diff --git a/.gitignore b/.gitignore
index 9e53a0f..766ab1a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/sudo-1.8.25p1.tar.gz
+SOURCES/sudo-1.8.29.tar.gz
diff --git a/.sudo.metadata b/.sudo.metadata
index a9c3233..5f0f2dc 100644
--- a/.sudo.metadata
+++ b/.sudo.metadata
@@ -1 +1 @@
-dc49b91ffbd9cd5e1d1eaaf001c42f71f869f377 SOURCES/sudo-1.8.25p1.tar.gz
+fdce342856f1803478eb549479190370001dca95 SOURCES/sudo-1.8.29.tar.gz
diff --git a/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch b/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
deleted file mode 100644
index 25bbfe9..0000000
--- a/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok
---- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix 2018-09-24 18:10:37.235000000 +0200
-+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok 2018-09-24 18:11:40.153000000 +0200
-@@ -34,7 +34,7 @@
- },
- {
- "Binding": [
-- { "username": "%them" }
-+ { "usergroup": "them" }
- ],
- "Options": [
- { "set_home": true }
-@@ -42,7 +42,7 @@
- },
- {
- "Binding": [
-- { "username": "%: non UNIX 0 c" }
-+ { "nonunixgroup": " non UNIX 0 c" }
- ],
- "Options": [
- { "set_home": true }
-@@ -50,7 +50,7 @@
- },
- {
- "Binding": [
-- { "username": "+net" }
-+ { "netgroup": "net" }
- ],
- "Options": [
- { "set_home": true }
-diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok
---- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix 2018-09-24 18:10:25.216000000 +0200
-+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok 2018-09-24 18:11:45.213000000 +0200
-@@ -29,9 +29,9 @@ DEFAULTS_HOST BEGINSTR STRBODY ENDSTR WO
- #
- DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
- DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
--DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
--DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
--DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
-+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR
-+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR
-+DEFAULTS_USER BEGINSTR STRBODY ENDSTR NETGROUP DEFVAR
-
- #
- DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
-diff -up sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.c
---- sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200
-+++ sudo-1.8.23/plugins/sudoers/toke.c 2018-09-24 18:06:15.527000000 +0200
-@@ -2395,7 +2395,7 @@ YY_RULE_SETUP
- LEXTRACE("ERROR "); /* empty string */
- LEXRETURN(ERROR);
- }
-- if (prev_state == INITIAL) {
-+ if (prev_state == INITIAL || prev_state == GOTDEFS) {
- switch (sudoerslval.string[0]) {
- case '%':
- if (sudoerslval.string[1] == '\0' ||
-diff -up sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.l
---- sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200
-+++ sudo-1.8.23/plugins/sudoers/toke.l 2018-09-24 18:06:15.528000000 +0200
-@@ -187,7 +187,7 @@ DEFVAR [a-z_]+
- LEXTRACE("ERROR "); /* empty string */
- LEXRETURN(ERROR);
- }
-- if (prev_state == INITIAL) {
-+ if (prev_state == INITIAL || prev_state == GOTDEFS) {
- switch (sudoerslval.string[0]) {
- case '%':
- if (sudoerslval.string[1] == '\0' ||
diff --git a/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch b/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch
deleted file mode 100644
index 9698d23..0000000
--- a/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff -up sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix sudo-1.8.23/plugins/sudoers/ldap.c
---- sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix 2018-04-29 21:59:31.000000000 +0200
-+++ sudo-1.8.23/plugins/sudoers/ldap.c 2018-06-18 08:34:01.202686941 +0200
