Merge commit 'upstream/1.7.6p1'

diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644 (file)
index 0000000..d59d56f
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,24 @@
+sudo (1.7.4p4-2) unstable; urgency=low
+
+  The HOME and MAIL environment variables are now reset based on the
+  target user's password database entry when the env_reset sudoers option
+  is enabled (which is the case in the default configuration).  Users
+  wishing to preserve the original values should use a sudoers entry like:
+     Defaults env_keep += HOME
+  to preserve the old value of HOME and
+     Defaults env_keep += MAIL
+  to preserve the old value of MAIL.
+
+  The change in handling of HOME is known to affect programs like pbuilder.
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 08 Sep 2010 14:29:16 -0600
+
+sudo (1.6.8p12-5) unstable; urgency=low
+
+  The sudo package is no longer configured --with-exempt=sudo.  If you 
+  depend on members of group sudo being able to run sudo without needing
+  a password, you will need to put "%sudo ALL=NOPASSWD: ALL" in 
+  /etc/sudoers to preserve equivalent functionality.
+
+ -- Bdale Garbee <bdale@gag.com>  Tue,  3 Apr 2007 21:13:39 -0600
+

diff --git a/debian/OPTIONS b/debian/OPTIONS
new file mode 100644 (file)
index 0000000..35710ba
--- /dev/null
+++ b/debian/OPTIONS
@@ -0,0 +1,59 @@
+The following options were used to configure sudo for Debian GNU/Linux.
+
+  --with-devel
+
+       Force flex and bison runs on each build.
+
+  --with-pam 
+       
+       Support for pluggable authentication modules.
+
+  --with-ldap
+
+       Support for LDAP authentication, in the sudo-ldap package version only.
+
+  --with-fqdn 
+
+       Allow use of fully qualified domain names in the sudoers file.
+
+  --disable-root-mailer
+
+       Send mail as the invoking user, not as root.
+
+  --with-logging=syslog
+  --with-logfac=authpriv 
+
+       Where logging information goes.
+
+  --with-env-editor 
+  --with-editor=/usr/bin/editor
+
+       Honor the EDITOR and VISUAL environment variables.  If they are not
+       present, default to the preferred systemwide default editor.
+
+  --with-timeout=15 
+  --with-password-timeout=0 
+
+       Allow 15 minutes before a user has to re-type their passord, versus
+       the sudo usual default of 5.  Never time out while waiting for a
+       password to be typed, this is a seriously big deal for Debian package
+       developers using 'dpkg-buildpackage -rsudo'.
+
+  --with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:\
+       /sbin:/bin:/usr/X11R6/bin"  
+
+       Give a reasonable default path for commands run as root via sudo.
+
+  --with-all-insults
+
+       Include all the insults in the binary, won't be enabled unless turned
+       on in the sudoers file.
+
+  --with-sendmail=/usr/sbin/sendmail
+
+       Use Debian policy to know the location of sendmail instead of trying 
+       to detect it at build time.
+
+  --disable-setresuid
+
+       Linux 2.2 kernels don't support setresgid.

diff --git a/debian/README b/debian/README
new file mode 100644 (file)
index 0000000..3de537c
--- /dev/null
+++ b/debian/README
@@ -0,0 +1,17 @@
+#
+# As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
+# installation of the package now includes the directive:
+# 
+#      #includedir /etc/sudoers.d
+# 
+# This will cause sudo to read and parse any files in the /etc/sudoers.d 
+# directory that do not end in '~' or contain a '.' character.
+# 
+# Note that there must be at least one file in the sudoers.d directory (this
+# one will do), and all files in this directory should be mode 0440.
+# 
+# Note also, that because sudoers contents can vary widely, no attempt is 
+# made to add this directive to existing sudoers files on upgrade.  Feel free
+# to add the above directive to the end of your /etc/sudoers file to enable 
+# this functionality for existing installations if you wish!
+#

diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644 (file)
index 0000000..e1ecb3e
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,48 @@
+The version of sudo that ships with Debian by default resets the
+environment, as described by the "env_reset" flag in the sudoers file.
+
+This implies that all environment variables are removed, except for
+LOGNAME, PATH, SHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, XAPPLRESDIR, 
+XFILESEARCHPATH, XUSERFILESEARCHPATH, LANG, LANGUAGE, LC_*, and USER.
+
+In case you want sudo to preserve more environment variables, you must
+specify the env_keep variable in the sudoers file. You should edit the
+sudoers file using the visudo tool.
+
+Examples:
+Preserve the default variables plus the EDITOR variable:
+
+    Defaults env_keep+="EDITOR"
+
+Preserve the default variables plus all variables starting with LC_:
+
+    Defaults env_keep+="LC_*"
+
+       - - - - -
+
+If you're using the sudo-ldap package, note that it is now configured to 
+look for /etc/sudo-ldap.conf.  Depending on your system configuration, it
+probably makes sense for this to be a symlink to /etc/ldap.conf, or perhaps
+to /etc/libnss-ldap.conf or /etc/pam_ldap.conf.  By default, no symlink or
+file is provided, you'll need to decide what to do and create a suitable
+file before sudo-ldap will work.
+
+       - - - - -
+
+As of version 1.7, sudo-ldap now requires the LDAP source to be specified
+in /etc/nsswitch.conf with a line like:
+
+  sudoers:     ldap
+
+       - - - - -
+
+See the file OPTIONS in this directory for more information on the sudo
+build options used in building the Debian package.
+
+       - - - - -
+
+If you're having trouble grasping the fundamental idea of what sudo is all
+about, here's a succinct and humorous take on it...   
