str) == func->digest_len * 2) {
++
++    digest_size = func->digest_len;
++
++    file_digest = malloc(digest_size);
++    if (file_digest == NULL) {
++	debug_return_bool(false);
++    }
++
++#elif HAVE_LIBGCRYPT
++
++    if (sudo_filedigest(file, sd->digest_type,
++        &file_digest, &digest_size) != 0) {
++        sudo_warnx(U_("Cannot compute digest type %d for %s"), sd->digest_type, file);
++        goto clean_up;
++    }
++
++#endif /* !HAVE_LIBGCRYPT */
++
++    sudoers_digest = malloc(digest_size);
++    if (sudoers_digest == NULL) {
++        free(file_digest);
++	debug_return_bool(false);
++    }
++
++    if (strlen(sd->digest_str) == digest_size * 2) {
+ 	/* Convert the command digest from ascii hex to binary. */
+-	for (i = 0; i < func->digest_len; i++) {
++	for (i = 0; i < digest_size ; i++) {
+ 	    const int h = hexchar(&sd->digest_str[i + i]);
+ 	    if (h == -1)
+ 		goto bad_format;
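Review bot: With `HAVE_LIBGCRYPT` defined, the digest that is compared comes from `sudo_filedigest(file, ...)`, which opens the path on its own, while the descriptor returned through `*fd` comes from the later `fopen(file, "r")` in this function, so the bytes that were hashed and the bytes behind the descriptor are no longer guaranteed to belong to the same file. The pre-patch code hashed the very stream it later duplicated, which closed that window; if the path changes between the two opens, the check verifies one file while the descriptor (presumably used for execution, given the `HAVE_FEXECVE` blocks) refers to another. Hashing the already-open descriptor, for example through an fd-taking variant of `sudo_filedigest()` called after `fopen()`, would restore the old guarantee and avoid reading the file twice. `digest_matches()` starts and ends outside this hunk.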
+@@ -654,11 +699,11 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
+ 	}
+     } else {
+ 	size_t len = base64_decode(sd->digest_str, sudoers_digest,
+-	    sizeof(sudoers_digest));
+-	if (len != func->digest_len) {
++	    digest_size);
++	if (len != digest_size) {
+ 	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+-		"incorrect length for digest, expected %u, got %zu",
+-		func->digest_len, len);
++		"incorrect length for digest, expected %zu, got %zu",
++		digest_size, len);
+ 	    goto bad_format;
+ 	}
+     }
+@@ -666,10 +711,11 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
+     if ((fp = fopen(file, "r")) == NULL) {
+ 	sudo_debug_printf(SUDO_DEBUG_INFO, "unable to open %s: %s",
+ 	    file, strerror(errno));
+-	debug_return_bool(false);
++        goto clean_up;
+     }
+-
++#ifndef HAVE_LIBGCRYPT
+     func->init(&ctx);
++#endif /* !HAVE_LIBGCRYPT */
+     while ((nread = fread(buf, 1, sizeof(buf), fp)) != 0) {
+ #ifdef HAVE_FEXECVE
+ 	/* Check for #! cookie and set is_script. */
+@@ -679,21 +725,24 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
+ 		is_script = true;
+ 	}
+ #endif /* HAVE_FEXECVE */
++#ifndef HAVE_LIBGCRYPT
+ 	func->update(&ctx, buf, nread);
++#endif /* !HAVE_LIBGCRYPT */
+     }
+     if (ferror(fp)) {
+ 	sudo_warnx(U_("%s: read error"), file);
+ 	fclose(fp);
+-	debug_return_bool(false);
++        goto clean_up;
+     }
++#ifndef HAVE_LIBGCRYPT
+     func->final(file_digest, &ctx);
+-
+-    if (memcmp(file_digest, sudoers_digest, func->digest_len) != 0) {
++#endif /* !HAVE_LIBGCRYPT */
++    if (memcmp(file_digest, sudoers_digest, digest_size) != 0) {
+ 	fclose(fp);
+ 	sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO,
+ 	    "%s digest mismatch for %s, expecting %s",
+-	    func->digest_name, file, sd->digest_str);
+-	debug_return_bool(false);
++	    digesttype2str(sd->digest_type), file, sd->digest_str);
++        goto clean_up;
+     }
+ 
+ #ifdef HAVE_FEXECVE
+@@ -705,7 +754,7 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
+ 	sudo_debug_printf(SUDO_DEBUG_INFO, "unable to dup %s: %s",
+ 	    file, strerror(errno));
+ 	fclose(fp);
+-	debug_return_bool(false);
++        goto clean_up;
+     }
+     /*
+      * Shell scripts go through namei twice and so we can't set the close
+@@ -715,10 +764,17 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
+ 	(void)fcntl(*fd, F_SETFD, FD_CLOEXEC);
+ #endif /* HAVE_FEXECVE */
+     fclose(fp);
++    free(file_digest);
++    free(sudoers_digest);
+     debug_return_bool(true);
+ bad_format:
+     sudo_warnx(U_("digest for %s (%s) is not in %s form"), file,
+-	sd->digest_str, func->digest_name);
++	sd->digest_str, digesttype2str(sd->digest_type));
++clean_up:
++    if (file_digest)
++        free(file_digest);
++    if (sudoers_digest)
++        free(sudoers_digest);
+     debug_return_bool(false);
+ }
+ 
+-- 
+2.7.4
+
diff --git a/SOURCES/sudo-1.8.6p7-ldapsearchuidfix.patch b/SOURCES/sudo-1.8.6p7-ldapsearchuidfix.patch
new file mode 100644
index 0000000..d3991f0
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-ldapsearchuidfix.patch
@@ -0,0 +1,119 @@
+From b1f3fcf8d6e9a8e5326771a12fac8e08ed81f766 Mon Sep 17 00:00:00 2001
+From: Tomas Sykora <tosykora@redhat.com>
+Date: Fri, 19 Aug 2016 10:21:27 +0200
+Subject: [PATCH] Sudo with ldap doesn't work with 'user id'
+
+in sudoUser option.
+
+Rebased from:
+Patch39: sudo-1.8.6p7-ldapsearchuidfix.patch
+
+Resolves:
+rhbz#1135539
+---
+ plugins/sudoers/def_data.c  |  4 ++++
+ plugins/sudoers/def_data.h  |  2 ++
+ plugins/sudoers/def_data.in |  3 +++
+ plugins/sudoers/defaults.c  |  2 ++
+ plugins/sudoers/ldap.c      | 10 ++++++++--
+ plugins/sudoers/sudoers.c   |  4 ++++
+ 6 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
+index d8b1ada..3926fed 100644
+--- a/plugins/sudoers/def_data.c
++++ b/plugins/sudoers/def_data.c
+@@ -439,6 +439,10 @@ struct sudo_defs_types sudo_defs_table[] = {
+ 	N_("Don't fork and wait for the command to finish, just exec it"),
+ 	NULL,
+     }, {
++	"legacy_group_processing", T_FLAG,
++	N_("Don't pre-resolve all group names"),
++	NULL,
++    }, {
+ 	NULL, 0, NULL
+     }
+ };
+diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
+index 1b6be3d..5246e41 100644
+--- a/plugins/sudoers/def_data.h
++++ b/plugins/sudoers/def_data.h
+@@ -206,6 +206,8 @@
+ #define def_iolog_mode          (sudo_defs_table[I_IOLOG_MODE].sd_un.mode)
+ #define I_CMND_NO_WAIT          103
+ #define def_cmnd_no_wait        (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
++#define I_LEGACY_GROUP_PROCESSING 104
++#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
+ 
+ enum def_tuple {
+ 	never,
+diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
+index 5200fe3..f1c9265 100644
+--- a/plugins/sudoers/def_data.in
++++ b/plugins/sudoers/def_data.in
+@@ -325,3 +325,6 @@ iolog_mode
+ cmnd_no_wait
+ 	T_FLAG
+ 	"Don't fork and wait for the command to finish, just exec it"
++legacy_group_processing
++	T_FLAG
++	"Don't pre-resolve all group names"
+diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
+index 5eaf8ea..9e60d94 100644
+--- a/plugins/sudoers/defaults.c
++++ b/plugins/sudoers/defaults.c
+@@ -450,6 +450,8 @@ init_defaults(void)
+     }
+ 
+     /* First initialize the flags. */
++    def_legacy_group_processing = true;
++    def_match_group_by_gid = true;
+ #ifdef LONG_OTP_PROMPT
+     def_long_otp_prompt = true;
+ #endif
+diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
+index 3fe27c7..96a0709 100644
+--- a/plugins/sudoers/ldap.c
++++ b/plugins/sudoers/ldap.c
+@@ -1666,8 +1666,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw)
+     if (ldap_conf.search_filter)
+ 	sz += strlen(ldap_conf.search_filter);
+ 
+-    /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
+-    sz += 29 + sudo_ldap_value_len(pw->pw_name);
++    /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */
++    sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name);
+ 
+     /* Add space for primary and supplementary groups and gids */
+     if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
+@@ -1730,6 +1730,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw)
+     CHECK_LDAP_VCAT(buf, pw->pw_name, sz);
+     CHECK_STRLCAT(buf, ")", sz);
+ 
++    /* Append user uid */
++    (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid);
++    (void) strlcat(buf, "(sudoUser=#", sz);
++    (void) strlcat(buf, gidbuf, sz);
++    (void) strlcat(buf, ")", sz);
++
+     /* Append primary group and gid */
+     if (grp != NULL) {
+ 	CHECK_STRLCAT(buf, "(sudoUser=%", sz);
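Review bot: The three `(void) strlcat(buf, ..., sz)` calls that append the `#uid` term discard the return value, while the neighbouring appends in `sudo_ldap_build_pass1()` go through `CHECK_STRLCAT` and `CHECK_LDAP_VCAT`, which by their names check for truncation. If the size computed in the previous hunk is ever too small, the search filter would be silently cut short instead of being rejected. Using the checked form keeps the behaviour uniform: `CHECK_STRLCAT(buf, "(sudoUser=#", sz);`, `CHECK_STRLCAT(buf, gidbuf, sz);`, `CHECK_STRLCAT(buf, ")", sz);`. Reusing `gidbuf` for a uid works only if that buffer is sized for the widest uid; it is declared outside the hunk and should be confirmed, as the function body continues beyond what is shown.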
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index 539177a..673ee5d 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -208,6 +208,10 @@ sudoers_policy_init(void *info, char * const envp[])
+     if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
+ 	ret = true;
+ 
++    if (!def_match_group_by_gid || !def_legacy_group_processing) {
++        def_match_group_by_gid = false;
++	def_legacy_group_processing = false;
++    }
+ cleanup:
+     if (!restore_perms())
+ 	ret = -1;
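Review bot: The block added before `cleanup:` has no comment explaining that it forces `def_match_group_by_gid` and `def_legacy_group_processing` to false together whenever either one is false, and the reason for coupling them is not obvious from the code. A short comment such as `/* legacy_group_processing and match_group_by_gid are only honoured together: turning either one off turns both off. */` would help, ideally with the bug reference from the patch description. The defaults.c hunk of this patch sets both flags to true under the existing `/* First initialize the flags. */` comment and could carry the same explanation. The two assignment lines are also indented differently (spaces on the first, a tab on the second), and `sudoers_policy_init()` continues outside the hunk.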
+-- 
+2.7.4
+
diff --git a/SOURCES/sudo-1.8.6p7-logsudouser.patch b/SOURCES/sudo-1.8.6p7-logsudouser.patch
new file mode 100644
index 0000000..c3742a0
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-logsudouser.patch
@@ -0,0 +1,90 @@
+From 06b46ae226fecd4188af372ac0ccd7aa582e21c8 Mon Sep 17 00:00:00 2001
+From: Tomas Sykora <tosykora@redhat.com>
+Date: Wed, 17 Aug 2016 10:12:11 +0200
+Subject: [PATCH] Sudo logs username root instead of realuser
+
+RHEL7 sudo logs username root instead of realuser in /var/log/secure
+
+Rebased from:
+Patch50: sudo-1.8.6p7-logsudouser.patch
+
+Resolves:
+rhbz#1312486
+---
+ plugins/sudoers/logging.c | 14 +++++++-------
+ plugins/sudoers/sudoers.h |  1 +
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
+index 45cae67..74b2220 100644
+--- a/plugins/sudoers/logging.c
++++ b/plugins/sudoers/logging.c
+@@ -104,7 +104,7 @@ do_syslog(int pri, char *msg)
+      * Log the full line, breaking into multiple syslog(3) calls if necessary
+      */
+     fmt = _("%8s : %s");
+-    maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name));
++    maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
+     for (p = msg; *p != '\0'; ) {
+ 	len = strlen(p);
+ 	if (len > maxlen) {
+@@ -120,7 +120,7 @@ do_syslog(int pri, char *msg)
+ 	    save = *tmp;
+ 	    *tmp = '\0';
+ 
+-	    mysyslog(pri, fmt, user_name, p);
++	    mysyslog(pri, fmt, sudo_user_name, p);
+ 
+ 	    *tmp = save;			/* restore saved character */
+ 
+@@ -128,11 +128,11 @@ do_syslog(int pri, char *msg)
+ 	    for (p = tmp; *p == ' '; p++)
+ 		continue;
+ 	} else {
+-	    mysyslog(pri, fmt, user_name, p);
++	    mysyslog(pri, fmt, sudo_user_name, p);
+ 	    p += len;
+ 	}
+ 	fmt = _("%8s : (command continued) %s");
+-	maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name));
++	maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name));
+     }
+ 
+     sudoers_setlocale(oldlocale, NULL);
+@@ -179,10 +179,10 @@ do_logfile(const char *msg)
+ 	timestr = "invalid date";
+     if (def_log_host) {
+ 	len = asprintf(&full_line, "%s : %s : HOST=%s : %s",
+-	    timestr, user_name, user_srunhost, msg);
++	    timestr, sudo_user_name, user_srunhost, msg);
+     } else {
+ 	len = asprintf(&full_line, "%s : %s : %s",
+-	    timestr, user_name, msg);
++	    timestr, sudo_user_name, msg);
+     }
+     if (len == -1) {
+ 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+@@ -746,7 +746,7 @@ send_mail(const char *fmt, ...)
+ 
+     if ((timestr = get_timestr(time(NULL), def_log_year)) == NULL)
+ 	timestr = "invalid date";
+-    (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, user_name);
++    (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, sudo_user_name);
+     va_start(ap, fmt);
+     (void) vfprintf(mail, fmt, ap);
+     va_end(ap);
+diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
+index cfd5abb..c69a043 100644
+--- a/plugins/sudoers/sudoers.h
++++ b/plugins/sudoers/sudoers.h
+@@ -180,6 +180,7 @@ struct sudo_user {
+ /*
+  * Shortcuts for sudo_user contents.
+  */
++#define sudo_user_name		(sudo_user.pw->pw_name)
+ #define user_name		(sudo_user.name)
+ #define user_uid		(sudo_user.uid)
+ #define user_gid		(sudo_user.gid)
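Review bot: `sudo_user_name` dereferences `sudo_user.pw` unconditionally, and the logging.c hunks of this patch now use it in `do_syslog()`, `do_logfile()` and `send_mail()`, the functions that write the audit records. Whether `sudo_user.pw` is always set before the first message is logged cannot be seen from the patch; if it can be NULL, logging an event would crash instead of recording it. A guarded form such as `#define sudo_user_name (sudo_user.pw != NULL ? sudo_user.pw->pw_name : user_name)` keeps the log entry in that case. A one-line comment saying how the new macro differs from `user_name` would also stop the two from being confused.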
+-- 
+2.7.4
+
diff --git a/SOURCES/sudo-1.8.6p7-sudoldapconfman.patch b/SOURCES/sudo-1.8.6p7-sudoldapconfman.patch
new file mode 100644
index 0000000..8d46dbe
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-sudoldapconfman.patch
@@ -0,0 +1,50 @@
+From 447b3f0c91f019c1d30b5703c61316b583f5bce1 Mon Sep 17 00:00:00 2001
+From: Tomas Sykora <tosykora@redhat.com>
+Date: Mon, 15 Aug 2016 15:15:40 +0200
+Subject: [PATCH] RHEL7 failed RPMdiff testing
+
+Package sudo-1.8.3p1-7.el7 failed RHEL7 RPMdiff testing
+
+Rebased from:
+Patch16: sudo-1.8.6p7-sudoldapconfman.patch
+
+Resolves:
+rhbz#881258
+---
+ doc/Makefile.in | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/doc/Makefile.in b/doc/Makefile.in
+index a6f2ea2..e27c6e0 100644
+--- a/doc/Makefile.in
++++ b/doc/Makefile.in
+@@ -319,10 +319,16 @@ install-doc: install-dirs
+ 	    rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
+ 	    echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
+ 	    ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
++	    rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
++           echo ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
++           ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
+ 	else \
+ 	    rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
+ 	    echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
+ 	    ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
++	    rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
++           echo ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
++           ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
+ 	fi
+ 
+ install-plugin:
+@@ -336,7 +342,8 @@ uninstall:
+ 		$(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \
+ 		$(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \
+ 		$(DESTDIR)$(mandirform)/sudoers.$(mansectform) \
+-		$(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
++		$(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) \
++		$(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)
+ 
+ splint:
+ 
+-- 
+2.7.4
+
diff --git a/SOURCES/sudo-ldap.conf b/SOURCES/sudo-ldap.conf
new file mode 100644
index 0000000..d8f8e4d
--- /dev/null
+++ b/SOURCES/sudo-ldap.conf
@@ -0,0 +1,86 @@
+## BINDDN DN
+##  The BINDDN parameter specifies the identity, in the form of a Dis‐
+##  tinguished Name (DN), to use when performing LDAP operations.  If
+##  not specified, LDAP operations are performed with an anonymous
+##  identity.  By default, most LDAP servers will allow anonymous
+##  access.
+##
+#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+## BINDPW secret
+##  The BINDPW parameter specifies the password to use when performing
+##  LDAP operations.  This is typically used in conjunction with the
+##  BINDDN parameter.
+##
+#bindpw secret
+
+## SSL start_tls
+##  If the SSL parameter is set to start_tls, the LDAP server connec‐
+##  tion is initiated normally and TLS encryption is begun before the
+##  bind credentials are sent.  This has the advantage of not requiring
+##  a dedicated port for encrypted communications.  This parameter is
+##  only supported by LDAP servers that honor the start_tls extension,
+##  such as the OpenLDAP and Tivoli Directory servers.
+##
+#ssl start_tls
+
+## TLS_CACERTFILE file name
+##  The path to a certificate authority bundle which contains the cer‐
+##  tificates for all the Certificate Authorities the client knows to
+##  be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only sup‐
+##  ported by the OpenLDAP libraries.  Netscape-derived LDAP libraries
+##  use the same certificate database for CA and client certificates
+##  (see TLS_CERT).
+##
+#tls_cacertfile /path/to/CA.crt
+
+## TLS_CHECKPEER on/true/yes/off/false/no
+##  If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐
+##  cated to be verified.  If the server's TLS certificate cannot be
+##  verified (usually because it is signed by an unknown certificate
+##  authority), sudo will be unable to connect to it.  If TLS_CHECKPEER
+##  is disabled, no check is made.  Note that disabling the check cre‐
+##  ates an opportunity for man-in-the-middle attacks since the
+##  server's identity will not be authenticated.  If possible, the CA's
+##  certificate should be installed locally so it can be verified.
+##  This option is not supported by the Tivoli Directory Server LDAP
+##  libraries.
+#tls_checkpeer yes
+
+##
+## URI ldap[s]://[hostname[:port]] ...
+##  Specifies a whitespace-delimited list of one or more
+##  URIs describing the LDAP server(s) to connect to. 
+##
+#uri ldap://ldapserver
+
+##
+## SUDOERS_BASE base
+##  The base DN to use when performing sudo LDAP queries.
+##  Multiple SUDOERS_BASE lines may be specified, in which
+##  case they are queried in the order specified.
+##
+#sudoers_base ou=SUDOers,dc=example,dc=com
+
+##
+## BIND_TIMELIMIT seconds
+##  The BIND_TIMELIMIT parameter specifies the amount of
+##  time to wait while trying to connect to an LDAP server.
+##
+#bind_timelimit 30
+
+##
+## TIMELIMIT seconds
+##  The TIMELIMIT parameter specifies the amount of time
+##  to wait for a response to an LDAP query.
+##
+#timelimit 30
+
+##
+## SUDOERS_DEBUG debug_level
+##  This sets the debug level for sudo LDAP queries. Debugging
+##  information is printed to the standard error. A value of 1
+##  results in a moderate amount of debugging information.
+##  A value of 2 shows the results of the matches themselves.
+##
+#sudoers_debug 1
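Review bot: The `BINDPW` section does not say that the password is kept in clear text in this file, so nothing in the template tells the administrator to restrict who can read it. Adding a line such as `##  The password is stored in clear text; keep this file readable by root only.` under the BINDPW description would cover that. The sample `#uri ldap://ldapserver` is likewise shown without a hint that `ssl start_tls` (or an `ldaps://` URI) and `tls_checkpeer yes` should be enabled with it, otherwise the bind credentials and the sudoers rules travel unprotected. A one-line cross-reference in the URI section would be enough.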
diff --git a/SOURCES/sudo.conf b/SOURCES/sudo.conf
new file mode 100644
index 0000000..3047842
--- /dev/null
+++ b/SOURCES/sudo.conf
@@ -0,0 +1,57 @@
+#
+# Default /etc/sudo.conf file
+#
+# Format:
+#   Plugin plugin_name plugin_path plugin_options ...
+#   Path askpass /path/to/askpass
+#   Path noexec /path/to/sudo_noexec.so
+#   Debug sudo /var/log/sudo_debug all@warn
+#   Set disable_coredump true
+#
+# Sudo plugins:
+#
+# The plugin_path is relative to ${prefix}/libexec unless fully qualified.
+# The plugin_name corresponds to a global symbol in the plugin
+#   that contains the plugin interface structure.
+# The plugin_options are optional.
+#
+# The sudoers plugin is used by default if no Plugin lines are present.
+Plugin sudoers_policy sudoers.so
+Plugin sudoers_io sudoers.so
+
+#
+# Sudo askpass:
+#
+# An askpass helper program may be specified to provide a graphical
+# password prompt for "sudo -A" support.  Sudo does not ship with its
+# own passpass program but can use the OpenSSH askpass.
+#
+# Use the OpenSSH askpass
+#Path askpass /usr/X11R6/bin/ssh-askpass
+#
+# Use the Gnome OpenSSH askpass
+#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
+
+#
+# Sudo noexec:
+#
+# Path to a shared library containing dummy versions of the execv(),
+# execve() and fexecve() library functions that just return an error.
+# This is used to implement the "noexec" functionality on systems that
+# support C<LD_PRELOAD> or its equivalent.
+# The compiled-in value is usually sufficient and should only be changed
+# if you rename or move the sudo_noexec.so file.
+#
+#Path noexec /usr/libexec/sudo_noexec.so
+
+#
+# Core dumps:
+#
+# By default, sudo disables core dumps while it is executing (they
+# are re-enabled for the command that is run).
+# To aid in debugging sudo problems, you may wish to enable core
+# dumps by setting "disable_coredump" to false.
+#
+# Set to false here so as not to interfere with /proc/sys/fs/suid_dumpable
+#
+Set disable_coredump false
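Review bot: The comment above `Set disable_coredump false` explains why the value is changed but not what it implies: with sudo's own protection switched off, whether the setuid sudo process can dump core depends on `/proc/sys/fs/suid_dumpable` alone. I would extend the comment with something like `# With this set to false, keep fs.suid_dumpable at 0 unless core dumps of sudo are really wanted.` so the dependency is explicit. Separately, the askpass section says `passpass program` where `askpass program` is meant.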
diff --git a/SOURCES/sudoers b/SOURCES/sudoers
new file mode 100644
index 0000000..2fdc62f
--- /dev/null
+++ b/SOURCES/sudoers
@@ -0,0 +1,112 @@
+## Sudoers allows particular users to run various commands as
+## the root user, without needing the root password.
+##
+## Examples are provided at the bottom of the file for collections
+## of related commands, which can then be delegated out to particular
+## users or groups.
+## 
+## This file must be edited with the 'visudo' command.
+
+## Host Aliases
+## Groups of machines. You may prefer to use hostnames (perhaps using 
+## wildcards for entire domains) or IP addresses instead.
+# Host_Alias     FILESERVERS = fs1, fs2
+# Host_Alias     MAILSERVERS = smtp, smtp2
+
+## User Aliases
+## These aren't often necessary, as you can use regular groups
+## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
+## rather than USERALIAS
+# User_Alias ADMINS = jsmith, mikem
+
+
+## Command Aliases
+## These are groups of related commands...
+
+## Networking
+# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+
+## Installation and management of software
+# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
+
+## Services
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
+
+## Updating the locate database
+# Cmnd_Alias LOCATE = /usr/bin/updatedb
+
+## Storage
+# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
+
+## Delegating permissions
+# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 
+
+## Processes
+# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
+
+## Drivers
+# Cmnd_Alias DRIVERS = /sbin/modprobe
+
+# Defaults specification
+
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults   !visiblepw
+
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults    always_set_home
+Defaults    match_group_by_gid
+
+Defaults    env_reset
+Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
+Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+
+#
+# Adding HOME to env_keep may enable a user to run unrestricted
+# commands via sudo.
+#
+# Defaults   env_keep += "HOME"
+
+Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+## Next comes the main part: which users can run what software on 
+## which machines (the sudoers file can be shared between multiple
+## systems).
+## Syntax:
+##
+## 	user	MACHINE=COMMANDS
+##
+## The COMMANDS section may have other options added to it.
+##
+## Allow root to run any commands anywhere 
+root	ALL=(ALL) 	ALL
+
+## Allows members of the 'sys' group to run networking, software, 
+## service management apps and more.
+# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
+
+## Allows people in group wheel to run all commands
+%wheel	ALL=(ALL)	ALL
+
+## Same thing without a password
+# %wheel	ALL=(ALL)	NOPASSWD: ALL
+
+## Allows members of the users group to mount and unmount the 
+## cdrom as root
+# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
+
+## Allows members of the users group to shutdown this system
+# %users  localhost=/sbin/shutdown -h now
+
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir /etc/sudoers.d
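Review bot: The commented example aliases read as narrow delegations, but several are in practice equivalent to granting `ALL`: `DELEGATING` (`/usr/sbin/visudo`, `/bin/chown`, `/bin/chmod`), `SOFTWARE` (`/bin/rpm`, `/usr/bin/yum`) and `DRIVERS` (`/sbin/modprobe`) each let the holder change the sudo policy itself, file ownership anywhere, or what code runs as root. An administrator who uncomments the `%sys` line therefore grants far more than the "networking, software, service management apps and more" its comment suggests. I would add a caution above the Command Aliases block, e.g. `## NOTE: DELEGATING, SOFTWARE and DRIVERS are root-equivalent; grant them only to users you would trust with ALL.` Also, `the the env_reset` in the HOME comment is a doubled word.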
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
new file mode 100644
index 0000000..01af92f
--- /dev/null
+++ b/SPECS/sudo.spec
@@ -0,0 +1,1013 @@
+Summary: Allows restricted root access for specified users
+Name: sudo
+Version: 1.8.19p2
+Release: 13%{?dist}
+License: ISC
+Group: Applications/System
+URL: http://www.courtesan.com/sudo/
+Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
+Source1: sudoers
+Source2: sudo-ldap.conf
+Source3: sudo.conf
+Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Requires: /etc/pam.d/system-auth, vim-minimal, libgcrypt
+
+BuildRequires: pam-devel
+BuildRequires: groff
+BuildRequires: openldap-devel
+BuildRequires: flex
+BuildRequires: bison
+BuildRequires: automake autoconf libtool
+BuildRequires: audit-libs-devel libcap-devel
+BuildRequires: libgcrypt-devel
+BuildRequires: libselinux-devel
+BuildRequires: /usr/sbin/sendmail
+BuildRequires: gettext
+BuildRequires: zlib-devel
+BuildRequires: libgcrypt-devel
+
+# don't strip
+Patch1: sudo-1.6.7p5-strip.patch
+# configure.in fix
+Patch2: sudo-1.7.2p1-envdebug.patch
+# 840980 - sudo creates a new parent process
+# Adds cmnd_no_wait Defaults option
+Patch3: sudo-1.8.6p3-nowaitopt.patch
+# 881258 - rpmdiff: added missing sudo-ldap.conf manpage
+Patch4: sudo-1.8.6p7-sudoldapconfman.patch
+# 1092499 - Regression in sudo 1.8.6p3-7 package, double quotes are not accepted in sudoers
+Patch5: sudo-1.8.6p3-doublequotefix.patch
+# 1183818 - backport of command digest specification feature
+Patch6: sudo-1.8.6p7-digest-backport.patch
+# 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option
+Patch7: sudo-1.8.6p7-ldapsearchuidfix.patch
+# 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure
+Patch8: sudo-1.8.6p7-logsudouser.patch
+# fix upstream testsuite - disabling 2 tests, working only with non-root user
+Patch9: sudo-1.8.18-testsuitefix.patch
+# 1413160 - backport ignore_unknown_defaults flag
+Patch10: sudo-1.8.19p2-ignore-unknown-defaults.patch
+# 1424575 - backport visudo severity of the message
+Patch11: sudo-1.8.19p2-error-warning-visudo-message.patch
+# 1369856 - synchronous (real-time) writes in sudo i/o logs
+Patch12: sudo-1.8.19p2-iologflush.patch
+# 1293306 - Sudo group lookup issue.
+Patch13: sudo-1.8.19p2-lookup-issue-doc.patch
+# 1360687 -  sudo rhel-7 rebase - comment11
+Patch14: sudo-1.8.19p2-upstream-testsuitefix.patch
+# 1360687 -  sudo rhel-7 rebase - comment13
+Patch15: sudo-1.8.19p2-fqdn-use-after-free.patch
+# 1360687 -  sudo rhel-7 rebase - comment13
+Patch16: sudo-1.8.19p2-lecture-boolean.patch
+# 1455402 - CVE-2017-1000367: Privilege escalation in via improper get_process_ttyname() parsing
+Patch17: sudo-1.8.19p2-get_process_ttyname.patch
+# 1459152 - CVE-2017-1000368: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367)
+Patch18: sudo-1.8.19p2-CVE-2017-1000368.patch
+# 1485397 - sudo breaking who ldap and local users after upgrade
+Patch19: sudo-1.8.21-ldap-pass2-filter.patch
+# 1458696 - successful sudo -l returns non-zero if asking for other user
+Patch20: sudo-1.8.19p2-display-privs.patch
+# 1454571 - Sudo, with I/O Logging log_output option enabled, truncate output in case of cycle over standard input
+Patch21: sudo-1.8.19p2-iologtruncate.patch
+# 1490358 - Update use_pty and IO logging man page
+Patch22: sudo-1.8.19p2-manpage-use_pty.patch
+# 1505409 - Regression in "sudo -l" when using IPA / sssd
+Patch23: sudo-1.8.19p2-sudo-l-sssd.patch
+# 1518104 - sudo crashed: double free or corruption (fasttop)
+Patch24: sudo-1.8.19p2-sssd-double-free.patch
+
+%description
+Sudo (superuser do) allows a system administrator to give certain
+users (or groups of users) the ability to run some (or all) commands
+as root while logging all commands and arguments. Sudo operates on a
+per-command basis.  It is not a replacement for the shell.  Features
+include: the ability to restrict what commands a user may run on a
+per-host basis, copious logging of each command (providing a clear
+audit trail of who did what), a configurable timeout of the sudo
+command, and the ability to use the same configuration file (sudoers)
+on many different machines.
+
+%package        devel
+Summary:        Development files for %{name}
+Group:          Development/Libraries
+Requires:       %{name} = %{version}-%{release}
+
+%description    devel
+The %{name}-devel package contains header files developing sudo
+plugins that use %{name}.
+
+%prep
+%setup -q
+
+%patch1 -p1 -b .strip
+%patch2 -p1 -b .envdebug
+%patch3 -p1 -b .nowaitopt
+%patch4 -p1 -b .sudoldapconfman
+%patch5 -p1 -b .doublequotefix
+%patch6 -p1 -b .digest-backport
+%patch7 -p1 -b .ldapsearchuidfix
+%patch8 -p1 -b .logsudouser
+%patch9 -p1 -b .testsuite
+%patch10 -p1 -b .ignoreunknowndefaults
+%patch11 -p1 -b .errorwarningvisudomsg
+%patch12 -p1 -b .iologflush
+%patch13 -p1 -b .lookup
+%patch14 -p1 -b .testsuite
+%patch15 -p1 -b .fqdnafterfree
+%patch16 -p1 -b .lecture
+%patch17 -p1 -b .get_process_ttyname
+%patch18 -p1 -b .CVE-2017-1000368
+%patch19 -p1 -b .ldap-pass2-filter
+%patch20 -p1 -b .display-privs
+%patch21 -p1 -b .iologtruncate
+%patch22 -p1 -b .manpage
+%patch23 -p1 -b .sudo-l
+%patch24 -p1 -b .double-free
+
+%build
+autoreconf -I m4 -fv --install
+
+%ifarch s390 s390x sparc64
+F_PIE=-fPIE
+%else
+F_PIE=-fpie
+%endif
+
+export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHLIB_MODE=755
+
+%configure \
+        --prefix=%{_prefix} \
+        --sbindir=%{_sbindir} \
+        --libdir=%{_libdir} \
+        --docdir=%{_datadir}/doc/%{name}-%{version} \
+        --with-logging=syslog \
+        --with-logfac=authpriv \
+        --with-pam \
+        --with-pam-login \
+        --with-editor=/bin/vi \
+        --with-env-editor \
+        --with-gcrypt \
+        --with-ignore-dot \
+        --with-tty-tickets \
+        --with-ldap \
+        --with-ldap-conf-file="%{_sysconfdir}/sudo-ldap.conf" \
+        --with-selinux \
+        --with-passprompt="[sudo] password for %p: " \
+        --with-linux-audit \
+        --with-sssd
+#       --without-kerb5 \
+#       --without-kerb4
+make
+
+make check
+
+%install
+rm -rf $RPM_BUILD_ROOT
+
+# Update README.LDAP (#736653)
+sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP
+
+make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
+chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
+install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
+install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
+install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
+install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
+install -p -c -m 0640 %{SOURCE3} $RPM_BUILD_ROOT/etc/sudo.conf
+install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo-ldap.conf
+
+# Remove execute permission on this script so we don't pull in perl deps
+chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif
+
+#Remove all .la files
+find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+
+%find_lang sudo
+%find_lang sudoers
+
+cat sudo.lang sudoers.lang > sudo_all.lang
+rm sudo.lang sudoers.lang
+
+mkdir -p $RPM_BUILD_ROOT/etc/pam.d
+cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
+#%%PAM-1.0
+auth       include      system-auth
+account    include      system-auth
+password   include      system-auth
+session    optional     pam_keyinit.so revoke
+session    required     pam_limits.so
+EOF
+
+cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
+#%%PAM-1.0
+auth       include      sudo
+account    include      sudo
+password   include      sudo
+session    optional     pam_keyinit.so force revoke
+session    required     pam_limits.so
+EOF
+
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files -f sudo_all.lang
+%defattr(-,root,root)
+%attr(0440,root,root) %config(noreplace) /etc/sudoers
+%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
+%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo-ldap.conf
+%attr(0750,root,root) %dir /etc/sudoers.d/
+%config(noreplace) /etc/pam.d/sudo
+%config(noreplace) /etc/pam.d/sudo-i
+%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
+%dir /var/db/sudo
+%dir /var/db/sudo/lectured
+%attr(4111,root,root) %{_bindir}/sudo
+%{_bindir}/sudoedit
+%attr(0111,root,root) %{_bindir}/sudoreplay
+%attr(0755,root,root) %{_sbindir}/visudo
+%attr(0755,root,root) %{_libexecdir}/sudo/sesh
+%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
+%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
+%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
+%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
+%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?
+%{_libexecdir}/sudo/libsudo_util.so.?
+%{_libexecdir}/sudo/libsudo_util.so
+%{_mandir}/man5/sudoers.5*
+%{_mandir}/man5/sudoers.ldap.5*
+%{_mandir}/man5/sudo-ldap.conf.5*
+%{_mandir}/man5/sudo.conf.5*
+%{_mandir}/man8/sudo.8*
+%{_mandir}/man8/sudoedit.8*
+%{_mandir}/man8/sudoreplay.8*
+%{_mandir}/man8/visudo.8*
+%dir %{_docdir}/sudo-%{version}
+%{_docdir}/sudo-%{version}/*
+
+
+# Make sure permissions are ok even if we're updating
+%post
+/bin/chmod 0440 /etc/sudoers || :
+
+%files devel
+%defattr(-,root,root,-)
+%doc plugins/sample/sample_plugin.c
+%{_includedir}/sudo_plugin.h
+%{_mandir}/man8/sudo_plugin.8*
+
+%changelog
+* Thu Nov 30 2017 Radovan Sroka <rsroka@redhat.com> 1.8.19p2-13
+- RHEL 7.5 erratum
+- Fixed sudo -l checking results whether user should be authenticated
+- Enabled LDAP filter patch
+- Fixed double free in sssd
+
+  Resolves: rhbz#1505409
+  Resolves: rhbz#1511850
+  Resolves: rhbz#1518104
+
+* Mon Oct 02 2017 Radovan Sroka <rsroka@redhat.com> 1.8.19p2-12
+- RHEL 7.5 erratum
+- Fixed exit codes for `sudo -l -U <user>`
+- Fixed truncated output when log_output is enabled
+- Updated use_pty and IO logging manpage
+
+  Resolves: rhbz#1458696
+  Resolves: rhbz#1454571
+  Resolves: rhbz#1490358
+
+- Fixed second pass LDAP filter expression in the sudoers ldap backend
+  - inclomplete patch for rhbz#1485397
+
+* Mon Aug 14 2017 Daniel Kopecek <dkopecek@redhat.com> - 1.8.19p2-11
+- Moved libsudo_util.so from the -devel sub-package to main package
+  Resolves: rhbz#1481225
+
+* Wed Jun 07 2017 Daniel Kopecek <dkopecek@redhat.com> - 1.8.19p2-10
+- RHEL 7.4 erratum
+- Fix CVE-2017-1000368
+  Resolves: rhbz#1459411
+
+* Tue Jun 06 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.19p2-9
+- RHEL 7.4 erratum
+- removed patch for output truncation (1454571) which introduced regression
+  Resolves: rhbz#1360687
+
+* Thu May 25 2017 Jakub Jelen <jjelen@redhat.com> - 1.8.19p2-8
+- RHEL 7.4 erratum
+- Fixes CVE-2017-1000367: Privilege escalation in via improper get_process_ttyname() parsing
+  Resolves: rhbz#1455402
+
+* Tue May 23 2017 Daniel Kopecek <dkopecek@redhat.com> - 1.8.19p2-7
+- RHEL 7.4 erratum
+- added patch to fix output truncation (in some cases) when log_output
+  option is enabled
+  Resolves: rhbz#1454571
+
+* Thu May 04 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.19p2-6
+- RHEL 7.4 erratum
+- added patch that fixes lecture option used as bolean
+  Resolves rhbz#1360687
+
+* Tue Apr 25 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.19p2-5
+- RHEL 7.4 erratum
+- added doc patch about sudo lookup issue
+  Resolves: rhbz#1293306
+- added test suite patch
+  Resolves: rhbz#1360687
+- fixed use after free fqdn problem
+  Resolves: rhbz#1360687
+
+* Tue Mar 21 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-4
+- RHEL 7.4 erratum
+- fixed cmnd_no_wait patch
+- backported iolog_flush sudoers default
+  Resolves: rhbz#1369856
+  Resolves: rhbz#1425853
+
+* Wed Mar 08 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-3
+- RHEL 7.4 eratum
+- Fixes semicolon typo in digest backport patch from the previous build
+  Resolves: rhbz#1360687
+
+* Wed Mar 08 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-2
+- RHEL 7.4 erratum
+- Fixes coverity scan issues created by our patches: 
+  - fixed resource leaks and a compiler warning in digest backport patch
+  - removed needless code from cmnd_no_wait patch causing clang warning
+  - format of the last changelog message causes problems to rhpkg push,
+    so don't use that as a commit message 
+  Resolves: rhbz#1360687
+
+* Wed Mar 01 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-1
+- RHEL 7.4 erratum
+  - Resolves: rhbz#1360687 - rebase to 1.8.19p2
+  - Resolves: rhbz#1123526 - performance improvement
+  - Resolves: rhbz#1308789 - add MAIL and NOMAIL tags
+  - Resolves: rhbz#1348504 - sudo now parses sudoers with sudoers locale
+  - Resolves: rhbz#1374417 - "sudo -l command" indicated that the command 
+    was runnable even if denied by sudoers when using LDAP or SSSD backend.
+  - Resolves: rhbz#1387303 - add ignore_iolog_errors option
+  - Resolves: rhbz#1389360 - wrong log file group ownership
+  - Resolves: rhbz#1389735 - add iolog_group, iolog_mode, iolog_user options
+  - Resolves: rhbz#1397169 - maxseq and ignore_iolog_errors options
+  - Resolves: rhbz#1403051 - add support for querying netgroups directly via LDAP
+  - Resolves: rhbz#1410086 - race condition while creating /var/log/sudo-io dir
+  - Resolves: rhbz#1413160 - add ignore_unknown_defaults flag
+  - Resolves: rhbz#1254772 - ability to export sudoers in json format
+  - Resolves: rhbz#1417187 - wrong reference to config file in systax error message
+  - Resolves: rhbz#1424575 - visudo was not printing severity of error/warning message
+
+* Wed Nov 23 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-21
+- Update noexec syscall blacklist
+- Fixes CVE-2016-7032 and CVE-2016-7076
+  Resolves: rhbz#1391940
+
+* Tue Jul 19 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-20
+- RHEL 7.3 erratum
+  - fixed visudo's -q flag
+  Resolves: rhbz#1350828
+
+* Tue Jun 14 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-19
+- RHEL 7.3 erratum
+  - removed INPUTRC from env_keep to prevent a potential info leak
+  Resolves: rhbz#1340700
+
+* Wed May 11 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-18
+- RHEL 7.3 erratum
+  - removed requiretty flag from the default sudoers policy
+  - backported pam_service and pam_login_service defaults options
+  - implemented netgroup_tuple defaults option for changing netgroup
+    processing semantics
+  - fixed user matching logic in the LDAP nss backend
+  - don't allow visudo to accept an invalid sudoers file
+  - fixed a bug causing that non-root users can list privileges of
+    other users
+  - modified digest check documentation to mention the raciness of
+    the checking mechanism
+  Resolves: rhbz#1196451
+  Resolves: rhbz#1247230
+  Resolves: rhbz#1334331
+  Resolves: rhbz#1334360
+  Resolves: rhbz#1261998
+  Resolves: rhbz#1313364
+  Resolves: rhbz#1312486
+  Resolves: rhbz#1268958
+  Resolves: rhbz#1335039
+  Resolves: rhbz#1335042
+  Resolves: rhbz#1335045
+  Resolves: rhbz#1273243
+  Resolves: rhbz#1299883
+
+* Mon Feb 15 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-17
+- fixed bug in closefrom_override defaults option
+  Resolves: rhbz#1297062
+
+* Tue Sep  1 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-16
+- RHEL 7.2 erratum
+  - show the digest type in warning messages
+  Resolves: rhbz#1183818
+
+* Tue Sep  1 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-15
+- RHEL 7.2 erratum
+  - fixed compilation of testing binaries during make check
+  - added legacy group processing patch
+  - replaced buggy base64 decoder with a public domain implementation
+  Resolves: rhbz#1254621
+  Resolves: rhbz#1183818
+  Resolves: rhbz#1247591
+
+* Tue Jul  7 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-14
+- RHEL 7.2 erratum
+  - backported command digest specification
+  - fixed CVE-2014-9680 sudo: unsafe handling of TZ environment variable
+  - fixed typos in sudoers.ldap man page
+  - fixed handling of double-quoted sudoOption values in ldap, sssd sources
+  - fixed numeric uid specification support in ldap source
+  - fixed authentication flag logic in ldap source
+  - added the systemctl command to the SERVICES alias in the default sudoers file
+  Resolves: rhbz#1144446
+  Resolves: rhbz#1235570
+  Resolves: rhbz#1138259
+  Resolves: rhbz#1183818
+  Resolves: rhbz#1233607
+  Resolves: rhbz#1144419
+  Resolves: rhbz#1135539
+  Resolves: rhbz#1215400
+
+* Tue Sep 30 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-13
+- RHEL 7.1 erratum
+  - fixed issues found by covscan/clang-analyzer
+  Resolves: rhbz#1147616
+
+* Mon Sep 29 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-12
+- RHEL 7.1 erratum
+  - don't retry authentication when ctrl-c pressed
+  - fix double-quote processing in Defaults options
+  - handle the "(none)" hostname correctly
+  - SSSD: fix sudoUser netgroup specification filtering
+  - SSSD: list correct user when -U <user> -l specified
+  - SSSD: show rule names on long listing (-ll)
+  - fix infinite loop when duplicate entries are specified on the
+    sudoers nsswitch.conf line
+  Resolves: rhbz#1084488
+  Resolves: rhbz#1088464
+  Resolves: rhbz#1088825
+  Resolves: rhbz#1092499
+  Resolves: rhbz#1093099
+  Resolves: rhbz#1096813
+  Resolves: rhbz#1147497
+  Resolves: rhbz#1147557
+
+* Wed Feb 26 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-11
+- Fixed incorrect login shell path construction in sesh
+  (thanks fkrska@redhat.com for the patch)
+  Resolves: rhbz#1065418
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 1.8.6p7-10
+- Mass rebuild 2014-01-24
+
+* Wed Jan 15 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-9
+- allow the wheel group to use sudo
+  Resolves: rhbz#994623
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 1.8.6p7-8
+- Mass rebuild 2013-12-27
+
+* Fri Nov 08 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-7
+- dropped wrong patch and fixed patch comments
+  Resolves: rhbz#1000389
+
+* Thu Nov 07 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-6
+- fixed alias cycle detection code
+- added debug messages for tracing of netgroup matching
+- fixed aborting on realloc when displaying allowed commands
+- sssd: filter netgroups in the sudoUser attribute
+- parse uids/gids more strictly
+- added debug messages to trace netgroup matching
+  Resolves: rhbz#1026904
+  Resolves: rhbz#1026890
+  Resolves: rhbz#1007014
+  Resolves: rhbz#1026894
+  Resolves: rhbz#1000389
+  Resolves: rhbz#994566
+
+* Mon Aug 05 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-5
+- added standalone manpage for sudo.conf and sudo-ldap.conf
+- spec file cleanup
+  Resolves: rhbz#881258
+
+* Mon Jul 29 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-4
+- added RHEL 6 patches
+
+* Wed Jul 24 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-3
+- synced sudoers, configure options & configuration files with
+  expected RHEL configuration
+  Resolves: rhbz#969373
+  Resolves: rhbz#971009
+  Resolves: rhbz#965124
+  Resolves: rhbz#971013
+  Resolves: rhbz#839705
+
+* Thu Apr 11 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-2
+- depend on /usr/sbin/sendmail instead of the sendmail package
+  Resolves: rhbz#927842
+
+* Thu Feb 28 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-1
+- update to 1.8.6p7
+- fixes CVE-2013-1775 and CVE-2013-1776
+- fixed several packaging issues (thanks to ville.skytta@iki.fi)
+  - build with system zlib.
+  - let rpmbuild strip libexecdir/*.so.
+  - own the %%{_docdir}/sudo-* dir.
+  - fix some rpmlint warnings (spaces vs tabs, unescaped macros).
+  - fix bogus %%changelog dates.
+
+* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Nov 12 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p3-2
+- added upstream patch for a regression
+- don't include arch specific files in the -devel subpackage
+- ship only one sample plugin in the -devel subpackage
+
+* Tue Sep 25 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p3-1
+- update to 1.8.6p3
+- drop -pipelist patch (fixed in upstream)
+
+* Thu Sep  6 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6-1
+- update to 1.8.6
+
+* Thu Jul 26 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-4
+- added patches that fix & improve SSSD support (thanks to pbrezina@redhat.com)
+- re-enabled SSSD support
+- removed libsss_sudo dependency
+
+* Tue Jul 24 2012 Bill Nottingham <notting@redhat.com> - 1.8.5-3
+- flip sudoers2ldif executable bit after make install, not in setup
+
+* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu May 17 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-1
+- update to 1.8.5
+- fixed CVE-2012-2337
+- temporarily disabled SSSD support 
+
+* Wed Feb 29 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-6
+- fixed problems with undefined symbols (rhbz#798517)
+
+* Wed Feb 22 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-5
+- SSSD patch update
+
+* Tue Feb  7 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-4
+- added SSSD support
+
+* Thu Jan 26 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-3
+- added patch for CVE-2012-0809
+
+* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.3p1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Nov 10 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-1
+- update to 1.8.3p1
+- disable output word wrapping if the output is piped 
+
+* Wed Sep  7 2011 Peter Robinson <pbrobinson@fedoraproject.org> - 1.8.1p2-2
+- Remove execute bit from sample script in docs so we don't pull in perl
+
+* Tue Jul 12 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.1p2-1
+- rebase to 1.8.1p2
+- removed .sudoi patch
+- fixed typo: RELPRO -> RELRO
+- added -devel subpackage for the sudo_plugin.h header file
+- use default ldap configuration files again
+
+* Fri Jun  3 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-4
+- build with RELRO
+
+* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.4p5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Mon Jan 17 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-2
+- rebase to 1.7.4p5
+- fixed sudo-1.7.4p4-getgrouplist.patch
+- fixes CVE-2011-0008, CVE-2011-0010
+
+* Tue Nov 30 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-5
+- anybody in the wheel group has now root access (using password) (rhbz#656873)
+- sync configuration paths with the nss_ldap package (rhbz#652687)
+
+* Wed Sep 29 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-4
+- added upstream patch to fix rhbz#638345
+
+* Mon Sep 20 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-3
+- added patch for #635250
+- /var/run/sudo -> /var/db/sudo in .spec
+
+* Tue Sep  7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-2
+- sudo now uses /var/db/sudo for timestamps
+
+* Tue Sep  7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-1
+- update to new upstream version
+- new command available: sudoreplay
+- use native audit support
+- corrected license field value: BSD -> ISC
+
+* Wed Jun  2 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-2
+- added patch that fixes insufficient environment sanitization issue (#598154)
+
+* Wed Apr 14 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-1
+- update to new upstream version
+- merged .audit and .libaudit patch
+- added sudoers.ldap.5* to files
+
+* Mon Mar  1 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p5-2
+- update to new upstream version
+
+* Tue Feb 16 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-5
+- fixed no valid sudoers sources found (#558875)
+
+* Wed Feb 10 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-4
+- audit related Makefile.in and configure.in corrections
+- added --with-audit configure option
+- removed call to libtoolize
+
+* Wed Feb 10 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-3
+- fixed segfault when #include directive is used in cycles (#561336)
+
+* Fri Jan  8 2010 Ville Skyttä <ville.skytta@iki.fi> - 1.7.2p2-2
+- Add /etc/sudoers.d dir and use it in default config (#551470).
+- Drop *.pod man page duplicates from docs.
+
+* Thu Jan 07 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-1
+- new upstream version 1.7.2p2-1
+- commented out unused aliases in sudoers to make visudo happy (#550239)
+
+* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 1.7.1-7
+- rebuilt with new audit
+
+* Thu Aug 20 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-6
+- moved secure_path from compile-time option to sudoers file (#517428)
+
+* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Jul 09 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-4
+- moved the closefrom() call before audit_help_open() (sudo-1.7.1-auditfix.patch)
+- epoch number sync
+
+* Mon Jun 22 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-1
+- updated sudo to version 1.7.1
+- fixed small bug in configure.in (sudo-1.7.1-conffix.patch)
+
+* Tue Feb 24 2009 Daniel Kopecek <dkopecek@redhat.com> 1.6.9p17-6
+- fixed building with new libtool
+- fix for incorrect handling of groups in Runas_User
+- added /usr/local/sbin to secure-path
+
+* Tue Jan 13 2009 Daniel Kopecek <dkopecek@redhat.com> 1.6.9p17-3
+- build with sendmail installed
+- Added /usr/local/bin to secure-path
+
+* Tue Sep 02 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p17-2
+- adjust audit patch, do not scream when kernel is
+  compiled without audit netlink support (#401201)
+
+* Fri Jul 04 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p17-1
+- upgrade
+
+* Wed Jun 18 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-7
+- build with newer autoconf-2.62 (#449614)
+
+* Tue May 13 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-6
+- compiled with secure path (#80215)
+
+* Mon May 05 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-5
+- fix path to updatedb in /etc/sudoers (#445103)
+
+* Mon Mar 31 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-4
+- include ldap files in rpm package (#439506)
+
+* Thu Mar 13 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-3
+- include [sudo] in password prompt (#437092)
+
+* Tue Mar 04 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-2
+- audit support improvement
+
+* Thu Feb 21 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-1
+- upgrade to the latest upstream release
+
+* Wed Feb 06 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p12-1
+- upgrade to the latest upstream release
+- add selinux support
+
+* Mon Feb 04 2008 Dennis Gilmore <dennis@ausil.us> 1.6.9p4-6
+- sparc64 needs to be in the -fPIE list with s390
+
+* Mon Jan 07 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-5
+- fix complains about audit_log_user_command(): Connection 
+  refused (#401201)
+
+* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 1.6.9p4-4
+- Rebuild for deps
+
+* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 1.6.9p4-3
+- Rebuild for openssl bump
+
+* Thu Aug 30 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-2
+- fix autotools stuff and add audit support
+
+* Mon Aug 20 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-1
+- upgrade to upstream release
+
+* Thu Apr 12 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-14
+- also use getgrouplist() to determine group membership (#235915)
+
+* Mon Feb 26 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-13
+- fix some spec file issues
+
+* Thu Dec 14 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-12
+- fix rpmlint issue
+
+* Thu Oct 26 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-11
+- fix typo in sudoers file (#212308)
+
+* Sun Oct 01 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-10
+- rebuilt for unwind info generation, broken in gcc-4.1.1-21
+
+* Thu Sep 21 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-9
+- fix sudoers file, X apps didn't work (#206320)
+
+* Tue Aug 08 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-8
+- use Red Hat specific default sudoers file
+
+* Sun Jul 16 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-7
+- fix #198755 - make login processes (sudo -i) initialise session keyring
+  (thanks for PAM config files to David Howells)
+- add IPv6 support (patch by Milan Zazrivec)
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-6.1
+- rebuild
+
+* Mon May 29 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-6
+- fix #190062 - "ssh localhost sudo su" will show the password in clear
+
+* Tue May 23 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-5
+- add LDAP support (#170848)
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-4.1
+- bump again for double-long bug on ppc(64)
+
+* Wed Feb  8 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-4
+- reset env. by default
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-3.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Mon Jan 23 2006 Dan Walsh <dwalsh@redhat.com> 1.6.8p12-3
+- Remove selinux patch.  It has been decided that the SELinux patch for sudo is
+- no longer necessary.  In tageted policy it had no effect.  In strict/MLS policy
+- We require the person using sudo to execute newrole before using sudo.
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Fri Nov 25 2005 Karel Zak <kzak@redhat.com> 1.6.8p12-1
+- new upstream version 1.6.8p12
+
+* Tue Nov  8 2005 Karel Zak <kzak@redhat.com> 1.6.8p11-1
+- new upstream version 1.6.8p11
+
+* Thu Oct 13 2005 Tomas Mraz <tmraz@redhat.com> 1.6.8p9-6
+- use include instead of pam_stack in pam config
+
+* Tue Oct 11 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-5
+- enable interfaces in selinux patch
+- merge sudo-1.6.8p8-sesh-stopsig.patch to selinux patch
+
+* Mon Sep 19 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-4
+- fix debuginfo
+
+* Mon Sep 19 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-3
+- fix #162623 - sesh hangs when child suspends
+
+* Mon Aug 1 2005 Dan Walsh <dwalsh@redhat.com> 1.6.8p9-2
+- Add back in interfaces call, SELinux has been fixed to work around
+
+* Tue Jun 21 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-1
+- new version 1.6.8p9 (resolve #161116 - CAN-2005-1993 sudo trusted user arbitrary command execution)
+
+* Tue May 24 2005 Karel Zak <kzak@redhat.com> 1.6.8p8-2
+- fix #154511 - sudo does not use limits.conf
+
+* Mon Apr  4 2005 Thomas Woerner <twoerner@redhat.com> 1.6.8p8-1
+- new version 1.6.8p8: new sudoedit and sudo_noexec
+
+* Wed Feb  9 2005 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-31
+- rebuild
+
+* Mon Oct  4 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-30.1
+- added missing BuildRequires for libselinux-devel (#132883) 
+
+* Wed Sep 29 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-30
+- Fix missing param error in sesh
+
+* Mon Sep 27 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-29
+- Remove full patch check from sesh
+
+* Thu Jul 8 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-28
+- Fix selinux patch to switch to root user
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Apr 13 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-26
+- Eliminate tty handling from selinux
+
+* Thu Apr  1 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-25
+- fixed spec file: sesh in file section with selinux flag (#119682)
+
+* Tue Mar 30 2004 Colin Walters <walters@redhat.com> 1.6.7p5-24
+- Enhance sesh.c to fork/exec children itself, to avoid
+  having sudo reap all domains.
+- Only reinstall default signal handlers immediately before
+  exec of child with SELinux patch
+
+* Thu Mar 18 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-23
+- change to default to sysadm_r 
+- Fix tty handling
+
+* Thu Mar 18 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-22
+- Add /bin/sesh to run selinux code.
+- replace /bin/bash -c with /bin/sesh
+
+* Tue Mar 16 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-21
+- Hard code to use "/bin/bash -c" for selinux 
+
+* Tue Mar 16 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-20
+- Eliminate closing and reopening of terminals, to match su.
+
+* Mon Mar 15 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-19
+- SELinux fixes to make transitions work properly
+
+* Fri Mar  5 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-18
+- pied sudo
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Tue Jan 27 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-16
+- Eliminate interfaces call, since this requires big SELinux privs
+- and it seems to be useless.
+
+* Tue Jan 27 2004 Karsten Hopp <karsten@redhat.de> 1.6.7p5-15
+- visudo requires vim-minimal or setting EDITOR to something useful (#68605)
+
+* Mon Jan 26 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-14
+- Fix is_selinux_enabled call
+
+* Tue Jan 13 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-13
+- Clean up patch on failure 
+
+* Tue Jan 6 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-12
+- Remove sudo.te for now.
+
+* Fri Jan 2 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-11
+- Fix usage message
+
+* Mon Dec 22 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-10
+- Clean up sudo.te to not blow up if pam.te not present
+
+* Thu Dec 18 2003 Thomas Woerner <twoerner@redhat.com>
+- added missing BuildRequires for groff
+
+* Tue Dec 16 2003 Jeremy Katz <katzj@redhat.com> 1.6.7p5-9
+- remove left-over debugging code
+
+* Tue Dec 16 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-8
+- Fix terminal handling that caused Sudo to exit on non selinux machines.
+
+* Mon Dec 15 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-7
+- Remove sudo_var_run_t which is now pam_var_run_t
+
+* Fri Dec 12 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-6
+- Fix terminal handling and policy
+
+* Thu Dec 11 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-5
+- Fix policy
+
+* Thu Nov 13 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-4.sel
+- Turn on SELinux support
+
+* Tue Jul 29 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-3
+- Add support for SELinux
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Mon May 19 2003 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-1
+
+* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
+- rebuilt
+
+* Tue Nov 12 2002 Nalin Dahyabhai <nalin@redhat.com> 1.6.6-2
+- remove absolute path names from the PAM configuration, ensuring that the
+  right modules get used for whichever arch we're built for
+- don't try to install the FAQ, which isn't there any more
+
+* Thu Jun 27 2002 Bill Nottingham <notting@redhat.com> 1.6.6-1
+- update to 1.6.6
+
+* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu May 23 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Thu Apr 18 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5p2-2
+- Fix bug #63768
+
+* Thu Mar 14 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5p2-1
+- 1.6.5p2
+
+* Fri Jan 18 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5p1-1
+- 1.6.5p1
+- Hope this "a new release per day" madness stops ;)
+
+* Thu Jan 17 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5-1
+- 1.6.5
+
+* Tue Jan 15 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.4p1-1
+- 1.6.4p1
+
+* Mon Jan 14 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.4-1
+- Update to 1.6.4
+
+* Mon Jul 23 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.3p7-2
+- Add build requirements (#49706)
+- s/Copyright/License/
+- bzip2 source
+
+* Sat Jun 16 2001 Than Ngo <than@redhat.com>
+- update to 1.6.3p7
+- use %%{_tmppath}
+
+* Fri Feb 23 2001 Bernhard Rosenkraenzer <bero@redhat.com>
+- 1.6.3p6, fixes buffer overrun
+
+* Tue Oct 10 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- 1.6.3p5
+
+* Wed Jul 12 2000 Prospector <bugzilla@redhat.com>
+- automatic rebuild
+
+* Tue Jun 06 2000 Karsten Hopp <karsten@redhat.de>
+- fixed owner of sudo and visudo
+
+* Thu Jun  1 2000 Nalin Dahyabhai <nalin@redhat.com>
+- modify PAM setup to use system-auth
+- clean up buildrooting by using the makeinstall macro
+
+* Tue Apr 11 2000 Bernhard Rosenkraenzer <bero@redhat.com>
+- initial build in main distrib
+- update to 1.6.3
+- deal with compressed man pages
+
+* Tue Dec 14 1999 Preston Brown <pbrown@redhat.com>
+- updated to 1.6.1 for Powertools 6.2
+- config files are now noreplace.
+
+* Thu Jul 22 1999 Tim Powers <timp@redhat.com>
+- updated to 1.5.9p2 for Powertools 6.1
+
+* Wed May 12 1999 Bill Nottingham <notting@redhat.com>
+- sudo is configured with pam. There's no pam.d file. Oops.
+
+* Mon Apr 26 1999 Preston Brown <pbrown@redhat.com>
+- upgraded to 1.59p1 for powertools 6.0
+
+* Tue Oct 27 1998 Preston Brown <pbrown@redhat.com>
+- fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed)
+
+* Thu Oct 08 1998 Michael Maher <mike@redhat.com>
+- built package for 5.2 
+
+* Mon May 18 1998 Michael Maher <mike@redhat.com>
+- updated SPEC file
+
+* Thu Jan 29 1998 Otto Hammersmith <otto@redhat.com>
+- updated to 1.5.4
+
+* Tue Nov 18 1997 Otto Hammersmith <otto@redhat.com>
+- built for glibc, no problems
+
+* Fri Apr 25 1997 Michael Fulbright <msf@redhat.com>
+- Fixed for 4.2 PowerTools 
+- Still need to be pamified
+- Still need to move stmp file to /var/log
+
+* Mon Feb 17 1997 Michael Fulbright <msf@redhat.com>
+- First version for PowerCD.
+