-@@ -1189,8 +1189,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
- if (ldap_conf.search_filter)
- sz += strlen(ldap_conf.search_filter);
-
-- /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
-- sz += 29 + sudo_ldap_value_len(pw->pw_name);
-+ /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */
-+ sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name);
-
- /* Add space for primary and supplementary groups and gids */
- if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
-@@ -1253,6 +1253,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
- CHECK_LDAP_VCAT(buf, pw->pw_name, sz);
- CHECK_STRLCAT(buf, ")", sz);
-
-+ /* Append user uid */
-+ (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid);
-+ (void) strlcat(buf, "(sudoUser=#", sz);
-+ (void) strlcat(buf, gidbuf, sz);
-+ (void) strlcat(buf, ")", sz);
-+
- /* Append primary group and gid */
- if (grp != NULL) {
- CHECK_STRLCAT(buf, "(sudoUser=%", sz);
diff --git a/SOURCES/sudo-1.8.23-legacy-group-processing.patch b/SOURCES/sudo-1.8.23-legacy-group-processing.patch
index 8cb6a8f..aee16eb 100644
--- a/SOURCES/sudo-1.8.23-legacy-group-processing.patch
+++ b/SOURCES/sudo-1.8.23-legacy-group-processing.patch
@@ -1,7 +1,7 @@
diff -up ./plugins/sudoers/cvtsudoers.c.legacy-processing ./plugins/sudoers/cvtsudoers.c
---- ./plugins/sudoers/cvtsudoers.c.legacy-processing 2018-09-26 12:27:13.087680204 +0200
-+++ ./plugins/sudoers/cvtsudoers.c 2018-09-26 12:30:59.222466620 +0200
-@@ -321,6 +321,15 @@ main(int argc, char *argv[])
+--- ./plugins/sudoers/cvtsudoers.c.legacy-processing 2019-10-28 13:28:52.000000000 +0100
++++ ./plugins/sudoers/cvtsudoers.c 2019-10-30 13:32:43.309480623 +0100
+@@ -347,6 +347,15 @@ main(int argc, char *argv[])
sudo_fatalx("error: unhandled input %d", input_format);
}
@@ -18,9 +18,9 @@ diff -up ./plugins/sudoers/cvtsudoers.c.legacy-processing ./plugins/sudoers/cvts
filter_userspecs(&parsed_policy, conf);
filter_defaults(&parsed_policy, conf);
diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaults.c
---- ./plugins/sudoers/defaults.c.legacy-processing 2018-09-02 14:30:08.000000000 +0200
-+++ ./plugins/sudoers/defaults.c 2018-09-26 12:27:13.087680204 +0200
-@@ -86,6 +86,7 @@ static struct early_default early_defaul
+--- ./plugins/sudoers/defaults.c.legacy-processing 2019-10-28 13:28:52.000000000 +0100
++++ ./plugins/sudoers/defaults.c 2019-10-30 13:32:43.309480623 +0100
+@@ -93,6 +93,7 @@ static struct early_default early_defaul
{ I_FQDN },
#endif
{ I_MATCH_GROUP_BY_GID },
@@ -28,7 +28,7 @@ diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaul
{ I_GROUP_PLUGIN },
{ I_RUNAS_DEFAULT },
{ I_SUDOERS_LOCALE },
-@@ -487,6 +488,8 @@ init_defaults(void)
+@@ -494,6 +495,8 @@ init_defaults(void)
}
/* First initialize the flags. */
@@ -38,10 +38,10 @@ diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaul
def_long_otp_prompt = true;
#endif
diff -up ./plugins/sudoers/def_data.c.legacy-processing ./plugins/sudoers/def_data.c
---- ./plugins/sudoers/def_data.c.legacy-processing 2018-08-18 16:10:15.000000000 +0200
-+++ ./plugins/sudoers/def_data.c 2018-09-26 12:27:13.087680204 +0200
-@@ -494,6 +494,10 @@ struct sudo_defs_types sudo_defs_table[]
- N_("Ignore case when matching group names"),
+--- ./plugins/sudoers/def_data.c.legacy-processing 2019-10-30 13:32:43.309480623 +0100
++++ ./plugins/sudoers/def_data.c 2019-10-30 13:37:25.914602825 +0100
+@@ -506,6 +506,10 @@ struct sudo_defs_types sudo_defs_table[]
+ N_("Log when a command is denied by sudoers"),
NULL,
}, {
+ "legacy_group_processing", T_FLAG,
@@ -52,31 +52,31 @@ diff -up ./plugins/sudoers/def_data.c.legacy-processing ./plugins/sudoers/def_da