+
+       http://www.xkcd.com/c149.html
+

diff --git a/debian/changelog b/debian/changelog
new file mode 100644 (file)
index 0000000..a5a0804
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,896 @@
+sudo (1.7.4p6-2) UNRELEASED; urgency=low
+
+  * include common-session-noninteractive in pam config, closes: #607199
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 09 Feb 2011 15:03:08 -0700
+
+sudo (1.7.4p6-1) unstable; urgency=low
+
+  * new upstream version
+  * touch the right stamp name after configuring, closes: #611287
+  * patch from Svante Signell to fix build problem on Hurd, closes: #611290
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 09 Feb 2011 11:32:58 -0700
+
+sudo (1.7.4p4-6) unstable; urgency=low
+
+  * update /etc/sudoers.d/README now that sudoers is a conffile
+  * patch from upstream to fix special case in password checking code
+    when only the gid is changing, closes: #609641
+
+ -- Bdale Garbee <bdale@gag.com>  Tue, 11 Jan 2011 10:22:39 -0700
+
+sudo (1.7.4p4-5) unstable; urgency=low
+
+  * patch from Jakub Wilk to add noopt and nostrip build option support,
+    closes: #605580
+  * make sudoers a conffile, closes: #605130
+  * add descriptions to LSB init headers, closes: #604619
+  * change default sudoers %sudo entry to allow gid changes, closes: #602699
+  * add Vcs entries to the control file
+  * use debhelper install files instead of explicit installs in rules
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 01 Dec 2010 20:32:31 -0700
+
+sudo (1.7.4p4-4) unstable; urgency=low
+
+  * patch from upstream to resolve problem always prompting for a password
+    when run without a tty, closes: #599376
+  * patch from upstream to resolve interoperability problem between HOME in
+    env_keep and the -H flag, closes: #596493
+  * change path syntax to avoid tar error when /var/run/sudo exists but is
+    empty, closes: #598877
+
+ -- Bdale Garbee <bdale@gag.com>  Thu, 07 Oct 2010 15:59:06 -0600
+
+sudo (1.7.4p4-3) unstable; urgency=low
+
+  * make postinst clause for handling /var/run -> /var/lib transition less
+    fragile, closes: #585514
+  * cope with upstream's Makefile trying to install ChangeLog in our doc
+    directory, closes: #597389
+  * fix README.Debian to reflect that HOME is no longer preserved by default,
+    closes: #596847
+
+ -- Bdale Garbee <bdale@gag.com>  Tue, 21 Sep 2010 23:53:08 -0600
+
+sudo (1.7.4p4-2) unstable; urgency=low
+
+  * add a NEWS item about change in $HOME handling that impacts programs
+    like pbuilder
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 08 Sep 2010 14:29:16 -0600
+
+sudo (1.7.4p4-1) unstable; urgency=high
+
+  * new upstream version, urgency high due to fix for flaw in Runas group 
+    matching (CVE-2010-2956), closes: #595935
+  * handle transition of /var/run/sudo to /var/lib/sudo better, to avoid
+    re-lecturing existing users, and to clean up after ourselves on upgrade,
+    and remove the RAMRUN section from README.Debian since the new state dir
+    should fix the original problem, closes: #585514
+  * deliver README.Debian to both package flavors, closes: #593579
+
+ -- Bdale Garbee <bdale@gag.com>  Tue, 07 Sep 2010 12:22:42 -0600
+
+sudo (1.7.2p7-1) unstable; urgency=high
+
+  * new upstream release with security fix for secure path (CVE-2010-1646),
+    closes: #585394
+  * move timestamps from /var/run/sudo to /var/lib/sudo, so that the state
+    about whether to give the lecture is preserved across reboots even when
+    RAMRUN is set, closes: #581393
+  * add a note to README.Debian about LDAP needing an entry in 
+    /etc/nsswitch.conf, closes: #522065
+  * add a note to README.Debian about how to turn off lectures if using
+    RAMRUN in /etc/default/rcS, closes: #581393
+
+ -- Bdale Garbee <bdale@gag.com>  Thu, 10 Jun 2010 15:42:14 -0600
+
+sudo (1.7.2p6-1) unstable; urgency=low
+
+  * new upstream version fixing CVE-2010-1163, closes: #578275, #570737
+
+ -- Bdale Garbee <bdale@gag.com>  Mon, 19 Apr 2010 10:45:47 -0600
+
+sudo (1.7.2p5-1) unstable; urgency=low
+
+  * new upstream release, closes a bug filed upstream regarding missing man 
+    page processing scripts in the 1.7.2p1 tarball, also includes the fix
+    for CVE-2010-0426 previously the subject of a security team nmu
+  * move to source format 3.0 (quilt) and restructure changes as patches
+  * fix unprocessed substitution variables in man pages, closes: #557204
+  * apply patch from Neil Moore to fix Debian-specific content in the
+    visudo man page, closes: #555013
+  * update descriptions to better explain sudo-ldap, closes: #573108
+  * eliminate spurious 'and' in man page, closes: #571620
+  * fix confusing text in default sudoers, closes: #566607
+
+ -- Bdale Garbee <bdale@gag.com>  Thu, 11 Mar 2010 15:44:53 -0700
+
+sudo (1.7.2p1-1) unstable; urgency=low
+
+  * new upstream version
+  * add support for /etc/sudoers.d using #includedir in default sudoers, 
+    which I think is also a good solution to the request for a crontab-like
+    API requested in March of 2001, closes: #539994, #271813, #89743
+  * move init.d script from using rcS.d to rc[0-6].d, closes: #542924
+
+ -- Bdale Garbee <bdale@gag.com>  Mon, 31 Aug 2009 14:09:32 -0600
+
+sudo (1.7.2-2) unstable; urgency=low
+
+  * further improve initial sudoers to not include the NOPASSWD option on 
+    the group sudo exception, closes: #539136, #198991
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 29 Jul 2009 16:21:04 +0200
+
+sudo (1.7.2-1) unstable; urgency=low
+
+  * new upstream version, closes: #537103
+  * improve initial sudoers by having the exemption for users in group
+    sudo on by default, and including the ability to run any command as
+    any user.  This makes the default install roughly equivalent to our 
+    old use of the --with-exempt=sudo build option, closes: #536220, #536222
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 15 Jul 2009 01:29:46 -0600
+
+sudo (1.7.0-1) unstable; urgency=low
+
+  * new upstream version, closes: #510179, #128268, #520274, #508514
+  * fix ldap config file path for sudo-ldap package, including creating
+    a symlink in postinst and cleaning it up in postrm for the sudo-ldap
+    package, closes: #430826
+  * fix NOPASSWD entry location in default config file for the sudo-ldap
+    instance too, closes: #479616
+
+ -- Bdale Garbee <bdale@gag.com>  Sat, 28 Mar 2009 15:15:01 -0600
+
+sudo (1.6.9p17-2) unstable; urgency=high
+
+  * patch from upstream to fix privilege escalation with certain 
+    configurations, CVE-2009-0034
+  * typo in sudoers man page, closes: #507163
+
+ -- Bdale Garbee <bdale@gag.com>  Tue, 27 Jan 2009 11:49:02 -0700
+
+sudo (1.6.9p17-1) unstable; urgency=low
+
+  * new upstream version, closes: #481008
+  * deliver schemas to doc directory in sudo-ldap package, closes: #474331
+  * re-apply patch from Petter Reinholdtsen to improve init.d apparently lost
+    in move from CVS to git for package management, closes: #475821
+  * re-instate the init.d for the sudo-ldap package too... /o\
+
+ -- Bdale Garbee <bdale@gag.com>  Sun, 06 Jul 2008 01:16:31 -0600
+
+sudo (1.6.9p15-2) unstable; urgency=low
+
+  * revert the fix for 388659 such that visudo once again defaults to using
+    /usr/bin/editor.  I was always ambivalent about this change, it has caused
+    more confusion and frustration than it cured, and I find Justin's line of
+    reasoning persuasive.  Update the man page source to reflect this choice
+    and the related use of --with-env-editor.  Closes: #474197.
