diff -up sudo-1.8.6p7/doc/sudoers.cat.digest-backport-docs sudo-1.8.6p7/doc/sudoers.cat --- sudo-1.8.6p7/doc/sudoers.cat.digest-backport-docs 2015-07-07 13:06:11.078653045 +0200 +++ sudo-1.8.6p7/doc/sudoers.cat 2015-07-07 13:12:05.170955417 +0200 @@ -260,6 +260,14 @@ SSUUDDOOEERRSS FFIILLEE FFO ``localhost'' will only match if that is the actual host name, which is usually only the case for non-networked systems. + digest ::= [A-Fa-f0-9]+ | + [[A-Za-z0-9+/=]+ + + Digest_Spec ::= "sha224" ':' digest | + "sha256" ':' digest | + "sha384" ':' digest | + "sha512" ':' digest + Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List @@ -267,7 +275,7 @@ SSUUDDOOEERRSS FFIILLEE FFO file name args | file name '""' - Cmnd ::= '!'* command name | + Cmnd ::= Digest_Spec? '!'* command name | '!'* directory | '!'* "sudoedit" | '!'* Cmnd_Alias 
@@ -291,6 +299,26 @@ SSUUDDOOEERRSS FFIILLEE FFO to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It may take command line arguments just as a normal command does. + If a command name is prefixed with a Digest_Spec, the command will only + match successfully if it can be verified using the specified SHA-2 + digest. This may be useful in situations where the user invoking ssuuddoo + has write access to the command or its parent directory. The following + digest formats are supported: sha224, sha256, sha384 and sha512. The + string may be specified in either hex or base64 format (base64 is more + compact). There are several utilities capable of generating SHA-2 + digests in hex format such as openssl, shasum, sha224sum, sha256sum, + sha384sum, sha512sum. + + For example, using openssl: + + $ openssl dgst -sha224 /bin/ls + SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25 + + It is also possible to use openssl to generate base64 output: + + $ openssl dgst -binary -sha224 /bin/ls | openssl base64 + EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== + DDeeffaauullttss Certain configuration options may be changed from their default values at run-time via one or more Default_Entry lines. These may affect all users @@ -1797,7 +1825,9 @@ EEXXAAMMPPLLEESS # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ - /usr/sbin/restore, /usr/sbin/rrestore + /usr/sbin/restore, /usr/sbin/rrestore\ + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \ + /home/operator/bin/start_backups Cmnd_Alias KILL = /usr/bin/kill Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown 
@@ -1867,7 +1897,11 @@ EEXXAAMMPPLLEESS The ooppeerraattoorr user may run commands limited to simple maintenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the directory - _/_u_s_r_/_o_p_e_r_/_b_i_n_/. + _/_u_s_r_/_o_p_e_r_/_b_i_n_/. Note that one command in the DUMPS Cmnd_Alias includes a + sha224 digest, _/_h_o_m_e_/_o_p_e_r_a_t_o_r_/_b_i_n_/_s_t_a_r_t___b_a_c_k_u_p_s. This is because the + directory containing the script is writable by the operator user. If the + script is modified (resulting in a digest mismatch) it will no longer be + possible to run it via ssuuddoo. joe ALL = /usr/bin/su operator diff -up sudo-1.8.6p7/doc/sudoers.man.in.digest-backport-docs sudo-1.8.6p7/doc/sudoers.man.in --- sudo-1.8.6p7/doc/sudoers.man.in.digest-backport-docs 2015-07-07 13:06:28.363472547 +0200 +++ sudo-1.8.6p7/doc/sudoers.man.in 2015-07-07 13:16:05.250448374 +0200 @@ -602,6 +602,14 @@ only the case for non-networked systems. .nf .sp .RS 0n +digest ::= [A-Fa-f0-9]+ | + [[A-Za-z0-9\+/=]+ + +Digest_Spec ::= "sha224" ':' digest | + "sha256" ':' digest | + "sha384" ':' digest | + "sha512" ':' digest + Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List @@ -609,7 +617,7 @@ command name ::= file name | file name args | file name '""' -Cmnd ::= '!'* command name | +Cmnd ::= Digest_Spec? '!'* command name | '!'* directory | '!'* "sudoedit" | '!'* Cmnd_Alias 
@@ -664,6 +672,39 @@ with the option (or as \fBsudoedit\fR). It may take command line arguments just as a normal command does. +.PP +If a +\fRcommand name\fR +is prefixed with a +\fRDigest_Spec\fR, +the command will only match successfully if it can be verified +using the specified SHA-2 digest. +This may be useful in situations where the user invoking +\fBsudo\fR +has write access to the command or its parent directory. +The following digest formats are supported: sha224, sha256, sha384 and sha512. +The string may be specified in either hex or base64 format +(base64 is more compact). +There are several utilities capable of generating SHA-2 digests in hex +format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum. +.PP +For example, using openssl: +.nf +.sp +.RS 0n +$ openssl dgst -sha224 /bin/ls +SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25 +.RE +.fi +.PP +It is also possible to use openssl to generate base64 output: +.nf +.sp +.RS 0n +$ openssl dgst -binary -sha224 /bin/ls | openssl base64 +EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== +.RE +.fi .SS "Defaults" Certain configuration options may be changed from their default values at run-time via one or more @@ -3684,7 +3725,9 @@ Host_Alias CDROM = orion, perseus, hercu # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e - /usr/sbin/restore, /usr/sbin/rrestore + /usr/sbin/restore, /usr/sbin/rrestore\e + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e + /home/operator/bin/start_backups Cmnd_Alias KILL = /usr/bin/kill Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown 
@@ -3836,6 +3879,15 @@ Here, those are commands related to back printing system, shutting down the system, and any commands in the directory \fI/usr/oper/bin/\fR. +Note that one command in the +\fRDUMPS\fR +Cmnd_Alias includes a sha224 digest, +\fI/home/operator/bin/start_backups\fR. +This is because the directory containing the script is writable by the +operator user. +If the script is modified (resulting in a digest mismatch) it will no longer +be possible to run it via +\fBsudo\fR. .nf .sp .RS 0n diff -up sudo-1.8.6p7/doc/sudoers.mdoc.in.digest-backport-docs sudo-1.8.6p7/doc/sudoers.mdoc.in --- sudo-1.8.6p7/doc/sudoers.mdoc.in.digest-backport-docs 2015-07-07 13:06:18.919571166 +0200 +++ sudo-1.8.6p7/doc/sudoers.mdoc.in 2015-07-07 13:23:45.072854748 +0200 @@ -579,6 +579,14 @@ Also, the host name will only match if that is the actual host name, which is usually only the case for non-networked systems. .Bd -literal +digest ::= [A-Fa-f0-9]+ | + [[A-Za-z0-9\+/=]+ + +Digest_Spec ::= "sha224" ':' digest | + "sha256" ':' digest | + "sha384" ':' digest | + "sha512" ':' digest + Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List @@ -586,7 +594,7 @@ command name ::= file name | file name args | file name '""' -Cmnd ::= '!'* command name | +Cmnd ::= Digest_Spec? '!'* command name | '!'* directory | '!'* "sudoedit" | '!'* Cmnd_Alias 
@@ -640,6 +648,33 @@ with the option (or as .Nm sudoedit ) . It may take command line arguments just as a normal command does. +.Pp +If a +.Li command name +is prefixed with a +.Li Digest_Spec , +the command will only match successfully if it can be verified +using the specified SHA-2 digest. +This may be useful in situations where the user invoking +.Nm sudo +has write access to the command or its parent directory. +The following digest formats are supported: sha224, sha256, sha384 and sha512. +The string may be specified in either hex or base64 format +(base64 is more compact). +There are several utilities capable of generating SHA-2 digests in hex +format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum. +.Pp +For example, using openssl: +.Bd -literal +$ openssl dgst -sha224 /bin/ls +SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25 +.Ed +.Pp +It is also possible to use openssl to generate base64 output: +.Bd -literal +$ openssl dgst -binary -sha224 /bin/ls | openssl base64 +EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ== +.Ed .Ss Defaults Certain configuration options may be changed from their default values at run-time via one or more @@ -3407,7 +3442,9 @@ Host_Alias CDROM = orion, perseus, hercu # Cmnd alias specification Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e - /usr/sbin/restore, /usr/sbin/rrestore + /usr/sbin/restore, /usr/sbin/rrestore\e + sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e + /home/operator/bin/start_backups Cmnd_Alias KILL = /usr/bin/kill Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown 
@@ -3540,6 +3577,15 @@ Here, those are commands related to back printing system, shutting down the system, and any commands in the directory .Pa /usr/oper/bin/ . +Note that one command in the +.Li DUMPS +Cmnd_Alias includes a sha224 digest, +.Pa /home/operator/bin/start_backups . +This is because the directory containing the script is writable by the +operator user. +If the script is modified (resulting in a digest mismatch) it will no longer +be possible to run it via +.Nm sudo . .Bd -literal joe ALL = /usr/bin/su operator .Ed
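Review bot: in the `digest` grammar hunks (sudoers.cat @@ -260, sudoers.man.in @@ -602, sudoers.mdoc.in @@ -579), the base64 alternative is written `[[A-Za-z0-9+/=]+` with a doubled opening bracket, which looks like a typo for `[A-Za-z0-9+/=]+`. The hex alternative `[A-Fa-f0-9]+` is also a subset of the base64 alphabet, so the grammar alone does not say how a string made only of hex characters is classified. Please fix the bracket in all three files and add a sentence stating how the two encodings are told apart.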
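Review bot: in the Cmnd_Alias DUMPS example hunks (sudoers.cat @@ -1797, sudoers.man.in @@ -3684, sudoers.mdoc.in @@ -3407), the changed line ends `/usr/sbin/rrestore\` (or `\e`) with no comma before the continued `sha224:...` entry. Cmnd_List is `Cmnd ',' Cmnd_List` and a command name may be `file name args`, so as written the digest string and `/home/operator/bin/start_backups` read as arguments to `/usr/sbin/rrestore` instead of as a separate digest-pinned command. Suggest `/usr/sbin/restore, /usr/sbin/rrestore,\` in all three files, so that anyone copying the example actually gets the digest check that the EXAMPLES text describes.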
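Review bot: the new Digest_Spec paragraph (sudoers.cat @@ -291, sudoers.man.in @@ -664, sudoers.mdoc.in @@ -640) recommends the feature for the case where the invoking user "has write access to the command or its parent directory", but does not say whether the file that is verified is guaranteed to be the file that is then executed. That is the case where the user can replace the file, so the text should state what holds between verification and execution, or say plainly that the check is made at match time only. Separately, the paragraph mentions utilities that produce hex output while the only sudoers example uses base64, and neither openssl example shows the resulting entry. One line showing the digest placed after `sha224:` in front of `/bin/ls` would make clear how the output is used.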