}
};
diff -up ./plugins/sudoers/def_data.h.legacy-processing ./plugins/sudoers/def_data.h
---- ./plugins/sudoers/def_data.h.legacy-processing 2018-08-18 16:10:15.000000000 +0200
-+++ ./plugins/sudoers/def_data.h 2018-09-26 12:27:13.087680204 +0200
-@@ -226,6 +226,8 @@
- #define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag)
- #define I_CASE_INSENSITIVE_GROUP 113
- #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
-+#define I_LEGACY_GROUP_PROCESSING 114
+--- ./plugins/sudoers/def_data.h.legacy-processing 2019-10-30 13:32:43.310480638 +0100
++++ ./plugins/sudoers/def_data.h 2019-10-30 13:40:59.651713757 +0100
+@@ -232,6 +232,8 @@
+ #define def_log_allowed (sudo_defs_table[I_LOG_ALLOWED].sd_un.flag)
+ #define I_LOG_DENIED 116
+ #define def_log_denied (sudo_defs_table[I_LOG_DENIED].sd_un.flag)
++#define I_LEGACY_GROUP_PROCESSING 117
+#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
enum def_tuple {
never,
diff -up ./plugins/sudoers/def_data.in.legacy-processing ./plugins/sudoers/def_data.in
---- ./plugins/sudoers/def_data.in.legacy-processing 2018-08-18 16:10:15.000000000 +0200
-+++ ./plugins/sudoers/def_data.in 2018-09-26 12:27:13.088680212 +0200
-@@ -357,3 +357,6 @@ case_insensitive_user
- case_insensitive_group
+--- ./plugins/sudoers/def_data.in.legacy-processing 2019-10-30 13:32:43.310480638 +0100
++++ ./plugins/sudoers/def_data.in 2019-10-30 13:42:20.915896239 +0100
+@@ -366,3 +366,6 @@ log_allowed
+ log_denied
T_FLAG
- "Ignore case when matching group names"
+ "Log when a command is denied by sudoers"
+legacy_group_processing
+ T_FLAG
+ "Don't pre-resolve all group names"
diff -up ./plugins/sudoers/sudoers.c.legacy-processing ./plugins/sudoers/sudoers.c
---- ./plugins/sudoers/sudoers.c.legacy-processing 2018-08-18 16:10:25.000000000 +0200
-+++ ./plugins/sudoers/sudoers.c 2018-09-26 12:27:13.088680212 +0200
-@@ -212,6 +212,10 @@ sudoers_policy_init(void *info, char * c
+--- ./plugins/sudoers/sudoers.c.legacy-processing 2019-10-28 13:28:53.000000000 +0100
++++ ./plugins/sudoers/sudoers.c 2019-10-30 13:32:43.310480638 +0100
+@@ -221,6 +221,10 @@ sudoers_policy_init(void *info, char * c
if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
ret = true;
diff --git a/SOURCES/sudo-1.8.23-nowaitopt.patch b/SOURCES/sudo-1.8.23-nowaitopt.patch
index 6406396..4c3c603 100644
--- a/SOURCES/sudo-1.8.23-nowaitopt.patch
+++ b/SOURCES/sudo-1.8.23-nowaitopt.patch
@@ -1,7 +1,7 @@
-diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.c
---- sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt 2018-06-18 09:36:34.249307795 +0200
-+++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-18 09:43:12.122986032 +0200
-@@ -498,6 +498,10 @@ struct sudo_defs_types sudo_defs_table[]
+diff -up ./plugins/sudoers/def_data.c.nowait ./plugins/sudoers/def_data.c
+--- ./plugins/sudoers/def_data.c.nowait 2019-10-30 13:43:48.376168944 +0100
++++ ./plugins/sudoers/def_data.c 2019-10-30 13:43:48.378168973 +0100
+@@ -510,6 +510,10 @@ struct sudo_defs_types sudo_defs_table[]
N_("Don't pre-resolve all group names"),
NULL,
}, {
@@ -12,33 +12,32 @@ diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/su
NULL, 0, NULL
}
};
-diff -up sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.h
---- sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt 2018-06-18 09:36:34.250307792 +0200
-+++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-18 09:43:44.541878327 +0200
-@@ -228,6 +228,8 @@
- #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
- #define I_LEGACY_GROUP_PROCESSING 114
