Summary: Allows restricted root access for specified users

Name: sudo

Version: 1.9.5p2

Release: 1%{?dist}

License: ISC

URL: https://www.sudo.ws

Source0: %{url}/dist/%{name}-%{version}.tar.gz

Source1: sudoers

Requires: pam

Recommends: vim-minimal

Recommends: %{name}-python-plugin%{?_isa} = %{version}-%{release}

Requires(post): coreutils

BuildRequires: pam-devel

BuildRequires: groff

BuildRequires: openldap-devel

BuildRequires: flex

BuildRequires: bison

BuildRequires: automake autoconf libtool

BuildRequires: audit-libs-devel libcap-devel

BuildRequires: libselinux-devel

BuildRequires: sendmail

BuildRequires: gettext

BuildRequires: zlib-devel

# don't strip

Patch1: sudo-1.6.7p5-strip.patch

%description

Sudo (superuser do) allows a system administrator to give certain

users (or groups of users) the ability to run some (or all) commands

as root while logging all commands and arguments. Sudo operates on a

per-command basis.  It is not a replacement for the shell.  Features

include: the ability to restrict what commands a user may run on a

per-host basis, copious logging of each command (providing a clear

audit trail of who did what), a configurable timeout of the sudo

command, and the ability to use the same configuration file (sudoers)

on many different machines.

%package        devel

Summary:        Development files for %{name}

Requires:       %{name} = %{version}-%{release}

%description    devel

The %{name}-devel package contains header files developing sudo

plugins that use %{name}.

%package        logsrvd

Summary:        High-performance log server for %{name}

Requires:       %{name} = %{version}-%{release}

BuildRequires:  openssl-devel

%description    logsrvd

%{name}-logsrvd is a high-performance log server that accepts event and I/O logs from sudo.

It can be used to implement centralized logging of sudo logs.

%package        python-plugin

Summary:        Python plugin for %{name}

Requires:       %{name} = %{version}-%{release}

BuildRequires:  python3-devel

%description    python-plugin

%{name}-python-plugin allows using sudo plugins written in Python.

%prep

%setup -q

%patch1 -p1 -b .strip

%build

# Remove bundled copy of zlib

rm -rf zlib/

autoreconf -I m4 -fv --install

%ifarch s390 s390x sparc64

F_PIE=-fPIE

%else

F_PIE=-fpie

%endif

export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"

%configure \

        --prefix=%{_prefix} \

        --sbindir=%{_sbindir} \

        --libdir=%{_libdir} \

        --docdir=%{_pkgdocdir} \

        --enable-openssl \

        --disable-root-mailer \

        --with-logging=syslog \

        --with-logfac=authpriv \

        --with-pam \

        --with-pam-login \

        --with-editor=/bin/vi \

        --with-env-editor \

        --with-ignore-dot \

        --with-tty-tickets \

        --with-ldap \

        --with-selinux \

        --with-passprompt="[sudo] password for %p: " \

        --enable-python \

        --with-linux-audit \

        --with-sssd

#       --without-kerb5 \

#       --without-kerb4

make

%check

make check

%install

rm -rf $RPM_BUILD_ROOT

make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`

chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* 

install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo

install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured

install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d

install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers

#add sudo to protected packages

install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/

touch sudo.conf

echo sudo > sudo.conf

install -p -c -m 0644 sudo.conf $RPM_BUILD_ROOT/etc/dnf/protected.d/

rm -f sudo.conf

chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so # for stripping, reset in %%files

# Don't package LICENSE as a doc

rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE

# Remove examples; Examples can be found in man pages too.

rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo

#Remove all .la files

find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'