+  * patch from Petter Reinholdtsen to improve init.d, closes: #475821
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 16 Apr 2008 00:38:56 -0600
+
+sudo (1.6.9p15-1) unstable; urgency=low
+
+  * new upstream version, closes: #467126, #473337
+  * remove pointless postrm scripts, leaving debhelper do its thing if needed,
+    thanks to Justin Pryzby for pointing this out
+  * reinstate the init.d, since bootclean doesn't quite do what we want.  This
+    also means we don't need the preinst scripts any more.  Update the lintian
+    overrides since postinst is a Perl script lintian apparently isn't parsing
+    well.  closes: #330868
+
+ -- Bdale Garbee <bdale@gag.com>  Thu, 03 Apr 2008 14:25:56 -0600
+
+sudo (1.6.9p12-1) unstable; urgency=low
+
+  * new upstream version, closes: #464890
+
+ -- Bdale Garbee <bdale@gag.com>  Tue, 19 Feb 2008 11:19:54 +0900
+
+sudo (1.6.9p11-3) unstable; urgency=low
+
+  * patch for configure to fix FTBFS on GNU/kFreeBSD, closes: #465956
+
+ -- Bdale Garbee <bdale@gag.com>  Fri, 15 Feb 2008 10:54:21 -0700
+
+sudo (1.6.9p11-2) unstable; urgency=low
+
+  * update version compared in preinst when removing obsolete init.d,
+    closes: #459681
+  * implement pam session config suggestions from Elizabeth Fong, 
+    closes: #452457, #402329
+
+ -- Bdale Garbee <bdale@gag.com>  Mon, 04 Feb 2008 21:26:23 -0700
+
+sudo (1.6.9p11-1) unstable; urgency=low
+
+  * new upstream version
+
+ -- Bdale Garbee <bdale@gag.com>  Fri, 11 Jan 2008 01:54:35 -0700
+
+sudo (1.6.9p10-1) unstable; urgency=low
+
+  * new upstream version
+  * tweak default password prompt as %u doesn't make sense.  Accept patch from 
+    Patrick Schoenfeld (recommend upstream accept it too) that adds a %p and 
+    uses it by default, closes: #454409
+  * accept patch from Martin Pitt that adds a prerm making it difficult to
+    "accidentally" remove sudo when there is no root password set on the 
+    system, closes: #451241
+
+ -- Bdale Garbee <bdale@gag.com>  Fri, 28 Dec 2007 11:44:30 -0700
+
+sudo (1.6.9p9-1) unstable; urgency=low
+
+  * new upstream version
+  * debian/rules: configure a more informative default password prompt to 
+    reduce confusion when using sudo to invoke commands which also ask for 
+    passwords, closes: #343268
+  * auth/pam.c: don't use the PAM prompt if the user explicitly requested 
+    a custom prompt, closes: #448628.
+  * fix configure's ability to discover that libc has dirfd, closes: #451324
+  * make default editor be /usr/bin/vi instead of /usr/bin/editor, so that
+    the command 'visudo' invokes a vi variant by default as documented,
+    closes: #388659
+
+ -- Bdale Garbee <bdale@gag.com>  Mon, 03 Dec 2007 10:26:51 -0700
+
+sudo (1.6.9p6-1) unstable; urgency=low
+
+  * new upstream version, closes: #442815, #446146, #438699, #435768, #435314
+    closes: #434832, #434608, #430382
+  * eliminate the now-redundant init.d scripts, closes: #397090
+  * fix typo in TROUBLESHOOTING file, closes: #439624
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 24 Oct 2007 21:13:41 -0600
+
+sudo (1.6.8p12-6) unstable; urgency=low
+
+  * fix typos in visudo.pod relating to env_editor variable, closes: #418886
+  * have init.d touch directories in /var/run/sudo, not just files, as a 
+    followup to #330868.
+  * fix various typos in sudoers.pod, closes: #419749
+  * don't let Makefile strip binaries, closes: #438073
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 05 Sep 2007 11:26:58 +0100
+
+sudo (1.6.8p12-5) unstable; urgency=low
+
+  * update debian/copyright to reflect new upstream URL, closes: #368746
+  * add sandwich cartoon URL to the README.Debian
+  * don't remove sudoers on purge.  can cause problems when moving between
+    sudo and sudo-ldap.  leaving sudoers around on purge seems like the least
+    evil choice for now, closes: #401366
+  * also preserve XAPPLRESDIR, XFILESEARCHPATH, and XUSERFILESEARCHPATH,
+    closes: #374509
+  * accept patch that improves debian/rules from Ted Percival, closes: #382122
+  * no longer build with --with-exempt=sudo, provide an example entry in the
+    default sudoers file instead, closes: #296605
+  * add --with-devel to configure and augment build dependencies so that flex
+    and yacc files get re-generated on every build, closes: #316249
+
+ -- Bdale Garbee <bdale@gag.com>  Tue,  3 Apr 2007 21:48:45 -0600
+
+sudo (1.6.8p12-4) unstable; urgency=low
+
+  * patch from Petter Reinholdtsen for the LSB info block in the init.d
+    script, closes: #361055
+  * deliver sudoers sample again, closes: #361593
+
+ -- Bdale Garbee <bdale@gag.com>  Sat, 15 Apr 2006 01:38:04 -0600
+
+sudo (1.6.8p12-3) unstable; urgency=low
+
+  * force-feed configure knowledge of nroff's path so we get unformatted man
+    pages installed without build-depending on groff-base, closes: #360894
+  * add a reference to OPTIONS in the man page, closes: #186226
+
+ -- Bdale Garbee <bdale@gag.com>  Wed,  5 Apr 2006 17:53:13 -0700
+
+sudo (1.6.8p12-2) unstable; urgency=low
+
+  * fix typos in init scripts, closes: #346325
+  * update to debhelper compat level 5
+  * build depend on autotools-dev to ensure config.sub/guess are fresh
+  * accept patch from Martin Schulze developed for 1.6.8p7-1.4 in stable, and 
+    use it here as well.  Thanks to Martin and the debian-security team.