+diff -up ./plugins/sudoers/def_data.h.nowait ./plugins/sudoers/def_data.h
+--- ./plugins/sudoers/def_data.h.nowait 2019-10-30 13:43:48.378168973 +0100
++++ ./plugins/sudoers/def_data.h 2019-10-30 13:45:38.425770365 +0100
+@@ -234,6 +234,8 @@
+ #define def_log_denied (sudo_defs_table[I_LOG_DENIED].sd_un.flag)
+ #define I_LEGACY_GROUP_PROCESSING 117
#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
-+#define I_CMND_NO_WAIT 115
++#define I_CMND_NO_WAIT 118
+#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
enum def_tuple {
never,
-diff -up sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.in
---- sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt 2018-06-18 09:36:34.250307792 +0200
-+++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-18 09:45:00.076627403 +0200
-@@ -360,3 +360,6 @@ case_insensitive_group
+diff -up ./plugins/sudoers/def_data.in.nowait ./plugins/sudoers/def_data.in
+--- ./plugins/sudoers/def_data.in.nowait 2019-10-30 13:43:48.376168944 +0100
++++ ./plugins/sudoers/def_data.in 2019-10-30 13:43:48.379168987 +0100
+@@ -369,3 +369,6 @@ log_denied
legacy_group_processing
T_FLAG
"Don't pre-resolve all group names"
+cmnd_no_wait
+ T_FLAG
+ "Don't fork and wait for the command to finish, just exec it"
-diff -up sudo-1.8.23/plugins/sudoers/policy.c.nowaitopt sudo-1.8.23/plugins/sudoers/policy.c
-diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt sudo-1.8.23/plugins/sudoers/sudoers.c
---- sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt 2018-06-18 11:31:51.883751328 +0200
-+++ sudo-1.8.23/plugins/sudoers/sudoers.c 2018-06-18 11:31:03.670899166 +0200
-@@ -213,6 +213,20 @@ sudoers_policy_init(void *info, char * c
+diff -up ./plugins/sudoers/sudoers.c.nowait ./plugins/sudoers/sudoers.c
+--- ./plugins/sudoers/sudoers.c.nowait 2019-10-30 13:43:48.376168944 +0100
++++ ./plugins/sudoers/sudoers.c 2019-10-30 13:43:48.379168987 +0100
+@@ -225,6 +225,20 @@ sudoers_policy_init(void *info, char * c
def_match_group_by_gid = false;
def_legacy_group_processing = false;
}
diff --git a/SOURCES/sudo-1.8.23-pam-expired-passwords.patch b/SOURCES/sudo-1.8.23-pam-expired-passwords.patch
deleted file mode 100644
index bf2078a..0000000
--- a/SOURCES/sudo-1.8.23-pam-expired-passwords.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-
-# HG changeset patch
-# User Todd C. Miller <Todd.Miller@sudo.ws>
-# Date 1544201494 25200
-# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5
-# Parent ef83f35c9cb090a8b4fd36942f1e47e65c285dce
-The fix for bug #843 was incomplete and caused pam_end() to be called early.
-sudo_pam_approval() must not set the global pam status to an error
-value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup()
-will call pam_end() before sudo_pam_begin_session(). This resulted
-in a NULL PAM handle being used in sudo_pam_begin_session().
-
-diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c
---- a/plugins/sudoers/auth/pam.c Wed Dec 05 10:43:14 2018 -0700
-+++ b/plugins/sudoers/auth/pam.c Fri Dec 07 09:51:34 2018 -0700
-@@ -210,59 +210,68 @@
- sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
- {
- const char *s;
-+ int rc, status = AUTH_SUCCESS;
- int *pam_status = (int *) auth->data;
- debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
-
-- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
-- switch (*pam_status) {
-+ rc = pam_acct_mgmt(pamh, PAM_SILENT);
-+ switch (rc) {
- case PAM_SUCCESS:
-- debug_return_int(AUTH_SUCCESS);
-+ break;
- case PAM_AUTH_ERR:
- log_warningx(0, N_("account validation failure, "
- "is your account locked?"));
-- debug_return_int(AUTH_FATAL);
-+ status = AUTH_FATAL;
