import sudo-1.9.15-7.p5.el10

.gitignore

@@ -0,0 +1 @@
+SOURCES/sudo-1.9.15p5.tar.gz

.sudo.metadata

@@ -0,0 +1 @@
+d86f3f4cee508609a6ff515ac9f462fb713a730e SOURCES/sudo-1.9.15p5.tar.gz

SOURCES/coverity.patch

@@ -0,0 +1,37 @@
+diff -up ./plugins/sudoers/auth/pam.c.fix ./plugins/sudoers/auth/pam.c
+--- ./plugins/sudoers/auth/pam.c.fix	2024-08-19 06:34:03.914643249 +0200
++++ ./plugins/sudoers/auth/pam.c	2024-08-19 06:48:46.136167294 +0200
+@@ -454,11 +454,6 @@ sudo_pam_begin_session(const struct sudo
+     if (pw == NULL) {
+ 	if (pamh != NULL) {
+ 	    rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
+-	    if (rc != PAM_SUCCESS) {
+-		errstr = sudo_pam_strerror(pamh, rc);
+-		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+-		    "pam_end: %s", errstr);
+-	    }
+ 	    pamh = NULL;
+ 	}
+ 	goto done;
+@@ -517,11 +512,6 @@ sudo_pam_begin_session(const struct sudo
+ 	    errstr = sudo_pam_strerror(pamh, rc);
+ 	    log_warningx(ctx, 0, N_("%s: %s"), "pam_open_session", errstr);
+ 	    rc = pam_end(pamh, *pam_status | PAM_DATA_SILENT);
+-	    if (rc != PAM_SUCCESS) {
+-		errstr = sudo_pam_strerror(pamh, rc);
+-		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+-		    "pam_end: %s", errstr);
+-	    }
+ 	    pamh = NULL;
+ 	    status = AUTH_ERROR;
+ 	    goto done;
+@@ -577,9 +567,6 @@ sudo_pam_end_session(sudo_auth *auth)
+ 	}
+ 	rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
+ 	if (rc != PAM_SUCCESS) {
+-	    errstr = sudo_pam_strerror(pamh, rc);
+-	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+-		"pam_end: %s", errstr);
+ 	    status = AUTH_ERROR;
+ 	}
+ 	pamh = NULL;

SOURCES/sudo-conf.patch

@@ -0,0 +1,25 @@
+diff -up ./examples/sudo.conf.in.fix ./examples/sudo.conf.in
+--- ./examples/sudo.conf.in.fix	2024-08-20 16:32:04.223791138 +0200
++++ ./examples/sudo.conf.in	2024-08-20 16:33:02.470003955 +0200
+@@ -11,9 +11,9 @@
+ # The plugin_options are optional.
+ #
+ # The sudoers plugin is used by default if no Plugin lines are present.
+-#Plugin sudoers_policy @sudoers_plugin@
+-#Plugin sudoers_io @sudoers_plugin@
+-#Plugin sudoers_audit @sudoers_plugin@
++Plugin sudoers_policy @sudoers_plugin@
++Plugin sudoers_io @sudoers_plugin@
++Plugin sudoers_audit @sudoers_plugin@
+ 
+ #
+ # Sudo askpass:
+@@ -85,7 +85,7 @@
+ # To aid in debugging sudo problems, you may wish to enable core
+ # dumps by setting "disable_coredump" to false.
+ #
+-#Set disable_coredump false
++Set disable_coredump false
+ 
+ #
+ # User groups:

SOURCES/sudo-ldap.conf

@@ -0,0 +1,86 @@
+## BINDDN DN
+##  The BINDDN parameter specifies the identity, in the form of a Dis‐
+##  tinguished Name (DN), to use when performing LDAP operations.  If
+##  not specified, LDAP operations are performed with an anonymous
+##  identity.  By default, most LDAP servers will allow anonymous
+##  access.
+##
+#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+## BINDPW secret
+##  The BINDPW parameter specifies the password to use when performing
+##  LDAP operations.  This is typically used in conjunction with the
+##  BINDDN parameter.
+##
+#bindpw secret
+
+## SSL start_tls
+##  If the SSL parameter is set to start_tls, the LDAP server connec‐
+##  tion is initiated normally and TLS encryption is begun before the
+##  bind credentials are sent.  This has the advantage of not requiring
+##  a dedicated port for encrypted communications.  This parameter is
+##  only supported by LDAP servers that honor the start_tls extension,
+##  such as the OpenLDAP and Tivoli Directory servers.
+##
+#ssl start_tls
+
+## TLS_CACERTFILE file name
+##  The path to a certificate authority bundle which contains the cer‐
+##  tificates for all the Certificate Authorities the client knows to
+##  be valid, e.g. /etc/ssl/ca-bundle.pem.  This option is only sup‐
+##  ported by the OpenLDAP libraries.  Netscape-derived LDAP libraries
+##  use the same certificate database for CA and client certificates
+##  (see TLS_CERT).
+##
+#tls_cacertfile /path/to/CA.crt
+
+## TLS_CHECKPEER on/true/yes/off/false/no
+##  If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐
+##  cated to be verified.  If the server's TLS certificate cannot be
+##  verified (usually because it is signed by an unknown certificate
+##  authority), sudo will be unable to connect to it.  If TLS_CHECKPEER
+##  is disabled, no check is made.  Note that disabling the check cre‐
+##  ates an opportunity for man-in-the-middle attacks since the
+##  server's identity will not be authenticated.  If possible, the CA's
+##  certificate should be installed locally so it can be verified.
+##  This option is not supported by the Tivoli Directory Server LDAP
+##  libraries.
+#tls_checkpeer yes
+
+##
+## URI ldap[s]://[hostname[:port]] ...
+##  Specifies a whitespace-delimited list of one or more
+##  URIs describing the LDAP server(s) to connect to. 
+##
+#uri ldap://ldapserver
+
+##
+## SUDOERS_BASE base
+##  The base DN to use when performing sudo LDAP queries.
+##  Multiple SUDOERS_BASE lines may be specified, in which
+##  case they are queried in the order specified.
+##
+#sudoers_base ou=SUDOers,dc=example,dc=com
+
+##
+## BIND_TIMELIMIT seconds
+##  The BIND_TIMELIMIT parameter specifies the amount of
+##  time to wait while trying to connect to an LDAP server.
+##
+#bind_timelimit 30
+
+##
+## TIMELIMIT seconds
+##  The TIMELIMIT parameter specifies the amount of time
+##  to wait for a response to an LDAP query.
+##
+#timelimit 30
+
+##
+## SUDOERS_DEBUG debug_level
+##  This sets the debug level for sudo LDAP queries. Debugging
+##  information is printed to the standard error. A value of 1
+##  results in a moderate amount of debugging information.
+##  A value of 2 shows the results of the matches themselves.
+##
+#sudoers_debug 1

SOURCES/sudoers

@@ -0,0 +1,120 @@
+## Sudoers allows particular users to run various commands as
+## the root user, without needing the root password.
+##
+## Examples are provided at the bottom of the file for collections
+## of related commands, which can then be delegated out to particular
+## users or groups.
+## 
+## This file must be edited with the 'visudo' command.
+
+## Host Aliases
+## Groups of machines. You may prefer to use hostnames (perhaps using 
+## wildcards for entire domains) or IP addresses instead.
+# Host_Alias     FILESERVERS = fs1, fs2
+# Host_Alias     MAILSERVERS = smtp, smtp2
+
+## User Aliases
+## These aren't often necessary, as you can use regular groups
+## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
+## rather than USERALIAS
+# User_Alias ADMINS = jsmith, mikem
+
+
+## Command Aliases
+## These are groups of related commands...
+
+## Networking
+# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+
+## Installation and management of software
+# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
+
+## Services
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
+
+## Updating the locate database
+# Cmnd_Alias LOCATE = /usr/bin/updatedb
+
+## Storage
+# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
+
+## Delegating permissions
+# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 
+
+## Processes
+# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
+
+## Drivers
+# Cmnd_Alias DRIVERS = /sbin/modprobe
+
+# Defaults specification
+
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults   !visiblepw
+
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults    always_set_home
+Defaults    match_group_by_gid
+
+# Prior to version 1.8.15, groups listed in sudoers that were not
+# found in the system group database were passed to the group
+# plugin, if any. Starting with 1.8.15, only groups of the form
+# %:group are resolved via the group plugin by default.
+# We enable always_query_group_plugin to restore old behavior.
+# Disable this option for new behavior.
+Defaults    always_query_group_plugin
+
+Defaults    env_reset
+Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
+Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+
+#
+# Adding HOME to env_keep may enable a user to run unrestricted
+# commands via sudo.
+#
+# Defaults   env_keep += "HOME"
+
+Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+## Next comes the main part: which users can run what software on 
+## which machines (the sudoers file can be shared between multiple
+## systems).
+## Syntax:
+##
+## 	user	MACHINE=COMMANDS
+##
+## The COMMANDS section may have other options added to it.
+##
+## Allow root to run any commands anywhere 
+root	ALL=(ALL) 	ALL
+
+## Allows members of the 'sys' group to run networking, software, 
+## service management apps and more.
+# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
+
+## Allows people in group wheel to run all commands
+%wheel	ALL=(ALL)	ALL
+
+## Same thing without a password
+# %wheel	ALL=(ALL)	NOPASSWD: ALL
+
+## Allows members of the users group to mount and unmount the 
+## cdrom as root
+# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
+
+## Allows members of the users group to shutdown this system
+# %users  localhost=/sbin/shutdown -h now
+
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir /etc/sudoers.d