+    closes: #349196, #349549, #349587, #349729, #349129, #350776, #349085
+    closes: #315115, #315718, #203874
+    * Non-maintainer upload by the Security Team
+    * Reworked the former patch to limit environment variables from being
+      passed through, set env_reset as default instead [sudo.c, env.c,
+      sudoers.pod, Bug#342948, CVE-2005-4158]
+    * env_reset is now set by default
+    * env_reset will preserve only HOME, LOGNAME, PATH, SHELL, TERM,
+      DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER
+      (in addition to the SUDO_* variables)
+    * Rebuild sudoers.man.in from the POD file
+    * Added README.Debian
+  * patch from Alexander Zangerl to fix duplicated PATH issue, closes: #354431
+  * simplify rules file by using more of Makefile, despite having to override
+    default directories with more arguments to configure, closes: #292833
+  * update sudo man page to reflect use of SECURE_PATH, closes: #228551
+  * inconsistencies in sudoers man page resolved, closes: #220808, #161012
+  * patch from Jeroen van Wolffelaar to improve behavior when FQDNs are
+    unresolveable (requires adding bison as build dep), closes: #314949
+
+ -- Bdale Garbee <bdale@gag.com>  Sun,  2 Apr 2006 14:26:20 -0700
+
+sudo (1.6.8p12-1) unstable; urgency=low
+
+  * new upstream version, closes: #342948 (CVE-2005-4158)
+  * add env_reset to the sudoers file we create if none already exists,
+    as a further precaution in response to discussion about CVS-2005-4158
+  * split ldap support into a new sudo-ldap package.  I was trying to avoid
+    doing this, but the impact of going from 4 to 17 linked shlibs on the 
+    autobuilder chroots is sufficient motivation for me.
+    closes: #344034
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 28 Dec 2005 13:49:10 -0700
+
+sudo (1.6.8p9-4) unstable; urgency=low
+
+  * enable ldap support, deliver README.LDAP and sudoers2ldif, closes: #283231 
+  * merge patch from Martin Pitt / Ubuntu to be more robust about resetting
+    timestamps in the init.d script, closes: #330868
+  * add dependency header to init.d script, closes: #332849
+
+ -- Bdale Garbee <bdale@gag.com>  Sat, 10 Dec 2005 07:47:07 -0800
+
+sudo (1.6.8p9-3) unstable; urgency=high
+
+  * update debhelper compatibility level from 2 to 4
+  * add man page symlink for sudoedit
+  * Clean SHELLOPTS and PS4 from the environment before executing programs
+    with sudo permissions [env.c, CAN-2005-2959]
+  * fix typo in manpage pointed out by Moray Allen, closes: #285995
+  * fix paths in sample complex sudoers file, closes: #303542
+  * fix type in sudoers man page, closes: #311244
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 28 Sep 2005 01:18:04 -0600
+
+sudo (1.6.8p9-2) unstable; urgency=high
+
+  * merge the NMU fix for sudoedit symlink problem that was in 1.6.8p7-1.1,
+    closes: #305735
+
+ -- Bdale Garbee <bdale@gag.com>  Tue, 28 Jun 2005 16:18:47 -0400
+
+sudo (1.6.8p9-1) unstable; urgency=high
+
+  * new upstream version, fixes a race condition in sudo's pathname
+    validation, which is a security issue (CAN-2005-1993), 
+    closes: #315115, #315718
+
+ -- Bdale Garbee <bdale@gag.com>  Tue, 28 Jun 2005 15:33:11 -0400
+
+sudo (1.6.8p7-1) unstable; urgency=low
+
+  * new upstream version, closes: #299585
+  * update lintian overrides to squelch the postinst warning
+  * change sudoedit from a hard to a soft link, closes: #296896
+  * fix regex doc in sudoers man page, closes: #300361
+
+ -- Bdale Garbee <bdale@gag.com>  Sat, 26 Mar 2005 22:18:34 -0700
+
+sudo (1.6.8p5-1) unstable; urgency=high
+
+  * new upstream version
+  * restores ability to use config tuples without a value, which was causing
+    problems on upgrade closes: #283306
+  * deliver sudoedit, closes: #283078
+  * marking urgency high since 283306 is a serious upgrade incompatibility
+
+ -- Bdale Garbee <bdale@gag.com>  Fri,  3 Dec 2004 10:11:16 -0700
+
+sudo (1.6.8p3-2) unstable; urgency=high
+
+  * update pam.d deliverable so ldap works again, closes: #282191
+
+ -- Bdale Garbee <bdale@gag.com>  Mon, 22 Nov 2004 11:44:46 -0700
+
+sudo (1.6.8p3-1) unstable; urgency=high
+
+  * new upstream version, fixes a flaw in sudo's environment sanitizing that 
+    could allow a malicious user with permission to run a shell script that 
+    utilized the bash shell to run arbitrary commands, closes: #281665
+  * patch the sample sudoers to have the proper path for kill on Debian
+    systems, closes: #263486
+  * patch the sudo manpage to reflect Debian's choice of exempt_group 
+    default setting, closes: #236465
+  * patch the sudo manpage to reflect Debian's choice of no timeout on the
+    password prompt, closes: #271194
+
+ -- Bdale Garbee <bdale@gag.com>  Tue, 16 Nov 2004 23:23:41 -0700
+
+sudo (1.6.7p5-2) unstable; urgency=low
+
+  * Jeff Bailey reports that seteuid works on current sparc systems, so we
+    no longer need the "grosshack" stuff in the sudo rules file
+  * add a postrm that removes /etc/sudoers on purge.  don't do this with the