-+ break;
- case PAM_NEW_AUTHTOK_REQD:
- /* Ignore if user is exempt from password restrictions. */
- if (exempt)
-- debug_return_int(AUTH_SUCCESS);
-+ break;
- /* New password required, try to change it. */
- log_warningx(0, N_("Account or password is "
- "expired, reset your password and try again"));
-- *pam_status = pam_chauthtok(pamh,
-- PAM_CHANGE_EXPIRED_AUTHTOK);
-- if (*pam_status == PAM_SUCCESS)
-- debug_return_int(AUTH_SUCCESS);
-- if ((s = pam_strerror(pamh, *pam_status)) == NULL)
-+ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
-+ if (rc == PAM_SUCCESS)
-+ break;
-+ if ((s = pam_strerror(pamh, rc)) == NULL)
- s = "unknown error";
- log_warningx(0,
- N_("unable to change expired password: %s"), s);
-- debug_return_int(AUTH_FAILURE);
-+ status = AUTH_FAILURE;
-+ break;
- case PAM_AUTHTOK_EXPIRED:
- /* Ignore if user is exempt from password restrictions. */
- if (exempt)
-- debug_return_int(AUTH_SUCCESS);
-+ break;
- /* Password expired, cannot be updated by user. */
- log_warningx(0,
- N_("Password expired, contact your system administrator"));
-- debug_return_int(AUTH_FATAL);
-+ status = AUTH_FATAL;
-+ break;
- case PAM_ACCT_EXPIRED:
- log_warningx(0,
- N_("Account expired or PAM config lacks an \"account\" "
- "section for sudo, contact your system administrator"));
-- debug_return_int(AUTH_FATAL);
-+ status = AUTH_FATAL;
-+ break;
- case PAM_AUTHINFO_UNAVAIL:
- case PAM_MAXTRIES:
- case PAM_PERM_DENIED:
-- s = pam_strerror(pamh, *pam_status);
-+ s = pam_strerror(pamh, rc);
- log_warningx(0, N_("PAM account management error: %s"),
- s ? s : "unknown error");
-- debug_return_int(AUTH_FAILURE);
-+ status = AUTH_FAILURE;
-+ break;
- default:
-- s = pam_strerror(pamh, *pam_status);
-+ s = pam_strerror(pamh, rc);
- log_warningx(0, N_("PAM account management error: %s"),
- s ? s : "unknown error");
-- debug_return_int(AUTH_FATAL);
-+ status = AUTH_FATAL;
-+ break;
- }
-+ /* Ignore errors if user is exempt from password restrictions. */
-+ *pam_status = exempt ? PAM_SUCCESS : rc;
-+ debug_return_int(status);
- }
-
- int
-
diff --git a/SOURCES/sudo-1.8.23-who-am-i.patch b/SOURCES/sudo-1.8.23-who-am-i.patch
deleted file mode 100644
index 2be1c3c..0000000
--- a/SOURCES/sudo-1.8.23-who-am-i.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-commit b2f7983c84fd01e0b29895d7df776b4b162fd8a5
-Author: Todd C. Miller <Todd.Miller@sudo.ws>
-Date: Wed Jan 2 07:39:33 2019 -0700
-
- Fix setting of utmp entry when running command in a pty.
- Regression introduced in sudo 1.8.22.
-
-diff --git a/src/exec_pty.c b/src/exec_pty.c
-index cbcccca3..68312a98 100644
---- a/src/exec_pty.c
-+++ b/src/exec_pty.c
-@@ -140,7 +140,7 @@ pty_cleanup(void)
- * and slavename globals.
- */
- static bool
--pty_setup(uid_t uid, const char *tty)
-+pty_setup(struct command_details *details, const char *tty)
- {
- debug_decl(pty_setup, SUDO_DEBUG_EXEC);
-
-@@ -152,12 +152,15 @@ pty_setup(uid_t uid, const char *tty)
- }
-
- if (!get_pty(&io_fds[SFD_MASTER], &io_fds[SFD_SLAVE],
-- slavename, sizeof(slavename), uid))
-+ slavename, sizeof(slavename), details->euid))
- sudo_fatal(U_("unable to allocate pty"));
-
- /* Add entry to utmp/utmpx? */
-- if (utmp_user != NULL)
-+ if (ISSET(details->flags, CD_SET_UTMP)) {
-+ utmp_user =
-+ details->utmp_user ? details->utmp_user : user_details.username;
- utmp_login(tty, slavename, io_fds[SFD_SLAVE], utmp_user);
-+ }
-
- sudo_debug_printf(SUDO_DEBUG_INFO,
- "%s: %s fd %d, pty master fd %d, pty slave fd %d",
-@@ -1302,12 +1305,11 @@ exec_pty(struct command_details *details, struct command_status *cstat)
- /*
- * Allocate a pty.