# Remove sudoers.dist

rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.dist

%find_lang sudo

%find_lang sudoers

cat sudo.lang sudoers.lang > sudo_all.lang

rm sudo.lang sudoers.lang

mkdir -p $RPM_BUILD_ROOT/etc/pam.d

cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF

#%%PAM-1.0

auth       include      system-auth

account    include      system-auth

password   include      system-auth

session    optional     pam_keyinit.so revoke

session    required     pam_limits.so

session    include      system-auth

EOF

cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF

#%%PAM-1.0

auth       include      sudo

account    include      sudo

password   include      sudo

session    optional     pam_keyinit.so force revoke

session    include      sudo

EOF

%files -f sudo_all.lang

%attr(0440,root,root) %config(noreplace) /etc/sudoers

%attr(0750,root,root) %dir /etc/sudoers.d/

%config(noreplace) /etc/pam.d/sudo

%config(noreplace) /etc/pam.d/sudo-i

%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf

%attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf

%attr(0640,root,root) %config(noreplace) /etc/sudo.conf

%dir /var/db/sudo

%dir /var/db/sudo/lectured

%attr(4111,root,root) %{_bindir}/sudo

%{_bindir}/sudoedit

%attr(0111,root,root) %{_bindir}/sudoreplay

%attr(0755,root,root) %{_sbindir}/visudo

%{_bindir}/cvtsudoers

%dir %{_libexecdir}/sudo

%attr(0755,root,root) %{_libexecdir}/sudo/sesh

%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so

%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so

%attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so

%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so

%attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so

%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so

%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?

%{_libexecdir}/sudo/libsudo_util.so.?