+    normal conffile mechanism since it would generate noise on every upgrade,
+    closes: #245405
+
+ -- Bdale Garbee <bdale@gag.com>  Tue, 20 Jul 2004 12:29:48 -0400
+
+sudo (1.6.7p5-1) unstable; urgency=low
+
+  * new upstream version, closes: #190265, #193222, #197244
+  * change from '.' to ':' in postinst chown call, closes: #208369
+
+ -- Bdale Garbee <bdale@gag.com>  Tue,  2 Sep 2003 21:27:06 -0600
+
+sudo (1.6.7p3-2) unstable; urgency=low
+
+  * add --disable-setresuid to configure call since 2.2 kernels don't support
+    setresgid, closes: #189044
+  * cosmetic cleanups to debian/rules as long as I'm there
+
+ -- Bdale Garbee <bdale@gag.com>  Tue, 15 Apr 2003 16:04:48 -0600
+
+sudo (1.6.7p3-1) unstable; urgency=low
+
+  * new upstream version
+  * add overrides to quiet lintian about things it doesn't understand,
+    except the source one that can't be overridden until 129510 is fixed
+
+ -- Bdale Garbee <bdale@gag.com>  Mon,  7 Apr 2003 17:34:05 -0600
+
+sudo (1.6.6-3) unstable; urgency=low
+
+  * add code to rules file to update config.sub/guess, closes: #164501
+
+ -- Bdale Garbee <bdale@gag.com>  Sat, 12 Oct 2002 15:35:22 -0600
+
+sudo (1.6.6-2) unstable; urgency=low
+
+  * adopt suggestion from Marcus Brinkmann to feed --with-sendmail option to
+    configure, and lose the build dependency on mail-transport-agent
+  * incorporate changes from LaMont's NMU, closes: #144665, #144737
+  * update init.d to not try and set time on nonexistent timestamp files, 
+    closes: #132616
+  * build with --with-all-insults, admin must edit sudoers to turn insults 
+    on at runtime if desired, closes: #135374
+  * stop setting /usr/doc symlink in postinst
+
+ -- Bdale Garbee <bdale@gag.com>  Sat, 12 Oct 2002 01:54:24 -0600
+
+sudo (1.6.6-1.1) unstable; urgency=high
+
+  * NMU - patch from Colin Watson <cjwatson@debian.org>, in bts.
+  * Revert patch to auth/pam.c that left pass uninitialized, causing a
+    segfault (Closes: #144665).
+
+ -- LaMont Jones <lamont@debian.org>  Fri, 26 Apr 2002 22:36:04 -0600
+
+sudo (1.6.6-1) unstable; urgency=high
+
+  * new upstream version, fixes security problem with crafty prompts, 
+    closes: #144540
+
+ -- Bdale Garbee <bdale@gag.com>  Thu, 25 Apr 2002 12:45:49 -0600
+
+sudo (1.6.5p1-4) unstable; urgency=high
+
+  * apply patch for auth/pam.c to fix yet another way to make sudo segfault
+    if ctrl/C'ed at password prompt, closes: #131235
+
+ -- Bdale Garbee <bdale@gag.com>  Sun,  3 Mar 2002 23:18:56 -0700
+
+sudo (1.6.5p1-3) unstable; urgency=high
+
+  * ugly hack to add --disable-saved-ids when building on sparc in response 
+    to 131592, which will be reassigned to glibc for a real fix
+  * urgency high since the sudo currently in testing for sparc is worthless
+
+ -- Bdale Garbee <bdale@gag.com>  Sun, 17 Feb 2002 22:42:10 -0700
+
+sudo (1.6.5p1-2) unstable; urgency=high
+
+  * patch from upstream to fix seg faults caused by versions of pam that
+    follow a NULL pointer, closes: #129512
+
+ -- Bdale Garbee <bdale@gag.com>  Tue, 22 Jan 2002 01:50:13 -0700
+
+sudo (1.6.5p1-1) unstable; urgency=high
+
+  * new upstream version
+  * add --disable-root-mailer option supported by new version to configure 
+    call in rules file, closes: #129648
+
+ -- Bdale Garbee <bdale@gag.com>  Fri, 18 Jan 2002 11:29:37 -0700
+
+sudo (1.6.4p1-1) unstable; urgency=high
+
+  * new upstream version, with fix for segfaulting problem in 1.6.4
+
+ -- Bdale Garbee <bdale@gag.com>  Mon, 14 Jan 2002 20:09:46 -0700
+
+sudo (1.6.4-1) unstable; urgency=high
+
+  * new upstream version, includes an important security fix, closes: #127576
+
+ -- Bdale Garbee <bdale@gag.com>  Mon, 14 Jan 2002 09:35:48 -0700
+
+sudo (1.6.3p7-5) unstable; urgency=low
+
+  * only touch /var/run/sudo/* if /var/run/sudo is there, closes: #126872
+  * fix spelling error in init.d, closes: #126847
+
+ -- Bdale Garbee <bdale@gag.com>  Sat, 29 Dec 2001 11:21:43 -0700
+
+sudo (1.6.3p7-4) unstable; urgency=medium
+
+  * use touch to set status files to an ancient date instead of removing them
+    outright on reboot.  this achieves the desired effect of keeping elevated 
+    privs from living across reboots, without forcing everyone to see the 
+    new-sudo-user lecture after every reboot.  pick a time that's 'old enough'
+    for systems with good clocks, and 'recent enough' that broken PC hardware
+    setting the clock to commonly-seen bogus dates trips over the "don't trust
+    future timestamps" rule.  closes: #76529, #123559
+  * apply patch from Steve Langasek to fix seg faults due to interaction with
+    PAM code.  upstream confirms the problem, and says they're fixing this 
+    differently for their next release... but this should be useful in the 
+    meantime, and would be good to get into woody.  closes: #119147
+  * only run the init.d at boot, not on each runlevel change... and don't run
+    it during package configure.  closes: #125935
+  * add DEB_BUILD_OPTIONS support to rules file, closes: #94952
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 26 Dec 2001 12:40:44 -0700