- */
-- if (pty_setup(details->euid, user_details.tty)) {
-- if (ISSET(details->flags, CD_SET_UTMP))
-- utmp_user = details->utmp_user ? details->utmp_user : user_details.username;
-- } else if (TAILQ_EMPTY(&io_plugins)) {
-- /* Not logging I/O and didn't allocate a pty. */
-- debug_return_bool(false);
-+ if (!pty_setup(details, user_details.tty)) {
-+ if (TAILQ_EMPTY(&io_plugins)) {
-+ /* Not logging I/O and didn't allocate a pty. */
-+ debug_return_bool(false);
-+ }
- }
-
- /*
diff --git a/SOURCES/sudo-1.8.25-c-option-help.patch b/SOURCES/sudo-1.8.25-c-option-help.patch
deleted file mode 100644
index 5836052..0000000
--- a/SOURCES/sudo-1.8.25-c-option-help.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 142b370c1f928549db3b357a495d151c7cd87f65 Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller" <Todd.Miller@sudo.ws>
-Date: Tue, 11 Dec 2018 09:05:04 -0700
-Subject: [PATCH 2/4] The -c option was missing from the help info; from
- Radovan Sroka
-
----
- plugins/sudoers/cvtsudoers.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/plugins/sudoers/cvtsudoers.c b/plugins/sudoers/cvtsudoers.c
-index 795936c1..0221314b 100644
---- a/plugins/sudoers/cvtsudoers.c
-+++ b/plugins/sudoers/cvtsudoers.c
-@@ -1315,6 +1315,7 @@ help(void)
- usage(0);
- (void) puts(_("\nOptions:\n"
- " -b, --base=dn the base DN for sudo LDAP queries\n"
-+ " -c, --config=conf_file the path to the configuration file\n"
- " -d, --defaults=deftypes only convert Defaults of the specified types\n"
- " -e, --expand-aliases expand aliases when converting\n"
- " -f, --output-format=format set output format: JSON, LDIF or sudoers\n"
---
-2.17.2
-
diff --git a/SOURCES/sudo-1.8.25-sudoreplay-missing-options-help.patch b/SOURCES/sudo-1.8.25-sudoreplay-missing-options-help.patch
deleted file mode 100644
index 88fa081..0000000
--- a/SOURCES/sudo-1.8.25-sudoreplay-missing-options-help.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-diff -up ./plugins/sudoers/sudoreplay.c.sudoreplay-help ./plugins/sudoers/sudoreplay.c
---- ./plugins/sudoers/sudoreplay.c.sudoreplay-help 2018-12-11 18:12:56.715098760 +0100
-+++ ./plugins/sudoers/sudoreplay.c 2018-12-11 18:18:34.345184173 +0100
-@@ -1582,13 +1582,16 @@ help(void)
- (void) printf(_("%s - replay sudo session logs\n\n"), getprogname());
- usage(0);
- (void) puts(_("\nOptions:\n"
-- " -d, --directory=dir specify directory for session logs\n"
-- " -f, --filter=filter specify which I/O type(s) to display\n"
-- " -h, --help display help message and exit\n"
-- " -l, --list list available session IDs, with optional expression\n"
-- " -m, --max-wait=num max number of seconds to wait between events\n"
-- " -s, --speed=num speed up or slow down output\n"
-- " -V, --version display version information and exit"));
-+ " -d, --directory=dir specify directory for session logs\n"
-+ " -f, --filter=filter specify which I/O type(s) to display\n"
-+ " -h, --help display help message and exit\n"
-+ " -l, --list list available session IDs, with optional expression\n"
-+ " -m, --max-wait=num max number of seconds to wait between events\n"
-+ " -n, --non-interactive no prompts, session is sent to the standard output\n"
-+ " -R, --no-resize do not attempt to re-size the terminal\n"
-+ " -S, --suspend-wait wait while the command was suspended\n"
-+ " -s, --speed=num speed up or slow down output\n"
-+ " -V, --version display version information and exit"));
- exit(0);
- }
-
diff --git a/SOURCES/sudo-1.8.25-typos-manpages.patch b/SOURCES/sudo-1.8.25-typos-manpages.patch
deleted file mode 100644
index 32c645e..0000000
--- a/SOURCES/sudo-1.8.25-typos-manpages.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 04a4b3c1fcc1526ff1ea73597a1764cb160d400b Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller" <Todd.Miller@sudo.ws>
-Date: Tue, 11 Dec 2018 09:02:30 -0700
-Subject: [PATCH 1/4] Fix some typos; reported by Radovan Sroka
-
----
- doc/cvtsudoers.cat | 6 +++---
- doc/cvtsudoers.man.in | 6 +++---
- doc/cvtsudoers.mdoc.in | 6 +++---
- 3 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/doc/cvtsudoers.cat b/doc/cvtsudoers.cat
-index 61bf3a28..9c1ef140 100644
---- a/doc/cvtsudoers.cat
-+++ b/doc/cvtsudoers.cat
-@@ -24,7 +24,7 @@ D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
- -�-b�b _�d_�n, -�--�-b�ba�as�se�e=_�d_�n
- The base DN (distinguished name) that will be used when
- performing LDAP queries. Typically this is of the form
-- ou=SUDOers,dc=-mydomain,dc=com for the domain my-domain.com.