%{_libexecdir}/sudo/libsudo_util.so

%{_mandir}/man5/sudoers.5*

%{_mandir}/man5/sudoers.ldap.5*

%{_mandir}/man5/sudo.conf.5*

%{_mandir}/man8/sudo.8*

%{_mandir}/man8/sudoedit.8*

%{_mandir}/man8/sudoreplay.8*

%{_mandir}/man8/visudo.8*

%{_mandir}/man1/cvtsudoers.1.gz

%{_mandir}/man5/sudoers_timestamp.5.gz

%dir %{_pkgdocdir}/

%{_pkgdocdir}/*

%{!?_licensedir:%global license %%doc}

%license doc/LICENSE

%exclude %{_pkgdocdir}/ChangeLog

%files devel

%doc plugins/sample/sample_plugin.c

%{_includedir}/sudo_plugin.h

%{_mandir}/man8/sudo_plugin.8*

%files logsrvd

%attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf

%attr(0755,root,root) %{_sbindir}/sudo_logsrvd

%attr(0755,root,root) %{_sbindir}/sudo_sendlog

%{_mandir}/man5/sudo_logsrv.proto.5.gz

%{_mandir}/man5/sudo_logsrvd.conf.5.gz

%{_mandir}/man8/sudo_logsrvd.8.gz

%{_mandir}/man8/sudo_sendlog.8.gz

%files python-plugin

%{_mandir}/man8/sudo_plugin_python.8.gz

%attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so

%changelog

* Tue Jan 26 2021 Matthew Miller <mattdm@fedoraproject.org> - 1.9.5p2-1

- rebase to 1.9.5p2

Resolves: rhbz#1920611

- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing

Resolves: rhbz#1920618

* Mon Jan 18 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p1-1

- rebase to 1.9.5p1

-  updated sudo url

Resolves: rhbz#1902758

- enabled python plugin as a subpackage

Resolves: rhbz#1909299

- fixed double free in sss_to_sudoers

Resolves: rhbz#1885874

- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit

Resolves: rhbz#1915055

- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit

Resolves: rhbz#1915054

* Tue Sep 15 2020 Radovan Sroka <rsroka@redhat.com> - 1.9.2-1

- rebase to 1.9.2

Resolves: rhbz#1859577

- added logsrvd subpackage

- added openssl-devel buildrequires

Resolves: rhbz#1860653

- fixed sudo runstatedir path

- it was generated as /sudo instead of /run/sudo

Resolves: rhbz#1868215

- added /var/lib/snapd/snap/bin to secure_path variable

Resolves: rhbz#1691996

* Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4

- update to latest development version 1.9.0b4

Resolves: rhbz#1816593

- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix

Resolves: rhbz#1773148

* Mon Feb 24 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b1

- update to latest development version 1.9.0b1

- added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages

Resolves: rhbz#1787823

- Stack based buffer overflow in when pwfeedback is enabled

Resolves: rhbz#1796945

- fixes: CVE-2019-18634 

- By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account

Resolves: rhbz#1786709

- fixes CVE-2019-19234

- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user

Resolves: rhbz#1786705

- fixes CVE-2019-19232

* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.29-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Mon Nov 11 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.29-1

- rebase to 1.8.29

Resolves: rhbz#1766233

* Tue Oct 22 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28p1-1

- rebase to 1.8.28p1

Resolves: rhbz#1762350

* Tue Oct 15 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28-1

- rebase to 1.8.28

Resolves: rhbz#1761533

- set always_set_home by default

Resolves: rhbz#1728687

- Sync sudoers options from rhel8 to fedora

Resolves: rhbz#1761781

- CVE-2019-14287

Resolves: rhbz#1761584

* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.27-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Sun Mar 31 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.27-2

- resolves rhbz#1676925

- Removed PS1, PS2 from sudoers 

* Mon Mar 11 2019 Radovan Sroka <rsroka@redhat.com> 1.8.27-1

- rebase sudo to 1.8.27

* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.25p1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Mon Oct 01 2018 Radovan Sroka <rsroka@redhat.com> 1.8.25p1-1

- rebase sudo to 1.8.25p1

* Mon Sep 10 2018 Radovan Sroka <rsroka@redhat.com> 1.8.25-1

- rebase sudo to latest stawble version

- install /etc/dnf/protected.d/sudo instead of /etc/yum/protected.d/sudo (1626968)

* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.23-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Tue Jul 03 2018 Matthew Miller <mattdm@fedoraproject.org> - 1.8.23-2

- remove defattr, as default is now sane

* Wed May 09 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.23-1

- update to 1.8.23

* Wed Apr 18 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.23-0.1.b3

- update to 1.8.23b3

* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.22-0.2.b1

- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Thu Dec 14 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.22b1-1

- update to 1.8.22b1

- Added /usr/local/sbin and /usr/local/bin to secure path rhbz#1166185

* Thu Sep 21 2017 Marek Tamaskovic <mtamasko@redhat.com> - 1.8.21p2-1

- update to 1.8.21p2

- Moved libsudo_util.so from the -devel sub-package to main package (1481225) 

* Wed Sep 06 2017 Matthew Miller <mattdm@fedoraproject.org> - 1.8.20p2-4

- replace file-based requirements with package-level ones:

- /etc/pam.d/system-auth to 'pam'

- /bin/chmod to 'coreutils' (bug #1488934)

- /usr/bin/vi to vim-minimal

- ... and make vim-minimal "recommends" instead of "requires", because

  other editors can be configured.

* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.20p2-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.20p2-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Thu Jun 01 2017 Daniel Kopecek <dkopecek@redhat.com> 1.8.20p2-1

- update to 1.8.20p2

* Wed May 31 2017 Daniel Kopecek <dkopecek@redhat.com> 1.8.20p1-1

- update to 1.8.20p1

- fixes CVE-2017-1000367

  Resolves: rhbz#1456884

* Fri Apr 07 2017 Jiri Vymazal <jvymazal@redhat.com> - 1.8.20-0.1.b1

- update to latest development version 1.8.20b1

- added sudo to dnf/yum protected packages

  Resolves: rhbz#1418756

* Mon Feb 13 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-1

- update to 1.8.19p2

* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.19-0.3.20161108git738c3cb

- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Tue Nov 08 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.19-0.2.20161108git738c3cb