+
+sudo (1.6.3p7-3) unstable; urgency=low
+
+  * apply patch from Fumitoshi UKAI that fixes segfaults when hostname not 
+    resolvable, closes: #86062, #69430, #77852, #82744, #55716, #56718,
+  * fix a typo in the manpage, closes: #97368
+  * apply patch to configure.in and run autoconf to fix problem building on
+    the hurd, closes: #96325
+  * add an init.d to clean out /var/run/sudo at boot, so privs are guaranteed
+    to not last across reboots, closes: #76529
+  * clean up lintian-noticed cosmetic packaging issues
+
+ -- Bdale Garbee <bdale@gag.com>  Sat,  1 Dec 2001 02:59:52 -0700
+
+sudo (1.6.3p7-2) unstable; urgency=low
+
+  * update config.sub/guess for hppa support
+
+ -- Bdale Garbee <bdale@gag.com>  Sun, 22 Apr 2001 23:23:42 -0600
+
+sudo (1.6.3p7-1) unstable; urgency=low
+
+  * new upstream version
+  * add build dependency on mail-transport-agent, closes: #90685
+
+ -- Bdale Garbee <bdale@gag.com>  Thu, 12 Apr 2001 17:02:42 -0600
+
+sudo (1.6.3p6-1) unstable; urgency=high
+
+  * new upstream version, fixes buffer overflow problem, 
+    closes: #87259, #87278, #87263
+  * revert to using --with-secure-path option at build time, since the option
+    available in sudoers is parsed too late to be useful, and upstream says
+    it won't get fixed quickly.  This reopens 85123, which I will mark as
+    forwarded.  Closes: #86199, #86117, #85676
+
+ -- Bdale Garbee <bdale@gag.com>  Mon, 26 Feb 2001 11:02:51 -0700
+
+sudo (1.6.3p5-2) unstable; urgency=low
+
+  * lose the dh_suidregister call since it's obsolete
+  * stop using the --with-secure-path option at build time, and instead show
+    how to set it in sudoers.  Closes: #85123
+  * freshen config.sub and config.guess for ia64 and hppa
+  * update sudoers man page to indicate exempt_group is on by default, 
+    closes: #70847
+
+ -- Bdale Garbee <bdale@gag.com>  Sat, 10 Feb 2001 02:05:17 -0700
+
+sudo (1.6.3p5-1) unstable; urgency=low
+
+  * new upstream version, closes: #63940, #59175, #61817, #64652, #65743
+  * this version restores core dumps before the exec, while leaving them
+    disabled during sudo's internal execution, closes: #58289
+  * update debhelper calls in rules file
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 16 Aug 2000 00:13:15 -0600
+
+sudo (1.6.2p2-1) frozen unstable; urgency=medium
+
+  * new upstream source resulting from direct collaboration with the upstream
+    author to fix ugly pam-related problems on Debian in 1.6.1 and later.
+    Closes: #56129, #55978, #55979, #56550, #56772
+  * include more upstream documentation, closes: #55054
+  * pam.d fragment update, closes: #56129
+
+ -- Bdale Garbee <bdale@gag.com>  Sun, 27 Feb 2000 11:48:48 -0700
+
+sudo (1.6.1-1) unstable; urgency=low
+
+  * new upstream source, closes: #52750
+
+ -- Bdale Garbee <bdale@gag.com>  Fri,  7 Jan 2000 21:01:42 -0700
+
+sudo (1.6-2) unstable; urgency=low
+
+  * drop suidregister support for this package.  The sudo executable is 
+    essentially worthless unless it is setuid root, and making suidregister
+    work involves shipping a non-setuid executable in the .deb and setting the
+    perms in the postinst.  On a long upgrade run, this can leave the sudo
+    executable 'broken' for a long time, which is unacceptable.  With this
+    version, we ship the executable setuid root in the .deb.  Closes: #51742
+
+ -- Bdale Garbee <bdale@gag.com>  Wed,  1 Dec 1999 19:59:44 -0700
+
+sudo (1.6-1) unstable; urgency=low
+
+  * new upstream version, many options previously set at compile-time are now
+    configurable at runtime.  
+    Closes: #39255, #20996, #29812, #50705, #49148, #48435, #47190, #45639
+  * FHS support
+
+ -- Bdale Garbee <bdale@gag.com>  Tue, 23 Nov 1999 16:51:22 -0700
+
+sudo (1.5.9p4-1) unstable; urgency=low
+
+  * new upstream version, closes: #43464
+  * empty password handling was fixed in 1.5.8, closes: #31863
+
+ -- Bdale Garbee <bdale@gag.com>  Thu, 26 Aug 1999 00:00:57 -0600
+
+sudo (1.5.9p1-1) unstable; urgency=low
+
+  * new upstream version
+
+ -- Bdale Garbee <bdale@gag.com>  Thu, 15 Apr 1999 22:43:29 -0600
+
+sudo (1.5.8p1-1) unstable; urgency=medium
+
+  * new upstream version, closes 33690
+  * add dependency on libpam-modules, closes 34215, 33432
+
+ -- Bdale Garbee <bdale@gag.com>  Mon,  8 Mar 1999 10:27:42 -0700
+
+sudo (1.5.7p4-2) unstable; urgency=medium
+
+  * update the pam fragment provided so that sudo works with latest pam bits,
+    closes 33432
+
+ -- Bdale Garbee <bdale@gag.com>  Sun, 21 Feb 1999 00:22:44 -0700
+
+sudo (1.5.7p4-1) unstable; urgency=low
+
+  * new upstream release
+
+ -- Bdale Garbee <bdale@gag.com>  Sun, 27 Dec 1998 16:13:53 -0700               
+
+sudo (1.5.6p5-1) unstable; urgency=low
+
+  * new upstream patch release
+  * add PAM support, closes 28594
+
+ -- Bdale Garbee <bdale@gag.com>  Mon,  2 Nov 1998 00:00:24 -0700               
+
+sudo (1.5.6p2-2) unstable; urgency=low
+
+  * update copyright file, closes 24136
+  * review and close forwarded bugs believed fixed in this upstream version,
+    closes 17606, 15786.