-+ ou=SUDOers,dc=my-domain,dc=com for the domain my-domain.com.
- If this option is not specified, the value of the
- SUDOERS_BASE environment variable will be used instead. Only
- necessary when converting to LDIF format.
-@@ -60,7 +60,7 @@ D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
- Expand aliases in _�i_�n_�p_�u_�t_�__�f_�i_�l_�e. Aliases are preserved by
- default when the output _�f_�o_�r_�m_�a_�t is JSON or sudoers.
-
-- -�-f�f _�o_�u_�t_�p_�u_�t_�__�f_�o_�r_�m_�a_�t, -�--�-f�fo�or�rm�ma�at�t=_�o_�u_�t_�p_�u_�t_�__�f_�o_�r_�m_�a_�t
-+ -�-f�f _�o_�u_�t_�p_�u_�t_�__�f_�o_�r_�m_�a_�t, -�--�-o�ou�ut�tp�pu�ut�t-�-f�fo�or�rm�ma�at�t=_�o_�u_�t_�p_�u_�t_�__�f_�o_�r_�m_�a_�t
- Specify the output format (case-insensitive). The following
- formats are supported:
-
-diff --git a/doc/cvtsudoers.man.in b/doc/cvtsudoers.man.in
-index b159ee5d..2f45ee1d 100644
---- a/doc/cvtsudoers.man.in
-+++ b/doc/cvtsudoers.man.in
-@@ -59,7 +59,7 @@ The options are as follows:
- The base DN (distinguished name) that will be used when performing
- LDAP queries.
- Typically this is of the form
--\fRou=SUDOers,dc=-mydomain,dc=com\fR
-+\fRou=SUDOers,dc=my-domain,dc=com\fR
- for the domain
- \fRmy-domain.com\fR.
- If this option is not specified, the value of the
-@@ -125,7 +125,7 @@ Aliases are preserved by default when the output
- \fIformat\fR
- is JSON or sudoers.
- .TP 12n
--\fB\-f\fR \fIoutput_format\fR, \fB\--format\fR=\fIoutput_format\fR
-+\fB\-f\fR \fIoutput_format\fR, \fB\--output-format\fR=\fIoutput_format\fR
- Specify the output format (case-insensitive).
- The following formats are supported:
- .PP
-diff --git a/doc/cvtsudoers.mdoc.in b/doc/cvtsudoers.mdoc.in
-index 1812bc67..8261ddc6 100644
---- a/doc/cvtsudoers.mdoc.in
-+++ b/doc/cvtsudoers.mdoc.in
-@@ -57,7 +57,7 @@ The options are as follows:
- The base DN (distinguished name) that will be used when performing
- LDAP queries.
- Typically this is of the form
--.Li ou=SUDOers,dc=-mydomain,dc=com
-+.Li ou=SUDOers,dc=my-domain,dc=com
- for the domain
- .Li my-domain.com .
- If this option is not specified, the value of the
-@@ -110,7 +110,7 @@ Expand aliases in
- Aliases are preserved by default when the output
- .Ar format
- is JSON or sudoers.
--.It Fl f Ar output_format , Fl -format Ns = Ns Ar output_format
-+.It Fl f Ar output_format , Fl -output-format Ns = Ns Ar output_format
- Specify the output format (case-insensitive).