- update to latest development version

- fixes CVE-2016-7076

* Fri Sep 23 2016 Radovan Sroka <rsroka@redhat.com> 1.8.19-0.1.20160923git90e4538

- we were not able to update from rc and beta versions to stable one

- so this is a new snapshot package which resolves it

* Wed Sep 21 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18-1

- update to 1.8.18

* Fri Sep 16 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18rc4-1

- update to 1.8.18rc4

* Wed Sep 14 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18rc2-1

- update to 1.8.18rc2

- dropped sudo-1.8.14p1-ldapconfpatch.patch

  upstreamed --> https://www.sudo.ws/pipermail/sudo-workers/2016-September/001006.html

* Fri Aug 26 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18b2-1

- update to 1.8.18b2

- added --disable-root-mailer as configure option

  Resolves: rhbz#1324091

* Fri Jun 24 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.17p1-1

- update to 1.8.17p1

- install the /var/db/sudo/lectured

  Resolves: rhbz#1321414

* Tue May 31 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-4

- removed INPUTRC from env_keep to prevent a possible info leak

  Resolves: rhbz#1340701

* Fri May 13 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-3

- fixed upstream patch for rhbz#1328735

* Thu May 12 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-2

- fixed invalid sesh argument array construction

* Mon Apr 04 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-1

- update to 1.8.16

* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.15-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Thu Nov  5 2015 Daniel Kopecek <dkopecek@redhat.com> 1.8.15-1

- update to 1.8.15

- fixes CVE-2015-5602

* Mon Aug 24 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-3

- enable upstream test suite

* Mon Aug 24 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-2

- add patch that resolves initialization problem before sudo_strsplit call

- add patch that resolves deadcode in visudo.c 

- add patch that removes extra while in visudo.c and sudoers.c

* Mon Jul 27 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-1

- update to 1.8.14p3

* Mon Jul 20 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p1-1

- update to 1.8.14p1-1

- rebase sudo-1.8.14b3-ldapconfpatch.patch -> sudo-1.8.14p1-ldapconfpatch.patch

- rebase sudo-1.8.14b4-docpassexpire.patch -> sudo-1.8.14p1-docpassexpire.patch

* Tue Jul 14 2015 Radovan Sroka <rsroka@redhat.com> 1.8.12-2

- add patch3 sudo.1.8.14b4-passexpire.patch that makes change in documentation about timestamp_time

- Resolves: rhbz#1162070

* Fri Jul 10 2015 Radovan Sroka <rsroka@redhat.com> - 1.8.14b4-1

- Update to 1.8.14b4

- Add own %%{_tmpfilesdir}/sudo.conf

* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.12-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Wed Feb 18 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.12

- update to 1.8.12

- fixes CVE-2014-9680

* Mon Nov  3 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11p2-1

- update to 1.8.11p2

- added patch to fix upstream bug #671 -- exiting immediately

  when audit is disabled

* Tue Sep 30 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11-1

- update to 1.8.11

- major changes & fixes:

  - when running a command in the background, sudo will now forward

    SIGINFO to the command

  - the passwords in ldap.conf and ldap.secret may now be encoded in base64. 

  - SELinux role changes are now audited. For sudoedit, we now audit

    the actual editor being run, instead of just the sudoedit command. 

  - it is now possible to match an environment variable's value as well as

    its name using env_keep and env_check

  - new files created via sudoedit as a non-root user now have the proper group id

  - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support

  - it is now possible to disable network interface probing in sudo.conf by

    changing the value of the probe_interfaces setting

  - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt

    for the user's password even if the targetpw, rootpw or runaspw options are set.

