diff --git a/SOURCES/sudo-1.7.4p5-sudo-ldap.conf b/SOURCES/sudo-1.7.4p5-sudo-ldap.conf
deleted file mode 100644
index d8f8e4d..0000000
--- a/SOURCES/sudo-1.7.4p5-sudo-ldap.conf
+++ /dev/null
@@ -1,86 +0,0 @@
-## BINDDN DN
-##  The BINDDN parameter specifies the identity, in the form of a Dis‐
-##  tinguished Name (DN), to use when performing LDAP operations.  If
-##  not specified, LDAP operations are performed with an anonymous
-##  identity.  By default, most LDAP servers will allow anonymous
-##  access.
-##
-#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
-
-## BINDPW secret
-##  The BINDPW parameter specifies the password to use when performing
-##  LDAP operations.  This is typically used in conjunction with the
-##  BINDDN parameter.
-##
-#bindpw secret
-
-## SSL start_tls
-##  If the SSL parameter is set to start_tls, the LDAP server connec‐
-##  tion is initiated normally and TLS encryption is begun before the
-##  bind credentials are sent.  This has the advantage of not requiring
-##  a dedicated port for encrypted communications.  This parameter is
-##  only supported by LDAP servers that honor the start_tls extension,
-##  such as the OpenLDAP and Tivoli Directory servers.
-##
-#ssl start_tls
-
-## TLS_CACERTFILE file name
-##  The path to a certificate authority bundle which contains the cer‐
-##  tificates for all the Certificate Authorities the client knows to
-##  be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only sup‐
-##  ported by the OpenLDAP libraries.  Netscape-derived LDAP libraries
-##  use the same certificate database for CA and client certificates
-##  (see TLS_CERT).
-##
-#tls_cacertfile /path/to/CA.crt
-
-## TLS_CHECKPEER on/true/yes/off/false/no
-##  If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐
-##  cated to be verified.  If the server's TLS certificate cannot be
-##  verified (usually because it is signed by an unknown certificate
-##  authority), sudo will be unable to connect to it.  If TLS_CHECKPEER
-##  is disabled, no check is made.  Note that disabling the check cre‐
-##  ates an opportunity for man-in-the-middle attacks since the
-##  server's identity will not be authenticated.  If possible, the CA's
-##  certificate should be installed locally so it can be verified.
-##  This option is not supported by the Tivoli Directory Server LDAP
-##  libraries.
-#tls_checkpeer yes
-
-##
-## URI ldap[s]://[hostname[:port]] ...
-##  Specifies a whitespace-delimited list of one or more
-##  URIs describing the LDAP server(s) to connect to. 
-##
-#uri ldap://ldapserver
-
-##
-## SUDOERS_BASE base
-##  The base DN to use when performing sudo LDAP queries.
-##  Multiple SUDOERS_BASE lines may be specified, in which
-##  case they are queried in the order specified.
-##
-#sudoers_base ou=SUDOers,dc=example,dc=com
-
-##
-## BIND_TIMELIMIT seconds
-##  The BIND_TIMELIMIT parameter specifies the amount of
-##  time to wait while trying to connect to an LDAP server.
-##
-#bind_timelimit 30
-
-##
-## TIMELIMIT seconds
-##  The TIMELIMIT parameter specifies the amount of time
-##  to wait for a response to an LDAP query.
-##
-#timelimit 30
-
-##
-## SUDOERS_DEBUG debug_level
-##  This sets the debug level for sudo LDAP queries. Debugging
-##  information is printed to the standard error. A value of 1
-##  results in a moderate amount of debugging information.
-##  A value of 2 shows the results of the matches themselves.
-##
-#sudoers_debug 1
diff --git a/SOURCES/sudo-1.8.6p3-sigpipefix.patch b/SOURCES/sudo-1.8.6p3-sigpipefix.patch
new file mode 100644
index 0000000..ce4886b
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p3-sigpipefix.patch
@@ -0,0 +1,12 @@
+diff -up sudo-1.8.6p3/src/tgetpass.c.sigpipefix sudo-1.8.6p3/src/tgetpass.c
+--- sudo-1.8.6p3/src/tgetpass.c.sigpipefix	2015-03-03 10:23:23.219038693 +0100
++++ sudo-1.8.6p3/src/tgetpass.c	2015-03-03 10:23:43.089813184 +0100
+@@ -173,7 +173,7 @@ restore:
+     (void) sigaction(SIGTSTP, &savetstp, NULL);
+     (void) sigaction(SIGTTIN, &savettin, NULL);
+     (void) sigaction(SIGTTOU, &savettou, NULL);
+-    (void) sigaction(SIGTTOU, &savepipe, NULL);
++    (void) sigaction(SIGPIPE, &savepipe, NULL);
+     if (input != STDIN_FILENO)
+ 	(void) close(input);
+ 
diff --git a/SOURCES/sudo-1.8.6p3-sudo.conf b/SOURCES/sudo-1.8.6p3-sudo.conf
deleted file mode 100644
index 3047842..0000000
--- a/SOURCES/sudo-1.8.6p3-sudo.conf
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Default /etc/sudo.conf file
-#
-# Format:
-#   Plugin plugin_name plugin_path plugin_options ...
-#   Path askpass /path/to/askpass
-#   Path noexec /path/to/sudo_noexec.so
-#   Debug sudo /var/log/sudo_debug all@warn
-#   Set disable_coredump true
-#
-# Sudo plugins:
-#
-# The plugin_path is relative to ${prefix}/libexec unless fully qualified.
-# The plugin_name corresponds to a global symbol in the plugin
-#   that contains the plugin interface structure.
-# The plugin_options are optional.
-#
-# The sudoers plugin is used by default if no Plugin lines are present.
-Plugin sudoers_policy sudoers.so
-Plugin sudoers_io sudoers.so
-
-#
-# Sudo askpass:
-#
-# An askpass helper program may be specified to provide a graphical
-# password prompt for "sudo -A" support.  Sudo does not ship with its
-# own passpass program but can use the OpenSSH askpass.
-#
-# Use the OpenSSH askpass
-#Path askpass /usr/X11R6/bin/ssh-askpass
-#
-# Use the Gnome OpenSSH askpass
-#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
-
-#
-# Sudo noexec:
-#
-# Path to a shared library containing dummy versions of the execv(),
-# execve() and fexecve() library functions that just return an error.
-# This is used to implement the "noexec" functionality on systems that
-# support C<LD_PRELOAD> or its equivalent.
-# The compiled-in value is usually sufficient and should only be changed
-# if you rename or move the sudo_noexec.so file.
-#
-#Path noexec /usr/libexec/sudo_noexec.so
-
-#
-# Core dumps:
-#
-# By default, sudo disables core dumps while it is executing (they
-# are re-enabled for the command that is run).
-# To aid in debugging sudo problems, you may wish to enable core
-# dumps by setting "disable_coredump" to false.
-#
-# Set to false here so as not to interfere with /proc/sys/fs/suid_dumpable
-#
-Set disable_coredump false
diff --git a/SOURCES/sudo-1.8.6p3-visudo-quiet-flag.patch b/SOURCES/sudo-1.8.6p3-visudo-quiet-flag.patch
new file mode 100644
index 0000000..30c4eef
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p3-visudo-quiet-flag.patch
@@ -0,0 +1,12 @@
+diff -up sudo-1.8.6p3/plugins/sudoers/visudo.c.fix sudo-1.8.6p3/plugins/sudoers/visudo.c
+--- sudo-1.8.6p3/plugins/sudoers/visudo.c.fix	2015-07-22 11:29:03.899122767 +0200
++++ sudo-1.8.6p3/plugins/sudoers/visudo.c	2015-07-22 11:29:33.001826535 +0200
+@@ -201,7 +201,7 @@ main(int argc, char *argv[])
+ 		strict = true;		/* strict mode */
+ 		break;
+ 	    case 'q':
+-		quiet = false;		/* quiet mode */
++		quiet = true;		/* quiet mode */
+ 		break;
+ 	    default:
+ 		usage(1);
diff --git a/SOURCES/sudo-1.8.6p7-14-sudoers b/SOURCES/sudo-1.8.6p7-14-sudoers
deleted file mode 100644
index a943c24..0000000
--- a/SOURCES/sudo-1.8.6p7-14-sudoers
+++ /dev/null
@@ -1,118 +0,0 @@
-## Sudoers allows particular users to run various commands as
-## the root user, without needing the root password.
-##
-## Examples are provided at the bottom of the file for collections
-## of related commands, which can then be delegated out to particular
-## users or groups.
-## 
-## This file must be edited with the 'visudo' command.
-
-## Host Aliases
-## Groups of machines. You may prefer to use hostnames (perhaps using 
-## wildcards for entire domains) or IP addresses instead.
-# Host_Alias     FILESERVERS = fs1, fs2
-# Host_Alias     MAILSERVERS = smtp, smtp2
-
-## User Aliases
-## These aren't often necessary, as you can use regular groups
-## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
-## rather than USERALIAS
-# User_Alias ADMINS = jsmith, mikem
-
-
-## Command Aliases
-## These are groups of related commands...
-
-## Networking
-# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
-
-## Installation and management of software
-# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
-
-## Services
-# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
-
-## Updating the locate database
-# Cmnd_Alias LOCATE = /usr/bin/updatedb
-
-## Storage
-# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
-
-## Delegating permissions
-# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 
-
-## Processes
-# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
-
-## Drivers
-# Cmnd_Alias DRIVERS = /sbin/modprobe
-
-# Defaults specification
-
-#
-# Disable "ssh hostname sudo <cmd>", because it will show the password in clear. 
-#         You have to run "ssh -t hostname sudo <cmd>".
-#
-Defaults    requiretty
-
-#
-# Refuse to run if unable to disable echo on the tty. This setting should also be
-# changed in order to be able to use sudo without a tty. See requiretty above.
-#
-Defaults   !visiblepw
-
-#
-# Preserving HOME has security implications since many programs
-# use it when searching for configuration files. Note that HOME
-# is already set when the the env_reset option is enabled, so
-# this option is only effective for configurations where either
-# env_reset is disabled or HOME is present in the env_keep list.
-#
-Defaults    always_set_home
-
-Defaults    env_reset
-Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
-Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
-Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
-Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
-Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
-
-#
-# Adding HOME to env_keep may enable a user to run unrestricted
-# commands via sudo.
-#
-# Defaults   env_keep += "HOME"
-
-Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
-
-## Next comes the main part: which users can run what software on 
-## which machines (the sudoers file can be shared between multiple
-## systems).
-## Syntax:
-##
-## 	user	MACHINE=COMMANDS
-##
-## The COMMANDS section may have other options added to it.
-##
-## Allow root to run any commands anywhere 
-root	ALL=(ALL) 	ALL
-
-## Allows members of the 'sys' group to run networking, software, 
-## service management apps and more.
-# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
-
-## Allows people in group wheel to run all commands
-%wheel	ALL=(ALL)	ALL
-
-## Same thing without a password
-# %wheel	ALL=(ALL)	NOPASSWD: ALL
-
-## Allows members of the users group to mount and unmount the 
-## cdrom as root
-# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
-
-## Allows members of the users group to shutdown this system
-# %users  localhost=/sbin/shutdown -h now
-
-## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
-#includedir /etc/sudoers.d
diff --git a/SOURCES/sudo-1.8.6p7-digest_race_doc.patch b/SOURCES/sudo-1.8.6p7-digest_race_doc.patch
new file mode 100644
index 0000000..32544b3
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-digest_race_doc.patch
@@ -0,0 +1,88 @@
+diff -up sudo-1.8.6p7/doc/sudoers.cat.digest_race_doc sudo-1.8.6p7/doc/sudoers.cat
+--- sudo-1.8.6p7/doc/sudoers.cat.digest_race_doc	2016-05-11 13:53:51.125141217 +0200
++++ sudo-1.8.6p7/doc/sudoers.cat	2016-05-11 13:56:10.678178899 +0200
+@@ -301,13 +301,11 @@ SSUUDDOOEERRSS FFIILLEE FFO
+ 
+      If a command name is prefixed with a Digest_Spec, the command will only
+      match successfully if it can be verified using the specified SHA-2
+-     digest.  This may be useful in situations where the user invoking ssuuddoo
+-     has write access to the command or its parent directory.  The following
+-     digest formats are supported: sha224, sha256, sha384 and sha512.  The
+-     string may be specified in either hex or base64 format (base64 is more
+-     compact).  There are several utilities capable of generating SHA-2
+-     digests in hex format such as openssl, shasum, sha224sum, sha256sum,
+-     sha384sum, sha512sum.
++     digest.  The following digest formats are supported: sha224, sha256,
++     sha384 and sha512.  The string may be specified in either hex or base64
++     format (base64 is more compact).  There are several utilities capable of
++     generating SHA-2 digests in hex format such as openssl, shasum,
++     sha224sum, sha256sum, sha384sum, sha512sum.
+ 
+      For example, using openssl:
+ 
+@@ -319,6 +317,11 @@ SSUUDDOOEERRSS FFIILLEE FFO
+      $ openssl dgst -binary -sha224 /bin/ls | openssl base64
+      EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+ 
++     If the user has write access to either the command itself or the
++     directory in which the command is located (directly or via a ssuuddoo
++     command) it may be possible for the user to replace the command after the
++     digest check has been performed but before the command is executed.
++
+    DDeeffaauullttss
+      Certain configuration options may be changed from their default values at
+      run-time via one or more Default_Entry lines.  These may affect all users
+diff -up sudo-1.8.6p7/doc/sudoers.man.in.digest_race_doc sudo-1.8.6p7/doc/sudoers.man.in
+--- sudo-1.8.6p7/doc/sudoers.man.in.digest_race_doc	2016-05-11 13:54:01.005002291 +0200
++++ sudo-1.8.6p7/doc/sudoers.man.in	2016-05-11 13:58:28.541240345 +0200
+@@ -679,9 +679,6 @@ is prefixed with a
+ \fRDigest_Spec\fR,
+ the command will only match successfully if it can be verified
+ using the specified SHA-2 digest.
+-This may be useful in situations where the user invoking
+-\fBsudo\fR
+-has write access to the command or its parent directory.
+ The following digest formats are supported: sha224, sha256, sha384 and sha512.
+ The string may be specified in either hex or base64 format
+ (base64 is more compact).
+@@ -705,6 +702,13 @@ $ openssl dgst -binary -sha224 /bin/ls |
+ EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+ .RE
+ .fi
++.PP
++If the user has write access to either the command itself or the
++directory in which the command is located (directly or via a
++\fBsudo\fR
++command) it may be possible for the user to replace the command
++after the digest check has been performed but before the command
++is executed.
+ .SS "Defaults"
+ Certain configuration options may be changed from their default
+ values at run-time via one or more
+diff -up sudo-1.8.6p7/doc/sudoers.mdoc.in.digest_race_doc sudo-1.8.6p7/doc/sudoers.mdoc.in
+--- sudo-1.8.6p7/doc/sudoers.mdoc.in.digest_race_doc	2016-05-11 13:54:07.749907447 +0200
++++ sudo-1.8.6p7/doc/sudoers.mdoc.in	2016-05-11 13:59:22.263484933 +0200
+@@ -655,9 +655,6 @@ is prefixed with a
+ .Li Digest_Spec ,
+ the command will only match successfully if it can be verified
+ using the specified SHA-2 digest.
+-This may be useful in situations where the user invoking
+-.Nm sudo
+-has write access to the command or its parent directory.
+ The following digest formats are supported: sha224, sha256, sha384 and sha512.
+ The string may be specified in either hex or base64 format
+ (base64 is more compact).
+@@ -675,6 +672,13 @@ It is also possible to use openssl to ge
+ $ openssl dgst -binary -sha224 /bin/ls | openssl base64
+ EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+ .Ed
++.Pp
++If the user has write access to either the command itself or the
++directory in which the command is located (directly or via a
++.Nm sudo
++command) it may be possible for the user to replace the command
++after the digest check has been performed but before the command
++is executed.
+ .Ss Defaults
+ Certain configuration options may be changed from their default
+ values at run-time via one or more
diff --git a/SOURCES/sudo-1.8.6p7-ldap_sssd_parse_whitespaces.patch b/SOURCES/sudo-1.8.6p7-ldap_sssd_parse_whitespaces.patch
new file mode 100644
index 0000000..5f0a575
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-ldap_sssd_parse_whitespaces.patch
@@ -0,0 +1,91 @@
+diff -up sudo-1.8.6p7/common/fmt_string.c.ldap_sssd_parse_whitespaces sudo-1.8.6p7/common/fmt_string.c
+--- sudo-1.8.6p7/common/fmt_string.c.ldap_sssd_parse_whitespaces	2013-02-25 20:42:44.000000000 +0100
++++ sudo-1.8.6p7/common/fmt_string.c	2016-05-11 10:31:30.206090322 +0200
+@@ -38,6 +38,8 @@
+ # include <strings.h>
+ #endif /* HAVE_STRINGS_H */
+ 
++#include <ctype.h>
++
+ #include "missing.h"
+ #include "sudo_debug.h"
+ 
+@@ -64,3 +66,17 @@ fmt_string(const char *var, const char *
+ 
+     debug_return_str(str);
+ }
++
++char * rm_whitespaces(char * str){
++	    int state = 1;
++	    char * c;
++	    for (c = str ; *c != '\0' ; c++){
++	        if (state && isspace(*c))str++;
++	        else if (!isspace(*c))state = 0;
++	        else if (!state && isspace(*c)){
++			*c = '\0';
++			break;
++			}
++		}
++		return str;
++}
+diff -up sudo-1.8.6p7/plugins/sudoers/ldap.c.ldap_sssd_parse_whitespaces sudo-1.8.6p7/plugins/sudoers/ldap.c
+--- sudo-1.8.6p7/plugins/sudoers/ldap.c.ldap_sssd_parse_whitespaces	2016-05-11 10:31:30.202090379 +0200
++++ sudo-1.8.6p7/plugins/sudoers/ldap.c	2016-05-11 10:31:30.207090307 +0200
+@@ -1012,17 +1012,17 @@ sudo_ldap_parse_options(LDAP *ld, LDAPMe
+ 	    if (op == '+' || op == '-') {
+ 		*(val - 2) = '\0';	/* found, remove extra char */
+ 		/* case var+=val or var-=val */
+-		set_default(var, strunquote(val), (int) op);
++		set_default(rm_whitespaces(var), strunquote(val), (int) op);
+ 	    } else {
+ 		/* case var=val */
+-		set_default(var, strunquote(val), true);
++		set_default(rm_whitespaces(var), strunquote(val), true);
+ 	    }
+ 	} else if (*var == '!') {
+ 	    /* case !var Boolean False */
+-	    set_default(var + 1, NULL, false);
++	    set_default(rm_whitespaces(var + 1), NULL, false);
+ 	} else {
+ 	    /* case var Boolean True */
+-	    set_default(var, NULL, true);
++	    set_default(rm_whitespaces(var), NULL, true);
+ 	}
+ 	efree(var);
+     }
+diff -up sudo-1.8.6p7/plugins/sudoers/sssd.c.ldap_sssd_parse_whitespaces sudo-1.8.6p7/plugins/sudoers/sssd.c
+--- sudo-1.8.6p7/plugins/sudoers/sssd.c.ldap_sssd_parse_whitespaces	2016-05-11 10:31:30.202090379 +0200
++++ sudo-1.8.6p7/plugins/sudoers/sssd.c	2016-05-11 10:31:30.207090307 +0200
+@@ -1004,17 +1004,17 @@ sudo_sss_parse_options(struct sudo_sss_h
+ 	    if (op == '+' || op == '-') {
+ 		*(val - 2) = '\0';	/* found, remove extra char */
+ 		/* case var+=val or var-=val */
+-		set_default(v, strunquote(val), (int) op);
++		set_default(rm_whitespaces(v), strunquote(val), (int) op);
+ 	    } else {
+ 		/* case var=val */
+-		set_default(v, strunquote(val), true);
++		set_default(rm_whitespaces(v), strunquote(val), true);
+ 	    }
+ 	} else if (*v == '!') {
+ 	    /* case !var Boolean False */
+-	    set_default(v + 1, NULL, false);
++	    set_default(rm_whitespaces(v + 1), NULL, false);
+ 	} else {
+ 	    /* case var Boolean True */
+-	    set_default(v, NULL, true);
++	    set_default(rm_whitespaces(v), NULL, true);
+ 	}
+ 	efree(v);
+     }
+diff -up sudo-1.8.6p7/plugins/sudoers/sudoers.h.ldap_sssd_parse_whitespaces sudo-1.8.6p7/plugins/sudoers/sudoers.h
+--- sudo-1.8.6p7/plugins/sudoers/sudoers.h.ldap_sssd_parse_whitespaces	2016-05-11 10:31:30.204090350 +0200
++++ sudo-1.8.6p7/plugins/sudoers/sudoers.h	2016-05-11 10:31:30.207090307 +0200
+@@ -346,6 +346,7 @@ int sudoers_hook_unsetenv(const char *na
+ 
+ /* fmt_string.c */
+ char *fmt_string(const char *, const char *);
++char *rm_whitespaces(char * str);
+ 
+ /* sudoers.c */
+ void plugin_cleanup(int);
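Review bot: `rm_whitespaces()` in fmt_string.c passes a plain `char` to `isspace()`, which is undefined for negative values, and the strings it processes are option names read from LDAP/SSSD attributes; each call should be `isspace((unsigned char)*c)`. In the ldap.c and sssd.c hunks the `*var == '!'` / `*v == '!'` test still runs on the unstripped string, so an option with whitespace before the `!` appears to fall into the Boolean True branch with a name that begins with `!`. Stripping into a second pointer before the branch chain, while keeping the original for `efree()`, would make negation and stripping agree. The helper also silently truncates the name at the first interior whitespace and has no comment saying so; a one-line header such as `/* Skip leading whitespace and cut str at the first whitespace after the name; modifies str in place. */` would document that. The two parse functions begin and end outside the hunks.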
diff --git a/SOURCES/sudo-1.8.6p7-ldapusermatchfix.patch b/SOURCES/sudo-1.8.6p7-ldapusermatchfix.patch
new file mode 100644
index 0000000..c922924
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-ldapusermatchfix.patch
@@ -0,0 +1,47 @@
+diff -up sudo-1.8.6p7/plugins/sudoers/ldap.c.ldapusermatchfix sudo-1.8.6p7/plugins/sudoers/ldap.c
+--- sudo-1.8.6p7/plugins/sudoers/ldap.c.ldapusermatchfix	2016-05-09 15:33:10.933510674 +0200
++++ sudo-1.8.6p7/plugins/sudoers/ldap.c	2016-05-09 15:33:10.937510618 +0200
+@@ -2735,22 +2735,37 @@ sudo_ldap_result_get(struct sudo_nss *ns
+ 	    result = NULL;
+ 	    rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
+ 		NULL, 0, NULL, NULL, tvp, 0, &result);
+-	    if (rc != LDAP_SUCCESS) {
++	    if (rc != LDAP_SUCCESS || result == NULL) {
+ 		DPRINTF(("nothing found for '%s'", filt), 1);
+ 		continue;
+ 	    }
+-	    lres->user_matches = true;
++
++	    DPRINTF(("search result has %d entries (do_netgr=%s)",
++		     ldap_count_entries(ld, result), do_netgr ? "true" : "false"), 1);
++	    /*
++	     * Only set user_matches if we got some results back and if we are
++	     * NOT searching for netgroup entries. For the netgroup case, user_maches
++	     * will be set only if a netgroup match was found.
++	     */
++	    lres->user_matches = lres->user_matches ? true : ldap_count_entries(ld, result) > 0 && !do_netgr;
+ 
+ 	    /* Add the seach result to list of search results. */
+ 	    DPRINTF(("adding search result"), 1);
+ 	    sudo_ldap_result_add_search(lres, ld, result);
+ 	    LDAP_FOREACH(entry, ld, result) {
+-		if ((!do_netgr ||
+-		    sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name)) &&
++	      if (do_netgr) {
++		if (sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name) &&
+ 		    sudo_ldap_check_host(ld, entry)) {
+-		    lres->host_matches = true;
+-		    sudo_ldap_result_add_entry(lres, entry);
++		  lres->host_matches = true;
++		  lres->user_matches = true;
++		  sudo_ldap_result_add_entry(lres, entry);
++		}
++	      } else {
++		if (sudo_ldap_check_host(ld, entry)) {
++		  lres->host_matches = true;
++		  sudo_ldap_result_add_entry(lres, entry);
+ 		}
++	      }
+ 	    }
+ 	    DPRINTF(("result now has %d entries", lres->nentries), 1);
+ 	}
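Review bot: The `user_matches` assignment in `sudo_ldap_result_get()` mixes `?:`, `>` and `&&` without parentheses and calls `ldap_count_entries()` a second time right after the DPRINTF already did. Storing the count once and writing `if (!do_netgr && nentries > 0) lres->user_matches = true;` gives the same result and makes it obvious that a negative (error) count is treated as no match. The added comment also spells the field `user_maches`. The function body starts and ends outside the hunk.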
diff --git a/SOURCES/sudo-1.8.6p7-logsudouser.patch b/SOURCES/sudo-1.8.6p7-logsudouser.patch
new file mode 100644
index 0000000..59e577f
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-logsudouser.patch
@@ -0,0 +1,77 @@
+diff -up sudo-1.8.6p7/plugins/sudoers/logging.c.logsudouser sudo-1.8.6p7/plugins/sudoers/logging.c
+--- sudo-1.8.6p7/plugins/sudoers/logging.c.logsudouser	2013-02-25 20:46:09.000000000 +0100
++++ sudo-1.8.6p7/plugins/sudoers/logging.c	2016-05-09 16:24:10.831703862 +0200
+@@ -146,7 +146,7 @@ do_syslog(int pri, char *msg)
+      * Log the full line, breaking into multiple syslog(3) calls if necessary
+      */
+     fmt = _(FMT_FIRST);
+-    maxlen = MAXSYSLOGLEN - (strlen(fmt) - 5 + strlen(user_name));
++    maxlen = MAXSYSLOGLEN - (strlen(fmt) - 5 + strlen(sudo_user_name));
+     for (p = msg; *p != '\0'; ) {
+ 	len = strlen(p);
+ 	if (len > maxlen) {
+@@ -162,7 +162,7 @@ do_syslog(int pri, char *msg)
+ 	    save = *tmp;
+ 	    *tmp = '\0';
+ 
+-	    mysyslog(pri, fmt, user_name, p);
++	    mysyslog(pri, fmt, sudo_user_name, p);
+ 
+ 	    *tmp = save;			/* restore saved character */
+ 
+@@ -170,11 +170,11 @@ do_syslog(int pri, char *msg)
+ 	    for (p = tmp; *p == ' '; p++)
+ 		;
+ 	} else {
+-	    mysyslog(pri, fmt, user_name, p);
++	    mysyslog(pri, fmt, sudo_user_name, p);
+ 	    p += len;
+ 	}
+ 	fmt = _(FMT_CONTD);
+-	maxlen = MAXSYSLOGLEN - (strlen(fmt) - 5 + strlen(user_name));
++	maxlen = MAXSYSLOGLEN - (strlen(fmt) - 5 + strlen(sudo_user_name));
+     }
+ 
+ #ifdef HAVE_SETLOCALE
+@@ -216,17 +216,17 @@ do_logfile(char *msg)
+ 	    /* Don't pretty-print long log file lines (hard to grep) */
+ 	    if (def_log_host)
+ 		(void) fprintf(fp, "%s : %s : HOST=%s : %s\n",
+-		    get_timestr(now, def_log_year), user_name, user_shost, msg);
++		    get_timestr(now, def_log_year), sudo_user_name, user_shost, msg);
+ 	    else
+ 		(void) fprintf(fp, "%s : %s : %s\n",
+-		    get_timestr(now, def_log_year), user_name, msg);
++		    get_timestr(now, def_log_year), sudo_user_name, msg);
+ 	} else {
+ 	    if (def_log_host)
+ 		len = easprintf(&full_line, "%s : %s : HOST=%s : %s",
+-		    get_timestr(now, def_log_year), user_name, user_shost, msg);
++		    get_timestr(now, def_log_year), sudo_user_name, user_shost, msg);
+ 	    else
+ 		len = easprintf(&full_line, "%s : %s : %s",
+-		    get_timestr(now, def_log_year), user_name, msg);
++		    get_timestr(now, def_log_year), sudo_user_name, msg);
+ 
+ 	    /*
+ 	     * Print out full_line with word wrap around def_loglinelen chars.
+@@ -689,7 +689,7 @@ send_mail(const char *fmt, ...)
+ #endif /* HAVE_NL_LANGINFO */
+ 
+     (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host,
+-	get_timestr(time(NULL), def_log_year), user_name);
++	get_timestr(time(NULL), def_log_year), sudo_user_name);
+     va_start(ap, fmt);
+     (void) vfprintf(mail, fmt, ap);
+     va_end(ap);
+diff -up sudo-1.8.6p7/plugins/sudoers/sudoers.h.logsudouser sudo-1.8.6p7/plugins/sudoers/sudoers.h
+--- sudo-1.8.6p7/plugins/sudoers/sudoers.h.logsudouser	2016-05-09 16:24:10.815704088 +0200
++++ sudo-1.8.6p7/plugins/sudoers/sudoers.h	2016-05-09 16:24:10.831703862 +0200
+@@ -171,6 +171,7 @@ struct sudo_user {
+ /*
+  * Shortcuts for sudo_user contents.
+  */
++#define sudo_user_name		(sudo_user.pw->pw_name)
+ #define user_name		(sudo_user.name)
+ #define user_uid		(sudo_user.uid)
+ #define user_gid		(sudo_user.gid)
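Review bot: The new `sudo_user_name` macro in sudoers.h dereferences `sudo_user.pw` with no NULL check, and `do_syslog()`, `do_logfile()` and `send_mail()` now all go through it. If any of these can be reached before `sudo_user.pw` is populated (for example an early error logged while the invoking user is still being resolved — not visible in this hunk), the logging path would crash instead of recording the event. A guarded form such as `#define sudo_user_name (sudo_user.pw != NULL ? sudo_user.pw->pw_name : sudo_user.name)` keeps the audit record in that case. A short comment on the macro explaining why the passwd entry's name is preferred over `sudo_user.name` for log attribution would also help.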
diff --git a/SOURCES/sudo-1.8.6p7-netgroup_tuple.patch b/SOURCES/sudo-1.8.6p7-netgroup_tuple.patch
new file mode 100644
index 0000000..42f3ac2
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-netgroup_tuple.patch
@@ -0,0 +1,194 @@
+diff -up sudo-1.8.6p7/plugins/sudoers/defaults.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/defaults.c
+--- sudo-1.8.6p7/plugins/sudoers/defaults.c.netgroup_tuple	2016-05-09 15:34:41.059246583 +0200
++++ sudo-1.8.6p7/plugins/sudoers/defaults.c	2016-05-09 15:34:41.066246485 +0200
+@@ -362,6 +362,7 @@ init_defaults(void)
+     }
+ 
+     /* First initialize the flags. */
++    def_netgroup_tuple = false;
+     def_legacy_group_processing = true;
+ #ifdef LONG_OTP_PROMPT
+     def_long_otp_prompt = true;
+diff -up sudo-1.8.6p7/plugins/sudoers/def_data.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/def_data.c
+--- sudo-1.8.6p7/plugins/sudoers/def_data.c.netgroup_tuple	2016-05-09 15:34:41.059246583 +0200
++++ sudo-1.8.6p7/plugins/sudoers/def_data.c	2016-05-09 15:34:41.066246485 +0200
+@@ -359,6 +359,10 @@ struct sudo_defs_types sudo_defs_table[]
+ 	N_("Don't pre-resolve all group names"),
+ 	NULL,
+     }, {
++	"netgroup_tuple", T_FLAG,
++	N_("Use both user and host/domain fields when matching netgroups"),
++	NULL,
++    }, {
+ 	NULL, 0, NULL
+     }
+ };
+diff -up sudo-1.8.6p7/plugins/sudoers/def_data.h.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/def_data.h
+--- sudo-1.8.6p7/plugins/sudoers/def_data.h.netgroup_tuple	2016-05-09 15:34:41.059246583 +0200
++++ sudo-1.8.6p7/plugins/sudoers/def_data.h	2016-05-09 15:34:41.066246485 +0200
+@@ -166,6 +166,8 @@
+ #define I_CMND_NO_WAIT          82
+ #define def_legacy_group_processing (sudo_defs_table[83].sd_un.flag)
+ #define I_LEGACY_GROUP_PROCESSING 83
++#define def_netgroup_tuple      (sudo_defs_table[84].sd_un.flag)
++#define I_NETGROUP_TUPLE        84
+ 
+ enum def_tuple {
+ 	never,
+diff -up sudo-1.8.6p7/plugins/sudoers/ldap.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/ldap.c
+--- sudo-1.8.6p7/plugins/sudoers/ldap.c.netgroup_tuple	2016-05-09 15:34:41.065246499 +0200
++++ sudo-1.8.6p7/plugins/sudoers/ldap.c	2016-05-09 15:34:41.066246485 +0200
+@@ -636,8 +636,12 @@ sudo_ldap_check_user_netgroup(LDAP *ld,
+     for (p = bv; *p != NULL && !ret; p++) {
+ 	val = (*p)->bv_val;
+ 	/* match any */
+-	if (netgr_matches(val, NULL, NULL, user))
+-	    ret = true;
++	if (netgr_matches(val,
++        def_netgroup_tuple ? user_host : NULL,
++        def_netgroup_tuple ? user_shost : NULL,
++        user)) {
++    ret = true;
++  }
+ 	DPRINTF(("ldap sudoUser netgroup '%s' ... %s", val,
+ 	    ret ? "MATCH!" : "not"), 2 + ((ret) ? 0 : 1));
+     }
+@@ -652,7 +656,7 @@ sudo_ldap_check_user_netgroup(LDAP *ld,
+ * host match, else false.
+ */
+ static bool
+-sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry)
++sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, char *user)
+ {
+     struct berval **bv, **p;
+     char *val;
+@@ -672,7 +676,7 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessa
+ 	val = (*p)->bv_val;
+ 	/* match any or address or netgroup or hostname */
+ 	if (!strcmp(val, "ALL") || addr_matches(val) ||
+-	    netgr_matches(val, user_host, user_shost, NULL) ||
++	    netgr_matches(val, user_host, user_shost, def_netgroup_tuple ? user : NULL) ||
+ 	    hostname_matches(user_shost, user_host, val))
+ 	    ret = true;
+ 	DPRINTF(("ldap sudoHost '%s' ... %s", val,
+@@ -729,7 +733,10 @@ sudo_ldap_check_runas_user(LDAP *ld, LDA
+ 	val = (*p)->bv_val;
+ 	switch (val[0]) {
+ 	case '+':
+-	    if (netgr_matches(val, NULL, NULL, runas_pw->pw_name))
++	    if (netgr_matches(val,
++            def_netgroup_tuple ? user_host : NULL,
++            def_netgroup_tuple ? user_shost : NULL,
++            runas_pw->pw_name))
+ 		ret = true;
+ 	    break;
+ 	case '%':
+@@ -2755,13 +2762,13 @@ sudo_ldap_result_get(struct sudo_nss *ns
+ 	    LDAP_FOREACH(entry, ld, result) {
+ 	      if (do_netgr) {
+ 		if (sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name) &&
+-		    sudo_ldap_check_host(ld, entry)) {
++		    sudo_ldap_check_host(ld, entry, pw->pw_name)) {
+ 		  lres->host_matches = true;
+ 		  lres->user_matches = true;
+ 		  sudo_ldap_result_add_entry(lres, entry);
+ 		}
+ 	      } else {
+-		if (sudo_ldap_check_host(ld, entry)) {
++		if (sudo_ldap_check_host(ld, entry, pw->pw_name)) {
+ 		  lres->host_matches = true;
+ 		  sudo_ldap_result_add_entry(lres, entry);
+ 		}
+diff -up sudo-1.8.6p7/plugins/sudoers/match.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/match.c
+--- sudo-1.8.6p7/plugins/sudoers/match.c.netgroup_tuple	2016-05-09 15:34:41.062246541 +0200
++++ sudo-1.8.6p7/plugins/sudoers/match.c	2016-05-09 15:34:41.067246471 +0200
+@@ -117,7 +117,10 @@ userlist_matches(struct passwd *pw, stru
+ 		matched = !m->negated;
+ 		break;
+ 	    case NETGROUP:
+-		if (netgr_matches(m->name, NULL, NULL, pw->pw_name))
++		if (netgr_matches(m->name, 
++          def_netgroup_tuple ? user_host : NULL,
++          def_netgroup_tuple ? user_shost : NULL,
++          pw->pw_name))
+ 		    matched = !m->negated;
+ 		break;
+ 	    case USERGROUP:
+@@ -172,7 +175,10 @@ runaslist_matches(struct member_list *us
+ 		    user_matched = !m->negated;
+ 		    break;
+ 		case NETGROUP:
+-		    if (netgr_matches(m->name, NULL, NULL, runas_pw->pw_name))
++		    if (netgr_matches(m->name,
++              def_netgroup_tuple ? user_host : NULL,
++              def_netgroup_tuple ? user_shost : NULL,
++              runas_pw->pw_name))
+ 			user_matched = !m->negated;
+ 		    break;
+ 		case USERGROUP:
+@@ -269,7 +275,7 @@ hostlist_matches(struct member_list *lis
+ 		matched = !m->negated;
+ 		break;
+ 	    case NETGROUP:
+-		if (netgr_matches(m->name, user_host, user_shost, NULL))
++		if (netgr_matches(m->name, user_host, user_shost, def_netgroup_tuple ? user_name : NULL))
+ 		    matched = !m->negated;
+ 		break;
+ 	    case NTWKADDR:
+diff -up sudo-1.8.6p7/plugins/sudoers/sssd.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/sssd.c
+--- sudo-1.8.6p7/plugins/sudoers/sssd.c.netgroup_tuple	2016-05-09 15:34:41.056246625 +0200
++++ sudo-1.8.6p7/plugins/sudoers/sssd.c	2016-05-09 15:34:41.067246471 +0200
+@@ -452,7 +452,10 @@ sudo_sss_check_runas_user(struct sudo_ss
+ 	switch (val[0]) {
+ 	case '+':
+ 	    sudo_debug_printf(SUDO_DEBUG_DEBUG, "netgr_");
+-	    if (netgr_matches(val, NULL, NULL, runas_pw->pw_name)) {
++	    if (netgr_matches(val,
++            def_netgroup_tuple ? user_host : NULL,
++            def_netgroup_tuple ? user_shost : NULL,
++            runas_pw->pw_name)) {
+ 		sudo_debug_printf(SUDO_DEBUG_DEBUG, "=> match");
+ 		ret = true;
+ 	    }
+@@ -551,7 +554,7 @@ sudo_sss_check_runas(struct sudo_sss_han
+     debug_return_bool(ret);
+ }
+ 
+-static bool sudo_sss_ipa_hostname_matches(const char *hostname_val)
++static bool sudo_sss_ipa_hostname_matches(const char *hostname_val, char *user)
+ {
+ 	bool ret = false;
+ 	char *ipa_hostname_val;
+@@ -559,7 +562,7 @@ static bool sudo_sss_ipa_hostname_matche
+ 
+ 	if ((ipa_hostname_val = ipa_hostname()) != NULL) {
+ 		ret = hostname_matches(ipa_hostname_val, ipa_hostname_val, hostname_val) || \
+-		      netgr_matches(hostname_val, ipa_hostname_val, ipa_hostname_val, NULL);
++		      netgr_matches(hostname_val, ipa_hostname_val, ipa_hostname_val, def_netgroup_tuple ? user : NULL);
+ 	}
+ 
+ 	sudo_debug_printf(SUDO_DEBUG_TRACE, "IPA hostname (%s) matches %s => %s",
+@@ -600,8 +603,9 @@ sudo_sss_check_host(struct sudo_sss_hand
+ 
+ 	/* match any or address or netgroup or hostname */
+ 	if (!strcmp(val, "ALL") || addr_matches(val) ||
+-	    sudo_sss_ipa_hostname_matches(val) ||
+-	    netgr_matches(val, user_host, user_shost, NULL) ||
++	    sudo_sss_ipa_hostname_matches(val, handle->pw->pw_name) ||
++	    netgr_matches(val, user_host, user_shost,
++	       def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
+ 	    hostname_matches(user_shost, user_host, val))
+ 	    ret = true;
+ 
+@@ -649,7 +653,10 @@ bool sudo_sss_filter_sudoUser(struct sud
+ 		sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
+ 		if (*val == '+') {
+ 			/* Netgroup spec found, check netgroup membership */
+-			if (netgr_matches(val, NULL, NULL, handle->pw->pw_name)) {
++			if (netgr_matches(val,
++						def_netgroup_tuple ? user_host : NULL,
++						def_netgroup_tuple ? user_shost : NULL,
++						handle->pw->pw_name)) {
+ 				ret = true;
+ 				sudo_debug_printf(SUDO_DEBUG_DIAG,
+ 						  "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, handle->pw->pw_name);
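Review bot: In match.c, `hostlist_matches()` passes the global `user_name` as the netgroup user field, while `userlist_matches()` and the LDAP/SSSD paths pass the name from the `pw` entry being evaluated. If these matchers are ever called for a user other than the invoker (the `pw` parameter on `userlist_matches()` suggests they can be), the host tuple would be checked against the wrong user when `netgroup_tuple` is on. Passing the same `pw->pw_name` into the host match would keep both halves of the tuple consistent. Separately, the new `char *user` parameters on `sudo_ldap_check_host()` and `sudo_sss_ipa_hostname_matches()` are only read and should be `const char *user`. Several of the touched functions continue outside the hunks.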
diff --git a/SOURCES/sudo-1.8.6p7-nproc-nowait.patch b/SOURCES/sudo-1.8.6p7-nproc-nowait.patch
new file mode 100644
index 0000000..0d75031
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-nproc-nowait.patch
@@ -0,0 +1,48 @@
+diff -up sudo-1.8.6p7/src/exec.c.nproc-nowait sudo-1.8.6p7/src/exec.c
+--- sudo-1.8.6p7/src/exec.c.nproc-nowait	2016-05-11 12:56:58.694022525 +0200
++++ sudo-1.8.6p7/src/exec.c	2016-05-11 12:56:58.759021618 +0200
+@@ -298,6 +298,7 @@ sudo_execute(struct command_details *det
+      */
+     if (details->flags & CD_DONTWAIT) {
+         if (exec_setup(details, NULL, -1) == true) {
++            restore_nproc();
+             /* headed for execve() */
+             sudo_debug_execve(SUDO_DEBUG_INFO, details->command,
+                               details->argv, details->envp);
+diff -up sudo-1.8.6p7/src/sudo.c.nproc-nowait sudo-1.8.6p7/src/sudo.c
+--- sudo-1.8.6p7/src/sudo.c.nproc-nowait	2016-05-11 12:56:58.758021632 +0200
++++ sudo-1.8.6p7/src/sudo.c	2016-05-11 13:12:21.833116202 +0200
+@@ -145,6 +145,7 @@ static struct rlimit corelimit;
+ #endif /* RLIMIT_CORE */
+ #if defined(__linux__)
+ static struct rlimit nproclimit;
++static struct rlimit orig_nproc_limit;
+ #endif
+ 
+ int
+@@ -853,6 +854,17 @@ unlimit_nproc(void)
+ 	debug_return;
+ }
+ 
++void restore_nproc(void)
++{
++    debug_decl(restore_nproc, SUDO_DEBUG_EXEC);
++#if defined(__linux__)
++    if (setrlimit(RLIMIT_NPROC, &orig_nproc_limit) != 0) {
++	errorx(1, _("Cannot restore nproc rlimit: errno=%d"), errno);
++    }
++#endif
++    debug_return;
++}
++
+ #ifdef HAVE_PROJECT_H
+ static void
+ set_project(struct passwd *pw)
+@@ -1089,6 +1101,7 @@ exec_setup(struct command_details *detai
+      */
+ #if defined(__linux__) && defined(_SC_CHILD_MAX)
+     {
++	getrlimit(RLIMIT_NPROC, &orig_nproc_limit);
+ 	struct rlimit rl;
+ 	long l;
+ 	errno = 0;
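Review bot: The added `getrlimit(RLIMIT_NPROC, &orig_nproc_limit);` in exec_setup() ignores its return value. If the call fails, restore_nproc() would later pass the still zero-initialised static `orig_nproc_limit` to setrlimit(), leaving the command with an nproc limit of 0, which is the symptom this patch is meant to remove. The result should be checked, e.g. `if (getrlimit(RLIMIT_NPROC, &orig_nproc_limit) != 0) errorx(1, _("Cannot read nproc rlimit: errno=%d"), errno);`. The save is also compiled only under `defined(__linux__) && defined(_SC_CHILD_MAX)` while restore_nproc() is guarded by `__linux__` alone, so the two guards should match, and the call sits ahead of the `struct rlimit rl;` declaration in a block that otherwise declares first. exec_setup() and sudo_execute() both continue outside the hunks.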
diff --git a/SOURCES/sudo-1.8.6p7-null_exception.patch b/SOURCES/sudo-1.8.6p7-null_exception.patch
new file mode 100644
index 0000000..f48b952
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-null_exception.patch
@@ -0,0 +1,13 @@
+diff -up sudo-1.8.6p7/src/sudo.c.null_exception sudo-1.8.6p7/src/sudo.c
+--- sudo-1.8.6p7/src/sudo.c.null_exception	2016-05-11 10:39:56.466888652 +0200
++++ sudo-1.8.6p7/src/sudo.c	2016-05-11 10:39:56.530887742 +0200
+@@ -483,6 +483,9 @@ get_user_info(struct user_details *ud)
+ 	    errorx(1, _("unable to allocate memory"));
+ 	ud->cwd = user_info[i] + sizeof("cwd=") - 1;
+     }
++    else {
++	errorx(1, _("unable to resolve current working directory"));
++    }
+ 
+     if ((cp = get_process_ttyname()) != NULL) {
+ 	user_info[++i] = fmt_string("tty", cp);
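Review bot: The new `else` branch makes a failed working-directory lookup fatal but has no comment saying why, and the `if` it belongs to starts above the hunk, so the reason cannot be read from the visible code. A comment such as `/* fail closed: a NULL ud->cwd led to the crash in rhbz#1335045 */` on the branch would record it. `errorx()` also reports no cause, so the user is not told why the directory could not be resolved. If the rest of the file writes `} else {` on one line, the added `}` / `else {` pair should follow that.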
diff --git a/SOURCES/sudo-1.8.6p7-pam_servicebackport.patch b/SOURCES/sudo-1.8.6p7-pam_servicebackport.patch
new file mode 100644
index 0000000..53017f2
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-pam_servicebackport.patch
@@ -0,0 +1,221 @@
+diff -up sudo-1.8.6p7/configure.in.pam_servicebackport sudo-1.8.6p7/configure.in
+--- sudo-1.8.6p7/configure.in.pam_servicebackport	2016-05-09 15:36:30.213715598 +0200
++++ sudo-1.8.6p7/configure.in	2016-05-09 15:36:30.237715261 +0200
+@@ -121,6 +121,7 @@ AC_SUBST([nsswitch_conf])
+ AC_SUBST([netsvc_conf])
+ AC_SUBST([secure_path])
+ AC_SUBST([editor])
++AC_SUBST([pam_login_service])
+ #
+ # Begin initial values for man page substitution
+ #
+@@ -160,6 +161,7 @@ netsvc_conf=/etc/netsvc.conf
+ noexec_file=/usr/local/libexec/sudo_noexec.so
+ nsswitch_conf=/etc/nsswitch.conf
+ secure_path="not set"
++pam_login_service=sudo
+ #
+ # End initial values for man page substitution
+ #
+@@ -2717,6 +2719,7 @@ if test ${with_pam-"no"} != "no"; then
+ 	    yes)	AC_DEFINE([HAVE_PAM_LOGIN])
+ 			AC_MSG_CHECKING(whether to use PAM login)
+ 			AC_MSG_RESULT(yes)
++			pam_login_service="sudo-i"
+ 			;;
+ 	    no)		;;
+ 	    *)		AC_MSG_ERROR(["--with-pam-login does not take an argument."])
+diff -up sudo-1.8.6p7/configure.pam_servicebackport sudo-1.8.6p7/configure
+--- sudo-1.8.6p7/configure.pam_servicebackport	2013-02-25 20:48:02.000000000 +0100
++++ sudo-1.8.6p7/configure	2016-05-09 15:36:30.238715247 +0200
+@@ -658,6 +658,7 @@ OBJEXT
+ EXEEXT
+ ac_ct_CC
+ CC
++pam_login_service
+ editor
+ secure_path
+ netsvc_conf
+@@ -2959,6 +2960,7 @@ netsvc_conf=/etc/netsvc.conf
+ noexec_file=/usr/local/libexec/sudo_noexec.so
+ nsswitch_conf=/etc/nsswitch.conf
+ secure_path="not set"
++pam_login_service=sudo
+ #
+ # End initial values for man page substitution
+ #
+@@ -18631,6 +18633,7 @@ if test "${with_pam_login+set}" = set; t
+ $as_echo_n "checking whether to use PAM login... " >&6; }
+ 			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+ $as_echo "yes" >&6; }
++			pam_login_service="sudo-i"
+ 			;;
+ 	    no)		;;
+ 	    *)		as_fn_error $? "\"--with-pam-login does not take an argument.\"" "$LINENO" 5
+diff -up sudo-1.8.6p7/doc/sudoers.cat.pam_servicebackport sudo-1.8.6p7/doc/sudoers.cat
+--- sudo-1.8.6p7/doc/sudoers.cat.pam_servicebackport	2016-05-09 15:36:30.222715472 +0200
++++ sudo-1.8.6p7/doc/sudoers.cat	2016-05-09 15:36:30.239715233 +0200
+@@ -1245,6 +1245,18 @@ SSUUDDOOEERRSS OOPPTTIIOONN
+                        noexec file should now be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
+                        file.
+ 
++     pam_login_service
++                       On systems that use PAM for authentication, this is the
++                       service name used when the -^H-i^Hi option is specified.  The
++                       default value is ``sudo''.  See the description of
++                       _^Hp_^Ha_^Hm_^H__^Hs_^He_^Hr_^Hv_^Hi_^Hc_^He for more information.
++
++     pam_service       On systems that use PAM for authentication, the service
++                       name specifies the PAM policy to apply.  This usually
++                       corresponds to an entry in the _^Hp_^Ha_^Hm_^H._^Hc_^Ho_^Hn_^Hf file or a fi
++                       in the _^H/_^He_^Ht_^Hc_^H/_^Hp_^Ha_^Hm_^H._^Hd directory.  The default valu
++                       ``sudo''.
++ 
+      passprompt        The default prompt to use when asking for a password;
+                        can be overridden via the --pp option or the SUDO_PROMPT
+                        environment variable.  The following percent (`%')
+diff -up sudo-1.8.6p7/doc/sudoers.man.in.pam_servicebackport sudo-1.8.6p7/doc/sudoers.man.in
+--- sudo-1.8.6p7/doc/sudoers.man.in.pam_servicebackport	2016-05-09 15:36:30.223715458 +0200
++++ sudo-1.8.6p7/doc/sudoers.man.in	2016-05-09 15:36:30.239715233 +0200
+@@ -2628,6 +2628,29 @@ The path to the noexec file should now b
+ \fI@sysconfdir@/sudo.conf\fR
+ file.
+ .TP 18n
++pam_login_service
++.br
++On systems that use PAM for authentication, this is the service
++name used when the
++\fB\-i\fR
++option is specified.
++The default value is
++``\fR@pam_login_service@\fR''.
++See the description of
++\fIpam_service\fR
++for more information.
++.TP 18n
++pam_service
++On systems that use PAM for authentication, the service name
++specifies the PAM policy to apply.
++This usually corresponds to an entry in the
++\fIpam.conf\fR
++file or a file in the
++\fI/etc/pam.d\fR
++directory.
++The default value is
++``\fRsudo\fR''.
++.TP 18n
+ passprompt
+ The default prompt to use when asking for a password; can be overridden via the
+ \fB\-p\fR
+diff -up sudo-1.8.6p7/doc/sudoers.mdoc.in.pam_servicebackport sudo-1.8.6p7/doc/sudoers.mdoc.in
+--- sudo-1.8.6p7/doc/sudoers.mdoc.in.pam_servicebackport	2016-05-09 15:36:30.223715458 +0200
++++ sudo-1.8.6p7/doc/sudoers.mdoc.in	2016-05-09 15:36:30.240715219 +0200
+@@ -2464,6 +2464,26 @@ This option is no longer supported.
+ The path to the noexec file should now be set in the
+ .Pa @sysconfdir@/sudo.conf
+ file.
++.It pam_login_service
++On systems that use PAM for authentication, this is the service
++name used when the
++.Fl i
++option is specified.
++The default value is
++.Dq Li @pam_login_service@ .
++See the description of
++.Em pam_service
++for more information.
++.It pam_service
++On systems that use PAM for authentication, the service name
++specifies the PAM policy to apply.
++This usually corresponds to an entry in the
++.Pa pam.conf
++file or a file in the
++.Pa /etc/pam.d
++directory.
++The default value is
++.Dq Li sudo .
+ .It passprompt
+ The default prompt to use when asking for a password; can be overridden via the
+ .Fl p
+diff -up sudo-1.8.6p7/plugins/sudoers/auth/pam.c.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/auth/pam.c
+--- sudo-1.8.6p7/plugins/sudoers/auth/pam.c.pam_servicebackport	2016-05-09 15:36:30.202715752 +0200
++++ sudo-1.8.6p7/plugins/sudoers/auth/pam.c	2016-05-09 15:36:30.240715219 +0200
+@@ -90,12 +90,8 @@ sudo_pam_init(struct passwd *pw, sudo_au
+     if (auth != NULL)
+ 	auth->data = (void *) &pam_status;
+     pam_conv.conv = converse;
+-#ifdef HAVE_PAM_LOGIN
+-    if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
+-	pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
+-    else
+-#endif
+-	pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
++    pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ?
++    def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh);
+     if (pam_status != PAM_SUCCESS) {
+ 	log_error(USE_ERRNO|NO_MAIL, _("unable to initialize PAM"));
+ 	debug_return_int(AUTH_FATAL);
+diff -up sudo-1.8.6p7/plugins/sudoers/defaults.c.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/defaults.c
+--- sudo-1.8.6p7/plugins/sudoers/defaults.c.pam_servicebackport	2016-05-09 15:36:30.234715304 +0200
++++ sudo-1.8.6p7/plugins/sudoers/defaults.c	2016-05-09 15:36:30.240715219 +0200
+@@ -424,6 +424,13 @@ init_defaults(void)
+     def_env_reset = ENV_RESET;
+     def_set_logname = true;
+     def_closefrom = STDERR_FILENO + 1;
++    def_pam_service = estrdup("sudo");
++#ifdef HAVE_PAM_LOGIN
++    def_pam_login_service = estrdup("sudo-i");
++#else
++    def_pam_login_service = estrdup("sudo");
++#endif
++
+ 
+     /* Syslog options need special care since they both strings and ints */
+ #if (LOGGING & SLOG_SYSLOG)
+diff -up sudo-1.8.6p7/plugins/sudoers/def_data.c.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/def_data.c
+--- sudo-1.8.6p7/plugins/sudoers/def_data.c.pam_servicebackport	2016-05-09 15:36:30.234715304 +0200
++++ sudo-1.8.6p7/plugins/sudoers/def_data.c	2016-05-09 15:36:30.240715219 +0200
+@@ -363,6 +363,14 @@ struct sudo_defs_types sudo_defs_table[]
+ 	N_("Use both user and host/domain fields when matching netgroups"),
+ 	NULL,
+     }, {
++	"pam_service", T_STR,
++	N_("PAM service name to use"),
++	NULL,
++    }, {
++	"pam_login_service", T_STR,
++	N_("PAM service name to use for login shells"),
++	NULL,
++    }, {
+ 	NULL, 0, NULL
+     }
+ };
+diff -up sudo-1.8.6p7/plugins/sudoers/def_data.h.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/def_data.h
+--- sudo-1.8.6p7/plugins/sudoers/def_data.h.pam_servicebackport	2016-05-09 15:36:30.235715289 +0200
++++ sudo-1.8.6p7/plugins/sudoers/def_data.h	2016-05-09 15:36:30.240715219 +0200
+@@ -168,6 +168,11 @@
+ #define I_LEGACY_GROUP_PROCESSING 83
+ #define def_netgroup_tuple      (sudo_defs_table[84].sd_un.flag)
+ #define I_NETGROUP_TUPLE        84
++#define def_pam_service         (sudo_defs_table[85].sd_un.str)
++#define I_PAM_SERVICE           85
++#define def_pam_login_service   (sudo_defs_table[86].sd_un.str)
++#define I_PAM_LOGIN_SERVICE     86
++
+ 
+ enum def_tuple {
+ 	never,
+diff -up sudo-1.8.6p7/plugins/sudoers/def_data.in.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/def_data.in
+--- sudo-1.8.6p7/plugins/sudoers/def_data.in.pam_servicebackport	2013-02-25 20:42:44.000000000 +0100
++++ sudo-1.8.6p7/plugins/sudoers/def_data.in	2016-05-09 15:36:30.240715219 +0200
+@@ -259,3 +259,10 @@ privs
+ limitprivs
+ 	T_STR
+ 	"Set of limit privileges"
++pam_service
++       T_STR
++       "PAM service name to use"
++pam_login_service
++       T_STR
++       "PAM service name to use for login shells"
++
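Review bot: In the sudoers.cat hunk the added pam_service paragraph is cut off at the right margin (`file or a fi`, `The default valu`). The pam_login_service paragraph there also states the default as sudo, while configure.in sets `pam_login_service="sudo-i"` under --with-pam-login and the man and mdoc sources substitute `@pam_login_service@`. The formatted page is presumably generated and should be rebuilt from the mdoc source rather than edited by hand. In pam.c the wrapped `pam_start(` call has its continuation line at the same indent as the statement, which hides that the conditional expression is the first argument. A comment such as `/* the service name picks the PAM policy; both values come from sudoers Defaults */` above it would record that a sudoers setting now decides which PAM stack authenticates the user.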
diff --git a/SOURCES/sudo-1.8.6p7-segfault-null-group-list.patch b/SOURCES/sudo-1.8.6p7-segfault-null-group-list.patch
new file mode 100644
index 0000000..609c872
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-segfault-null-group-list.patch
@@ -0,0 +1,13 @@
+diff -up sudo-1.8.6p7/plugins/sudoers/match.c.segfault-null-group-list sudo-1.8.6p7/plugins/sudoers/match.c
+--- sudo-1.8.6p7/plugins/sudoers/match.c.segfault-null-group-list	2016-05-11 10:22:29.201786896 +0200
++++ sudo-1.8.6p7/plugins/sudoers/match.c	2016-05-11 10:22:29.212786739 +0200
+@@ -164,6 +164,9 @@ runaslist_matches(struct member_list *us
+     int group_matched = UNSPEC;
+     debug_decl(runaslist_matches, SUDO_DEBUG_MATCH)
+ 
++    if (user_list == NULL)user_list = &empty;
++    if (group_list == NULL)group_list = &empty;
++
+     if (runas_pw != NULL) {
+ 	/* If no runas user or runas group listed in sudoers, use default. */
+ 	if (tq_empty(user_list) && tq_empty(group_list))
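Review bot: The two added guards, `if (user_list == NULL)user_list = &empty;` and the matching group_list line, have no space after the closing parenthesis and put the assignment on the same line as the test. Writing each as `if (user_list == NULL)` followed by an indented `user_list = &empty;` would match the `if (tq_empty(user_list) && tq_empty(group_list))` line just below. `empty` is not declared in the hunk, so it is presumably a file-scope empty list in match.c. A comment such as `/* treat a NULL list as empty so the tq_empty() tests below are safe */` would say what the guards protect. runaslist_matches() continues outside the hunk.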
diff --git a/SOURCES/sudo-1.8.6p7-unprivileged-list-fix.patch b/SOURCES/sudo-1.8.6p7-unprivileged-list-fix.patch
new file mode 100644
index 0000000..231ac8f
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-unprivileged-list-fix.patch
@@ -0,0 +1,37 @@
+diff -up sudo-1.8.6p7/plugins/sudoers/ldap.c.unprivileged-list-fix sudo-1.8.6p7/plugins/sudoers/ldap.c
+--- sudo-1.8.6p7/plugins/sudoers/ldap.c.unprivileged-list-fix	2016-05-09 15:58:36.581120998 +0200
++++ sudo-1.8.6p7/plugins/sudoers/ldap.c	2016-05-09 15:58:36.588120900 +0200
+@@ -2494,12 +2494,12 @@ sudo_ldap_lookup(struct sudo_nss *nss, i
+ 	    /* Only check the command when listing another user. */
+ 	    if (user_uid == 0 || list_pw == NULL ||
+ 		user_uid == list_pw->pw_uid ||
+-		sudo_ldap_check_command(ld, entry, NULL)) {
++		sudo_ldap_check_command(ld, entry, NULL) == true) {
+ 		matched = true;
+ 		break;
+ 	    }
+ 	}
+-	if (matched || user_uid == 0) {
++	if (matched == true || user_uid == 0) {
+ 	    SET(ret, VALIDATE_OK);
+ 	    CLR(ret, VALIDATE_NOT_OK);
+ 	    if (def_authenticate) {
+diff -up sudo-1.8.6p7/plugins/sudoers/sssd.c.unprivileged-list-fix sudo-1.8.6p7/plugins/sudoers/sssd.c
+--- sudo-1.8.6p7/plugins/sudoers/sssd.c.unprivileged-list-fix	2016-05-09 15:58:36.581120998 +0200
++++ sudo-1.8.6p7/plugins/sudoers/sssd.c	2016-05-09 15:58:36.589120886 +0200
+@@ -1062,13 +1062,13 @@ sudo_sss_lookup(struct sudo_nss *nss, in
+ 		/* Only check the command when listing another user. */
+ 		if (user_uid == 0 || list_pw == NULL ||
+ 		    user_uid == list_pw->pw_uid ||
+-		    sudo_sss_check_command(handle, rule, NULL)) {
++		    sudo_sss_check_command(handle, rule, NULL) == true) {
+ 		    matched = true;
+ 		    break;
+ 		}
+ 	    }
+ 	}
+-	if (matched || user_uid == 0) {
++	if (matched == true || user_uid == 0) {
+ 	    SET(ret, VALIDATE_OK);
+ 	    CLR(ret, VALIDATE_NOT_OK);
+ 	    if (def_authenticate) {
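Review bot: The `== true` comparisons added to the `sudo_ldap_check_command()` and `sudo_sss_check_command()` calls are what the fix rests on, yet nothing in the code says why a plain truth test was wrong. Presumably both helpers can return a non-zero value that is not an allow, which the old test counted as a match and so let a non-root user list another user's entries. A comment such as `/* tri-state result: only an explicit true is a match */` above each call would keep the comparison from being simplified away later. The `matched == true` changes add nothing to the fix, since the visible lines only ever assign `true` to `matched`. Both lookup functions start and end outside the hunks.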
diff --git a/SOURCES/sudo-1.8.6p7-visudocontent.patch b/SOURCES/sudo-1.8.6p7-visudocontent.patch
new file mode 100644
index 0000000..1177797
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-visudocontent.patch
@@ -0,0 +1,20 @@
+diff -up ./plugins/sudoers/visudo.c.fix ./plugins/sudoers/visudo.c
+--- ./plugins/sudoers/visudo.c.fix	2015-09-15 10:00:25.957642667 +0200
++++ ./plugins/sudoers/visudo.c	2015-09-15 12:37:43.478306234 +0200
+@@ -479,6 +479,7 @@ reparse_sudoers(char *editor, char *args
+      * Parse the edited sudoers files and do sanity checking
+      */
+     do {
++	parse_error = NULL;
+ 	sp = tq_first(&sudoerslist);
+ 	last = tq_last(&sudoerslist);
+ 	fp = fopen(sp->tpath, "r+");
+@@ -544,7 +545,7 @@ reparse_sudoers(char *editor, char *args
+ 		    continue;
+ 	    edit_sudoers(sp, editor, args, errorlineno);
+ 	}
+-    } while (parse_error && sp != NULL);
++    } while (parse_error);
+ 
+     debug_return;
+ }
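Review bot: `parse_error = NULL;` resets a variable that the loop condition `while (parse_error)` treats as a flag. Its declaration is outside the hunk, but if it is a `bool` or `int` then `parse_error = false;` states the intent and avoids assigning a pointer constant to an integer. With `sp != NULL` dropped from the condition, termination depends entirely on the loop body, and the part of the body between the two hunks is not shown. A short comment on the `do`, e.g. `/* repeat until every edited file parses cleanly */`, would document the new contract. reparse_sudoers() starts outside the hunk.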
diff --git a/SOURCES/sudo-ldap.conf b/SOURCES/sudo-ldap.conf
new file mode 100644
index 0000000..d8f8e4d
--- /dev/null
+++ b/SOURCES/sudo-ldap.conf
@@ -0,0 +1,86 @@
+## BINDDN DN
+##  The BINDDN parameter specifies the identity, in the form of a Dis‐
+##  tinguished Name (DN), to use when performing LDAP operations.  If
+##  not specified, LDAP operations are performed with an anonymous
+##  identity.  By default, most LDAP servers will allow anonymous
+##  access.
+##
+#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+## BINDPW secret
+##  The BINDPW parameter specifies the password to use when performing
+##  LDAP operations.  This is typically used in conjunction with the
+##  BINDDN parameter.
+##
+#bindpw secret
+
+## SSL start_tls
+##  If the SSL parameter is set to start_tls, the LDAP server connec‐
+##  tion is initiated normally and TLS encryption is begun before the
+##  bind credentials are sent.  This has the advantage of not requiring
+##  a dedicated port for encrypted communications.  This parameter is
+##  only supported by LDAP servers that honor the start_tls extension,
+##  such as the OpenLDAP and Tivoli Directory servers.
+##
+#ssl start_tls
+
+## TLS_CACERTFILE file name
+##  The path to a certificate authority bundle which contains the cer‐
+##  tificates for all the Certificate Authorities the client knows to
+##  be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only sup‐
+##  ported by the OpenLDAP libraries.  Netscape-derived LDAP libraries
+##  use the same certificate database for CA and client certificates
+##  (see TLS_CERT).
+##
+#tls_cacertfile /path/to/CA.crt
+
+## TLS_CHECKPEER on/true/yes/off/false/no
+##  If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐
+##  cated to be verified.  If the server's TLS certificate cannot be
+##  verified (usually because it is signed by an unknown certificate
+##  authority), sudo will be unable to connect to it.  If TLS_CHECKPEER
+##  is disabled, no check is made.  Note that disabling the check cre‐
+##  ates an opportunity for man-in-the-middle attacks since the
+##  server's identity will not be authenticated.  If possible, the CA's
+##  certificate should be installed locally so it can be verified.
+##  This option is not supported by the Tivoli Directory Server LDAP
+##  libraries.
+#tls_checkpeer yes
+
+##
+## URI ldap[s]://[hostname[:port]] ...
+##  Specifies a whitespace-delimited list of one or more
+##  URIs describing the LDAP server(s) to connect to. 
+##
+#uri ldap://ldapserver
+
+##
+## SUDOERS_BASE base
+##  The base DN to use when performing sudo LDAP queries.
+##  Multiple SUDOERS_BASE lines may be specified, in which
+##  case they are queried in the order specified.
+##
+#sudoers_base ou=SUDOers,dc=example,dc=com
+
+##
+## BIND_TIMELIMIT seconds
+##  The BIND_TIMELIMIT parameter specifies the amount of
+##  time to wait while trying to connect to an LDAP server.
+##
+#bind_timelimit 30
+
+##
+## TIMELIMIT seconds
+##  The TIMELIMIT parameter specifies the amount of time
+##  to wait for a response to an LDAP query.
+##
+#timelimit 30
+
+##
+## SUDOERS_DEBUG debug_level
+##  This sets the debug level for sudo LDAP queries. Debugging
+##  information is printed to the standard error. A value of 1
+##  results in a moderate amount of debugging information.
+##  A value of 2 shows the results of the matches themselves.
+##
+#sudoers_debug 1
diff --git a/SOURCES/sudo.conf b/SOURCES/sudo.conf
new file mode 100644
index 0000000..3047842
--- /dev/null
+++ b/SOURCES/sudo.conf
@@ -0,0 +1,57 @@
+#
+# Default /etc/sudo.conf file
+#
+# Format:
+#   Plugin plugin_name plugin_path plugin_options ...
+#   Path askpass /path/to/askpass
+#   Path noexec /path/to/sudo_noexec.so
+#   Debug sudo /var/log/sudo_debug all@warn
+#   Set disable_coredump true
+#
+# Sudo plugins:
+#
+# The plugin_path is relative to ${prefix}/libexec unless fully qualified.
+# The plugin_name corresponds to a global symbol in the plugin
+#   that contains the plugin interface structure.
+# The plugin_options are optional.
+#
+# The sudoers plugin is used by default if no Plugin lines are present.
+Plugin sudoers_policy sudoers.so
+Plugin sudoers_io sudoers.so
+
+#
+# Sudo askpass:
+#
+# An askpass helper program may be specified to provide a graphical
+# password prompt for "sudo -A" support.  Sudo does not ship with its
+# own passpass program but can use the OpenSSH askpass.
+#
+# Use the OpenSSH askpass
+#Path askpass /usr/X11R6/bin/ssh-askpass
+#
+# Use the Gnome OpenSSH askpass
+#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
+
+#
+# Sudo noexec:
+#
+# Path to a shared library containing dummy versions of the execv(),
+# execve() and fexecve() library functions that just return an error.
+# This is used to implement the "noexec" functionality on systems that
+# support C<LD_PRELOAD> or its equivalent.
+# The compiled-in value is usually sufficient and should only be changed
+# if you rename or move the sudo_noexec.so file.
+#
+#Path noexec /usr/libexec/sudo_noexec.so
+
+#
+# Core dumps:
+#
+# By default, sudo disables core dumps while it is executing (they
+# are re-enabled for the command that is run).
+# To aid in debugging sudo problems, you may wish to enable core
+# dumps by setting "disable_coredump" to false.
+#
+# Set to false here so as not to interfere with /proc/sys/fs/suid_dumpable
+#
+Set disable_coredump false
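Review bot: `Set disable_coredump false` turns off sudo's own core-dump suppression for every install, and the comment above it only says this avoids interfering with /proc/sys/fs/suid_dumpable. The comment should also state the consequence: whether a crashing sudo leaves a dump, which can hold authentication data, is then decided by that sysctl alone. A line such as `# NOTE: with this set to false, fs.suid_dumpable alone decides whether sudo can dump core.` would make that explicit for administrators who change the sysctl.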
diff --git a/SOURCES/sudoers b/SOURCES/sudoers
new file mode 100644
index 0000000..9737a8b
--- /dev/null
+++ b/SOURCES/sudoers
@@ -0,0 +1,111 @@
+## Sudoers allows particular users to run various commands as
+## the root user, without needing the root password.
+##
+## Examples are provided at the bottom of the file for collections
+## of related commands, which can then be delegated out to particular
+## users or groups.
+## 
+## This file must be edited with the 'visudo' command.
+
+## Host Aliases
+## Groups of machines. You may prefer to use hostnames (perhaps using 
+## wildcards for entire domains) or IP addresses instead.
+# Host_Alias     FILESERVERS = fs1, fs2
+# Host_Alias     MAILSERVERS = smtp, smtp2
+
+## User Aliases
+## These aren't often necessary, as you can use regular groups
+## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
+## rather than USERALIAS
+# User_Alias ADMINS = jsmith, mikem
+
+
+## Command Aliases
+## These are groups of related commands...
+
+## Networking
+# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+
+## Installation and management of software
+# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
+
+## Services
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
+
+## Updating the locate database
+# Cmnd_Alias LOCATE = /usr/bin/updatedb
+
+## Storage
+# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
+
+## Delegating permissions
+# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 
+
+## Processes
+# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
+
+## Drivers
+# Cmnd_Alias DRIVERS = /sbin/modprobe
+
+# Defaults specification
+
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults   !visiblepw
+
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults    always_set_home
+
+Defaults    env_reset
+Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
+Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+
+#
+# Adding HOME to env_keep may enable a user to run unrestricted
+# commands via sudo.
+#
+# Defaults   env_keep += "HOME"
+
+Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+## Next comes the main part: which users can run what software on 
+## which machines (the sudoers file can be shared between multiple
+## systems).
+## Syntax:
+##
+## 	user	MACHINE=COMMANDS
+##
+## The COMMANDS section may have other options added to it.
+##
+## Allow root to run any commands anywhere 
+root	ALL=(ALL) 	ALL
+
+## Allows members of the 'sys' group to run networking, software, 
+## service management apps and more.
+# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
+
+## Allows people in group wheel to run all commands
+%wheel	ALL=(ALL)	ALL
+
+## Same thing without a password
+# %wheel	ALL=(ALL)	NOPASSWD: ALL
+
+## Allows members of the users group to mount and unmount the 
+## cdrom as root
+# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
+
+## Allows members of the users group to shutdown this system
+# %users  localhost=/sbin/shutdown -h now
+
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir /etc/sudoers.d
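Review bot: The `env_keep` lines carry no comment, although every variable listed there is passed from the invoking user's environment to the command run as root, and the spec changelog in this commit records INPUTRC being dropped from the list as a potential info leak. A comment such as `# Variables kept here reach the root command unchanged; keep the list minimal and review any entry that names a file or directory.` above `Defaults    env_keep =` would give later editors the rule. The always_set_home comment also has a doubled word, `the the env_reset option`.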
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index 9efa9d9..ad1cab7 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,14 +1,14 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.8.6p7
-Release: 17%{?dist}
+Release: 20%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
 Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
-Source1: sudo-1.8.6p7-14-sudoers
-Source2: sudo-1.7.4p5-sudo-ldap.conf
-Source3: sudo-1.8.6p3-sudo.conf
+Source1: sudoers
+Source2: sudo-ldap.conf
+Source3: sudo.conf
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: /etc/pam.d/system-auth, vim-minimal
 
@@ -116,8 +116,34 @@ Patch41: sudo-1.8.6p7-legacy-group-processing.patch
 Patch42: sudo-1.8.6p7-newbase64decoder.patch
 # 1183818 - [RFE] store checksum alongside the command being permitted
 Patch43: sudo-1.8.6p7-digestmessagesfix.patch
-# 1308495 - closefrom_override sudo option not working
+# 1297062 - closefrom_override sudo option not working
 Patch44: sudo-1.8.6p7-closefrom-override-fix.patch
+# 1334360 - sudo option mail_no_user doesn't work
+Patch45: sudo-1.8.6p7-ldapusermatchfix.patch
+# 1334331 - [RFE] Implement sudoers option to change netgroup processing semantics
+Patch46: sudo-1.8.6p7-netgroup_tuple.patch
+# 1247230 - Backport pam_service and pam_login_service sudoers options
+Patch47: sudo-1.8.6p7-pam_servicebackport.patch
+# 1261998 - visudo accept non valid content
+Patch48: sudo-1.8.6p7-visudocontent.patch
+# 1313364 - non-root user can list privileges of other users
+Patch49: sudo-1.8.6p7-unprivileged-list-fix.patch
+# 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure
+Patch50: sudo-1.8.6p7-logsudouser.patch
+# 1268958 - sudo - cmnd_no_wait can cause child processes to ignore SIGPIPE
+Patch51: sudo-1.8.6p3-sigpipefix.patch
+# 1335039 - sudo segfault segfault at 8 i error 4 in sudoers.so[7f4a87ef1000+45000]
+Patch52: sudo-1.8.6p7-segfault-null-group-list.patch
+# 1335042 - sudo command throwing error when defaults records are added in ldap based on sudoers2ldif generated ldif.
+Patch53: sudo-1.8.6p7-ldap_sssd_parse_whitespaces.patch
+# 1335045 - getcwd failed, resulting in Null pointer exception
+Patch54: sudo-1.8.6p7-null_exception.patch
+# 1273243 - sudo improperly sets RLIMIT_NPROC=0 when using Defaults cmnd_no_wait
+Patch55: sudo-1.8.6p7-nproc-nowait.patch
+# 1299883 - sudo: document raciness of the digest check
+Patch56: sudo-1.8.6p7-digest_race_doc.patch
+# 1350828 - [RHEL7] visudo ignores -q flag
+Patch57: sudo-1.8.6p3-visudo-quiet-flag.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -186,6 +212,19 @@ plugins that use %{name}.
 %patch42 -p1 -b .newbase64decoder
 %patch43 -p1 -b .digestmessagesfix
 %patch44 -p1 -b .closefrom-override-fix
+%patch45 -p1 -b .ldapusermatchfix
+%patch46 -p1 -b .netgroup_tuple
+%patch47 -p1 -b .pam_servicebackport
+%patch48 -p1 -b .visudocontent
+%patch49 -p1 -b .unprivileged-list-fix
+%patch50 -p1 -b .logsudouser
+%patch51 -p1 -b .sigpipefix
+%patch52 -p1 -b .segfault-null-group-list
+%patch53 -p1 -b .ldap_sssd_parse_whitespaces
+%patch54 -p1 -b .null_exception
+%patch55 -p1 -b .nproc-nowait
+%patch56 -p1 -b .digest_race_doc
+%patch57 -p1 -b .visudo-quiet-flag
 
 %build
 autoreconf -I m4 -fv --install
@@ -307,9 +346,45 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/sudo_plugin.8*
 
 %changelog
-* Wed Feb 17 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-17
+* Tue Jul 19 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-20
+- RHEL 7.3 erratum
+  - fixed visudo's -q flag
+  Resolves: rhbz#1350828
+
+* Tue Jun 14 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-19
+- RHEL 7.3 erratum
+  - removed INPUTRC from env_keep to prevent a potential info leak
+  Resolves: rhbz#1340700
+
+* Wed May 11 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-18
+- RHEL 7.3 erratum
+  - removed requiretty flag from the default sudoers policy
+  - backported pam_service and pam_login_service defaults options
+  - implemented netgroup_tuple defaults option for changing netgroup
+    processing semantics
+  - fixed user matching logic in the LDAP nss backend
+  - don't allow visudo to accept an invalid sudoers file
+  - fixed a bug causing that non-root users can list privileges of
+    other users
+  - modified digest check documentation to mention the raciness of
+    the checking mechanism
+  Resolves: rhbz#1196451
+  Resolves: rhbz#1247230
+  Resolves: rhbz#1334331
+  Resolves: rhbz#1334360
+  Resolves: rhbz#1261998
+  Resolves: rhbz#1313364
+  Resolves: rhbz#1312486
+  Resolves: rhbz#1268958
+  Resolves: rhbz#1335039
+  Resolves: rhbz#1335042
+  Resolves: rhbz#1335045
+  Resolves: rhbz#1273243
+  Resolves: rhbz#1299883
+
+* Mon Feb 15 2016 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-17
 - fixed bug in closefrom_override defaults option
-  Resolves: rhbz#1308495
+  Resolves: rhbz#1297062
 
 * Tue Sep  1 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-16
 - RHEL 7.2 erratum