+
+ -- Bdale Garbee <bdale@gag.com>  Mon,  5 Oct 1998 22:30:43 -0600               
+
+sudo (1.5.6p2-1) unstable; urgency=low
+
+  * new upstream release
+
+ -- Bdale Garbee <bdale@gag.com>  Mon,  5 Oct 1998 22:30:43 -0600               
+
+sudo (1.5.4-4) frozen unstable; urgency=low
+
+  * update postinst to use groupadd, closes 21403
+  * move the suidregister stuff earlier in postinst to ensure it always runs
+
+ -- Bdale Garbee <bdale@gag.com>  Sun, 19 Apr 1998 22:07:45 -0600               
+
+sudo (1.5.4-3) frozen unstable; urgency=low
+
+  * change /etc/sudoers from a conffile to being handled in postinst, 
+    closes 18219
+  * add suidmanager support, closes 15711
+  * add '-Wno-comment' to quiet warnings from gcc upstream maintainer is
+    unlikely to ever fix, and which just don't matter.  closes 17146
+  * fix FSF address in copyright file, and submit exception for lintian
+    warning about sudo being setuid root
+
+ -- Bdale Garbee <bdale@gag.com>  Thu,  9 Apr 1998 23:59:11 -0600               
+
+sudo (1.5.4-2) unstable; urgency=high
+ 
+  * patch from upstream author correcting/improving security fix
+  
+ -- Bdale Garbee <bdale@gag.com>  Tue, 13 Jan 1998 10:39:35 -0700               
+
+sudo (1.5.4-1) unstable; urgency=high
+
+  * new upstream version, includes a security fix
+  * change default editor from /bin/ae to /usr/bin/editor
+
+ -- Bdale Garbee <bdale@gag.com>  Mon, 12 Jan 1998 23:36:41 -0700
+
+sudo (1.5.3-1) unstable; urgency=medium
+
+  * new upstream version, closes bug 15911.
+  * rules file reworked to use debhelper
+  * implement a really gross hack to force use of the sudo-provided 
+    lsearch(), since the one in libc6 is broken!  This closes bugs
+    12552, 12557, 14881, 15259, 15916.  
+
+ -- Bdale Garbee <bdale@gag.com>  Sat,  3 Jan 1998 20:39:23 -0700
+
+sudo (1.5.2-6) unstable; urgency=LOW
+
+  * don't install INSTALL in the doc directory, closes bug 13195.
+
+ -- Bdale Garbee <bdale@gag.com>  Sun, 21 Sep 1997 17:10:40 -0600
+
+sudo (1.5.2-5) unstable; urgency=LOW
+
+  * libc6
+
+ -- Bdale Garbee <bdale@gag.com>  Fri,  5 Sep 1997 00:06:22 -0600
+
+sudo (1.5.2-4) unstable; urgency=LOW
+
+  * change TIMEOUT (how long before you have to type your password again)
+    to 15 mins, disable PASSWORD_TIMEOUT.  This makes building large Debian
+    packages on slower machines much more tolerable.  Closes bug 9076.
+  * touch debian/suid before debstd.  Closes bug 8709.
+
+ -- Bdale Garbee <bdale@gag.com>  Sat, 26 Apr 1997 00:48:01 -0600
+
+sudo (1.5.2-3) frozen unstable; urgency=LOW
+
+  * patch from upstream maintainer to close Bug 6828
+  * add a debian/suid file to get debstd to leave my perl postinst alone
+
+ -- Bdale Garbee <bdale@gag.com>  Fri, 11 Apr 1997 23:09:55 -0600
+
+sudo (1.5.2-2) frozen unstable; urgency=LOW
+
+  * change rules to use -O2 -Wall as per standards
+
+ -- Bdale Garbee <bdale@gag.com>  Sun, 6 Apr 1997 12:48:53 -0600
+
+sudo (1.5.2-1) unstable; urgency=LOW
+
+  * new upstream version
+  * cosmetic changes to debian package control files
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 30 Oct 1996 09:50:00 -0700
+
+sudo (1.5-2) unstable; urgency=LOW
+
+  * add /usr/X11R6/bin to the end of the secure path... this makes it
+    much easier to run xmkmf, etc., during package builds.  To the extent
+    that /usr/local/sbin and /usr/local/bin were already included, I see
+    no security reasons not to add this.
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 30 Oct 1996 09:44:58 -0700
+
+sudo (1.5-1) unstable; urgency=LOW
+
+  * New upstream version
+  * New maintainer
+  * New packaging format
+
+ -- Bdale Garbee <bdale@gag.com>  Thu, 29 Aug 1996 11:44:22 +0200
+
+Tue Mar  5 09:36:41 MET 1996 Michael Meskes <meskes@informatik.rwth-aachen.de>
+
+        sudo (1.4.1-1):
+
+        * hard code SECURE_PATH to:
+               "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+       * enable ENV_EDITOR
+
+       * enabled EXEMPTGROUP "sudo"
+
+       * moved timestamp dir to /var/log/sudo
+
+       * changed parser to check for long and short filenames (Bug#1162)
+
+Wed Apr 17 13:03:31 MET DST 1996 Michael Meskes <meskes@informatik.rwth-aachen.de>
+
+        sudo (1.4.2-1):
+
+       * New upstream source
+
+       * Fixed postinst script
+               (thanks to Peter Tobis <tobias@et-inf.fho-emden.de>)
+
+       * Removed special shadow binary. This version works with and without
+         shadow password file.