  - the new use_netgroups sudoers option can be used to explicitly enable or disable

    netgroups support

  - visudo can now export a sudoers file in JSON format using the new -x flag

- added patch to read ldap.conf more closely to nss_ldap

- require /usr/bin/vi instead of vim-minimal

- include pam.d/system-auth in PAM session phase from pam.d/sudo

- include pam.d/sudo in PAM session phase from pam.d/sudo-i

* Tue Aug  5 2014 Tom Callaway <spot@fedoraproject.org> - 1.8.8-6

- fix license handling

* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.8-5

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Sat May 31 2014 Peter Robinson <pbrobinson@fedoraproject.org> 1.8.8-4

- Drop ChangeLog, we ship NEWS

* Mon Mar 10 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.8-3

- remove bundled copy of zlib before compilation

- drop the requiretty Defaults setting from sudoers

* Sat Jan 25 2014 Ville Skyttä <ville.skytta@iki.fi> - 1.8.8-2

- Own the %%{_libexecdir}/sudo dir.

* Mon Sep 30 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.8-1

- update to 1.8.8

- major changes & fixes:

  - LDAP SASL support now works properly with Kerberos

  - root may no longer change its SELinux role without entering a password

  - user messages are now always displayed in the user's locale, even when

    the same message is being logged or mailed in a different locale.

  - log files created by sudo now explicitly have the group set to group

    ID 0 rather than relying on BSD group semantics

  - sudo now stores its libexec files in a sudo subdirectory instead of in

    libexec itself

  - system_group and group_file sudoers group provider plugins are now

    installed by default

  - the paths to ldap.conf and ldap.secret may now be specified as arguments

    to the sudoers plugin in the sudo.conf file

  - ...and many new features and settings. See the upstream ChangeLog for the

    full list.

- several sssd support fixes

- added patch to make uid/gid specification parsing more strict (don't accept

  an invalid number as uid/gid)

- use the _pkgdocdir macro

  (see https://fedoraproject.org/wiki/Changes/UnversionedDocdirs)

- fixed several bugs found by the clang static analyzer

- added %%post dependency on chmod

* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p7-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Thu Feb 28 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-1

- update to 1.8.6p7

- fixes CVE-2013-1775 and CVE-2013-1776

- fixed several packaging issues (thanks to ville.skytta@iki.fi)

  - build with system zlib.

  - let rpmbuild strip libexecdir/*.so.

  - own the %%{_docdir}/sudo-* dir.

  - fix some rpmlint warnings (spaces vs tabs, unescaped macros).

  - fix bogus %%changelog dates.

* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p3-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Mon Nov 12 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p3-2

- added upstream patch for a regression

- don't include arch specific files in the -devel subpackage

- ship only one sample plugin in the -devel subpackage

* Tue Sep 25 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p3-1

- update to 1.8.6p3

- drop -pipelist patch (fixed in upstream)

* Thu Sep  6 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6-1

- update to 1.8.6

* Thu Jul 26 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-4

- added patches that fix & improve SSSD support (thanks to pbrezina@redhat.com)

- re-enabled SSSD support

- removed libsss_sudo dependency

* Tue Jul 24 2012 Bill Nottingham <notting@redhat.com> - 1.8.5-3

- flip sudoers2ldif executable bit after make install, not in setup

* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.5-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Thu May 17 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-1

- update to 1.8.5

- fixed CVE-2012-2337

- temporarily disabled SSSD support 

* Wed Feb 29 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-6

- fixed problems with undefined symbols (rhbz#798517)

* Wed Feb 22 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-5

- SSSD patch update

* Tue Feb  7 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-4

- added SSSD support

* Thu Jan 26 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-3

- added patch for CVE-2012-0809

* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.3p1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Thu Nov 10 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-1

- update to 1.8.3p1

- disable output word wrapping if the output is piped 

* Wed Sep  7 2011 Peter Robinson <pbrobinson@fedoraproject.org> - 1.8.1p2-2

- Remove execute bit from sample script in docs so we don't pull in perl

* Tue Jul 12 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.1p2-1

- rebase to 1.8.1p2

- removed .sudoi patch

- fixed typo: RELPRO -> RELRO

- added -devel subpackage for the sudo_plugin.h header file

- use default ldap configuration files again

* Fri Jun  3 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-4

- build with RELRO

* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.4p5-3

- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Mon Jan 17 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-2

