diff --git a/.gitignore b/.gitignore
index 59b3a3b..ffb92a8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sudo-1.8.19p2.tar.gz
+SOURCES/sudo-1.8.23.tar.gz
diff --git a/.sudo.metadata b/.sudo.metadata
index e9bab31..30c3701 100644
--- a/.sudo.metadata
+++ b/.sudo.metadata
@@ -1 +1 @@
-78868ef825e7b6db246d99160ec16fd4e4c93f3f SOURCES/sudo-1.8.19p2.tar.gz
+8db5a01eda3a14e8b40af7ee1ed6d38660463430 SOURCES/sudo-1.8.23.tar.gz
diff --git a/SOURCES/sudo-1.8.18-testsuitefix.patch b/SOURCES/sudo-1.8.18-testsuitefix.patch
deleted file mode 100644
index 6c60292..0000000
--- a/SOURCES/sudo-1.8.18-testsuitefix.patch
+++ /dev/null
@@ -1,189 +0,0 @@
-From ea44d916b9dffe0f33c3c62d1677567bf64a26b8 Mon Sep 17 00:00:00 2001
-From: Radovan Sroka <rsroka@redhat.com>
-Date: Tue, 20 Sep 2016 15:07:53 +0200
-Subject: [PATCH 10/10] Fix upstream testsuite
-
----
- plugins/sudoers/regress/sudoers/test2.in      | 60 ---------------------------
- plugins/sudoers/regress/sudoers/test2.in_     | 60 +++++++++++++++++++++++++++
- plugins/sudoers/regress/testsudoers/test3.sh  | 13 ------
- plugins/sudoers/regress/testsudoers/test3.sh_ | 13 ++++++
- 4 files changed, 73 insertions(+), 73 deletions(-)
- delete mode 100644 plugins/sudoers/regress/sudoers/test2.in
- create mode 100644 plugins/sudoers/regress/sudoers/test2.in_
- delete mode 100755 plugins/sudoers/regress/testsudoers/test3.sh
- create mode 100755 plugins/sudoers/regress/testsudoers/test3.sh_
-
-diff --git a/plugins/sudoers/regress/sudoers/test2.in b/plugins/sudoers/regress/sudoers/test2.in
-deleted file mode 100644
-index cfdfaa3..0000000
---- a/plugins/sudoers/regress/sudoers/test2.in
-+++ /dev/null
-@@ -1,60 +0,0 @@
--# Check quoted user name in User_Alias
--User_Alias UA1 = "foo"
--User_Alias UA2 = "foo.bar"
--User_Alias UA3 = "foo\""
--User_Alias UA4 = "foo:bar"
--User_Alias UA5 = "foo:bar\""
--
--# Check quoted group name in User_Alias
--User_Alias UA6 = "%baz"
--User_Alias UA7 = "%baz.biz"
--
--# Check quoted non-Unix group name in User_Alias
--User_Alias UA8 = "%:C/non UNIX 0 c"
--User_Alias UA9 = "%:C/non\'UNIX\'1 c"
--User_Alias UA10 = "%:C/non\"UNIX\"0 c"
--User_Alias UA11 = "%:C/non_UNIX_0 c"
--User_Alias UA12 = "%:C/non\'UNIX_3 c"
--
--# Check quoted user name in Runas_Alias
--Runas_Alias RA1 = "foo"
--Runas_Alias RA2 = "foo\""
--Runas_Alias RA3 = "foo:bar"
--Runas_Alias RA4 = "foo:bar\""
--
--# Check quoted host name in Defaults
--Defaults@"somehost" set_home
--Defaults@"quoted\"" set_home
--
--# Check quoted user name in Defaults
--Defaults:"you" set_home
--Defaults:"us\"" set_home
--Defaults:"%them" set_home
--Defaults:"%: non UNIX 0 c" set_home
--Defaults:"+net" set_home
--
--# Check quoted runas name in Defaults
--Defaults>"someone" set_home
--Defaults>"some one" set_home
--
--# Check quoted command in Defaults
--# XXX - not currently supported
--#Defaults!"/bin/ls -l" set_home
--#Defaults!"/bin/ls -l \"foo\"" set_home
--
--# Check quoted user, runas and host name in Cmnd_Spec
--"foo"		"hosta" = ("root") ALL
--"foo.bar"	"hostb" = ("root") ALL
--"foo\""		"hostc" = ("root") ALL
--"foo:bar"	"hostd" = ("root") ALL
--"foo:bar\""	"hoste" = ("root") ALL
--
--# Check quoted group/netgroup name in Cmnd_Spec
--"%baz"			"hosta" = ("root") ALL
--"%baz.biz"		"hostb" = ("root") ALL
--"%:C/non UNIX 0 c"	"hostc" = ("root") ALL
--"%:C/non\'UNIX\'1 c"	"hostd" = ("root") ALL
--"%:C/non\"UNIX\"0 c"	"hoste" = ("root") ALL
--"%:C/non_UNIX_0 c"	"hostf" = ("root") ALL
--"%:C/non\'UNIX_3 c"	"hostg" = ("root") ALL
--"+netgr"		"hosth" = ("root") ALL
-diff --git a/plugins/sudoers/regress/sudoers/test2.in_ b/plugins/sudoers/regress/sudoers/test2.in_
-new file mode 100644
-index 0000000..cfdfaa3
---- /dev/null
-+++ b/plugins/sudoers/regress/sudoers/test2.in_
-@@ -0,0 +1,60 @@
-+# Check quoted user name in User_Alias
-+User_Alias UA1 = "foo"
-+User_Alias UA2 = "foo.bar"
-+User_Alias UA3 = "foo\""
-+User_Alias UA4 = "foo:bar"
-+User_Alias UA5 = "foo:bar\""
-+
-+# Check quoted group name in User_Alias
-+User_Alias UA6 = "%baz"
-+User_Alias UA7 = "%baz.biz"
-+
-+# Check quoted non-Unix group name in User_Alias
-+User_Alias UA8 = "%:C/non UNIX 0 c"
-+User_Alias UA9 = "%:C/non\'UNIX\'1 c"
-+User_Alias UA10 = "%:C/non\"UNIX\"0 c"
-+User_Alias UA11 = "%:C/non_UNIX_0 c"
-+User_Alias UA12 = "%:C/non\'UNIX_3 c"
-+
-+# Check quoted user name in Runas_Alias
-+Runas_Alias RA1 = "foo"
-+Runas_Alias RA2 = "foo\""
-+Runas_Alias RA3 = "foo:bar"
-+Runas_Alias RA4 = "foo:bar\""
-+
-+# Check quoted host name in Defaults
-+Defaults@"somehost" set_home
-+Defaults@"quoted\"" set_home
-+
-+# Check quoted user name in Defaults
-+Defaults:"you" set_home
-+Defaults:"us\"" set_home
-+Defaults:"%them" set_home
-+Defaults:"%: non UNIX 0 c" set_home
-+Defaults:"+net" set_home
-+
-+# Check quoted runas name in Defaults
-+Defaults>"someone" set_home
-+Defaults>"some one" set_home
-+
-+# Check quoted command in Defaults
-+# XXX - not currently supported
-+#Defaults!"/bin/ls -l" set_home
-+#Defaults!"/bin/ls -l \"foo\"" set_home
-+
-+# Check quoted user, runas and host name in Cmnd_Spec
-+"foo"		"hosta" = ("root") ALL
-+"foo.bar"	"hostb" = ("root") ALL
-+"foo\""		"hostc" = ("root") ALL
-+"foo:bar"	"hostd" = ("root") ALL
-+"foo:bar\""	"hoste" = ("root") ALL
-+
-+# Check quoted group/netgroup name in Cmnd_Spec
-+"%baz"			"hosta" = ("root") ALL
-+"%baz.biz"		"hostb" = ("root") ALL
-+"%:C/non UNIX 0 c"	"hostc" = ("root") ALL
-+"%:C/non\'UNIX\'1 c"	"hostd" = ("root") ALL
-+"%:C/non\"UNIX\"0 c"	"hoste" = ("root") ALL
-+"%:C/non_UNIX_0 c"	"hostf" = ("root") ALL
-+"%:C/non\'UNIX_3 c"	"hostg" = ("root") ALL
-+"+netgr"		"hosth" = ("root") ALL
-diff --git a/plugins/sudoers/regress/testsudoers/test3.sh b/plugins/sudoers/regress/testsudoers/test3.sh
-deleted file mode 100755
-index c1251b9..0000000
---- a/plugins/sudoers/regress/testsudoers/test3.sh
-+++ /dev/null
-@@ -1,13 +0,0 @@
--#!/bin/sh
--#
--# Test #include facility
--#
--
--MYUID=`\ls -lnd $TESTDIR/test3.d | awk '{print $3}'`
--MYGID=`\ls -lnd $TESTDIR/test3.d | awk '{print $4}'`
--exec 2>&1
--./testsudoers -U $MYUID -G $MYGID root id <<EOF
--#includedir $TESTDIR/test3.d
--EOF
--
--exit 0
-diff --git a/plugins/sudoers/regress/testsudoers/test3.sh_ b/plugins/sudoers/regress/testsudoers/test3.sh_
-new file mode 100755
-index 0000000..c1251b9
---- /dev/null
-+++ b/plugins/sudoers/regress/testsudoers/test3.sh_
-@@ -0,0 +1,13 @@
-+#!/bin/sh
-+#
-+# Test #include facility
-+#
-+
-+MYUID=`\ls -lnd $TESTDIR/test3.d | awk '{print $3}'`
-+MYGID=`\ls -lnd $TESTDIR/test3.d | awk '{print $4}'`
-+exec 2>&1
-+./testsudoers -U $MYUID -G $MYGID root id <<EOF
-+#includedir $TESTDIR/test3.d
-+EOF
-+
-+exit 0
--- 
-2.7.4
-
diff --git a/SOURCES/sudo-1.8.19p2-CVE-2017-1000368.patch b/SOURCES/sudo-1.8.19p2-CVE-2017-1000368.patch
deleted file mode 100644
index 84c1f9d..0000000
--- a/SOURCES/sudo-1.8.19p2-CVE-2017-1000368.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-diff --git a/src/ttyname.c b/src/ttyname.c
-index ff2cacc..013be95 100644
---- a/src/ttyname.c
-+++ b/src/ttyname.c
-@@ -477,26 +477,38 @@ done:
- char *
- get_process_ttyname(char *name, size_t namelen)
- {
--    char path[PATH_MAX], *line = NULL;
-+    const char path[] = "/proc/self/stat";
-+    char *cp, buf[1024];
-     char *ret = NULL;
--    size_t linesize = 0;
-     int serrno = errno;
--    ssize_t len;
--    FILE *fp;
-+    ssize_t nread;
-+    int fd;
-     debug_decl(get_process_ttyname, SUDO_DEBUG_UTIL)
- 
--    /* Try to determine the tty from tty_nr in /proc/pid/stat. */
--    snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)getpid());
--    if ((fp = fopen(path, "r")) != NULL) {
--	len = getline(&line, &linesize, fp);
--	fclose(fp);
--	if (len != -1) {
-+    /*
-+     * Try to determine the tty from tty_nr in /proc/self/stat.
-+     * Ignore /proc/self/stat if it contains embedded NUL bytes.
-+     */
-+    if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
-+	cp = buf;
-+	while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
-+	    if (nread == -1) {
-+		if (errno == EAGAIN || errno == EINTR)
-+		    continue;
-+		break;
-+	    }
-+	    cp += nread;
-+	    if (cp >= buf + sizeof(buf))
-+		break;
-+	}
-+	if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
- 	    /*
- 	     * Field 7 is the tty dev (0 if no tty).
--	     * Since the process name at field 2 "(comm)" may include spaces,
--	     * start at the last ')' found.
-+	     * Since the process name at field 2 "(comm)" may include
-+	     * whitespace (including newlines), start at the last ')' found.
- 	     */
--	    char *cp = strrchr(line, ')');
-+	    *cp = '\0';
-+	    cp = strrchr(buf, ')');
- 	    if (cp != NULL) {
- 		char *ep = cp;
- 		const char *errstr;
-@@ -527,7 +539,8 @@ get_process_ttyname(char *name, size_t namelen)
-     errno = ENOENT;
- 
- done:
--    free(line);
-+    if (fd != -1)
-+	close(fd);
-     if (ret == NULL)
- 	sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
- 	    "unable to resolve tty via %s", path);
diff --git a/SOURCES/sudo-1.8.19p2-display-privs.patch b/SOURCES/sudo-1.8.19p2-display-privs.patch
deleted file mode 100644
index 234aa8d..0000000
--- a/SOURCES/sudo-1.8.19p2-display-privs.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff -up ./plugins/sudoers/sudo_nss.c.display-privs ./plugins/sudoers/sudo_nss.c
---- ./plugins/sudoers/sudo_nss.c.display-privs	2017-01-13 23:30:15.000000000 -0500
-+++ ./plugins/sudoers/sudo_nss.c	2017-08-31 07:41:02.764738698 -0400
-@@ -348,7 +348,11 @@ display_privs(struct sudo_nss_list *snl,
-     sudo_lbuf_destroy(&defs);
-     sudo_lbuf_destroy(&privs);
- 
--    debug_return_int(count > 0);
-+/*
-+ * This is ok, we return 1 which is success in this case
-+ * and we don't want return failure even when there is nothing to print
-+ */
-+    debug_return_int(1);
- bad:
-     sudo_lbuf_destroy(&defs);
-     sudo_lbuf_destroy(&privs);
diff --git a/SOURCES/sudo-1.8.19p2-error-warning-visudo-message.patch b/SOURCES/sudo-1.8.19p2-error-warning-visudo-message.patch
deleted file mode 100644
index 6d52342..0000000
--- a/SOURCES/sudo-1.8.19p2-error-warning-visudo-message.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From daa728fd889680cf5294fbb0e836cade9fe1a6d8 Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller" <Todd.Miller@courtesan.com>
-Date: Wed, 22 Feb 2017 06:38:33 -0700
-Subject: [PATCH] Go back to using a Warning/Error prefix in the message
- printed to stderr for alias problems.  Requested by Tomas Sykora.
-
----
- doc/visudo.cat                              | 10 +++++-----
- doc/visudo.man.in                           | 12 ++++++------
- doc/visudo.mdoc.in                          | 12 ++++++------
- plugins/sudoers/regress/visudo/test2.err.ok |  2 +-
- plugins/sudoers/regress/visudo/test3.err.ok |  4 ++--
- plugins/sudoers/visudo.c                    | 14 ++++++++++----
- 6 files changed, 30 insertions(+), 24 deletions(-)
-
-diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c
-index 4f192b2..4793d54 100644
---- a/plugins/sudoers/visudo.c
-+++ b/plugins/sudoers/visudo.c
-@@ -1137,12 +1137,17 @@ check_alias(char *name, int type, char *file, int lineno, bool strict, bool quie
-     } else {
- 	if (!quiet) {
- 	    if (errno == ELOOP) {
--		sudo_warnx(U_("%s:%d cycle in %s \"%s\""),
-+		fprintf(stderr, strict ?
-+		    U_("Error: %s:%d cycle in %s \"%s\"") :
-+		    U_("Warning: %s:%d cycle in %s \"%s\""),
- 		    file, lineno, alias_type_to_string(type), name);
- 	    } else {
--		sudo_warnx(U_("%s:%d %s \"%s\" referenced but not defined"),
-+		fprintf(stderr, strict ?
-+		    U_("Error: %s:%d %s \"%s\" referenced but not defined") :
-+		    U_("Warning: %s:%d %s \"%s\" referenced but not defined"),
- 		    file, lineno, alias_type_to_string(type), name);
- 	    }
-+	    fputc('\n', stderr);
- 	    if (strict && errorfile == NULL) {
- 		errorfile = rcstr_addref(file);
- 		errorlineno = lineno;
-@@ -1292,8 +1297,9 @@ print_unused(void *v1, void *v2)
- {
-     struct alias *a = (struct alias *)v1;
- 
--    sudo_warnx_nodebug(U_("%s:%d unused %s \"%s\""),
-+    fprintf(stderr, U_("Warning: %s:%d unused %s \"%s\""),
- 	a->file, a->lineno, alias_type_to_string(a->type), a->name);
-+    fputc('\n', stderr);
-     return 0;
- }
- 
--- 
-2.7.4
-
diff --git a/SOURCES/sudo-1.8.19p2-fqdn-use-after-free.patch b/SOURCES/sudo-1.8.19p2-fqdn-use-after-free.patch
deleted file mode 100644
index 1c44dcc..0000000
--- a/SOURCES/sudo-1.8.19p2-fqdn-use-after-free.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-diff -up ./plugins/sudoers/sssd.c.fqdnafterfree ./plugins/sudoers/sssd.c
---- ./plugins/sudoers/sssd.c.fqdnafterfree	2017-01-14 05:30:15.000000000 +0100
-+++ ./plugins/sudoers/sssd.c	2017-04-25 14:23:39.655649726 +0200
-@@ -82,8 +82,8 @@ typedef void (*sss_sudo_free_values_t)(c
- 
- struct sudo_sss_handle {
-     char *domainname;
--    char *host;
--    char *shost;
-+    char *ipa_host;
-+    char *ipa_shost;
-     struct passwd *pw;
-     void *ssslib;
-     sss_sudo_send_recv_t fn_send_recv;
-@@ -385,7 +385,7 @@ sudo_sss_open(struct sudo_nss *nss)
-     debug_decl(sudo_sss_open, SUDOERS_DEBUG_SSSD);
- 
-     /* Create a handle container. */
--    handle = malloc(sizeof(struct sudo_sss_handle));
-+    handle = calloc(1, sizeof(struct sudo_sss_handle));
-     if (handle == NULL) {
- 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
- 	debug_return_int(ENOMEM);
-@@ -447,9 +447,6 @@ sudo_sss_open(struct sudo_nss *nss)
- 	debug_return_int(EFAULT);
-     }
- 
--    handle->domainname = NULL;
--    handle->host = user_runhost;
--    handle->shost = user_srunhost;
-     handle->pw = sudo_user.pw;
-     nss->handle = handle;
- 
-@@ -458,7 +455,7 @@ sudo_sss_open(struct sudo_nss *nss)
-      * in sssd.conf and use it in preference to user_runhost.
-      */
-     if (strcmp(user_runhost, user_host) == 0) {
--	if (get_ipa_hostname(&handle->shost, &handle->host) == -1) {
-+	if (get_ipa_hostname(&handle->ipa_shost, &handle->ipa_host) == -1) {
- 	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
- 	    free(handle);
- 	    debug_return_int(ENOMEM);
-@@ -480,7 +477,10 @@ sudo_sss_close(struct sudo_nss *nss)
-     if (nss && nss->handle) {
- 	handle = nss->handle;
- 	sudo_dso_unload(handle->ssslib);
--	free(nss->handle);
-+	free(handle->ipa_host);
-+	free(handle->ipa_shost);
-+	free(handle);
-+	nss->handle = NULL;
-     }
-     debug_return_int(0);
- }
-@@ -585,8 +585,9 @@ sudo_sss_checkpw(struct sudo_nss *nss, s
- static int
- sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *sss_rule, int group_matched)
- {
--    char **val_array = NULL;
--    char *val;
-+    const char *host = handle->ipa_host ? handle->ipa_host : user_runhost;
-+    const char *shost = handle->ipa_shost ? handle->ipa_shost : user_srunhost;
-+    char *val, **val_array = NULL;
-     int ret = false, i;
-     debug_decl(sudo_sss_check_runas_user, SUDOERS_DEBUG_SSSD);
- 
-@@ -656,8 +657,8 @@ sudo_sss_check_runas_user(struct sudo_ss
- 	switch (val[0]) {
- 	case '+':
- 	    sudo_debug_printf(SUDO_DEBUG_DEBUG, "netgr_");
--	    if (netgr_matches(val, def_netgroup_tuple ? handle->host : NULL,
--		def_netgroup_tuple ? handle->shost : NULL, runas_pw->pw_name)) {
-+	    if (netgr_matches(val, def_netgroup_tuple ? host : NULL,
-+		def_netgroup_tuple ? shost : NULL, runas_pw->pw_name)) {
- 		sudo_debug_printf(SUDO_DEBUG_DEBUG, "=> match");
- 		ret = true;
- 	    }
-@@ -762,7 +763,9 @@ sudo_sss_check_runas(struct sudo_sss_han
- static bool
- sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
- {
--    char **val_array, *val;
-+    const char *host = handle->ipa_host ? handle->ipa_host : user_runhost;
-+    const char *shost = handle->ipa_shost ? handle->ipa_shost : user_srunhost;
-+    char *val, **val_array;
-     int matched = UNSPEC;
-     bool negated;
-     int i;
-@@ -792,9 +795,9 @@ sudo_sss_check_host(struct sudo_sss_hand
- 
- 	/* match any or address or netgroup or hostname */
- 	if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
--	    netgr_matches(val, handle->host, handle->shost,
-+	    netgr_matches(val, host, shost,
- 	    def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
--	    hostname_matches(handle->shost, handle->host, val)) {
-+	    hostname_matches(shost, host, val)) {
- 
- 	    matched = negated ? false : true;
- 	}
-@@ -816,9 +819,10 @@ sudo_sss_check_host(struct sudo_sss_hand
- static bool
- sudo_sss_check_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
- {
--    int ret = false;
-+    const char *host = handle->ipa_host ? handle->ipa_host : user_runhost;
-+    const char *shost = handle->ipa_shost ? handle->ipa_shost : user_srunhost;
-     char **val_array;
--    int i;
-+    int i, ret = false;
-     debug_decl(sudo_sss_check_user, SUDOERS_DEBUG_SSSD);
- 
-     if (!handle || !rule)
-@@ -844,8 +848,8 @@ sudo_sss_check_user(struct sudo_sss_hand
- 	switch (*val) {
- 	case '+':
- 	    /* Netgroup spec found, check membership. */
--	    if (netgr_matches(val, def_netgroup_tuple ? handle->host : NULL,
--		def_netgroup_tuple ? handle->shost : NULL, handle->pw->pw_name)) {
-+	    if (netgr_matches(val, def_netgroup_tuple ? host : NULL,
-+		def_netgroup_tuple ? shost : NULL, handle->pw->pw_name)) {
- 		ret = true;
- 	    }
- 	    break;
diff --git a/SOURCES/sudo-1.8.19p2-get_process_ttyname.patch b/SOURCES/sudo-1.8.19p2-get_process_ttyname.patch
deleted file mode 100644
index 8d304d5..0000000
--- a/SOURCES/sudo-1.8.19p2-get_process_ttyname.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-diff -ru sudo-1.8.20/src/ttyname.c sudo-1.8.20-Q/src/ttyname.c
---- sudo-1.8.20/src/ttyname.c	2017-05-10 08:38:44.000000000 -0700
-+++ sudo-1.8.20-Q/src/ttyname.c	2017-05-19 02:15:48.442705049 -0700
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2012-2016 Todd C. Miller <Todd.Miller@courtesan.com>
-+ * Copyright (c) 2012-2017 Todd C. Miller <Todd.Miller@courtesan.com>
-  *
-  * Permission to use, copy, modify, and distribute this software for any
-  * purpose with or without fee is hereby granted, provided that the above
-@@ -159,6 +159,8 @@
- 
- static char *ignore_devs[] = {
-     "/dev/fd/",
-+    "/dev/mqueue/",
-+    "/dev/shm/",
-     "/dev/stdin",
-     "/dev/stdout",
-     "/dev/stderr",
-@@ -493,28 +495,35 @@
- 	len = getline(&line, &linesize, fp);
- 	fclose(fp);
- 	if (len != -1) {
--	    /* Field 7 is the tty dev (0 if no tty) */
--	    char *cp = line;
--	    char *ep = line;
--	    const char *errstr;
--	    int field = 0;
--	    while (*++ep != '\0') {
--		if (*ep == ' ') {
--		    *ep = '\0';
--		    if (++field == 7) {
--			dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
--			if (errstr) {
--			    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
--				"%s: tty device %s: %s", path, cp, errstr);
-+	    /*
-+	     * Field 7 is the tty dev (0 if no tty).
-+	     * Since the process name at field 2 "(comm)" may include spaces,
-+	     * start at the last ')' found.
-+	     */
-+	    char *cp = strrchr(line, ')');
-+	    if (cp != NULL) {
-+		char *ep = cp;
-+		const char *errstr;
-+		int field = 1;
-+
-+		while (*++ep != '\0') {
-+		    if (*ep == ' ') {
-+			*ep = '\0';
-+			if (++field == 7) {
-+			    dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
-+			    if (errstr) {
-+				sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-+				    "%s: tty device %s: %s", path, cp, errstr);
-+			    }
-+			    if (tdev > 0) {
-+				errno = serrno;
-+				ret = sudo_ttyname_dev(tdev, name, namelen);
-+				goto done;
-+			    }
-+			    break;
- 			}
--			if (tdev > 0) {
--			    errno = serrno;
--			    ret = sudo_ttyname_dev(tdev, name, namelen);
--			    goto done;
--			}
--			break;
-+			cp = ep + 1;
- 		    }
--		    cp = ep + 1;
- 		}
- 	    }
- 	}
-
diff --git a/SOURCES/sudo-1.8.19p2-ignore-unknown-defaults.patch b/SOURCES/sudo-1.8.19p2-ignore-unknown-defaults.patch
deleted file mode 100644
index aadb45d..0000000
--- a/SOURCES/sudo-1.8.19p2-ignore-unknown-defaults.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-From 93cef1efac4e2b4930c23cdc35c0b916365ccabc Mon Sep 17 00:00:00 2001
-From: Tomas Sykora <tosykora@redhat.com>
-Date: Tue, 21 Feb 2017 14:56:24 +0100
-Subject: [PATCH] Add ignore_unknown_defaults flag to ignore unknown Defaults
- entries in sudoers instead of producing a warning.
-
-Patch: sudo-1.8.19p2-ignore-unknown-defaults.patch
-Resolves:
-rhbz#1413160
----
- doc/sudoers.cat             |  6 ++++++
- doc/sudoers.man.in          | 11 +++++++++++
- doc/sudoers.mdoc.in         | 10 ++++++++++
- plugins/sudoers/def_data.c  |  4 ++++
- plugins/sudoers/def_data.h  |  2 ++
- plugins/sudoers/def_data.in |  3 +++
- plugins/sudoers/defaults.c  |  3 ++-
- 7 files changed, 38 insertions(+), 1 deletion(-)
-
-diff --git a/doc/sudoers.cat b/doc/sudoers.cat
-index 76dbf28..50cf78a 100644
---- a/doc/sudoers.cat
-+++ b/doc/sudoers.cat
-@@ -1071,6 +1071,12 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
-                        meaningful for the cn=defaults section.  This flag is
-                        _o_f_f by default.
- 
-+     ignore_unknown_defaults
-+                       If set, ssuuddoo will not produce a warning if it
-+                       encounters an unknown Defaults entry in the _^Hs_^Hu_^Hd_^Ho_^He_^Hr_^Hs
-+                       file or an unknown sudoOption in LDAP.  This flag is
-+                       _o_f_f by default.
-+
-      insults           If set, ssuuddoo will insult users when they enter an
-                        incorrect password.  This flag is _o_f_f by default.
- 
-diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
-index 8673da0..4be3760 100644
---- a/doc/sudoers.man.in
-+++ b/doc/sudoers.man.in
-@@ -2266,6 +2266,17 @@ This flag is
- \fIoff\fR
- by default.
- .TP 18n
-+ignore_unknown_defaults
-+If set,
-+\fBsudo\fR
-+will not produce a warning if it encounters an unknown Defaults entry
-+in the
-+\fIsudoers\fR
-+file or an unknown sudoOption in LDAP.
-+This flag is
-+\fIoff\fR
-+by default.
-+.TP 18n
- insults
- If set,
- \fBsudo\fR
-diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
-index 74b6f01..f3fe5e6 100644
---- a/doc/sudoers.mdoc.in
-+++ b/doc/sudoers.mdoc.in
-@@ -2124,6 +2124,16 @@ section.
- This flag is
- .Em off
- by default.
-+.It ignore_unknown_defaults
-+If set,
-+.Nm sudo
-+will not produce a warning if it encounters an unknown Defaults entry
-+in the
-+.Em sudoers
-+file or an unknown sudoOption in LDAP.
-+This flag is
-+.Em off
-+by default.
- .It insults
- If set,
- .Nm sudo
-diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
-index 3926fed..3d787c2 100644
---- a/plugins/sudoers/def_data.c
-+++ b/plugins/sudoers/def_data.c
-@@ -443,6 +443,10 @@ struct sudo_defs_types sudo_defs_table[] = {
- 	N_("Don't pre-resolve all group names"),
- 	NULL,
-     }, {
-+       "ignore_unknown_defaults", T_FLAG,
-+       N_("Ignore unknown Defaults entries in sudoers instead of producing a warning"),
-+       NULL,
-+    }, {
- 	NULL, 0, NULL
-     }
- };
-diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
-index b5e61b4..f5773a3 100644
---- a/plugins/sudoers/def_data.h
-+++ b/plugins/sudoers/def_data.h
-@@ -208,6 +208,8 @@
- #define def_cmnd_no_wait        (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
- #define I_LEGACY_GROUP_PROCESSING 104
- #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
-+#define I_IGNORE_UNKNOWN_DEFAULTS 105
-+#define def_ignore_unknown_defaults (sudo_defs_table[I_IGNORE_UNKNOWN_DEFAULTS].sd_un.flag)
- 
- enum def_tuple {
- 	never,
-diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
-index f1c9265..8f63d70 100644
---- a/plugins/sudoers/def_data.in
-+++ b/plugins/sudoers/def_data.in
-@@ -328,3 +328,6 @@ cmnd_no_wait
- legacy_group_processing
- 	T_FLAG
- 	"Don't pre-resolve all group names"
-+ignore_unknown_defaults
-+        T_FLAG
-+        "Ignore unknown Defaults entries in sudoers instead of producing a warning"
-diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
-index 9e60d94..5f93f80 100644
---- a/plugins/sudoers/defaults.c
-+++ b/plugins/sudoers/defaults.c
-@@ -79,6 +79,7 @@ static struct strmap priorities[] = {
- };
- 
- static struct early_default early_defaults[] = {
-+    { I_IGNORE_UNKNOWN_DEFAULTS },
- #ifdef FQDN
-     { I_FQDN, true },
- #else
-@@ -206,7 +207,7 @@ find_default(const char *name, const char *file, int lineno, bool quiet)
- 	if (strcmp(name, sudo_defs_table[i].name) == 0)
- 	    debug_return_int(i);
-     }
--    if (!quiet) {
-+    if (!quiet && !def_ignore_unknown_defaults) {
- 	if (lineno > 0) {
- 	    sudo_warnx(U_("%s:%d unknown defaults entry \"%s\""),
- 		file, lineno, name);
--- 
-2.7.4
-
diff --git a/SOURCES/sudo-1.8.19p2-iolog-zombie.patch b/SOURCES/sudo-1.8.19p2-iolog-zombie.patch
deleted file mode 100644
index ad10dc8..0000000
--- a/SOURCES/sudo-1.8.19p2-iolog-zombie.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-diff -up sudo-1.8.19p2/src/exec.c.iolog-zombie sudo-1.8.19p2/src/exec.c
---- sudo-1.8.19p2/src/exec.c.iolog-zombie	2018-05-28 09:01:13.488647060 +0200
-+++ sudo-1.8.19p2/src/exec.c	2018-05-28 09:01:13.526646940 +0200
-@@ -534,7 +534,7 @@ sudo_execute(struct command_details *det
- 
-     if (log_io) {
- 	/* Flush any remaining output and free pty-related memory. */
--	pty_close(cstat);
-+	pty_close(ec.evbase,cstat);
-    }
- 
- #ifdef HAVE_SELINUX
-diff -up sudo-1.8.19p2/src/exec_pty.c.iolog-zombie sudo-1.8.19p2/src/exec_pty.c
---- sudo-1.8.19p2/src/exec_pty.c.iolog-zombie	2018-05-28 09:01:13.518646965 +0200
-+++ sudo-1.8.19p2/src/exec_pty.c	2018-05-28 09:01:13.527646937 +0200
-@@ -919,12 +919,19 @@ fork_pty(struct command_details *details
- }
- 
- void
--pty_close(struct command_status *cstat)
-+pty_close(struct sudo_event_base *evbase, struct command_status *cstat)
- {
-     struct io_buffer *iob;
-     int n;
-     debug_decl(pty_close, SUDO_DEBUG_EXEC);
- 
-+    /* Close the pty slave first so reads from the master don't block. */
-+    if (io_fds[SFD_SLAVE] != -1) {
-+	    ev_free_by_fd(evbase, io_fds[SFD_SLAVE]);
-+	    close(io_fds[SFD_SLAVE]);
-+	    io_fds[SFD_SLAVE] = -1;
-+    }
-+
-     /* Flush any remaining output (the plugin already got it). */
-     if (io_fds[SFD_USERTTY] != -1) {
- 	n = fcntl(io_fds[SFD_USERTTY], F_GETFL, 0);
-@@ -965,6 +972,11 @@ pty_close(struct command_status *cstat)
- 	}
-     }
-     utmp_logout(slavename, cstat->type == CMD_WSTATUS ? cstat->val : 0); /* XXX - only if CD_SET_UTMP */
-+
-+    /* Close pty master. */
-+    if (io_fds[SFD_MASTER] != -1)
-+	    close(io_fds[SFD_MASTER]);
-+	
-     debug_return;
- }
- 
-diff -up sudo-1.8.19p2/src/sudo_exec.h.iolog-zombie sudo-1.8.19p2/src/sudo_exec.h
---- sudo-1.8.19p2/src/sudo_exec.h.iolog-zombie	2017-01-14 05:30:15.000000000 +0100
-+++ sudo-1.8.19p2/src/sudo_exec.h	2018-05-28 09:01:13.527646937 +0200
-@@ -93,7 +93,7 @@ void handler(int s, siginfo_t *info, voi
- #else
- void handler(int s);
- #endif
--void pty_close(struct command_status *cstat);
-+void pty_close(struct sudo_event_base *evbase, struct command_status *cstat);
- void pty_setup(uid_t uid, const char *tty, const char *utmp_user);
- void terminate_command(pid_t pid, bool use_pgrp);
- 
diff --git a/SOURCES/sudo-1.8.19p2-iologflush.patch b/SOURCES/sudo-1.8.19p2-iologflush.patch
deleted file mode 100644
index 213566f..0000000
--- a/SOURCES/sudo-1.8.19p2-iologflush.patch
+++ /dev/null
@@ -1,317 +0,0 @@
-diff -up ./doc/sudoers.cat.orig ./doc/sudoers.cat
---- ./doc/sudoers.cat.orig	2017-03-21 13:31:00.953951199 +0100
-+++ ./doc/sudoers.cat	2017-03-21 14:14:18.679116865 +0100
-@@ -1549,6 +1549,16 @@ SSUUDDOOEERRSS OOPPTTIIOONN
-                        will be truncated and overwritten unless _i_o_l_o_g___f_i_l_e
-                        ends in six or more Xs.
- 
-+     iolog_flush       If set, ssuuddoo will flush I/O log data to disk after each
-+                       write instead of buffering it.  This makes it possible
-+                       to view the logs in real-time as the program is
-+                       executing but may significantly reduce the
-+                       effectiveness of I/O log compression.  This flag is _o_f_f
-+                       by default.
-+
-+                       This setting is only supported by version 1.8.20 or
-+                       higher.
-+
-      iolog_group       The group name to look up when setting the group ID on
-                        new I/O log files and directories.  By default, I/O log
-                        files and directories inherit the group ID of the
-@@ -2141,10 +2151,14 @@ II//OO LLOOGG FFIILLEESS
-      _s_t_d_e_r_r    standard error to a pipe or redirected to a file
- 
-      All files other than _l_o_g are compressed in gzip format unless the
--     _c_o_m_p_r_e_s_s___i_o option has been disabled.  Due to buffering, the I/O log data
--     will not be complete until the ssuuddoo command has completed.  The output
--     portion of an I/O log file can be viewed with the sudoreplay(1m) utility,
--     which can also be used to list or search the available logs.
-+     _c_o_m_p_r_e_s_s___i_o flag has been disabled.  Due to buffering, it is not normally
-+     possible to display the I/O logs in real-time as the program is executing
-+     The I/O log data will not be complete until the program run by ssuuddoo has
-+     exited or has been terminated by a signal.  The _i_o_l_o_g___f_l_u_s_h flag can be
-+     used to disable buffering, in which case I/O log data is written to disk
-+     as soon as it is available.  The output portion of an I/O log file can be
-+     viewed with the sudoreplay(1m) utility, which can also be used to list or
-+     search the available logs.
- 
-      Note that user input may contain sensitive information such as passwords
-      (even if they are not echoed to the screen), which will be stored in the
-diff -up ./doc/sudoers.man.in.orig ./doc/sudoers.man.in
---- ./doc/sudoers.man.in.orig	2017-03-21 14:22:33.804283190 +0100
-+++ ./doc/sudoers.man.in	2017-03-21 14:22:21.136664667 +0100
-@@ -3199,6 +3199,19 @@ ends in six or
- more
- \fRX\fRs.
- .TP 18n
-+iolog_flush
-+If set,
-+\fBsudo\fR
-+will flush I/O log data to disk after each write instead of buffering it.
-+This makes it possible to view the logs in real-time as the program
-+is executing but may significantly reduce the effectiveness of I/O
-+log compression.
-+This flag is
-+\fIoff\fR
-+by default.
-+.sp
-+This setting is only supported by version 1.8.20 or higher.
-+.TP 18n
- iolog_group
- The group name to look up when setting the group ID on new I/O log
- files and directories.
-@@ -4298,10 +4311,16 @@ All files other than
- \fIlog\fR
- are compressed in gzip format unless the
- \fIcompress_io\fR
--option has been disabled.
--Due to buffering, the I/O log data will not be complete until the
-+flag has been disabled.
-+Due to buffering, it is not normally possible to display the I/O logs in
-+real-time as the program is executing
-+The I/O log data will not be complete until the program run by
- \fBsudo\fR
--command has completed.
-+has exited or has been terminated by a signal.
-+The
-+\fIiolog_flush\fR
-+flag can be used to disable buffering, in which case I/O log data
-+is written to disk as soon as it is available.
- The output portion of an I/O log file can be viewed with the
- sudoreplay(@mansectsu@)
- utility, which can also be used to list or search the available logs.
-diff -up ./doc/sudoers.mdoc.in.orig ./doc/sudoers.mdoc.in
---- ./doc/sudoers.mdoc.in.orig	2017-03-21 14:23:46.652089432 +0100
-+++ ./doc/sudoers.mdoc.in	2017-03-21 14:26:43.686758162 +0100
-@@ -2998,6 +2998,18 @@ overwritten unless
- ends in six or
- more
- .Li X Ns s .
-+.It iolog_flush
-+If set,
-+.Nm sudo
-+will flush I/O log data to disk after each write instead of buffering it.
-+This makes it possible to view the logs in real-time as the program
-+is executing but may significantly reduce the effectiveness of I/O
-+log compression.
-+This flag is
-+.Em off
-+by default.
-+.Pp
-+This setting is only supported by version 1.8.20 or higher.
- .It iolog_group
- The group name to look up when setting the group ID on new I/O log
- files and directories.
-@@ -3991,10 +4003,16 @@ All files other than
- .Pa log
- are compressed in gzip format unless the
- .Em compress_io
--option has been disabled.
--Due to buffering, the I/O log data will not be complete until the
--.Nm sudo
--command has completed.
-+flag has been disabled.
-+Due to buffering, it is not normally possible to display the I/O logs in
-+real-time as the program is executing
-+The I/O log data will not be complete until the program run by
-+.Nm sudo
-+has exited or has been terminated by a signal.
-+The
-+.Em iolog_flush
-+flag can be used to disable buffering, in which case I/O log data
-+is written to disk as soon as it is available.
- The output portion of an I/O log file can be viewed with the
- .Xr sudoreplay @mansectsu@
- utility, which can also be used to list or search the available logs.
-diff -up ./plugins/sudoers/def_data.c.orig ./plugins/sudoers/def_data.c
---- ./plugins/sudoers/def_data.c.orig	2017-03-21 13:24:10.682064806 +0100
-+++ ./plugins/sudoers/def_data.c	2017-03-21 13:25:09.805322057 +0100
-@@ -447,6 +447,10 @@ struct sudo_defs_types sudo_defs_table[]
-        N_("Ignore unknown Defaults entries in sudoers instead of producing a warning"),
-        NULL,
-     }, {
-+	"iolog_flush", T_FLAG,
-+	N_("Flush I/O log data to disk immediately instead of buffering it"),
-+	NULL,
-+    }, {
- 	NULL, 0, NULL
-     }
- };
-diff -up ./plugins/sudoers/def_data.h.orig ./plugins/sudoers/def_data.h
---- ./plugins/sudoers/def_data.h.orig	2017-03-21 13:25:20.489006524 +0100
-+++ ./plugins/sudoers/def_data.h	2017-03-21 13:28:09.251022290 +0100
-@@ -210,6 +210,8 @@
- #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
- #define I_IGNORE_UNKNOWN_DEFAULTS 105
- #define def_ignore_unknown_defaults (sudo_defs_table[I_IGNORE_UNKNOWN_DEFAULTS].sd_un.flag)
-+#define I_IOLOG_FLUSH           106
-+#define def_iolog_flush         (sudo_defs_table[I_IOLOG_FLUSH].sd_un.flag)
- 
- enum def_tuple {
- 	never,
-diff -up ./plugins/sudoers/def_data.in.orig ./plugins/sudoers/def_data.in
---- ./plugins/sudoers/def_data.in.orig	2017-03-21 13:28:35.115258413 +0100
-+++ ./plugins/sudoers/def_data.in	2017-03-21 13:30:03.239655739 +0100
-@@ -331,3 +331,6 @@ legacy_group_processing
- ignore_unknown_defaults
-         T_FLAG
-         "Ignore unknown Defaults entries in sudoers instead of producing a warning"
-+iolog_flush
-+	T_FLAG
-+	"Flush I/O log data to disk immediately instead of buffering it"
-diff -up ./plugins/sudoers/iolog.c.orig ./plugins/sudoers/iolog.c
---- ./plugins/sudoers/iolog.c.orig	2017-03-21 13:12:39.471464160 +0100
-+++ ./plugins/sudoers/iolog.c	2017-03-21 13:21:49.279230759 +0100
-@@ -709,6 +709,7 @@ iolog_deserialize_info(struct iolog_deta
- 
- /*
-  * Write the "/log" file that contains the user and command info.
-+ * This file is not compressed.
-  */
- static bool
- write_info_log(char *pathbuf, size_t len, struct iolog_details *details,
-@@ -747,6 +748,57 @@ write_info_log(char *pathbuf, size_t len
-     debug_return_bool(ret);
- }
- 
-+#ifdef HAVE_ZLIB_H
-+static const char *
-+gzstrerror(gzFile file)
-+{
-+    int errnum;
-+
-+    return gzerror(file, &errnum);
-+}
-+#endif /* HAVE_ZLIB_H */
-+
-+/*
-+ * Write to an I/O log, compressing if iolog_compress is enabled.
-+ * If def_iolog_flush is true, flush the buffer immediately.
-+ */
-+static const char *
-+iolog_write(const void *buf, unsigned int len, int idx)
-+{
-+    const char *errstr = NULL;
-+    debug_decl(iolog_write, SUDOERS_DEBUG_PLUGIN)
-+
-+#ifdef HAVE_ZLIB_H
-+    if (iolog_compress) {
-+	if (gzwrite(io_log_files[idx].fd.g, buf, len) != (int)len) {
-+	    errstr = gzstrerror(io_log_files[idx].fd.g);
-+	    goto done;
-+	}
-+	if (def_iolog_flush) {
-+	    if (gzflush(io_log_files[idx].fd.g, Z_SYNC_FLUSH) != Z_OK) {
-+		errstr = gzstrerror(io_log_files[idx].fd.g);
-+		goto done;
-+	    }
-+	}
-+    } else
-+#endif
-+    {
-+	if (fwrite(buf, 1, len, io_log_files[idx].fd.f) != len) {
-+	    errstr = strerror(errno);
-+	    goto done;
-+	}
-+	if (def_iolog_flush) {
-+	    if (fflush(io_log_files[idx].fd.f) != 0) {
-+		errstr = strerror(errno);
-+		goto done;
-+	    }
-+	}
-+    }
-+
-+done:
-+    debug_return_const_str(errstr);
-+}
-+
- static int
- sudoers_io_open(unsigned int version, sudo_conv_t conversation,
-     sudo_printf_t plugin_printf, char * const settings[],
-@@ -914,13 +966,15 @@ sudoers_io_version(int verbose)
- 
- /*
-  * Generic I/O logging function.  Called by the I/O logging entry points.
-+ * Returns 1 on success and -1 on error.
-  */
- static int
- sudoers_io_log(const char *buf, unsigned int len, int idx)
- {
-     struct timeval now, delay;
-+    char tbuf[1024];
-     const char *errstr = NULL;
--    int ret = true;
-+    int ret = -1;
-     debug_decl(sudoers_io_version, SUDOERS_DEBUG_PLUGIN)
- 
-     if (io_log_files[idx].fd.v == NULL) {
-@@ -931,41 +985,28 @@ sudoers_io_log(const char *buf, unsigned
- 
-     gettimeofday(&now, NULL);
- 
--#ifdef HAVE_ZLIB_H
--    if (iolog_compress) {
--	if (gzwrite(io_log_files[idx].fd.g, (const voidp)buf, len) != (int)len) {
--	    int errnum;
-+    /* Write I/O log file entry. */
-+    errstr = iolog_write(buf, len, idx);
-+    if (errstr != NULL)
-+	goto done;
- 
--	    errstr = gzerror(io_log_files[idx].fd.g, &errnum);
--	    ret = -1;
--	}
--    } else
--#endif
--    {
--	if (fwrite(buf, 1, len, io_log_files[idx].fd.f) != len) {
--	    errstr = strerror(errno);
--	    ret = -1;
--	}
--    }
-+    /* Write timing file entry. */
-     sudo_timevalsub(&now, &last_time, &delay);
--#ifdef HAVE_ZLIB_H
--    if (iolog_compress) {
--	if (gzprintf(io_log_files[IOFD_TIMING].fd.g, "%d %f %u\n", idx,
--	    delay.tv_sec + ((double)delay.tv_usec / 1000000), len) == 0) {
--	    int errnum;
--
--	    errstr = gzerror(io_log_files[IOFD_TIMING].fd.g, &errnum);
--	    ret = -1;
--	}
--    } else
--#endif
--    {
--	if (fprintf(io_log_files[IOFD_TIMING].fd.f, "%d %f %u\n", idx,
--	    delay.tv_sec + ((double)delay.tv_usec / 1000000), len) < 0) {
--	    errstr = strerror(errno);
--	    ret = -1;
--	}
-+    len = (unsigned int)snprintf(tbuf, sizeof(tbuf), "%d %f %u\n", idx,
-+	delay.tv_sec + ((double)delay.tv_usec / 1000000), len);
-+    if (len >= sizeof(tbuf)) {
-+	/* Not actually possible due to the size of tbuf[]. */
-+	errstr = strerror(EOVERFLOW);
-+	goto done;
-     }
-+    errstr = iolog_write(tbuf, len, IOFD_TIMING);
-+    if (errstr != NULL)
-+	goto done;
-+
-+    /* Success. */
-+    ret = 1;
-+
-+done:
-     last_time.tv_sec = now.tv_sec;
-     last_time.tv_usec = now.tv_usec;
- 
-@@ -979,7 +1020,7 @@ sudoers_io_log(const char *buf, unsigned
- 
- 	/* Ignore errors if they occur if the policy says so. */
- 	if (iolog_details.ignore_iolog_errors)
--	    ret = true;
-+	    ret = 1;
-     }
- 
-     debug_return_int(ret);
diff --git a/SOURCES/sudo-1.8.19p2-iologtruncate.patch b/SOURCES/sudo-1.8.19p2-iologtruncate.patch
deleted file mode 100644
index ee358eb..0000000
--- a/SOURCES/sudo-1.8.19p2-iologtruncate.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-diff --git a/src/exec_pty.c b/src/exec_pty.c
-index 7403506..56b2899 100644
---- a/src/exec_pty.c
-+++ b/src/exec_pty.c
-@@ -711,8 +711,10 @@ io_buf_new(int rfd, int wfd,
- int
- fork_pty(struct command_details *details, int sv[], sigset_t *omask)
- {
-+    struct plugin_container *plugin;
-     struct command_status cstat;
--    int io_pipe[3][2];
-+    int io_pipe[3][2] = { { -1, -1 }, { -1, -1 }, { -1, -1 } };
-+    bool interpose[3] = { false, false, false };
-     sigaction_t sa;
-     sigset_t mask;
-     pid_t child;
-@@ -738,6 +740,16 @@ fork_pty(struct command_details *details, int sv[], sigset_t *omask)
-     sigaddset(&ttyblock, SIGTTIN);
-     sigaddset(&ttyblock, SIGTTOU);
- 
-+    /* Determine whether any of std{in,out,err} should be logged. */
-+    TAILQ_FOREACH(plugin, &io_plugins, entries) {
-+	if (plugin->u.io->log_stdin)
-+	    interpose[STDIN_FILENO] = true;
-+	if (plugin->u.io->log_stdout)
-+	    interpose[STDOUT_FILENO] = true;
-+	if (plugin->u.io->log_stderr)
-+	    interpose[STDERR_FILENO] = true;
-+    } 
-+
-     /*
-      * Setup stdin/stdout/stderr for child, to be duped after forking.
-      * In background mode there is no stdin.
-@@ -763,35 +775,64 @@ fork_pty(struct command_details *details, int sv[], sigset_t *omask)
-     }
- 
-     /*
--     * If either stdin, stdout or stderr is not a tty we use a pipe
--     * to interpose ourselves instead of duping the pty fd.
-+     * If stdin, stdout or stderr is not a tty and logging is enabled,
-+     * use a pipe to interpose ourselves instead of using the pty fd.
-      */
--    memset(io_pipe, 0, sizeof(io_pipe));
-     if (io_fds[SFD_STDIN] == -1 || !isatty(STDIN_FILENO)) {
--	sudo_debug_printf(SUDO_DEBUG_INFO, "stdin not a tty, creating a pipe");
--	pipeline = true;
--	if (pipe(io_pipe[STDIN_FILENO]) != 0)
--	    sudo_fatal(U_("unable to create pipe"));
--	io_buf_new(STDIN_FILENO, io_pipe[STDIN_FILENO][1],
--	    log_stdin, &iobufs);
--	io_fds[SFD_STDIN] = io_pipe[STDIN_FILENO][0];
--    }
--    if (io_fds[SFD_STDOUT] == -1 || !isatty(STDOUT_FILENO)) {
--	sudo_debug_printf(SUDO_DEBUG_INFO, "stdout not a tty, creating a pipe");
--	pipeline = true;
--	if (pipe(io_pipe[STDOUT_FILENO]) != 0)
--	    sudo_fatal(U_("unable to create pipe"));
--	io_buf_new(io_pipe[STDOUT_FILENO][0], STDOUT_FILENO,
--	    log_stdout, &iobufs);
--	io_fds[SFD_STDOUT] = io_pipe[STDOUT_FILENO][1];
--    }
--    if (io_fds[SFD_STDERR] == -1 || !isatty(STDERR_FILENO)) {
--	sudo_debug_printf(SUDO_DEBUG_INFO, "stderr not a tty, creating a pipe");
--	if (pipe(io_pipe[STDERR_FILENO]) != 0)
--	    sudo_fatal(U_("unable to create pipe"));
--	io_buf_new(io_pipe[STDERR_FILENO][0], STDERR_FILENO,
--	    log_stderr, &iobufs);
--	io_fds[SFD_STDERR] = io_pipe[STDERR_FILENO][1];
-+	if (!interpose[STDIN_FILENO]) {
-+	    /* Not logging stdin, do not interpose. */
-+	    sudo_debug_printf(SUDO_DEBUG_INFO,
-+		"stdin not a tty, not logging");
-+	    io_fds[SFD_STDIN] = dup(STDIN_FILENO);
-+	    if (io_fds[SFD_STDIN] == -1)
-+		sudo_fatal("dup");
-+	} else {
-+	    sudo_debug_printf(SUDO_DEBUG_INFO,
-+		"stdin not a tty, creating a pipe");
-+	    pipeline = true;
-+	    if (pipe(io_pipe[STDIN_FILENO]) != 0)
-+		sudo_fatal(U_("unable to create pipe"));
-+	    io_buf_new(STDIN_FILENO, io_pipe[STDIN_FILENO][1],
-+		log_stdin, &iobufs);
-+	    io_fds[SFD_STDIN] = io_pipe[STDIN_FILENO][0];
-+	}
-+     }
-+     if (io_fds[SFD_STDOUT] == -1 || !isatty(STDOUT_FILENO)) {
-+	if (!interpose[STDOUT_FILENO]) {
-+	    /* Not logging stdout, do not interpose. */
-+	    sudo_debug_printf(SUDO_DEBUG_INFO,
-+		"stdout not a tty, not logging");
-+	    io_fds[SFD_STDOUT] = dup(STDOUT_FILENO);
-+	    if (io_fds[SFD_STDOUT] == -1)
-+		sudo_fatal("dup");
-+	} else {
-+	    sudo_debug_printf(SUDO_DEBUG_INFO,
-+		"stdout not a tty, creating a pipe");
-+	    pipeline = true;
-+	    if (pipe(io_pipe[STDOUT_FILENO]) != 0)
-+		sudo_fatal(U_("unable to create pipe"));
-+	    io_buf_new(io_pipe[STDOUT_FILENO][0], STDOUT_FILENO,
-+		log_stdout, &iobufs);
-+	    io_fds[SFD_STDOUT] = io_pipe[STDOUT_FILENO][1];
-+	}
-+     }
-+     if (io_fds[SFD_STDERR] == -1 || !isatty(STDERR_FILENO)) {
-+	if (!interpose[STDERR_FILENO]) {
-+	    /* Not logging stderr, do not interpose. */
-+	    sudo_debug_printf(SUDO_DEBUG_INFO,
-+		"stderr not a tty, not logging");
-+	    io_fds[SFD_STDERR] = dup(STDERR_FILENO);
-+	    if (io_fds[SFD_STDERR] == -1)
-+		sudo_fatal("dup");
-+	} else {
-+	    sudo_debug_printf(SUDO_DEBUG_INFO,
-+		"stderr not a tty, creating a pipe");
-+	    if (pipe(io_pipe[STDERR_FILENO]) != 0)
-+		sudo_fatal(U_("unable to create pipe"));
-+	    io_buf_new(io_pipe[STDERR_FILENO][0], STDERR_FILENO,
-+		log_stderr, &iobufs);
-+	    io_fds[SFD_STDERR] = io_pipe[STDERR_FILENO][1];
-+	}
-     }
- 
-     /* We don't want to receive SIGTTIN/SIGTTOU, getting EIO is preferable. */
-@@ -1549,10 +1590,24 @@ exec_pty(struct command_details *details,
-     setpgid(0, self);
- 
-     /* Wire up standard fds, note that stdout/stderr may be pipes. */
--    if (dup2(io_fds[SFD_STDIN], STDIN_FILENO) == -1 ||
--	dup2(io_fds[SFD_STDOUT], STDOUT_FILENO) == -1 ||
--	dup2(io_fds[SFD_STDERR], STDERR_FILENO) == -1)
--	sudo_fatal("dup2");
-+    if (io_fds[SFD_STDIN] != STDIN_FILENO) {
-+	if (dup2(io_fds[SFD_STDIN], STDIN_FILENO) == -1)
-+	    sudo_fatal("dup2");
-+	if (io_fds[SFD_STDIN] != io_fds[SFD_SLAVE])
-+	    close(io_fds[SFD_STDIN]);
-+    }
-+    if (io_fds[SFD_STDOUT] != STDOUT_FILENO) {
-+	if (dup2(io_fds[SFD_STDOUT], STDOUT_FILENO) == -1)
-+	    sudo_fatal("dup2");
-+	if (io_fds[SFD_STDOUT] != io_fds[SFD_SLAVE])
-+	    close(io_fds[SFD_STDOUT]);
-+    }
-+    if (io_fds[SFD_STDERR] != STDERR_FILENO) {
-+	if (dup2(io_fds[SFD_STDERR], STDERR_FILENO) == -1)
-+	    sudo_fatal("dup2");
-+	if (io_fds[SFD_STDERR] != io_fds[SFD_SLAVE])
-+	    close(io_fds[SFD_STDERR]);
-+    }
- 
-     /* Wait for parent to grant us the tty if we are foreground. */
-     if (foreground && !ISSET(details->flags, CD_EXEC_BG)) {
-@@ -1561,15 +1616,9 @@ exec_pty(struct command_details *details,
- 	    nanosleep(&ts, NULL);
-     }
- 
--    /* We have guaranteed that the slave fd is > 2 */
-+    /* Done with the pty slave, don't leak it. */
-     if (io_fds[SFD_SLAVE] != -1)
- 	close(io_fds[SFD_SLAVE]);
--    if (io_fds[SFD_STDIN] != io_fds[SFD_SLAVE])
--	close(io_fds[SFD_STDIN]);
--    if (io_fds[SFD_STDOUT] != io_fds[SFD_SLAVE])
--	close(io_fds[SFD_STDOUT]);
--    if (io_fds[SFD_STDERR] != io_fds[SFD_SLAVE])
--	close(io_fds[SFD_STDERR]);
- 
-     /* Execute command; only returns on error. */
-     exec_cmnd(details, cstat, errfd);
diff --git a/SOURCES/sudo-1.8.19p2-lecture-boolean.patch b/SOURCES/sudo-1.8.19p2-lecture-boolean.patch
deleted file mode 100644
index 482bc6b..0000000
--- a/SOURCES/sudo-1.8.19p2-lecture-boolean.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-commit 631d458b6fc7341363a121c390e086cf676ecc83
-Author: Todd C. Miller <Todd.Miller@courtesan.com>
-Date:   Wed May 3 09:28:36 2017 -0600
-
-    Allow a tuple to be set to boolean true.  Regression introduced by
-    refactor of set_default_entry() in sudo 1.8.18.
-
-diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
-index 89788477..91b47eeb 100644
---- a/plugins/sudoers/defaults.c
-+++ b/plugins/sudoers/defaults.c
-@@ -238,19 +238,31 @@ parse_default_entry(struct sudo_defs_types *def, const char *val, int op,
-     int rc;
-     debug_decl(parse_default_entry, SUDOERS_DEBUG_DEFAULTS)
- 
--    if (val == NULL && !ISSET(def->type, T_FLAG)) {
--	/* Check for bogus boolean usage or missing value if non-boolean. */
--	if (!ISSET(def->type, T_BOOL) || op != false) {
--	    if (!quiet) {
--		if (lineno > 0) {
--		    sudo_warnx(U_("%s:%d no value specified for \"%s\""),
--			file, lineno, def->name);
--		} else {
--		    sudo_warnx(U_("%s: no value specified for \"%s\""),
--			file, def->name);
-+    /*
-+     * If no value specified, the boolean flag must be set for non-flags.
-+     * Only flags and tuples support boolean "true".
-+     */
-+    if (val == NULL) {
-+	switch (def->type & T_MASK) {
-+	case T_FLAG:
-+	    break;
-+	case T_TUPLE:
-+	    if (ISSET(def->type, T_BOOL))
-+		break;
-+	    /* FALLTHROUGH */
-+	default:
-+	    if (!ISSET(def->type, T_BOOL) || op != false) {
-+		if (!quiet) {
-+		    if (lineno > 0) {
-+			sudo_warnx(U_("%s:%d no value specified for \"%s\""),
-+			    file, lineno, def->name);
-+		    } else {
-+			sudo_warnx(U_("%s: no value specified for \"%s\""),
-+			    file, def->name);
-+		    }
- 		}
-+		debug_return_bool(false);
- 	    }
--	    debug_return_bool(false);
- 	}
-     }
- 
diff --git a/SOURCES/sudo-1.8.19p2-lookup-issue-doc.patch b/SOURCES/sudo-1.8.19p2-lookup-issue-doc.patch
deleted file mode 100644
index af85676..0000000
--- a/SOURCES/sudo-1.8.19p2-lookup-issue-doc.patch
+++ /dev/null
@@ -1,164 +0,0 @@
-diff -up ./doc/sudoers.cat.lookup ./doc/sudoers.cat
---- ./doc/sudoers.cat.lookup	2017-04-25 13:17:51.073190114 +0200
-+++ ./doc/sudoers.cat	2017-04-25 13:17:51.081190069 +0200
-@@ -1140,24 +1140,39 @@ SSUUDDOOEERRSS OOPPTTIIOONN
-                        _o_n by default.
- 
-      match_group_by_gid
--                       By default, when matching groups, ssuuddooeerrss will first
--                       resolve all the user's group IDs to group names and
--                       then compare those group names to any group names
--                       listed in the _s_u_d_o_e_r_s file.  This works well on systems
--                       where the number of groups listed in the _s_u_d_o_e_r_s file
--                       is larger than the number of groups a typical user
--                       belongs to.  On systems where group lookups are slow,
--                       where users may belong to a large number of groups, and
--                       where the number of groups listed in the _s_u_d_o_e_r_s file
--                       is relatively small, it may be prohibitively expensive
--                       and running commands via ssuuddoo may take longer than
--                       normal.  On such systems it may be faster to use the
-+                       By default, ssuuddooeerrss will look up each group the user is
-+                       a member of by group ID to determine the group name
-+                       (this is only done once).  The resulting list of the
-+                       user's group names is used when matching groups listed
-+                       in the _s_u_d_o_e_r_s file.  This works well on systems where
-+                       the number of groups listed in the _s_u_d_o_e_r_s file is
-+                       larger than the number of groups a typical user belongs
-+                       to.  On systems where group lookups are slow, where
-+                       users may belong to a large number of groups, and where
-+                       the number of groups listed in the _s_u_d_o_e_r_s file is
-+                       relatively small, it may be prohibitively expensive and
-+                       running commands via ssuuddoo may take longer than normal.
-+                       On such systems it may be faster to use the
-                        _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag to avoid resolving the user's
--                       group IDs to group names and instead resolve all group
--                       names listed in the _s_u_d_o_e_r_s file, matching by group ID
--                       instead of by group name.  The _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag
--                       has no effect when _s_u_d_o_e_r_s data is stored in LDAP.
--                       This flag is _o_f_f by default.
-+                       group IDs to group names.  In this case, ssuuddooeerrss must
-+                       look up any group name listed in the _s_u_d_o_e_r_s file and
-+                       use the group ID instead of the group name when
-+                       determining whether the user is a member of the group.
-+
-+                       Note that if _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d is enabled, group
-+                       database lookups performed by ssuuddooeerrss will be keyed by
-+                       group name as opposed to group ID.  On systems where
-+                       there are multiple sources for the group database, it
-+                       is possible to have conflicting group names or group
-+                       IDs in the local _/_e_t_c_/_g_r_o_u_p file and the remote group
-+                       database.  On such systems, enabling or disabling
-+                       _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d can be used to choose whether group
-+                       database queries are performed by name (enabled) or ID
-+                       (disabled), which may aid in working around group entry
-+                       conflicts.
-+
-+                       The _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag has no effect when _s_u_d_o_e_r_s
-+                       data is stored in LDAP.  This flag is _o_f_f by default.
- 
-                        This setting is only supported by version 1.8.18 or
-                        higher.
-diff -up ./doc/sudoers.man.in.lookup ./doc/sudoers.man.in
---- ./doc/sudoers.man.in.lookup	2017-04-25 13:17:51.074190108 +0200
-+++ ./doc/sudoers.man.in	2017-04-25 13:17:51.082190064 +0200
-@@ -2423,10 +2423,12 @@ This flag is
- by default.
- .TP 18n
- match_group_by_gid
--By default, when matching groups,
-+By default,
- \fBsudoers\fR
--will first resolve all the user's group IDs to group names and then
--compare those group names to any group names listed in the
-+will look up each group the user is a member of by group ID to
-+determine the group name (this is only done once).
-+The resulting list of the user's group names is used when matching
-+groups listed in the
- \fIsudoers\fR
- file.
- This works well on systems where the number of groups listed in the
-@@ -2442,10 +2444,29 @@ running commands via
- may take longer than normal.
- On such systems it may be faster to use the
- \fImatch_group_by_gid\fR
--flag to avoid resolving the user's group IDs to group names and
--instead resolve all group names listed in the
-+flag to avoid resolving the user's group IDs to group names.
-+In this case,
-+\fBsudoers\fR
-+must look up any group name listed in the
- \fIsudoers\fR
--file, matching by group ID instead of by group name.
-+file and use the group ID instead of the group name when determining
-+whether the user is a member of the group.
-+.sp
-+Note that if
-+\fImatch_group_by_gid\fR
-+is enabled, group database lookups performed by
-+\fBsudoers\fR
-+will be keyed by group name as opposed to group ID.
-+On systems where there are multiple sources for the group database,
-+it is possible to have conflicting group names or group IDs in the local
-+\fI/etc/group\fR
-+file and the remote group database.
-+On such systems, enabling or disabling
-+\fImatch_group_by_gid\fR
-+can be used to choose whether group database queries are performed
-+by name (enabled) or ID (disabled), which may aid in working around
-+group entry conflicts.
-+.sp
- The
- \fImatch_group_by_gid\fR
- flag has no effect when
-diff -up ./doc/sudoers.mdoc.in.lookup ./doc/sudoers.mdoc.in
---- ./doc/sudoers.mdoc.in.lookup	2017-04-25 13:17:51.075190102 +0200
-+++ ./doc/sudoers.mdoc.in	2017-04-25 13:17:51.082190064 +0200
-@@ -2268,10 +2268,12 @@ This flag is
- .Em @mail_no_user@
- by default.
- .It match_group_by_gid
--By default, when matching groups,
-+By default,
- .Nm
--will first resolve all the user's group IDs to group names and then
--compare those group names to any group names listed in the
-+will look up each group the user is a member of by group ID to
-+determine the group name (this is only done once).
-+The resulting list of the user's group names is used when matching
-+groups listed in the
- .Em sudoers
- file.
- This works well on systems where the number of groups listed in the
-@@ -2287,10 +2289,29 @@ running commands via
- may take longer than normal.
- On such systems it may be faster to use the
- .Em match_group_by_gid
--flag to avoid resolving the user's group IDs to group names and
--instead resolve all group names listed in the
-+flag to avoid resolving the user's group IDs to group names.
-+In this case,
-+.Nm
-+must look up any group name listed in the
- .Em sudoers
--file, matching by group ID instead of by group name.
-+file and use the group ID instead of the group name when determining
-+whether the user is a member of the group.
-+.Pp
-+Note that if
-+.Em match_group_by_gid
-+is enabled, group database lookups performed by
-+.Nm
-+will be keyed by group name as opposed to group ID.
-+On systems where there are multiple sources for the group database,
-+it is possible to have conflicting group names or group IDs in the local
-+.Pa /etc/group
-+file and the remote group database.
-+On such systems, enabling or disabling
-+.Em match_group_by_gid
-+can be used to choose whether group database queries are performed
-+by name (enabled) or ID (disabled), which may aid in working around
-+group entry conflicts.
-+.Pp
- The
- .Em match_group_by_gid
- flag has no effect when
diff --git a/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch b/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch
deleted file mode 100644
index acb4daa..0000000
--- a/SOURCES/sudo-1.8.19p2-manpage-use_pty.patch
+++ /dev/null
@@ -1,206 +0,0 @@
-diff -up ./doc/sudoers.cat.manpage ./doc/sudoers.cat
---- ./doc/sudoers.cat.manpage	2017-09-11 15:16:47.443869930 +0200
-+++ ./doc/sudoers.cat	2017-09-11 15:42:15.140500826 +0200
-@@ -1088,13 +1088,19 @@ SSUUDDOOEERRSS OOPPTTIIOONN
-                        connected to the user's tty, due to I/O redirection or
-                        because the command is part of a pipeline, that input
-                        is also captured and stored in a separate log file.
--                       For more information, see the _I_/_O _L_O_G _F_I_L_E_S section.
--                       This flag is _o_f_f by default.
-+                       Anything sent to the standard input will be consumed,
-+                       regardless of whether or not the command run via ssuuddoo
-+                       is actually reading the standard input.  This may have
-+                       unexpected results when using ssuuddoo in a shell script
-+                       that expects to process the standard input.  For more
-+                       information about I/O logging, see the _I_/_O _L_O_G _F_I_L_E_S
-+                       section.  This flag is _o_f_f by default.
- 
-      log_output        If set, ssuuddoo will run the command in a pseudo-tty and
-                        log all output that is sent to the screen, similar to
--                       the script(1) command.  For more information, see the
--                       _I_/_O _L_O_G _F_I_L_E_S section.  This flag is _o_f_f by default.
-+                       the script(1) command.  For more information about I/O
-+                       logging, see the _I_/_O _L_O_G _F_I_L_E_S section.  This flag is
-+                       _o_f_f by default.
- 
-      log_year          If set, the four-digit year will be logged in the (non-
-                        syslog) ssuuddoo log file.  This flag is _o_f_f by default.
-@@ -1396,13 +1402,18 @@ SSUUDDOOEERRSS OOPPTTIIOONN
-                        not needed, this option can be disabled to reduce the
-                        load on the LDAP server.  This flag is _o_n by default.
- 
--     use_pty           If set, ssuuddoo will run the command in a pseudo-pty even
--                       if no I/O logging is being gone.  A malicious program
--                       run under ssuuddoo could conceivably fork a background
--                       process that retains to the user's terminal device
--                       after the main program has finished executing.  Use of
--                       this option will make that impossible.  This flag is
--                       _o_f_f by default.
-+     use_pty           If set, and ssuuddoo is running in a terminal, the command
-+                       will be run in a pseudo-pty (even if no I/O logging is
-+                       being done).  If the ssuuddoo process is not attached to a
-+                       terminal, _u_s_e___p_t_y has no effect.
-+
-+                       A malicious program run under ssuuddoo may be capable of
-+                       injecting injecting commands into the user's terminal
-+                       or running a background process that retains access to
-+                       the user's terminal device even after the main program
-+                       has finished executing.  By running the command in a
-+                       separate pseudo-pty, this attack is no longer possible.
-+                       This flag is _o_f_f by default.
- 
-      utmp_runas        If set, ssuuddoo will store the name of the runas user when
-                        updating the utmp (or utmpx) file.  By default, ssuuddoo
-@@ -2135,11 +2146,11 @@ LLOOGG FFOORRMMAATT
- 
- II//OO LLOOGG FFIILLEESS
-      When I/O logging is enabled, ssuuddoo will run the command in a pseudo-tty
--     and log all user input and/or output.  I/O is logged to the directory
--     specified by the _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a
--     unique session ID that is included in the ssuuddoo log line, prefixed with
--     ``TSID=''.  The _i_o_l_o_g___f_i_l_e option may be used to control the format of
--     the session ID.
-+     and log all user input and/or output, depending on which options are
-+     are enabled. I/O is logged to the directory specified by the _i_o_l_o_g___d_i_r 
-+     option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a unique session ID that is 
-+     included in the ssuuddoo log line, prefixed with "TSID=". The _i_o_l_o_g___f_i_l_e
-+     option may be used to control the format of the session ID.
- 
-      Each I/O log is stored in a separate directory that contains the
-      following files:
-diff -up ./doc/sudoers.man.in.manpage ./doc/sudoers.man.in
---- ./doc/sudoers.man.in.manpage	2017-09-11 15:16:47.444869925 +0200
-+++ ./doc/sudoers.man.in	2017-09-11 15:16:47.456869864 +0200
-@@ -2300,7 +2300,14 @@ will run the command in a pseudo-tty and
- If the standard input is not connected to the user's tty, due to
- I/O redirection or because the command is part of a pipeline, that
- input is also captured and stored in a separate log file.
--For more information, see the
-+Anything sent to the standard input will be consumed, regardless of
-+whether or not the command run via
-+\fBsudo\fR
-+is actually reading the standard input.
-+This may have unexpected results when using
-+\fBsudo\fR
-+in a shell script that expects to process the standard input.
-+For more information about I/O logging, see the
- \fII/O LOG FILES\fR
- section.
- This flag is
-@@ -2314,7 +2321,7 @@ will run the command in a pseudo-tty and
- to the screen, similar to the
- script(1)
- command.
--For more information, see the
-+For more information about I/O logging, see the
- \fII/O LOG FILES\fR
- section.
- This flag is
-@@ -2934,14 +2941,24 @@ This flag is
- by default.
- .TP 18n
- use_pty
--If set,
-+If set, and
- \fBsudo\fR
--will run the command in a pseudo-pty even if no I/O logging is being gone.
-+is running in a terminal, the command will be run in a pseudo-pty
-+(even if no I/O logging is being done).
-+If the
-+\fBsudo\fR
-+process is not attached to a terminal,
-+\fIuse_pty\fR
-+has no effect.
-+.sp
- A malicious program run under
- \fBsudo\fR
--could conceivably fork a background process that retains to the user's
--terminal device after the main program has finished executing.
--Use of this option will make that impossible.
-+may be capable of injecting injecting commands into the user's
-+terminal or running a background process that retains access to the
-+user's terminal device even after the main program has finished
-+executing.
-+By running the command in a separate pseudo-pty, this attack is
-+no longer possible.
- This flag is
- \fIoff\fR
- by default.
-@@ -4281,7 +4298,8 @@ word wrap will be disabled.
- .SH "I/O LOG FILES"
- When I/O logging is enabled,
- \fBsudo\fR
--will run the command in a pseudo-tty and log all user input and/or output.
-+will run the command in a pseudo-tty and log all user input and/or output,
-+depending on which options are enabled.
- I/O is logged to the directory specified by the
- \fIiolog_dir\fR
- option
-diff -up ./doc/sudoers.mdoc.in.manpage ./doc/sudoers.mdoc.in
---- ./doc/sudoers.mdoc.in.manpage	2017-09-11 15:16:47.445869920 +0200
-+++ ./doc/sudoers.mdoc.in	2017-09-11 15:16:47.456869864 +0200
-@@ -2155,7 +2155,14 @@ will run the command in a pseudo-tty and
- If the standard input is not connected to the user's tty, due to
- I/O redirection or because the command is part of a pipeline, that
- input is also captured and stored in a separate log file.
--For more information, see the
-+Anything sent to the standard input will be consumed, regardless of
-+whether or not the command run via
-+.Nm sudo
-+is actually reading the standard input.
-+This may have unexpected results when using
-+.Nm sudo
-+in a shell script that expects to process the standard input.
-+For more information about I/O logging, see the
- .Sx "I/O LOG FILES"
- section.
- This flag is
-@@ -2168,7 +2175,7 @@ will run the command in a pseudo-tty and
- to the screen, similar to the
- .Xr script 1
- command.
--For more information, see the
-+For more information about I/O logging, see the
- .Sx "I/O LOG FILES"
- section.
- This flag is
-@@ -2752,14 +2759,24 @@ This flag is
- .Em on
- by default.
- .It use_pty
--If set,
-+If set, and
- .Nm sudo
--will run the command in a pseudo-pty even if no I/O logging is being gone.
-+is running in a terminal, the command will be run in a pseudo-pty
-+(even if no I/O logging is being done).
-+If the
-+.Nm sudo
-+process is not attached to a terminal,
-+.Em use_pty
-+has no effect.
-+.Pp
- A malicious program run under
- .Nm sudo
--could conceivably fork a background process that retains to the user's
--terminal device after the main program has finished executing.
--Use of this option will make that impossible.
-+may be capable of injecting injecting commands into the user's
-+terminal or running a background process that retains access to the
-+user's terminal device even after the main program has finished
-+executing.
-+By running the command in a separate pseudo-pty, this attack is
-+no longer possible.
- This flag is
- .Em off
- by default.
-@@ -3976,7 +3993,8 @@ word wrap will be disabled.
- .Sh I/O LOG FILES
- When I/O logging is enabled,
- .Nm sudo
--will run the command in a pseudo-tty and log all user input and/or output.
-+will run the command in a pseudo-tty and log all user input and/or output,
-+depending on which options are enabled.
- I/O is logged to the directory specified by the
- .Em iolog_dir
- option
diff --git a/SOURCES/sudo-1.8.19p2-sssd-double-free.patch b/SOURCES/sudo-1.8.19p2-sssd-double-free.patch
deleted file mode 100644
index d53eb4c..0000000
--- a/SOURCES/sudo-1.8.19p2-sssd-double-free.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-
-# HG changeset patch
-# User Todd C. Miller <Todd.Miller@sudo.ws>
-# Date 1511893724 25200
-# Node ID 14dacdea331942a38d443a75d1b08f67eafaa5eb
-# Parent  b456101fe5091540e9f6429db7568fa32b6d4da8
-Avoid a double free when ipa_hostname is set in sssd.conf and it
-is an unqualified host name.  From Daniel Kopecek.
-
-Also move the "unable to allocate memory" warning into get_ipa_hostname()
-itself to make it easier to see where the allocation failed in the
-debug log.
-
-diff -r b456101fe509 -r 14dacdea3319 plugins/sudoers/sssd.c
---- a/plugins/sudoers/sssd.c	Tue Nov 28 09:48:43 2017 -0700
-+++ b/plugins/sudoers/sssd.c	Tue Nov 28 11:28:44 2017 -0700
-@@ -349,6 +349,8 @@
- 		    *lhostp = lhost;
- 		    ret = true;
- 		} else {
-+		    sudo_warnx(U_("%s: %s"), __func__,
-+			U_("unable to allocate memory"));
- 		    free(shost);
- 		    free(lhost);
- 		    ret = -1;
-@@ -456,7 +458,6 @@
-      */
-     if (strcmp(user_runhost, user_host) == 0) {
- 	if (get_ipa_hostname(&handle->ipa_shost, &handle->ipa_host) == -1) {
--	    sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
- 	    free(handle);
- 	    debug_return_int(ENOMEM);
- 	}
-@@ -478,7 +479,8 @@
- 	handle = nss->handle;
- 	sudo_dso_unload(handle->ssslib);
- 	free(handle->ipa_host);
--	free(handle->ipa_shost);
-+	if (handle->ipa_host != handle->ipa_shost)
-+	    free(handle->ipa_shost);
- 	free(handle);
- 	nss->handle = NULL;
-     }
-
diff --git a/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch b/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch
deleted file mode 100644
index 62d0cf2..0000000
--- a/SOURCES/sudo-1.8.19p2-sudo-l-sssd.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-From 1f37620953699fe71b09760fe01e33eb6ada771c Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller" <Todd.Miller@courtesan.com>
-Date: Wed, 15 Nov 2017 12:27:39 -0700
-Subject: [PATCH] When checking the results for "sudo -l" and "sudo -v", keep
- checking even after we get a match since the value of doauth may depend on
- evaluating all the results.  From Radovan Sroka of RedHat.
-
-In list (-l) or verify (-v) mode, if we have a match but authentication
-is required, clear FLAG_NOPASSWD so that when listpw/verifypw is
-set to "all" and there are multiple sudoers sources a password will
-be required unless none of the entries in all sources require
-authentication.  From Radovan Sroka of RedHat
-
-Avoid calling cmnd_matches() in list/verify mode if we already have
-a match.
----
- plugins/sudoers/ldap.c  |  5 ++++-
- plugins/sudoers/parse.c | 10 +++++++---
- plugins/sudoers/sssd.c  |  5 ++++-
- 3 files changed, 15 insertions(+), 5 deletions(-)
-
-diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
-index 46309cba..c5c18360 100644
---- a/plugins/sudoers/ldap.c
-+++ b/plugins/sudoers/ldap.c
-@@ -3320,12 +3320,13 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
- 		(pwcheck == all && doauth != true)) {
- 		doauth = !!sudo_ldap_check_bool(ld, entry, "authenticate");
- 	    }
-+	    if (matched == true)
-+		continue;
- 	    /* Only check the command when listing another user. */
- 	    if (user_uid == 0 || list_pw == NULL ||
- 		user_uid == list_pw->pw_uid ||
- 		sudo_ldap_check_command(ld, entry, NULL) == true) {
- 		matched = true;
--		break;
- 	    }
- 	}
- 	if (matched == true || user_uid == 0) {
-@@ -3339,6 +3340,8 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
- 		case any:
- 		    if (doauth == false)
- 			SET(ret, FLAG_NOPASSWD);
-+		    else
-+			CLR(ret, FLAG_NOPASSWD);
- 		    break;
- 		default:
- 		    break;
-diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c
-index 749a3eb2..a12e88c5 100644
---- a/plugins/sudoers/parse.c
-+++ b/plugins/sudoers/parse.c
-@@ -182,14 +182,16 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
- 		if (hostlist_matches(sudo_user.pw, &priv->hostlist) != ALLOW)
- 		    continue;
- 		TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
-+		    if ((pwcheck == any && cs->tags.nopasswd == true) ||
-+			(pwcheck == all && cs->tags.nopasswd != true))
-+			nopass = cs->tags.nopasswd;
-+		    if (match == ALLOW)
-+			continue;
- 		    /* Only check the command when listing another user. */
- 		    if (user_uid == 0 || list_pw == NULL ||
- 			user_uid == list_pw->pw_uid ||
- 			cmnd_matches(cs->cmnd) == ALLOW)
- 			    match = ALLOW;
--		    if ((pwcheck == any && cs->tags.nopasswd == true) ||
--			(pwcheck == all && cs->tags.nopasswd != true))
--			nopass = cs->tags.nopasswd;
- 		}
- 	    }
- 	}
-@@ -202,6 +204,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
- 	    SET(validated, FLAG_CHECK_USER);
- 	else if (nopass == true)
- 	    SET(validated, FLAG_NOPASSWD);
-+	else
-+	    CLR(validated, FLAG_NOPASSWD);
- 	debug_return_int(validated);
-     }
- 
-diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
-index 65b4d875..09ca9fee 100644
---- a/plugins/sudoers/sssd.c
-+++ b/plugins/sudoers/sssd.c
-@@ -1321,12 +1321,13 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
- 		    (pwcheck == all && doauth != true)) {
- 		    doauth = !!sudo_sss_check_bool(handle, rule, "authenticate");
- 		}
-+		if (matched == true)
-+		    continue;
- 		/* Only check the command when listing another user. */
- 		if (user_uid == 0 || list_pw == NULL ||
- 		    user_uid == list_pw->pw_uid ||
- 		    sudo_sss_check_command(handle, rule, NULL) == true) {
- 		    matched = true;
--		    break;
- 		}
- 	    }
- 	}
-@@ -1341,6 +1342,8 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
- 		case any:
- 		    if (doauth == false)
- 			SET(ret, FLAG_NOPASSWD);
-+		    else
-+			CLR(ret, FLAG_NOPASSWD);
- 		    break;
- 		default:
- 		    break;
--- 
-2.14.3
-
diff --git a/SOURCES/sudo-1.8.19p2-upstream-testsuitefix.patch b/SOURCES/sudo-1.8.19p2-upstream-testsuitefix.patch
deleted file mode 100644
index ef2946c..0000000
--- a/SOURCES/sudo-1.8.19p2-upstream-testsuitefix.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up ./plugins/sudoers/regress/visudo/test2.err.ok.orig ./plugins/sudoers/regress/visudo/test2.err.ok
---- ./plugins/sudoers/regress/visudo/test2.err.ok.orig  2017-04-10 10:12:53.003000000 -0400
-+++ ./plugins/sudoers/regress/visudo/test2.err.ok       2017-04-10 10:13:36.771000000 -0400
-@@ -1 +1 @@
--visudo: stdin:1 cycle in User_Alias "FOO"
-+Error: stdin:1 cycle in User_Alias "FOO"
-diff -up ./plugins/sudoers/regress/visudo/test3.err.ok.orig ./plugins/sudoers/regress/visudo/test3.err.ok
---- ./plugins/sudoers/regress/visudo/test3.err.ok.orig  2017-04-10 10:13:12.141000000 -0400
-+++ ./plugins/sudoers/regress/visudo/test3.err.ok       2017-04-10 10:13:56.842000000 -0400
-@@ -1,2 +1,2 @@
--visudo: stdin:1 unused User_Alias "A"
--visudo: stdin:2 unused User_Alias "B"
-+Warning: stdin:1 unused User_Alias "A"
-+Warning: stdin:2 unused User_Alias "B"
diff --git a/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch b/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch
deleted file mode 100644
index 8da9603..0000000
--- a/SOURCES/sudo-1.8.21-ldap-pass2-filter.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
-index f21a99ee..83202e28 100644
---- a/plugins/sudoers/ldap.c
-+++ b/plugins/sudoers/ldap.c
-@@ -1847,12 +1847,10 @@ sudo_ldap_build_pass2(void)
- 	    ldap_conf.timed ? timebuffer : "",
- 	    (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
-     } else {
--	len = asprintf(&filt, "%s%s(sudoUser=*)(sudoUser=%s*)%s%s",
--	    (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
-+	len = asprintf(&filt, "(&%s(sudoUser=*)(sudoUser=%s*)%s)",
- 	    ldap_conf.search_filter ? ldap_conf.search_filter : "",
- 	    query_netgroups ? "+" : "%:",
--	    ldap_conf.timed ? timebuffer : "",
--	    (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
-+	    ldap_conf.timed ? timebuffer : "");
-     }
-     if (len == -1)
- 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
diff --git a/SOURCES/sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch b/SOURCES/sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch
new file mode 100644
index 0000000..826e734
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch
@@ -0,0 +1,161 @@
+From 0f303a2de843c31afb03b558dfb7287be79e6e17 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Thu, 26 Jul 2018 12:31:29 -0600
+Subject: [PATCH] Ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED errors
+ from pam_acct_mgmt() if authentication is disabled for the user. Bug #843
+
+---
+ plugins/sudoers/auth/bsdauth.c   |  2 +-
+ plugins/sudoers/auth/pam.c       | 10 +++++++++-
+ plugins/sudoers/auth/sudo_auth.c |  4 ++--
+ plugins/sudoers/auth/sudo_auth.h |  6 +++---
+ plugins/sudoers/check.c          |  4 +++-
+ plugins/sudoers/sudoers.h        |  2 +-
+ 6 files changed, 19 insertions(+), 9 deletions(-)
+
+diff --git a/plugins/sudoers/auth/bsdauth.c b/plugins/sudoers/auth/bsdauth.c
+index 444cd337..390263d3 100644
+--- a/plugins/sudoers/auth/bsdauth.c
++++ b/plugins/sudoers/auth/bsdauth.c
+@@ -168,7 +168,7 @@ bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_con
+ }
+ 
+ int
+-bsdauth_approval(struct passwd *pw, sudo_auth *auth)
++bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
+ {
+     struct bsdauth_state *state = auth->data;
+     debug_decl(bsdauth_approval, SUDOERS_DEBUG_AUTH)
+diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
+index 347289da..a4749448 100644
+--- a/plugins/sudoers/auth/pam.c
++++ b/plugins/sudoers/auth/pam.c
+@@ -202,7 +202,7 @@ sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_co
+ }
+ 
+ int
+-sudo_pam_approval(struct passwd *pw, sudo_auth *auth)
++sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
+ {
+     const char *s;
+     int *pam_status = (int *) auth->data;
+@@ -217,6 +217,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth)
+ 		"is your account locked?"));
+ 	    debug_return_int(AUTH_FATAL);
+ 	case PAM_NEW_AUTHTOK_REQD:
++	    /* Ignore if user is exempt from password restrictions. */
++	    if (exempt)
++		debug_return_int(AUTH_SUCCESS);
++	    /* New password required, try to change it. */
+ 	    log_warningx(0, N_("Account or password is "
+ 		"expired, reset your password and try again"));
+ 	    *pam_status = pam_chauthtok(pamh,
+@@ -229,6 +233,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth)
+ 		N_("unable to change expired password: %s"), s);
+ 	    debug_return_int(AUTH_FAILURE);
+ 	case PAM_AUTHTOK_EXPIRED:
++	    /* Ignore if user is exempt from password restrictions. */
++	    if (exempt)
++		debug_return_int(AUTH_SUCCESS);
++	    /* Password expired, cannot be updated by user. */
+ 	    log_warningx(0,
+ 		N_("Password expired, contact your system administrator"));
+ 	    debug_return_int(AUTH_FATAL);
+diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c
+index 6ef9bd72..5d9382dc 100644
+--- a/plugins/sudoers/auth/sudo_auth.c
++++ b/plugins/sudoers/auth/sudo_auth.c
+@@ -163,7 +163,7 @@ sudo_auth_init(struct passwd *pw)
+  * Returns true on success, false on failure and -1 on error.
+  */
+ int
+-sudo_auth_approval(struct passwd *pw, int validated)
++sudo_auth_approval(struct passwd *pw, int validated, bool exempt)
+ {
+     sudo_auth *auth;
+     debug_decl(sudo_auth_approval, SUDOERS_DEBUG_AUTH)
+@@ -171,7 +171,7 @@ sudo_auth_approval(struct passwd *pw, int validated)
+     /* Call approval routines. */
+     for (auth = auth_switch; auth->name; auth++) {
+ 	if (auth->approval && !IS_DISABLED(auth)) {
+-	    int status = (auth->approval)(pw, auth);
++	    int status = (auth->approval)(pw, auth, exempt);
+ 	    if (status != AUTH_SUCCESS) {
+ 		/* Assume error msg already printed. */
+ 		log_auth_failure(validated, 0);
+diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h
+index ea5ed9cd..9ae69cd5 100644
+--- a/plugins/sudoers/auth/sudo_auth.h
++++ b/plugins/sudoers/auth/sudo_auth.h
+@@ -31,7 +31,7 @@ typedef struct sudo_auth {
+     int (*init)(struct passwd *pw, struct sudo_auth *auth);
+     int (*setup)(struct passwd *pw, char **prompt, struct sudo_auth *auth);
+     int (*verify)(struct passwd *pw, char *p, struct sudo_auth *auth, struct sudo_conv_callback *callback);
+-    int (*approval)(struct passwd *pw, struct sudo_auth *auth);
++    int (*approval)(struct passwd *pw, struct sudo_auth *auth, bool exempt);
+     int (*cleanup)(struct passwd *pw, struct sudo_auth *auth);
+     int (*begin_session)(struct passwd *pw, char **user_env[], struct sudo_auth *auth);
+     int (*end_session)(struct passwd *pw, struct sudo_auth *auth);
+@@ -56,7 +56,7 @@ extern sudo_conv_t sudo_conv;
+ /* Prototypes for standalone methods */
+ int bsdauth_init(struct passwd *pw, sudo_auth *auth);
+ int bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
+-int bsdauth_approval(struct passwd *pw, sudo_auth *auth);
++int bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt);
+ int bsdauth_cleanup(struct passwd *pw, sudo_auth *auth);
+ int sudo_aix_init(struct passwd *pw, sudo_auth *auth);
+ int sudo_aix_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
+@@ -67,7 +67,7 @@ int sudo_fwtk_cleanup(struct passwd *pw, sudo_auth *auth);
+ int sudo_pam_init(struct passwd *pw, sudo_auth *auth);
+ int sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth);
+ int sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
+-int sudo_pam_approval(struct passwd *pw, sudo_auth *auth);
++int sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt);
+ int sudo_pam_cleanup(struct passwd *pw, sudo_auth *auth);
+ int sudo_pam_begin_session(struct passwd *pw, char **user_env[], sudo_auth *auth);
+ int sudo_pam_end_session(struct passwd *pw, sudo_auth *auth);
+diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
+index ed49d63a..486a80d8 100644
+--- a/plugins/sudoers/check.c
++++ b/plugins/sudoers/check.c
+@@ -175,6 +175,7 @@ check_user(int validated, int mode)
+ {
+     struct passwd *auth_pw;
+     int ret = -1;
++    bool exempt = false;
+     debug_decl(check_user, SUDOERS_DEBUG_AUTH)
+ 
+     /*
+@@ -194,6 +195,7 @@ check_user(int validated, int mode)
+ 	sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s", __func__,
+ 	    !def_authenticate ? "authentication disabled" :
+ 	    "user exempt from authentication");
++	exempt = true;
+ 	ret = true;
+ 	goto done;
+     }
+@@ -218,7 +220,7 @@ check_user(int validated, int mode)
+ done:
+     if (ret == true) {
+ 	/* The approval function may disallow a user post-authentication. */
+-	ret = sudo_auth_approval(auth_pw, validated);
++	ret = sudo_auth_approval(auth_pw, validated, exempt);
+     }
+     sudo_auth_cleanup(auth_pw);
+     sudo_pw_delref(auth_pw);
+diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
+index 57db74c1..956cb084 100644
+--- a/plugins/sudoers/sudoers.h
++++ b/plugins/sudoers/sudoers.h
+@@ -265,7 +265,7 @@ int verify_user(struct passwd *pw, char *prompt, int validated, struct sudo_conv
+ int sudo_auth_begin_session(struct passwd *pw, char **user_env[]);
+ int sudo_auth_end_session(struct passwd *pw);
+ int sudo_auth_init(struct passwd *pw);
+-int sudo_auth_approval(struct passwd *pw, int validated);
++int sudo_auth_approval(struct passwd *pw, int validated, bool exempt);
+ int sudo_auth_cleanup(struct passwd *pw);
+ 
+ /* set_perms.c */
+-- 
+2.13.6
+
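Review bot: The two `if (exempt)` early returns added to sudo_pam_approval, under `case PAM_NEW_AUTHTOK_REQD:` and `case PAM_AUTHTOK_EXPIRED:`, accept an account that PAM reports as having an expired password without leaving any trace, whereas the non-exempt path right below each of them calls log_warningx. Since this relaxes an account-management check, I would record the decision before each return, for example `sudo_debug_printf(SUDO_DEBUG_INFO, "%s: expired password ignored, user exempt from authentication", __func__);` (the same call form check_user already uses in this patch). The comment above sudo_auth_approval still describes only the return values and should say what `exempt` means, e.g. `exempt is true when authentication is disabled or the user is exempt from it`. bsdauth_approval receives the new argument but nothing visible uses it; its body continues outside the nested hunk, so confirm that ignoring it there is intended.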
diff --git a/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch b/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
new file mode 100644
index 0000000..25bbfe9
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
@@ -0,0 +1,70 @@
+diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok
+--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix	2018-09-24 18:10:37.235000000 +0200
++++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok	2018-09-24 18:11:40.153000000 +0200
+@@ -34,7 +34,7 @@
+         },
+         {
+             "Binding": [
+-                { "username": "%them" }
++                { "usergroup": "them" }
+             ],
+             "Options": [
+                 { "set_home": true }
+@@ -42,7 +42,7 @@
+         },
+         {
+             "Binding": [
+-                { "username": "%: non UNIX 0 c" }
++                { "nonunixgroup": " non UNIX 0 c" }
+             ],
+             "Options": [
+                 { "set_home": true }
+@@ -50,7 +50,7 @@
+         },
+         {
+             "Binding": [
+-                { "username": "+net" }
++                { "netgroup": "net" }
+             ],
+             "Options": [
+                 { "set_home": true }
+diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok
+--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix	2018-09-24 18:10:25.216000000 +0200
++++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok	2018-09-24 18:11:45.213000000 +0200
+@@ -29,9 +29,9 @@ DEFAULTS_HOST BEGINSTR STRBODY ENDSTR WO
+ #
+ DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR 
+ DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR 
+-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR 
+-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR 
+-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR 
++DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR 
++DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR 
++DEFAULTS_USER BEGINSTR STRBODY ENDSTR NETGROUP DEFVAR 
+ 
+ #
+ DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR 
+diff -up sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.c
+--- sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix	2018-04-29 21:59:23.000000000 +0200
++++ sudo-1.8.23/plugins/sudoers/toke.c	2018-09-24 18:06:15.527000000 +0200
+@@ -2395,7 +2395,7 @@ YY_RULE_SETUP
+ 				LEXTRACE("ERROR "); /* empty string */
+ 				LEXRETURN(ERROR);
+ 			    }
+-			    if (prev_state == INITIAL) {
++			    if (prev_state == INITIAL || prev_state == GOTDEFS) {
+ 				switch (sudoerslval.string[0]) {
+ 				case '%':
+ 				    if (sudoerslval.string[1] == '\0' ||
+diff -up sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.l
+--- sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix	2018-04-29 21:59:23.000000000 +0200
++++ sudo-1.8.23/plugins/sudoers/toke.l	2018-09-24 18:06:15.528000000 +0200
+@@ -187,7 +187,7 @@ DEFVAR			[a-z_]+
+ 				LEXTRACE("ERROR "); /* empty string */
+ 				LEXRETURN(ERROR);
+ 			    }
+-			    if (prev_state == INITIAL) {
++			    if (prev_state == INITIAL || prev_state == GOTDEFS) {
+ 				switch (sudoerslval.string[0]) {
+ 				case '%':
+ 				    if (sudoerslval.string[1] == '\0' ||
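Review bot: This patch file starts directly at `diff -up` and carries no description, author, or upstream reference, unlike the PAM patch added in the same commit, so the origin of the `prev_state == GOTDEFS` change cannot be checked from the packaging repository alone. A short header would fix that, for example `Subject: classify quoted %group and +netgroup in Defaults bindings` followed by `Upstream: <upstream commit or bug id>`. The same applies to sudo-1.8.23-ldapsearchuidfix.patch and, as far as its visible start shows, sudo-1.8.23-legacy-group-processing.patch. The identical condition is patched by hand in both toke.l and toke.c, which appears to be the generated scanner (its hunk sits under `YY_RULE_SETUP`), so the header should also say that the two must stay in step if toke.c is ever regenerated.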
diff --git a/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch b/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch
new file mode 100644
index 0000000..9698d23
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch
@@ -0,0 +1,27 @@
+diff -up sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix sudo-1.8.23/plugins/sudoers/ldap.c
+--- sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix	2018-04-29 21:59:31.000000000 +0200
++++ sudo-1.8.23/plugins/sudoers/ldap.c	2018-06-18 08:34:01.202686941 +0200
+@@ -1189,8 +1189,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
+     if (ldap_conf.search_filter)
+ 	sz += strlen(ldap_conf.search_filter);
+ 
+-    /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
+-    sz += 29 + sudo_ldap_value_len(pw->pw_name);
++    /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */
++    sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name);
+ 
+     /* Add space for primary and supplementary groups and gids */
+     if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
+@@ -1253,6 +1253,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
+     CHECK_LDAP_VCAT(buf, pw->pw_name, sz);
+     CHECK_STRLCAT(buf, ")", sz);
+ 
++    /* Append user uid */
++    (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid);
++    (void) strlcat(buf, "(sudoUser=#", sz);
++    (void) strlcat(buf, gidbuf, sz);
++    (void) strlcat(buf, ")", sz);
++
+     /* Append primary group and gid */
+     if (grp != NULL) {
+ 	CHECK_STRLCAT(buf, "(sudoUser=%", sz);
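Review bot: The new "Append user uid" lines in sudo_ldap_build_pass1 discard the result of every append with `(void) strlcat(...)`, while the appends directly before and after them go through `CHECK_STRLCAT` / `CHECK_LDAP_VCAT`, which presumably fail the function on overflow. If the size computed earlier (`29 + (12 + MAX_UID_T_LEN) + ...`) is ever too small, this clause would be silently truncated and the search filter would be malformed instead of rejected. I would write it like its neighbours: `CHECK_STRLCAT(buf, "(sudoUser=#", sz);`, `CHECK_STRLCAT(buf, gidbuf, sz);`, `CHECK_STRLCAT(buf, ")", sz);`. The uid is also formatted into `gidbuf`, whose declaration is outside the hunk, so confirm it is large enough for a uid and consider a comment noting the reuse.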
diff --git a/SOURCES/sudo-1.8.23-legacy-group-processing.patch b/SOURCES/sudo-1.8.23-legacy-group-processing.patch
new file mode 100644
index 0000000..f838215
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-legacy-group-processing.patch
@@ -0,0 +1,89 @@
+diff -up sudo-1.8.23/plugins/sudoers/cvtsudoers.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/cvtsudoers.c
+--- sudo-1.8.23/plugins/sudoers/cvtsudoers.c.legacy-group-processing	2018-06-28 11:24:25.966475241 +0200
++++ sudo-1.8.23/plugins/sudoers/cvtsudoers.c	2018-06-28 11:26:40.215025493 +0200
+@@ -321,6 +321,15 @@ main(int argc, char *argv[])
+ 	sudo_fatalx("error: unhandled input %d", input_format);
+     }
+ 
++    /*
++     * cvtsudoers group filtering doesn't work if def_match_group_by_gid
++     * is set to true by default (at compile-time). It cannot be set to false
++     * because cvtsudoers doesn't apply the parsed Defaults.
++     *
++     * Related: sudo-1.8.23-legacy-group-processing.patch
++     */
++    def_match_group_by_gid = def_legacy_group_processing = false;
++
+     /* Apply filters. */
+     filter_userspecs(conf);
+     filter_defaults(conf);
+diff -up sudo-1.8.23/plugins/sudoers/defaults.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/defaults.c
+--- sudo-1.8.23/plugins/sudoers/defaults.c.legacy-group-processing	2018-04-29 21:59:31.000000000 +0200
++++ sudo-1.8.23/plugins/sudoers/defaults.c	2018-06-28 11:24:25.966475241 +0200
+@@ -87,6 +87,7 @@ static struct early_default early_defaul
+     { I_FQDN },
+ #endif
+     { I_MATCH_GROUP_BY_GID },
++    { I_LEGACY_GROUP_PROCESSING },
+     { I_GROUP_PLUGIN },
+     { I_RUNAS_DEFAULT },
+     { I_SUDOERS_LOCALE },
+@@ -488,6 +489,8 @@ init_defaults(void)
+     }
+ 
+     /* First initialize the flags. */
++    def_legacy_group_processing = true;
++    def_match_group_by_gid = true;
+ #ifdef LONG_OTP_PROMPT
+     def_long_otp_prompt = true;
+ #endif
+diff -up sudo-1.8.23/plugins/sudoers/def_data.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.c
+--- sudo-1.8.23/plugins/sudoers/def_data.c.legacy-group-processing	2018-04-29 21:59:31.000000000 +0200
++++ sudo-1.8.23/plugins/sudoers/def_data.c	2018-06-28 11:24:25.966475241 +0200
+@@ -494,6 +494,10 @@ struct sudo_defs_types sudo_defs_table[]
+ 	N_("Ignore case when matching group names"),
+ 	NULL,
+     }, {
++	"legacy_group_processing", T_FLAG,
++	N_("Don't pre-resolve all group names"),
++	NULL,
++    }, {
+ 	NULL, 0, NULL
+     }
+ };
+diff -up sudo-1.8.23/plugins/sudoers/def_data.h.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.h
+--- sudo-1.8.23/plugins/sudoers/def_data.h.legacy-group-processing	2018-04-29 21:59:31.000000000 +0200
++++ sudo-1.8.23/plugins/sudoers/def_data.h	2018-06-28 11:24:25.967475238 +0200
+@@ -226,6 +226,8 @@
+ #define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag)
+ #define I_CASE_INSENSITIVE_GROUP 113
+ #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
++#define I_LEGACY_GROUP_PROCESSING 114
++#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
+ 
+ enum def_tuple {
+ 	never,
+diff -up sudo-1.8.23/plugins/sudoers/def_data.in.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.in
+--- sudo-1.8.23/plugins/sudoers/def_data.in.legacy-group-processing	2018-04-29 21:59:31.000000000 +0200
++++ sudo-1.8.23/plugins/sudoers/def_data.in	2018-06-28 11:24:25.967475238 +0200
+@@ -357,3 +357,6 @@ case_insensitive_user
+ case_insensitive_group
+ 	T_FLAG
+ 	"Ignore case when matching group names"
++legacy_group_processing
++	T_FLAG
++	"Don't pre-resolve all group names"
+diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/sudoers.c
+--- sudo-1.8.23/plugins/sudoers/sudoers.c.legacy-group-processing	2018-04-29 21:59:31.000000000 +0200
++++ sudo-1.8.23/plugins/sudoers/sudoers.c	2018-06-28 11:24:25.967475238 +0200
+@@ -209,6 +209,10 @@ sudoers_policy_init(void *info, char * c
+     if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
+ 	ret = true;
+ 
++    if (!def_match_group_by_gid || !def_legacy_group_processing) {
++        def_match_group_by_gid = false;
++	def_legacy_group_processing = false;
++    }
+ cleanup:
+     if (!restore_perms())
+ 	ret = -1;
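Review bot: The block added to `sudoers_policy_init` in sudoers.c ties two Defaults together without saying so: clearing either `match_group_by_gid` or `legacy_group_processing` clears both, and the defaults.c hunk makes `init_defaults` turn both on at start-up. These flags appear to select how group entries in sudoers are matched against the user, so an administrator who disables only one of them gets a different matching mode than the single setting suggests. A comment above the block would record the intent, for example `/* The two flags are a pair in this build: disabling either one disables both. */`; the only description the patch gives the new option is the one-line `"Don't pre-resolve all group names"`. The two assignment lines inside the block also mix space and tab indentation. `sudoers_policy_init` starts and ends outside the hunk.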
diff --git a/SOURCES/sudo-1.8.23-nowaitopt.patch b/SOURCES/sudo-1.8.23-nowaitopt.patch
new file mode 100644
index 0000000..6406396
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-nowaitopt.patch
@@ -0,0 +1,61 @@
+diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.c
+--- sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt	2018-06-18 09:36:34.249307795 +0200
++++ sudo-1.8.23/plugins/sudoers/def_data.c	2018-06-18 09:43:12.122986032 +0200
+@@ -498,6 +498,10 @@ struct sudo_defs_types sudo_defs_table[]
+ 	N_("Don't pre-resolve all group names"),
+ 	NULL,
+     }, {
++	"cmnd_no_wait", T_FLAG,
++	N_("Don't fork and wait for the command to finish, just exec it"),
++	NULL,
++    }, {
+ 	NULL, 0, NULL
+     }
+ };
+diff -up sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.h
+--- sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt	2018-06-18 09:36:34.250307792 +0200
++++ sudo-1.8.23/plugins/sudoers/def_data.h	2018-06-18 09:43:44.541878327 +0200
+@@ -228,6 +228,8 @@
+ #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
+ #define I_LEGACY_GROUP_PROCESSING 114
+ #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
++#define I_CMND_NO_WAIT          115
++#define def_cmnd_no_wait        (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
+ 
+ enum def_tuple {
+ 	never,
+diff -up sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.in
+--- sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt	2018-06-18 09:36:34.250307792 +0200
++++ sudo-1.8.23/plugins/sudoers/def_data.in	2018-06-18 09:45:00.076627403 +0200
+@@ -360,3 +360,6 @@ case_insensitive_group
+ legacy_group_processing
+ 	T_FLAG
+ 	"Don't pre-resolve all group names"
++cmnd_no_wait
++	T_FLAG
++	"Don't fork and wait for the command to finish, just exec it"
+diff -up sudo-1.8.23/plugins/sudoers/policy.c.nowaitopt sudo-1.8.23/plugins/sudoers/policy.c
+diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt sudo-1.8.23/plugins/sudoers/sudoers.c
+--- sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt	2018-06-18 11:31:51.883751328 +0200
++++ sudo-1.8.23/plugins/sudoers/sudoers.c	2018-06-18 11:31:03.670899166 +0200
+@@ -213,6 +213,20 @@ sudoers_policy_init(void *info, char * c
+         def_match_group_by_gid = false;
+ 	def_legacy_group_processing = false;
+     }
++
++    /*
++     * Emulate cmnd_no_wait option by disabling PAM session, PTY allocation
++     * and I/O logging. This will cause sudo to execute the given command
++     * directly instead of forking a separate process for it.
++     */
++    if (def_cmnd_no_wait) {
++        def_pam_setcred = false;
++        def_pam_session = false;
++        def_use_pty = false;
++        def_log_input = false;
++        def_log_output = false;
++    }
++
+ cleanup:
+     if (!restore_perms())
+ 	ret = -1;
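Review bot: Setting `cmnd_no_wait` clears `log_input`, `log_output`, `use_pty` and both PAM flags in `sudoers_policy_init` without leaving any trace, so a sudoers file that asks for I/O logging and also sets this flag ends up with no session recording and nothing to show that the request was overridden. The earlier version of this patch carried an explicit warning that the option breaks SELinux, PAM sessions and I/O logging; the new comment describes the mechanism but drops that warning. I would report the override before clearing the flags, e.g. `if (def_log_input || def_log_output) sudo_warnx(U_("cmnd_no_wait is set, I/O logging disabled"));`, and restore the warning wording in the comment. Whether Defaults or command tags applied after this point can switch any of these flags back on is not visible here and should be checked. `sudoers_policy_init` starts and ends outside the hunk.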
diff --git a/SOURCES/sudo-1.8.23-sudoldapconfman.patch b/SOURCES/sudo-1.8.23-sudoldapconfman.patch
new file mode 100644
index 0000000..3b52ea8
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-sudoldapconfman.patch
@@ -0,0 +1,32 @@
+diff -up sudo-1.8.23/doc/Makefile.in.sudoldapconfman sudo-1.8.23/doc/Makefile.in
+--- sudo-1.8.23/doc/Makefile.in.sudoldapconfman	2018-05-23 13:38:08.347538854 +0200
++++ sudo-1.8.23/doc/Makefile.in	2018-05-23 13:38:12.806523146 +0200
+@@ -345,10 +345,16 @@ install-doc: install-dirs
+ 	    rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
+ 	    echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
+ 	    ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
++	    rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
++           echo ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
++           ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
+ 	else \
+ 	    rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
+ 	    echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
+ 	    ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
++	    rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
++           echo ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
++           ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
+ 	fi
+ 
+ install-plugin:
+@@ -363,8 +369,9 @@ uninstall:
+ 		$(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \
+ 		$(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \
+ 		$(DESTDIR)$(mandirform)/sudoers.$(mansectform) \
+-		$(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform)
+-		$(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
++		$(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) \
++		$(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) \
++		$(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)
+ 
+ splint:
+ 
diff --git a/SOURCES/sudo-1.8.6p3-doublequotefix.patch b/SOURCES/sudo-1.8.6p3-doublequotefix.patch
deleted file mode 100644
index c028017..0000000
--- a/SOURCES/sudo-1.8.6p3-doublequotefix.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 1b16310c7ec5ba23fbe066c7d000016e534b4448 Mon Sep 17 00:00:00 2001
-From: Tomas Sykora <tosykora@redhat.com>
-Date: Tue, 16 Aug 2016 09:54:06 +0200
-Subject: [PATCH] Double quotes are not accepted in sudoers
-
-Regression in sudo 1.8.6p3-7 package, double quotes are not accepted in sudoers
-
-Rebased from:
-Patch25: sudo-1.8.6p3-doublequotefix.patch
-
-Resolves:
-rhbz#1092499
----
- plugins/sudoers/toke.c | 2 +-
- plugins/sudoers/toke.l | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/plugins/sudoers/toke.c b/plugins/sudoers/toke.c
-index e5b4d97..3b510bb 100644
---- a/plugins/sudoers/toke.c
-+++ b/plugins/sudoers/toke.c
-@@ -2385,7 +2385,7 @@ YY_RULE_SETUP
- 				LEXTRACE("ERROR "); /* empty string */
- 				LEXRETURN(ERROR);
- 			    }
--			    if (prev_state == INITIAL) {
-+			    if (prev_state == INITIAL || prev_state == GOTDEFS) {
- 				switch (sudoerslval.string[0]) {
- 				case '%':
- 				    if (sudoerslval.string[1] == '\0' ||
-diff --git a/plugins/sudoers/toke.l b/plugins/sudoers/toke.l
-index b63edd0..82724aa 100644
---- a/plugins/sudoers/toke.l
-+++ b/plugins/sudoers/toke.l
-@@ -185,7 +185,7 @@ DEFVAR			[a-z_]+
- 				LEXTRACE("ERROR "); /* empty string */
- 				LEXRETURN(ERROR);
- 			    }
--			    if (prev_state == INITIAL) {
-+			    if (prev_state == INITIAL || prev_state == GOTDEFS) {
- 				switch (sudoerslval.string[0]) {
- 				case '%':
- 				    if (sudoerslval.string[1] == '\0' ||
--- 
-2.7.4
-
diff --git a/SOURCES/sudo-1.8.6p3-nowaitopt.patch b/SOURCES/sudo-1.8.6p3-nowaitopt.patch
deleted file mode 100644
index df51500..0000000
--- a/SOURCES/sudo-1.8.6p3-nowaitopt.patch
+++ /dev/null
@@ -1,161 +0,0 @@
-From 9b1f0f16bfe7552810b4adb6b17ac3674da660f9 Mon Sep 17 00:00:00 2001
-From: Tomas Sykora <tosykora@redhat.com>
-Date: Mon, 15 Aug 2016 15:13:31 +0200
-Subject: [PATCH] Backport direct exec of command from sudo
-
-Added cmnd_no_wait option
-Sudo does not run command in a new child process,
-when cmnd_no_wait is enabled.
-
-!!!
-Upstream can do that too now in 1.8.17 with combination of
-pam_session, pam_setcred and use_pty option.
-They must be disabled and I/O logging must not be configured.
-See "man sudoers".
-
-rebased from:
-Patch8: sudo-1.8.6p3-nowaitopt.patch
-
-Resolves:
-rhbz#840980
----
- plugins/sudoers/def_data.c  |  4 ++++
- plugins/sudoers/def_data.h  |  2 ++
- plugins/sudoers/def_data.in |  3 +++
- plugins/sudoers/policy.c    |  4 ++++
- src/exec.c                  | 34 ++++++++++++++++++++++++++++++++++
- src/sudo.c                  |  5 +++++
- src/sudo.h                  |  1 +
- 7 files changed, 53 insertions(+)
-
-diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
-index 00caa8b..d8b1ada 100644
---- a/plugins/sudoers/def_data.c
-+++ b/plugins/sudoers/def_data.c
-@@ -435,6 +435,10 @@ struct sudo_defs_types sudo_defs_table[] = {
- 	N_("File mode to use for the I/O log files: 0%o"),
- 	NULL,
-     }, {
-+	"cmnd_no_wait", T_FLAG,
-+	N_("Don't fork and wait for the command to finish, just exec it"),
-+	NULL,
-+    }, {
- 	NULL, 0, NULL
-     }
- };
-diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
-index d83d2c3..1b6be3d 100644
---- a/plugins/sudoers/def_data.h
-+++ b/plugins/sudoers/def_data.h
-@@ -204,6 +204,8 @@
- #define def_iolog_group         (sudo_defs_table[I_IOLOG_GROUP].sd_un.str)
- #define I_IOLOG_MODE            102
- #define def_iolog_mode          (sudo_defs_table[I_IOLOG_MODE].sd_un.mode)
-+#define I_CMND_NO_WAIT          103
-+#define def_cmnd_no_wait        (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
- 
- enum def_tuple {
- 	never,
-diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
-index 9f069f1..5200fe3 100644
---- a/plugins/sudoers/def_data.in
-+++ b/plugins/sudoers/def_data.in
-@@ -322,3 +322,6 @@ iolog_group
- iolog_mode
- 	T_MODE
- 	"File mode to use for the I/O log files: 0%o"
-+cmnd_no_wait
-+	T_FLAG
-+	"Don't fork and wait for the command to finish, just exec it"
-diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
-index 4ee1e28..93df1dd 100644
---- a/plugins/sudoers/policy.c
-+++ b/plugins/sudoers/policy.c
-@@ -564,6 +564,10 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask,
- 	if ((command_info[info_len++] = strdup("use_pty=true")) == NULL)
- 	    goto oom;
-     }
-+    if (def_cmnd_no_wait) {
-+        if ((command_info[info_len++] = strdup("cmnd_no_wait=true")) == NULL)
-+            goto oom;
-+    }
-     if (def_utmp_runas) {
- 	if ((command_info[info_len++] = sudo_new_key_val("utmp_user", runas_pw->pw_name)) == NULL)
- 	    goto oom;
-diff --git a/src/exec.c b/src/exec.c
-index 56da013..08bc86d 100644
---- a/src/exec.c
-+++ b/src/exec.c
-@@ -384,6 +384,41 @@ sudo_execute(struct command_details *details, struct command_status *cstat)
-     }
- 
-     /*
-+     * If we don't want to wait for the command to exit, then just exec it.
-+     * THIS WILL BREAK SEVERAL THINGS including SELinux, PAM sessions and I/O
-+     * logging. Implemented because of rhbz#840980 (backwards compatibility).
-+     * In 1.8.x branch this is even harder to get back, since the nowait code
-+     * was completely removed.
-+     */
-+    if (details->flags & CD_DONTWAIT) {
-+        if (exec_setup(details, NULL, -1) == true) {
-+            restore_signals();
-+            /* headed for execve() */
-+            sudo_debug_execve(SUDO_DEBUG_INFO, details->command,
-+                              details->argv, details->envp);
-+            if (details->closefrom >= 0) {
-+                closefrom(details->closefrom);
-+            }
-+#ifdef HAVE_SELINUX
-+            if (ISSET(details->flags, CD_RBAC_ENABLED)) {
-+                selinux_execve(-1, details->command, details->argv, details->envp,
-+                               ISSET(details->flags, CD_NOEXEC));
-+            } else
-+#endif
-+            {
-+                sudo_execve(-1, details->command, details->argv, details->envp,
-+                            ISSET(details->flags, CD_NOEXEC));
-+            }
-+            sudo_debug_printf(SUDO_DEBUG_ERROR, "unable to exec %s: %s",
-+                              details->command, strerror(errno));
-+        }
-+        cstat->type = CMD_ERRNO;
-+        cstat->val = errno;
-+       return 127;
-+    }
-+
-+
-+    /*
-      * We communicate with the child over a bi-directional pair of sockets.
-      * Parent sends signal info to child and child sends back wait status.
-      */
-diff --git a/src/sudo.c b/src/sudo.c
-index 5dd090d..0606a19 100644
---- a/src/sudo.c
-+++ b/src/sudo.c
-@@ -670,6 +670,11 @@ command_info_to_details(char * const info[], struct command_details *details)
- 			sudo_fatalx(U_("%s: %s"), info[i], U_(errstr));
- 		    break;
- 		}
-+		if (strncmp("cmnd_no_wait=", info[i], sizeof("cmnd_no_wait=") - 1) == 0) {
-+                    if (sudo_strtobool(info[i] + sizeof("cmnd_no_wait=") - 1) == true)
-+                        SET(details->flags, CD_DONTWAIT);
-+                    break;
-+                }
- 		break;
- 	    case 'e':
- 		SET_FLAG("exec_background=", CD_EXEC_BG)
-diff --git a/src/sudo.h b/src/sudo.h
-index 3ac2c9d..f07ba11 100644
---- a/src/sudo.h
-+++ b/src/sudo.h
-@@ -130,6 +130,7 @@ struct user_details {
- #define CD_SUDOEDIT_FOLLOW	0x10000
- #define CD_SUDOEDIT_CHECKDIR	0x20000
- #define CD_SET_GROUPS		0x40000
-+#define CD_DONTWAIT		0x80000
- 
- struct preserved_fd {
-     TAILQ_ENTRY(preserved_fd) entries;
--- 
-2.7.4
-
diff --git a/SOURCES/sudo-1.8.6p7-digest-backport.patch b/SOURCES/sudo-1.8.6p7-digest-backport.patch
deleted file mode 100644
index a814b2c..0000000
--- a/SOURCES/sudo-1.8.6p7-digest-backport.patch
+++ /dev/null
@@ -1,435 +0,0 @@
-From c8a6eecf768d8102a9a77f5fdb5b516e571d462e Mon Sep 17 00:00:00 2001
-From: Radovan Sroka <rsroka@redhat.com>
-Date: Tue, 23 Aug 2016 13:43:08 +0200
-Subject: [PATCH] Using libgcrypt
-
-Using libgcrypt and not sudo implementation of SHA...
-
-Rebased patch of digest backport.
-Added option --with-gcrypt
-
-Rebased from:
-Patch35: sudo-1.8.6p7-digest-backport.patch
-
-Resolves:
-rhbz#1183818
----
- configure.ac                 |  16 +++++++
- plugins/sudoers/Makefile.in  |   9 +++-
- plugins/sudoers/filedigest.c | 104 +++++++++++++++++++++++++++++++++++++++++++
- plugins/sudoers/filedigest.h |  17 +++++++
- plugins/sudoers/match.c      |  94 ++++++++++++++++++++++++++++++--------
- 5 files changed, 219 insertions(+), 21 deletions(-)
- create mode 100644 plugins/sudoers/filedigest.c
- create mode 100644 plugins/sudoers/filedigest.h
-
-diff --git a/configure.ac b/configure.ac
-index 13c3c1b..54929b2 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -35,6 +35,7 @@ AC_SUBST([SUDO_OBJS])
- AC_SUBST([LIBS])
- AC_SUBST([SUDO_LIBS])
- AC_SUBST([SUDOERS_LIBS])
-+AC_SUBST([LIBPARSESUDOERS_LIBS])
- AC_SUBST([STATIC_SUDOERS])
- AC_SUBST([NET_LIBS])
- AC_SUBST([AFS_LIBS])
-@@ -1517,6 +1518,19 @@ AC_ARG_WITH(selinux, [AS_HELP_STRING([--with-selinux], [enable SELinux support])
- 		;;
- esac], [with_selinux=no])
- 
-+AC_ARG_WITH(gcrypt, [AS_HELP_STRING([--with-gcrypt], [enable libgcrypt support])],
-+[case $with_gcrypt in
-+    yes)
-+               AC_DEFINE(HAVE_LIBGCRYPT)
-+               LIBPARSESUDOERS_LIBS="${LIBPARSESUDOERS_LIBS} -lgcrypt"
-+               AC_CHECK_LIB([gcrypt], [gcry_md_open],
-+                   [AC_DEFINE(HAVE_GCRY_MD_OPEN)])
-+               ;;
-+    no)                ;;
-+    *)         AC_MSG_ERROR(["--with-gcrypt does not take an argument."])
-+               ;;
-+esac])
-+
- dnl
- dnl gss_krb5_ccache_name() may not work on Heimdal so we don't use it by default
- dnl
-@@ -4344,6 +4358,8 @@ AH_TEMPLATE(HAVE_PROJECT_H, [Define to 1 if you have the <project.h> header file
- AH_TEMPLATE(HAVE_SECURID, [Define to 1 if you use SecurID for authentication.])
- AH_TEMPLATE(HAVE_SELINUX, [Define to 1 to enable SELinux RBAC support.])
- AH_TEMPLATE(HAVE_SETKEYCREATECON, [Define to 1 if you have the `setkeycreatecon' function.])
-+AH_TEMPLATE(HAVE_LIBGCRYPT, [Define to 1 to enable libgcrypt support.])
-+AH_TEMPLATE(HAVE_GCRY_MD_OPEN, [Define to 1 if you have the `gcry_md_open' function.])
- AH_TEMPLATE(HAVE_SHL_LOAD, [Define to 1 if you have the `shl_load' function.])
- AH_TEMPLATE(HAVE_SKEY, [Define to 1 if you use S/Key.])
- AH_TEMPLATE(HAVE_SKEYACCESS, [Define to 1 if your S/Key library has skeyaccess().])
-diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in
-index f36f9ef..32c0ed0 100644
---- a/plugins/sudoers/Makefile.in
-+++ b/plugins/sudoers/Makefile.in
-@@ -55,6 +55,7 @@ LT_LIBS = $(top_builddir)/lib/util/libsudo_util.la
- LIBS = $(LT_LIBS)
- NET_LIBS = @NET_LIBS@
- SUDOERS_LIBS = @SUDOERS_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ $(LIBS) $(NET_LIBS) @ZLIB@ @LIBMD@
-+LIBPARSESUDOERS_LIBS = @LIBPARSESUDOERS_LIBS@
- REPLAY_LIBS = @REPLAY_LIBS@ @ZLIB@
- VISUDO_LIBS = $(NET_LIBS) @LIBMD@
- TESTSUDOERS_LIBS = $(NET_LIBS) @LIBMD@
-@@ -153,7 +154,7 @@ AUTH_OBJS = sudo_auth.lo @AUTH_OBJS@
- LIBPARSESUDOERS_OBJS = alias.lo audit.lo base64.lo defaults.lo hexchar.lo \
- 		       gram.lo match.lo match_addr.lo pwutil.lo pwutil_impl.lo \
- 		       rcstr.lo redblack.lo sudoers_debug.lo timestr.lo \
--		       toke.lo toke_util.lo
-+		       toke.lo toke_util.lo filedigest.lo
- 
- SUDOERS_OBJS = $(AUTH_OBJS) boottime.lo check.lo editor.lo env.lo find_path.lo \
- 	       gc.lo goodpath.lo group_plugin.lo interfaces.lo iolog.lo \
-@@ -217,7 +218,7 @@ Makefile: $(srcdir)/Makefile.in
- 	(cd $(top_builddir) && ./config.status --file plugins/sudoers/Makefile)
- 
- libparsesudoers.la: $(LIBPARSESUDOERS_OBJS)
--	$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(LIBPARSESUDOERS_OBJS) -no-install
-+	$(LIBTOOL) --mode=link $(CC) -o $@ $(LIBPARSESUDOERS_OBJS) $(LIBPARSESUDOERS_LIBS) -no-install
- 
- sudoers.la: $(SUDOERS_OBJS) $(LT_LIBS) libparsesudoers.la @LT_LDDEP@
- 	case "$(LT_LDFLAGS)" in \
-@@ -656,6 +657,10 @@ env.lo: $(srcdir)/env.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
-         $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
-         $(top_builddir)/pathnames.h
- 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/env.c
-+filedigest.lo: $(srcdir)/filedigest.c $(top_builddir)/config.h \
-+        $(incdir)/sudo_debug.h
-+	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/filedigest.c
-+filedigest.o: filedigest.lo
- find_path.lo: $(srcdir)/find_path.c $(devdir)/def_data.h \
-               $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
-               $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
-diff --git a/plugins/sudoers/filedigest.c b/plugins/sudoers/filedigest.c
-new file mode 100644
-index 0000000..c173741
---- /dev/null
-+++ b/plugins/sudoers/filedigest.c
-@@ -0,0 +1,104 @@
-+#include <config.h>
-+#include <errno.h>
-+#include <stddef.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <fcntl.h>
-+#include <unistd.h>
-+#include "filedigest.h"
-+#include "sudo_compat.h"
-+#include "sudo_debug.h"
-+
-+#if defined(HAVE_LIBGCRYPT)
-+#include <gcrypt.h>
-+
-+static int sudo_filedigest_gcrypt(int fd, int algo, unsigned char **dvalue, size_t *dvalue_size)
-+{
-+  char buffer[4096];
-+  gcry_md_hd_t ctx;
-+  int gcry_algo;
-+  debug_decl(sudo_filedigest_gcrypt, SUDO_DEBUG_UTIL);
-+
-+  switch(algo) {
-+  case SUDO_DIGEST_SHA224:
-+    gcry_algo = GCRY_MD_SHA224; break;
-+  case SUDO_DIGEST_SHA256:
-+    gcry_algo = GCRY_MD_SHA256; break;
-+  case SUDO_DIGEST_SHA384:
-+    gcry_algo = GCRY_MD_SHA384; break;
-+  case SUDO_DIGEST_SHA512:
-+    gcry_algo = GCRY_MD_SHA512; break;
-+  default:
-+    debug_return_int(-1);
-+  }
-+
-+  gcry_md_open(&ctx, gcry_algo, 0);
-+
-+  /* Read block of data from fd and digest them */
-+  while (1) {
-+    const ssize_t read_bytes = read(fd, buffer, sizeof buffer);
-+
-+    if (read_bytes < 0) {
-+      /* Error */
-+      gcry_md_close(ctx);
-+      debug_return_int(-1);
-+    }
-+    else if (read_bytes > 0) {
-+      /* Some data read -- update the digest */
-+      gcry_md_write(ctx, buffer, (size_t)read_bytes);
-+    }
-+    else {
-+      /* EOF */
-+      break;
-+    }
-+  }
-+
-+  /*
-+   * All data digested. Finalize the digest value.
-+   */
-+  const unsigned char *value = gcry_md_read(ctx, gcry_algo);
-+
-+  if (value == NULL) {
-+    debug_return_int(-1);
-+  }
-+
-+  /*
-+   * Make a copy of the digest value. The pointer
-+   * returned from gcry_md_read cannot be used after
-+   * gcry_md_close was called
-+   */
-+  (*dvalue_size) = gcry_md_get_algo_dlen(gcry_algo);
-+  (*dvalue) = malloc(*dvalue_size);
-+
-+  if (*dvalue == NULL) {
-+    debug_return_int(-1);
-+  }
-+
-+  memcpy(*dvalue, value, *dvalue_size);
-+  gcry_md_close(ctx);
-+
-+  debug_return_int(0);
-+}
-+#endif
-+
-+#include <stdio.h>
-+
-+int sudo_filedigest(const char *path, int algo, unsigned char **dvalue, size_t *dvalue_size)
-+{
-+  int rc = -1;
-+  int fd = -1;
-+  debug_decl(sudo_filedigest, SUDO_DEBUG_UTIL);
-+
-+  if ((fd = open(path, O_RDONLY)) < 0) {
-+    debug_return_int(rc);
-+  }
-+
-+#if defined(HAVE_LIBGCRYPT)
-+  rc = sudo_filedigest_gcrypt(fd, algo, dvalue, dvalue_size);
-+  close(fd);
-+#else
-+  rc = -1;
-+  errno = ENOTSUP;
-+#endif
-+  debug_return_int(rc);
-+}
-diff --git a/plugins/sudoers/filedigest.h b/plugins/sudoers/filedigest.h
-new file mode 100644
-index 0000000..437f02f
---- /dev/null
-+++ b/plugins/sudoers/filedigest.h
-@@ -0,0 +1,17 @@
-+#include <stddef.h>
-+
-+#define SUDO_DIGEST_SHA224	0
-+#define SUDO_DIGEST_SHA256	1
-+#define SUDO_DIGEST_SHA384	2
-+#define SUDO_DIGEST_SHA512	3
-+#define SUDO_DIGEST_INVALID     4
-+
-+#define SUDO_SHA224_DIGEST_LENGTH 28
-+#define SUDO_SHA256_DIGEST_LENGTH 32
-+#define SUDO_SHA384_DIGEST_LENGTH 48
-+#define SUDO_SHA512_DIGEST_LENGTH 64
-+
-+/*
-+ * Compute a digest of a given file. Returns 0 on success, -1 otherwise.
-+ */
-+int sudo_filedigest(const char *path, int algo, unsigned char **dvalue, size_t *dvalue_size);
-diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
-index 1916bde..2a9ea4b 100644
---- a/plugins/sudoers/match.c
-+++ b/plugins/sudoers/match.c
-@@ -62,6 +62,7 @@
- 
- #include "sudoers.h"
- #include "parse.h"
-+#include "filedigest.h"
- #include <gram.h>
- 
- #ifdef HAVE_FNMATCH
-@@ -576,6 +577,7 @@ command_matches_normal(const char *sudoers_cmnd, const char *sudoers_args, const
- }
- #else /* !SUDOERS_NAME_MATCH */
- 
-+#ifndef HAVE_LIBGCRYPT /* !!! */
- static struct digest_function {
-     const char *digest_name;
-     const unsigned int digest_len;
-@@ -616,24 +618,43 @@ static struct digest_function {
- 	NULL
-     }
- };
-+#endif /* !HAVE_LIBGCRYPT */
-+
-+static const char *digesttype2str(int digest_type)
-+{
-+    switch(digest_type) {
-+        case SUDO_DIGEST_SHA224:
-+            return "SHA224";
-+        case SUDO_DIGEST_SHA256:
-+            return "SHA256";
-+        case SUDO_DIGEST_SHA384:
-+            return "SHA384";
-+        case SUDO_DIGEST_SHA512:
-+            return "SHA512";
-+    }
-+    return "<INVALID>";
-+}
- 
- static bool
- digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
- {
--    unsigned char file_digest[SHA512_DIGEST_LENGTH];
--    unsigned char sudoers_digest[SHA512_DIGEST_LENGTH];
-+    unsigned char * file_digest = NULL;
-+    unsigned char * sudoers_digest = NULL;
-+    size_t digest_size;
-     unsigned char buf[32 * 1024];
--    struct digest_function *func = NULL;
- #ifdef HAVE_FEXECVE
-     bool first = true;
-     bool is_script = false;
- #endif /* HAVE_FEXECVE */
-     size_t nread;
--    SHA2_CTX ctx;
-     FILE *fp;
-     unsigned int i;
-     debug_decl(digest_matches, SUDOERS_DEBUG_MATCH)
- 
-+#ifndef HAVE_LIBGCRYPT /* !!! */
-+
-+    SHA2_CTX ctx;
-+    struct digest_function *func = NULL;
-     for (i = 0; digest_functions[i].digest_name != NULL; i++) {
- 	if (sd->digest_type == i) {
- 	    func = &digest_functions[i];
-@@ -644,9 +665,33 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
- 	sudo_warnx(U_("unsupported digest type %d for %s"), sd->digest_type, file);
- 	debug_return_bool(false);
-     }
--    if (strlen(sd->digest_str) == func->digest_len * 2) {
-+
-+    digest_size = func->digest_len;
-+
-+    file_digest = malloc(digest_size);
-+    if (file_digest == NULL) {
-+	debug_return_bool(false);
-+    }
-+
-+#elif HAVE_LIBGCRYPT
-+
-+    if (sudo_filedigest(file, sd->digest_type,
-+        &file_digest, &digest_size) != 0) {
-+        sudo_warnx(U_("Cannot compute digest type %d for %s"), sd->digest_type, file);
-+        goto clean_up;
-+    }
-+
-+#endif /* !HAVE_LIBGCRYPT */
-+
-+    sudoers_digest = malloc(digest_size);
-+    if (sudoers_digest == NULL) {
-+        free(file_digest);
-+	debug_return_bool(false);
-+    }
-+
-+    if (strlen(sd->digest_str) == digest_size * 2) {
- 	/* Convert the command digest from ascii hex to binary. */
--	for (i = 0; i < func->digest_len; i++) {
-+	for (i = 0; i < digest_size ; i++) {
- 	    const int h = hexchar(&sd->digest_str[i + i]);
- 	    if (h == -1)
- 		goto bad_format;
-@@ -654,11 +699,11 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
- 	}
-     } else {
- 	size_t len = base64_decode(sd->digest_str, sudoers_digest,
--	    sizeof(sudoers_digest));
--	if (len != func->digest_len) {
-+	    digest_size);
-+	if (len != digest_size) {
- 	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
--		"incorrect length for digest, expected %u, got %zu",
--		func->digest_len, len);
-+		"incorrect length for digest, expected %zu, got %zu",
-+		digest_size, len);
- 	    goto bad_format;
- 	}
-     }
-@@ -666,10 +711,11 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
-     if ((fp = fopen(file, "r")) == NULL) {
- 	sudo_debug_printf(SUDO_DEBUG_INFO, "unable to open %s: %s",
- 	    file, strerror(errno));
--	debug_return_bool(false);
-+        goto clean_up;
-     }
--
-+#ifndef HAVE_LIBGCRYPT
-     func->init(&ctx);
-+#endif /* !HAVE_LIBGCRYPT */
-     while ((nread = fread(buf, 1, sizeof(buf), fp)) != 0) {
- #ifdef HAVE_FEXECVE
- 	/* Check for #! cookie and set is_script. */
-@@ -679,21 +725,24 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
- 		is_script = true;
- 	}
- #endif /* HAVE_FEXECVE */
-+#ifndef HAVE_LIBGCRYPT
- 	func->update(&ctx, buf, nread);
-+#endif /* !HAVE_LIBGCRYPT */
-     }
-     if (ferror(fp)) {
- 	sudo_warnx(U_("%s: read error"), file);
- 	fclose(fp);
--	debug_return_bool(false);
-+        goto clean_up;
-     }
-+#ifndef HAVE_LIBGCRYPT
-     func->final(file_digest, &ctx);
--
--    if (memcmp(file_digest, sudoers_digest, func->digest_len) != 0) {
-+#endif /* !HAVE_LIBGCRYPT */
-+    if (memcmp(file_digest, sudoers_digest, digest_size) != 0) {
- 	fclose(fp);
- 	sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO,
- 	    "%s digest mismatch for %s, expecting %s",
--	    func->digest_name, file, sd->digest_str);
--	debug_return_bool(false);
-+	    digesttype2str(sd->digest_type), file, sd->digest_str);
-+        goto clean_up;
-     }
- 
- #ifdef HAVE_FEXECVE
-@@ -705,7 +754,7 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
- 	sudo_debug_printf(SUDO_DEBUG_INFO, "unable to dup %s: %s",
- 	    file, strerror(errno));
- 	fclose(fp);
--	debug_return_bool(false);
-+        goto clean_up;
-     }
-     /*
-      * Shell scripts go through namei twice and so we can't set the close
-@@ -715,10 +764,17 @@ digest_matches(const char *file, const struct sudo_digest *sd, int *fd)
- 	(void)fcntl(*fd, F_SETFD, FD_CLOEXEC);
- #endif /* HAVE_FEXECVE */
-     fclose(fp);
-+    free(file_digest);
-+    free(sudoers_digest);
-     debug_return_bool(true);
- bad_format:
-     sudo_warnx(U_("digest for %s (%s) is not in %s form"), file,
--	sd->digest_str, func->digest_name);
-+	sd->digest_str, digesttype2str(sd->digest_type));
-+clean_up:
-+    if (file_digest)
-+        free(file_digest);
-+    if (sudoers_digest)
-+        free(sudoers_digest);
-     debug_return_bool(false);
- }
- 
--- 
-2.7.4
-
diff --git a/SOURCES/sudo-1.8.6p7-ldapsearchuidfix.patch b/SOURCES/sudo-1.8.6p7-ldapsearchuidfix.patch
deleted file mode 100644
index d3991f0..0000000
--- a/SOURCES/sudo-1.8.6p7-ldapsearchuidfix.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From b1f3fcf8d6e9a8e5326771a12fac8e08ed81f766 Mon Sep 17 00:00:00 2001
-From: Tomas Sykora <tosykora@redhat.com>
-Date: Fri, 19 Aug 2016 10:21:27 +0200
-Subject: [PATCH] Sudo with ldap doesn't work with 'user id'
-
-in sudoUser option.
-
-Rebased from:
-Patch39: sudo-1.8.6p7-ldapsearchuidfix.patch
-
-Resolves:
-rhbz#1135539
----
- plugins/sudoers/def_data.c  |  4 ++++
- plugins/sudoers/def_data.h  |  2 ++
- plugins/sudoers/def_data.in |  3 +++
- plugins/sudoers/defaults.c  |  2 ++
- plugins/sudoers/ldap.c      | 10 ++++++++--
- plugins/sudoers/sudoers.c   |  4 ++++
- 6 files changed, 23 insertions(+), 2 deletions(-)
-
-diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
-index d8b1ada..3926fed 100644
---- a/plugins/sudoers/def_data.c
-+++ b/plugins/sudoers/def_data.c
-@@ -439,6 +439,10 @@ struct sudo_defs_types sudo_defs_table[] = {
- 	N_("Don't fork and wait for the command to finish, just exec it"),
- 	NULL,
-     }, {
-+	"legacy_group_processing", T_FLAG,
-+	N_("Don't pre-resolve all group names"),
-+	NULL,
-+    }, {
- 	NULL, 0, NULL
-     }
- };
-diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
-index 1b6be3d..5246e41 100644
---- a/plugins/sudoers/def_data.h
-+++ b/plugins/sudoers/def_data.h
-@@ -206,6 +206,8 @@
- #define def_iolog_mode          (sudo_defs_table[I_IOLOG_MODE].sd_un.mode)
- #define I_CMND_NO_WAIT          103
- #define def_cmnd_no_wait        (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
-+#define I_LEGACY_GROUP_PROCESSING 104
-+#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
- 
- enum def_tuple {
- 	never,
-diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
-index 5200fe3..f1c9265 100644
---- a/plugins/sudoers/def_data.in
-+++ b/plugins/sudoers/def_data.in
-@@ -325,3 +325,6 @@ iolog_mode
- cmnd_no_wait
- 	T_FLAG
- 	"Don't fork and wait for the command to finish, just exec it"
-+legacy_group_processing
-+	T_FLAG
-+	"Don't pre-resolve all group names"
-diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
-index 5eaf8ea..9e60d94 100644
---- a/plugins/sudoers/defaults.c
-+++ b/plugins/sudoers/defaults.c
-@@ -450,6 +450,8 @@ init_defaults(void)
-     }
- 
-     /* First initialize the flags. */
-+    def_legacy_group_processing = true;
-+    def_match_group_by_gid = true;
- #ifdef LONG_OTP_PROMPT
-     def_long_otp_prompt = true;
- #endif
-diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
-index 3fe27c7..96a0709 100644
---- a/plugins/sudoers/ldap.c
-+++ b/plugins/sudoers/ldap.c
-@@ -1666,8 +1666,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw)
-     if (ldap_conf.search_filter)
- 	sz += strlen(ldap_conf.search_filter);
- 
--    /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
--    sz += 29 + sudo_ldap_value_len(pw->pw_name);
-+    /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */
-+    sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name);
- 
-     /* Add space for primary and supplementary groups and gids */
-     if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
-@@ -1730,6 +1730,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct passwd *pw)
-     CHECK_LDAP_VCAT(buf, pw->pw_name, sz);
-     CHECK_STRLCAT(buf, ")", sz);
- 
-+    /* Append user uid */
-+    (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid);
-+    (void) strlcat(buf, "(sudoUser=#", sz);
-+    (void) strlcat(buf, gidbuf, sz);
-+    (void) strlcat(buf, ")", sz);
-+
-     /* Append primary group and gid */
-     if (grp != NULL) {
- 	CHECK_STRLCAT(buf, "(sudoUser=%", sz);
-diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
-index 539177a..673ee5d 100644
---- a/plugins/sudoers/sudoers.c
-+++ b/plugins/sudoers/sudoers.c
-@@ -208,6 +208,10 @@ sudoers_policy_init(void *info, char * const envp[])
-     if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
- 	ret = true;
- 
-+    if (!def_match_group_by_gid || !def_legacy_group_processing) {
-+        def_match_group_by_gid = false;
-+	def_legacy_group_processing = false;
-+    }
- cleanup:
-     if (!restore_perms())
- 	ret = -1;
--- 
-2.7.4
-
diff --git a/SOURCES/sudo-1.8.6p7-sudoldapconfman.patch b/SOURCES/sudo-1.8.6p7-sudoldapconfman.patch
deleted file mode 100644
index 8d46dbe..0000000
--- a/SOURCES/sudo-1.8.6p7-sudoldapconfman.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 447b3f0c91f019c1d30b5703c61316b583f5bce1 Mon Sep 17 00:00:00 2001
-From: Tomas Sykora <tosykora@redhat.com>
-Date: Mon, 15 Aug 2016 15:15:40 +0200
-Subject: [PATCH] RHEL7 failed RPMdiff testing
-
-Package sudo-1.8.3p1-7.el7 failed RHEL7 RPMdiff testing
-
-Rebased from:
-Patch16: sudo-1.8.6p7-sudoldapconfman.patch
-
-Resolves:
-rhbz#881258
----
- doc/Makefile.in | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/doc/Makefile.in b/doc/Makefile.in
-index a6f2ea2..e27c6e0 100644
---- a/doc/Makefile.in
-+++ b/doc/Makefile.in
-@@ -319,10 +319,16 @@ install-doc: install-dirs
- 	    rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
- 	    echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
- 	    ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \
-+	    rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
-+           echo ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
-+           ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \
- 	else \
- 	    rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
- 	    echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
- 	    ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \
-+	    rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
-+           echo ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
-+           ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \
- 	fi
- 
- install-plugin:
-@@ -336,7 +342,8 @@ uninstall:
- 		$(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \
- 		$(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \
- 		$(DESTDIR)$(mandirform)/sudoers.$(mansectform) \
--		$(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
-+		$(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) \
-+		$(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)
- 
- splint:
- 
--- 
-2.7.4
-
diff --git a/SOURCES/sudoers b/SOURCES/sudoers
index 2fdc62f..93e02ba 100644
--- a/SOURCES/sudoers
+++ b/SOURCES/sudoers
@@ -64,6 +64,14 @@ Defaults   !visiblepw
 Defaults    always_set_home
 Defaults    match_group_by_gid
 
+# Prior to version 1.8.15, groups listed in sudoers that were not
+# found in the system group database were passed to the group
+# plugin, if any. Starting with 1.8.15, only groups of the form
+# %:group are resolved via the group plugin by default.
+# We enable always_query_group_plugin to restore old behavior.
+# Disable this option for new behavior.
+Defaults    always_query_group_plugin
+
 Defaults    env_reset
 Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
 Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
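Review bot: The added `Defaults always_query_group_plugin` only reaches hosts that actually receive this packaged file, and the spec in this same commit ships it as `%config(noreplace) %{_sysconfdir}/sudoers`. A host whose sudoers was edited locally therefore keeps its old file on upgrade and moves to the 1.8.15+ lookup rules without this line, so fresh installs and upgraded hosts can resolve an unknown `%group` entry differently. The comment block should state this, for example `# Only has an effect when a group_plugin is configured; hosts upgraded with a modified sudoers must add this line by hand.` The first half of that wording follows the comment's own "if any" and should be confirmed against the sudoers manual.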
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index c8d2f64..2dd0195 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.8.19p2
-Release: 14%{?dist}
+Version: 1.8.23
+Release: 3%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -9,74 +9,48 @@ Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
 Source1: sudoers
 Source2: sudo-ldap.conf
 Source3: sudo.conf
-Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Requires: /etc/pam.d/system-auth, vim-minimal, libgcrypt
+Requires: /etc/pam.d/system-auth
+Requires: /usr/bin/vi
 
-BuildRequires: pam-devel
-BuildRequires: groff
-BuildRequires: openldap-devel
-BuildRequires: flex
+BuildRequires: /usr/sbin/sendmail
+BuildRequires: autoconf
+BuildRequires: automake
 BuildRequires: bison
-BuildRequires: automake autoconf libtool
-BuildRequires: audit-libs-devel libcap-devel
+BuildRequires: flex
+BuildRequires: gettext
+BuildRequires: groff
+BuildRequires: libtool
+BuildRequires: audit-libs-devel
+BuildRequires: libcap-devel
+BuildRequires: libgcrypt-devel
 BuildRequires: libgcrypt-devel
 BuildRequires: libselinux-devel
-BuildRequires: /usr/sbin/sendmail
-BuildRequires: gettext
+BuildRequires: openldap-devel
+BuildRequires: pam-devel
 BuildRequires: zlib-devel
-BuildRequires: libgcrypt-devel
 
 # don't strip
 Patch1: sudo-1.6.7p5-strip.patch
 # configure.in fix
 Patch2: sudo-1.7.2p1-envdebug.patch
-# 840980 - sudo creates a new parent process
-# Adds cmnd_no_wait Defaults option
-Patch3: sudo-1.8.6p3-nowaitopt.patch
 # 881258 - rpmdiff: added missing sudo-ldap.conf manpage
-Patch4: sudo-1.8.6p7-sudoldapconfman.patch
-# 1092499 - Regression in sudo 1.8.6p3-7 package, double quotes are not accepted in sudoers
-Patch5: sudo-1.8.6p3-doublequotefix.patch
-# 1183818 - backport of command digest specification feature
-Patch6: sudo-1.8.6p7-digest-backport.patch
+Patch3: sudo-1.8.23-sudoldapconfman.patch
+# 1247591 - Sudo taking a long time when user information is stored externally.
+Patch4: sudo-1.8.23-legacy-group-processing.patch
 # 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option
-Patch7: sudo-1.8.6p7-ldapsearchuidfix.patch
+Patch5: sudo-1.8.23-ldapsearchuidfix.patch
 # 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure
-Patch8: sudo-1.8.6p7-logsudouser.patch
-# fix upstream testsuite - disabling 2 tests, working only with non-root user
-Patch9: sudo-1.8.18-testsuitefix.patch
-# 1413160 - backport ignore_unknown_defaults flag
-Patch10: sudo-1.8.19p2-ignore-unknown-defaults.patch
-# 1424575 - backport visudo severity of the message
-Patch11: sudo-1.8.19p2-error-warning-visudo-message.patch
-# 1369856 - synchronous (real-time) writes in sudo i/o logs
-Patch12: sudo-1.8.19p2-iologflush.patch
-# 1293306 - Sudo group lookup issue.
-Patch13: sudo-1.8.19p2-lookup-issue-doc.patch
-# 1360687 -  sudo rhel-7 rebase - comment11
-Patch14: sudo-1.8.19p2-upstream-testsuitefix.patch
-# 1360687 -  sudo rhel-7 rebase - comment13
-Patch15: sudo-1.8.19p2-fqdn-use-after-free.patch
-# 1360687 -  sudo rhel-7 rebase - comment13
-Patch16: sudo-1.8.19p2-lecture-boolean.patch
-# 1455402 - CVE-2017-1000367: Privilege escalation in via improper get_process_ttyname() parsing
-Patch17: sudo-1.8.19p2-get_process_ttyname.patch
-# 1459152 - CVE-2017-1000368: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367)
-Patch18: sudo-1.8.19p2-CVE-2017-1000368.patch
-# 1485397 - sudo breaking who ldap and local users after upgrade
-Patch19: sudo-1.8.21-ldap-pass2-filter.patch
-# 1458696 - successful sudo -l returns non-zero if asking for other user
-Patch20: sudo-1.8.19p2-display-privs.patch
-# 1454571 - Sudo, with I/O Logging log_output option enabled, truncate output in case of cycle over standard input
-Patch21: sudo-1.8.19p2-iologtruncate.patch
-# 1490358 - Update use_pty and IO logging man page
-Patch22: sudo-1.8.19p2-manpage-use_pty.patch
-# 1505409 - Regression in "sudo -l" when using IPA / sssd
-Patch23: sudo-1.8.19p2-sudo-l-sssd.patch
-# 1518104 - sudo crashed: double free or corruption (fasttop)
-Patch24: sudo-1.8.19p2-sssd-double-free.patch
-# 1560657 - sudo blocks in poll() for /dev/ptmx with iolog enabled
-Patch25: sudo-1.8.19p2-iolog-zombie.patch
+Patch6: sudo-1.8.6p7-logsudouser.patch
+# 840980 - sudo creates a new parent process
+# Adds cmnd_no_wait Defaults option
+Patch7: sudo-1.8.23-nowaitopt.patch
+# 1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers
+#  This is fix of a regression in the referenced feature request. It was fixed
+#  in newer versions of sudo and we backport it to prevent future regression
+#  bz in RHEL. The feature itself was delivered via the rebase to 1.8.23.
+Patch8: sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch
+# 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version
+Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch 
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
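Review bot: Patch17 and Patch18, the downstream fixes for CVE-2017-1000367 and CVE-2017-1000368, are dropped from the patch list with no record in the spec that the new tarball already contains them. Presumably the rebase to 1.8.23 carries the upstream fixes, but nothing visible here says so, and that should be confirmed against the upstream changelog. A comment next to the patch list would let a later audit see that the fixes were superseded rather than lost, for example `# CVE-2017-1000367, CVE-2017-1000368: fixed upstream before 1.8.23, downstream patches dropped`. Separately, `BuildRequires: libgcrypt-devel` now appears on two consecutive lines and the `Patch9:` line ends in a trailing space; both can be cleaned up.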
@@ -103,29 +77,13 @@ plugins that use %{name}.
 
 %patch1 -p1 -b .strip
 %patch2 -p1 -b .envdebug
-%patch3 -p1 -b .nowaitopt
-%patch4 -p1 -b .sudoldapconfman
-%patch5 -p1 -b .doublequotefix
-%patch6 -p1 -b .digest-backport
-%patch7 -p1 -b .ldapsearchuidfix
-%patch8 -p1 -b .logsudouser
-%patch9 -p1 -b .testsuite
-%patch10 -p1 -b .ignoreunknowndefaults
-%patch11 -p1 -b .errorwarningvisudomsg
-%patch12 -p1 -b .iologflush
-%patch13 -p1 -b .lookup
-%patch14 -p1 -b .testsuite
-%patch15 -p1 -b .fqdnafterfree
-%patch16 -p1 -b .lecture
-%patch17 -p1 -b .get_process_ttyname
-%patch18 -p1 -b .CVE-2017-1000368
-%patch19 -p1 -b .ldap-pass2-filter
-%patch20 -p1 -b .display-privs
-%patch21 -p1 -b .iologtruncate
-%patch22 -p1 -b .manpage
-%patch23 -p1 -b .sudo-l
-%patch24 -p1 -b .double-free
-%patch25 -p1 -b .iolog-zombie
+%patch3 -p1 -b .sudoldapconfman
+%patch4 -p1 -b .legacy-group-processing
+%patch5 -p1 -b .ldapsearchuidfix
+%patch6 -p1 -b .logsudouser
+%patch7 -p1 -b .nowaitopt
+%patch8 -p1 -b .pam-mgmt-ignore-errors
+%patch9 -p1 -b .defaults-double-quote-fix
 
 %build
 autoreconf -I m4 -fv --install
@@ -147,9 +105,9 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHL
         --with-logfac=authpriv \
         --with-pam \
         --with-pam-login \
-        --with-editor=/bin/vi \
+        --with-editor=/usr/bin/vi \
         --with-env-editor \
-        --with-gcrypt \
+        --enable-gcrypt \
         --with-ignore-dot \
         --with-tty-tickets \
         --with-ldap \
@@ -158,32 +116,33 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHL
         --with-passprompt="[sudo] password for %p: " \
         --with-linux-audit \
         --with-sssd
-#       --without-kerb5 \
-#       --without-kerb4
+
 make
 
+%check
 make check
 
 %install
-rm -rf $RPM_BUILD_ROOT
+rm -rf %{buildroot}
 
 # Update README.LDAP (#736653)
 sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP
 
-make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
-chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
-install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
-install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
-install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
-install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
-install -p -c -m 0640 %{SOURCE3} $RPM_BUILD_ROOT/etc/sudo.conf
-install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo-ldap.conf
+make install DESTDIR="%{buildroot}" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
+
+chmod 755 %{buildroot}%{_bindir}/* %{buildroot}%{_sbindir}/*
+install -p -d -m 700 %{buildroot}%{_localstatedir}/db/sudo
+install -p -d -m 700 %{buildroot}%{_localstatedir}/db/sudo/lectured
+install -p -d -m 750 %{buildroot}%{_sysconfdir}/sudoers.d
+install -p -c -m 0440 %{SOURCE1} %{buildroot}%{_sysconfdir}/sudoers
+install -p -c -m 0640 %{SOURCE3} %{buildroot}%{_sysconfdir}/sudo.conf
+install -p -c -m 0640 %{SOURCE2} %{buildroot}%{_sysconfdir}/sudo-ldap.conf
 
-# Remove execute permission on this script so we don't pull in perl deps
-chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif
+# Remove upstream sudoers file
+rm -f %{buildroot}%{_sysconfdir}/sudoers.dist
 
-#Remove all .la files
-find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+# Remove all .la files
+find %{buildroot} -name '*.la' -exec rm -f {} ';'
 
 %find_lang sudo
 %find_lang sudoers
@@ -191,42 +150,44 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 cat sudo.lang sudoers.lang > sudo_all.lang
 rm sudo.lang sudoers.lang
 
-mkdir -p $RPM_BUILD_ROOT/etc/pam.d
-cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF
+mkdir -p %{buildroot}%{_sysconfdir}/pam.d
+cat > %{buildroot}%{_sysconfdir}/pam.d/sudo << EOF
 #%%PAM-1.0
 auth       include      system-auth
 account    include      system-auth
 password   include      system-auth
 session    optional     pam_keyinit.so revoke
 session    required     pam_limits.so
+session    include      system-auth
 EOF
 
-cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
+cat > %{buildroot}%{_sysconfdir}/pam.d/sudo-i << EOF
 #%%PAM-1.0
 auth       include      sudo
 account    include      sudo
 password   include      sudo
 session    optional     pam_keyinit.so force revoke
 session    required     pam_limits.so
+session    include      sudo
 EOF
 
-
 %clean
-rm -rf $RPM_BUILD_ROOT
+rm -rf %{buildroot}
 
 %files -f sudo_all.lang
 %defattr(-,root,root)
-%attr(0440,root,root) %config(noreplace) /etc/sudoers
-%attr(0640,root,root) %config(noreplace) /etc/sudo.conf
+%attr(0440,root,root) %config(noreplace) %{_sysconfdir}/sudoers
+%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf
 %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo-ldap.conf
-%attr(0750,root,root) %dir /etc/sudoers.d/
-%config(noreplace) /etc/pam.d/sudo
-%config(noreplace) /etc/pam.d/sudo-i
+%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d/
+%config(noreplace) %{_sysconfdir}/pam.d/sudo
+%config(noreplace) %{_sysconfdir}/pam.d/sudo-i
 %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
-%dir /var/db/sudo
-%dir /var/db/sudo/lectured
+%dir %{_localstatedir}/db/sudo
+%dir %{_localstatedir}/db/sudo/lectured
 %attr(4111,root,root) %{_bindir}/sudo
 %{_bindir}/sudoedit
+%{_bindir}/cvtsudoers
 %attr(0111,root,root) %{_bindir}/sudoreplay
 %attr(0755,root,root) %{_sbindir}/visudo
 %attr(0755,root,root) %{_libexecdir}/sudo/sesh
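Review bot: In the `sudo-i` PAM snippet the added `session    include      sudo` pulls in the whole session stack of `sudo`, which already lists `pam_keyinit.so revoke` and `pam_limits.so`. Both modules therefore appear to run twice for `sudo -i`, pam_keyinit once with `force revoke` and once with plain `revoke`. If the intent is only to pick up the system-auth session hooks, `session    include      system-auth` in `sudo-i` would do that without repeating the two explicit lines. Both heredocs also use an unquoted `EOF`, so a `$` added to the PAM text later would be expanded by the build shell; `<< 'EOF'` keeps the content literal.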
@@ -245,13 +206,14 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudoedit.8*
 %{_mandir}/man8/sudoreplay.8*
 %{_mandir}/man8/visudo.8*
+%{_mandir}/man1/cvtsudoers.1.gz
+%{_mandir}/man5/sudoers_timestamp.5.gz
 %dir %{_docdir}/sudo-%{version}
 %{_docdir}/sudo-%{version}/*
 
-
 # Make sure permissions are ok even if we're updating
 %post
-/bin/chmod 0440 /etc/sudoers || :
+/bin/chmod 0440 %{_sysconfdir}/sudoers || :
 
 %files devel
 %defattr(-,root,root,-)
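Review bot: The two added man-page entries hard-code the `.gz` suffix, while the neighbouring entries use a glob such as `visudo.8*`. Writing them as `%{_mandir}/man1/cvtsudoers.1*` and `%{_mandir}/man5/sudoers_timestamp.5*` keeps the `%files` list independent of how the build root compresses man pages and matches the rest of the section. The `%files` section itself starts outside this hunk.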
@@ -260,9 +222,25 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
-* Mon May 28 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.19p2-14
-- Fixed deadlocking after command termination when iolog is enabled
-  Resolves: rhbz#1582155
+* Mon Sep 24 2018 Daniel Kopecek <dkopecek@redhat.com> 1.8.23-3
+- RHEL-7.6 erratum
+  Resolves: rhbz#1547974 - Rebase sudo to latest stable upstream version
+
+* Fri Sep 21 2018 Daniel Kopecek <dkopecek@redhat.com> 1.8.23-2
+- RHEL-7.6 erratum
+  Resolves: rhbz#1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers
+  Resolves: rhbz#1506025 - Latest update broke sudo for ldap users.
+  Resolves: rhbz#1502630 - inclusion of system-auth for session hooks missing in sudo PAM snippets
+
+* Thu Jun 28 2018 Daniel Kopecek <dkopecek@redhat.com> 1.8.23-1
+- RHEL-7.6 erratum
+  Resolves: rhbz#1547974 - Rebase sudo to latest stable upstream version (1.8.23)
+  Resolves: rhbz#1502630 - inclusion of system-auth for session hooks missing in sudo PAM snippets
+  Resolves: rhbz#1506025 - Latest update broke sudo for ldap users.
+  Resolves: rhbz#1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers
+  Resolves: rhbz#1548380 - RFE: Create flag to filter to sudo -l output
+  Resolves: rhbz#1510002 - Ensure that the command input (stdin) eating behaviour of Default log_input is documented
+  Resolves: rhbz#1596032 - Why does sudo package depend on vim-minimal?
 
 * Thu Nov 30 2017 Radovan Sroka <rsroka@redhat.com> 1.8.19p2-13
 - RHEL 7.5 erratum