- The following formats are supported:
- .Bl -tag -width 8n
---
-2.17.2
-
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index 5279cd9..aac09cf 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users
Name: sudo
-Version: 1.8.25p1
-Release: 5%{?dist}
+Version: 1.8.29
+Release: 2%{?dist}
License: ISC
Group: Applications/System
URL: http://www.courtesan.com/sudo/
@@ -39,25 +39,11 @@ Patch2: sudo-1.8.23-sudoldapconfman.patch
Patch3: sudo-1.7.2p1-envdebug.patch
# 1247591 - Sudo taking a long time when user information is stored externally.
Patch4: sudo-1.8.23-legacy-group-processing.patch
-# 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option
-Patch5: sudo-1.8.23-ldapsearchuidfix.patch
# 840980 - sudo creates a new parent process
# Adds cmnd_no_wait Defaults option
-Patch6: sudo-1.8.23-nowaitopt.patch
+Patch5: sudo-1.8.23-nowaitopt.patch
# 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure
-Patch7: sudo-1.8.6p7-logsudouser.patch
-# 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version
-Patch8: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch
-# 1613327 - Man page scan results for sudo
-Patch9: sudo-1.8.25-typos-manpages.patch
-Patch10: sudo-1.8.25-c-option-help.patch
-Patch11: sudo-1.8.25-sudoreplay-missing-options-help.patch
-
-# RHEL 8.1
-# 1673886 - Problem with sudo-1.8.23 and 'who am i'
-Patch12: sudo-1.8.23-who-am-i.patch
-# 1676819 - Backporting sudo bug with expired passwords
-Patch13: sudo-1.8.23-pam-expired-passwords.patch
+Patch6: sudo-1.8.6p7-logsudouser.patch
%description
Sudo (superuser do) allows a system administrator to give certain
@@ -86,17 +72,8 @@ plugins that use %{name}.
%patch2 -p1 -b .sudoldapconfman
%patch3 -p1 -b .env-debug
%patch4 -p1 -b .legacy-processing
-%patch5 -p1 -b .ldap-search-uid
-%patch6 -p1 -b .nowait
-%patch7 -p1 -b .logsudouser
-%patch8 -p1 -b .double-quote
-
-%patch9 -p1 -b .typos
-%patch10 -p1 -b .c-option
-%patch11 -p1 -b .sudoreplay-help
-
-%patch12 -p1 -b .whoami
-%patch13 -p1 -b .pam-expired
+%patch5 -p1 -b .nowait
+%patch6 -p1 -b .logsudouser
%build
# Remove bundled copy of zlib
@@ -256,21 +233,50 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sudo_plugin.8*
%changelog
+* Wed Oct 30 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.29-2
+- RHEL 8.2 ERRATUM
+- rebase to 1.8.29
+Resolves: rhbz#1733961
+Resolves: rhbz#1651662
+
+* Fri Oct 25 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28p1-1
+- RHEL 8.2 ERRATUM
+- rebase to 1.8.28p1
+Resolves: rhbz#1733961
+- fixed man page for always_set_home
+Resolves: rhbz#1576880
+- sudo does not work with notbefore/after
+Resolves: rhbz#1679508
+- NOTBEFORE showing value of sudoNotAfter Ldap attribute
+Resolves: rhbz#1715516
+- CVE-2019-14287 sudo
+- Privilege escalation via 'Runas' specification with 'ALL' keyword
+Resolves: rhbz#1760697
+
+* Fri Aug 16 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-7
+- RHEL 8.1 ERRATUM
+- sudo ipa_hostname not honored
+Resolves: rhbz#1738662
+
+* Mon Aug 12 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-6
+- RHEL 8.1 ERRATUM
+- Fixed The LDAP backend which is not properly parsing sudoOptions,
+ resulting in selinux roles not being applied
+Resolves: rhbz#1738326
+
* Tue May 28 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.25-5
- RHEL 8.1 ERRATUM
- Fixed problem with sudo-1.8.23 and 'who am i'
Resolves: rhbz#1673886
- Backporting sudo bug with expired passwords
Resolves: rhbz#1676819
-- Added baseos CI into gating.yaml
-Resolves: rhbz#1682511
* Tue Dec 11 2018 Radovan Sroka <rsroka@redhat.com> - 1.8.25-4
- Fix most of the man page scans problems
- Resolves: rhbz#1613327
* Fri Oct 12 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.25-3
-- bump release for new build after gating tests fixes
+- bump release for new build
Resolves: rhbz#1625683
* Thu Oct 11 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.25-2