- rebase to 1.7.4p5

- fixed sudo-1.7.4p4-getgrouplist.patch

- fixes CVE-2011-0008, CVE-2011-0010

* Tue Nov 30 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-5

- anybody in the wheel group has now root access (using password) (rhbz#656873)

- sync configuration paths with the nss_ldap package (rhbz#652687)

* Wed Sep 29 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-4

- added upstream patch to fix rhbz#638345

* Mon Sep 20 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-3

- added patch for #635250

- /var/run/sudo -> /var/db/sudo in .spec

* Tue Sep  7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-2

- sudo now uses /var/db/sudo for timestamps

* Tue Sep  7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-1

- update to new upstream version

- new command available: sudoreplay

- use native audit support

- corrected license field value: BSD -> ISC

* Wed Jun  2 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-2

- added patch that fixes insufficient environment sanitization issue (#598154)

* Wed Apr 14 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-1

- update to new upstream version

- merged .audit and .libaudit patch

- added sudoers.ldap.5* to files

* Mon Mar  1 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p5-2

- update to new upstream version

* Tue Feb 16 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-5

- fixed no valid sudoers sources found (#558875)

* Wed Feb 10 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-4

- audit related Makefile.in and configure.in corrections

- added --with-audit configure option

- removed call to libtoolize

* Wed Feb 10 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-3

- fixed segfault when #include directive is used in cycles (#561336)

* Fri Jan  8 2010 Ville Skyttä <ville.skytta@iki.fi> - 1.7.2p2-2

- Add /etc/sudoers.d dir and use it in default config (#551470).

- Drop *.pod man page duplicates from docs.

* Thu Jan 07 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-1

- new upstream version 1.7.2p2-1

- commented out unused aliases in sudoers to make visudo happy (#550239)

* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 1.7.1-7

- rebuilt with new audit

* Thu Aug 20 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-6

- moved secure_path from compile-time option to sudoers file (#517428)

* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.1-5

- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Thu Jul 09 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-4

- moved the closefrom() call before audit_help_open() (sudo-1.7.1-auditfix.patch)

- epoch number sync

* Mon Jun 22 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-1

- updated sudo to version 1.7.1

- fixed small bug in configure.in (sudo-1.7.1-conffix.patch)

* Tue Feb 24 2009 Daniel Kopecek <dkopecek@redhat.com> 1.6.9p17-6

- fixed building with new libtool

- fix for incorrect handling of groups in Runas_User

- added /usr/local/sbin to secure-path

* Tue Jan 13 2009 Daniel Kopecek <dkopecek@redhat.com> 1.6.9p17-3

- build with sendmail installed

- Added /usr/local/bin to secure-path

* Tue Sep 02 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p17-2

- adjust audit patch, do not scream when kernel is

  compiled without audit netlink support (#401201)

* Fri Jul 04 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p17-1

- upgrade

* Wed Jun 18 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-7

- build with newer autoconf-2.62 (#449614)

* Tue May 13 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-6

- compiled with secure path (#80215)

* Mon May 05 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-5

- fix path to updatedb in /etc/sudoers (#445103)

* Mon Mar 31 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-4

- include ldap files in rpm package (#439506)

* Thu Mar 13 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-3

- include [sudo] in password prompt (#437092)

* Tue Mar 04 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-2

- audit support improvement

* Thu Feb 21 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-1

- upgrade to the latest upstream release

* Wed Feb 06 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p12-1

- upgrade to the latest upstream release

- add selinux support

* Mon Feb 04 2008 Dennis Gilmore <dennis@ausil.us> 1.6.9p4-6

- sparc64 needs to be in the -fPIE list with s390

* Mon Jan 07 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-5

- fix complains about audit_log_user_command(): Connection 

  refused (#401201)

* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 1.6.9p4-4