+
+Mon May 20 09:35:22 MET DST 1996 Michael Meskes <meskes@debian.org>
+
+        sudo (1.4.2-2):
+
+       * Corrected editor path to /bin/ae (Bug#3062)
+
+       * Set file permission to 4755 for sudo and 755 for visudo (Bug#3063)
+
+Mon Jun 17 12:06:41 MET DST 1996 Michael Meskes <meskes@debian.org>
+
+        sudo (1.4.3-1):
+
+       * New upstream version
+
+       * Changed sudoers permission to 440 (owner root, group root) to make
+         sudo usable via NFS
+
+Wed Jun 19 10:56:54 MET DST 1996 Michael Meskes <meskes@debian.org>
+
+        sudo (1.4.3-2):
+
+       * Applied upstream patch 1
+
+Thu Jun 20 09:02:57 MET DST 1996 Michael Meskes <meskes@debian.org>
+
+        sudo (1.4.3-3):
+
+        * Applied upstream patch 2
+
+Fri Jun 28 12:49:40 MET DST 1996 Michael Meskes <meskes@debian.org>
+
+        sudo (1.4.3-4):
+
+        * Applied upstream patch 3 (fixes problems with an NFS-mounted
+          sudoers file)
+
+
+Sun Jun 30 13:02:44 MET DST 1996 Michael Meskes <meskes@debian.org>
+
+        sudo (1.4.3-5):
+
+       * Corrected postinst to use /usr/bin/perl instead of /bin/perl
+         [Reported by jdassen@wi.leidenuniv.nl (J.H.M.Dassen)]
+
+Wed Jul 10 12:44:33 MET DST 1996 Michael Meskes <meskes@debian.org>
+
+        sudo (1.4.3-6):
+
+       * Applied upstream patch 4 (fixes several bugs)
+
+       * Changed priority to optional
+
+Thu Jul 11 19:23:52 MET DST 1996 Michael Meskes <meskes@debian.org>
+
+        sudo (1.4.3-7):
+
+       * Corrected postinst to create correct permission for /etc/sudoers
+         (Bug#3749)
+
+Fri Aug  2 10:50:53 MET DST 1996 Michael Meskes <meskes@debian.org>
+
+        sudo (1.4.4-1):
+
+       * New upstream version
+
+
+sudo (1.4.4-2) admin; urgency=HIGH
+
+       * Fixed major security bug reported by Peter Tobias
+         <tobias@et-inf.fho-emden.de>
+       * Added dchanges support to debian.rules
+
+sudo (1.4.5-1) admin; urgency=LOW
+
+       * New upstream version
+       * Minor changes to debian.rules

diff --git a/debian/compat b/debian/compat
new file mode 100644 (file)
index 0000000..7ed6ff8
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+5

diff --git a/debian/control b/debian/control
new file mode 100644 (file)
index 0000000..97a3f96
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,36 @@
+Source: sudo
+Section: admin
+Priority: optional
+Maintainer: Bdale Garbee <bdale@gag.com>
+Build-Depends: debhelper (>= 7), libpam0g-dev, libldap2-dev, libsasl2-dev, autotools-dev, bison, flex
+Standards-Version: 3.9.1
+Vcs-Git: git://git.gag.com/debian/sudo
+Vcs-Browser: http://git.gag.com/?p=debian/sudo
+
+Package: sudo
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-modules
+Conflicts: sudo-ldap
+Replaces: sudo-ldap
+Description: Provide limited super user privileges to specific users
+ Sudo is a program designed to allow a sysadmin to give limited root
+ privileges to users and log root activity.  The basic philosophy is to give
+ as few privileges as possible but still allow people to get their work done.
+ .
+ This version is built with minimal shared library dependencies, use the
+ sudo-ldap package instead if you need LDAP support for sudoers.
+
+Package: sudo-ldap
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-modules
+Conflicts: sudo
+Replaces: sudo
+Provides: sudo
+Description: Provide limited super user privileges to specific users
+ Sudo is a program designed to allow a sysadmin to give limited root
+ privileges to users and log root activity.  The basic philosophy is to give
+ as few privileges as possible but still allow people to get their work done.
+ .
+ This version is built with LDAP support, which allows an equivalent of the
+ sudoers database to be distributed via LDAP.  Authentication is still 
+ performed via pam.

diff --git a/debian/copyright b/debian/copyright
new file mode 100644 (file)
index 0000000..8e76500
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,57 @@
+This is the Debian GNU/Linux prepackaged version of sudo.  sudo is
+used to provide limited super user privileges to specific users.
+
+Bdale Garbee <bdale@gag.com> maintains this package using sources from 
+
+       http://www.sudo.ws/
+
+Sudo is distributed under the following ISC-style license:
+
+   Copyright (c) 1994-1996, 1998-2008
+        Todd C. Miller <Todd.Miller@courtesan.com>
+
+   Permission to use, copy, modify, and distribute this software for any
+   purpose with or without fee is hereby granted, provided that the above
+   copyright notice and this permission notice appear in all copies.
+
+   THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+   WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+   MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+   ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+   Sponsored in part by the Defense Advanced Research Projects
+   Agency (DARPA) and Air Force Research Laboratory, Air Force
+   Materiel Command, USAF, under agreement number F39502-99-1-0512.
+
+Additionally, fnmatch.c, fnmatch.h, getcwd.c, glob.c, glob.h and snprintf.c
+bear the following UCB license:
+
+   Copyright (c) 1987, 1989, 1990, 1991, 1992, 1993, 1994
+        The Regents of the University of California.  All rights reserved.
+
+   Redistribution and use in source and binary forms, with or without
+   modification, are permitted provided that the following conditions
+   are met:
+   1. Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+   2. Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+   3. Neither the name of the University nor the names of its contributors
+      may be used to endorse or promote products derived from this software
+      without specific prior written permission.
+
+   THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+   ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+   IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+   ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+   FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+   DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+   OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+   HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+   LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+   OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+   SUCH DAMAGE.

diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644 (file)
index 0000000..9510689
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,46 @@
+# Configuration file for git-buildpackage and friends
+
+[DEFAULT]
+# the default build command:
+#builder = debuild -i\.git/ -I.git
+# the default clean command:
+#cleaner = debuild clean
+# the default branch for upstream sources:
+upstream-branch = upstream
+# the default branch for the debian patch:
+debian-branch = master
+# the default tag formats used:
+#upstream-tag = upstream/%(version)s
+#debian-tag = debian/%(version)s
+# use pristine-tar:
+pristine-tar = True
+
+# Options only affecting git-buildpackage
+[git-buildpackage]
+#upstream-branch = dfsgclean
+# uncomment this to automatically GPG sign tags
+#sign-tags = True
+# keyid to GPG sign tags with
+#keyid = 0xdeadbeef
+# push to a remote repository after a successful tag: 
+posttag = git push --mirror
+# use this for more svn-buildpackage like behaviour:
+export-dir = ../build-area/sudo/
+#tarball-dir = ../tarballs/
+
+# Options only affecting git-import-orig
+[git-import-orig]
+#upstream-branch = newupstream
+#debian-branch = dfsgclean
+#filter = .svn
+
+# Options only affecting git-import-dsc
+[git-import-dsc]
+#upstream-branch = svn-upstream
+#filter = [ 'CVS', '.cvsignore' ]
+
+# Options only affecting git-dch
+[git-dch]
+#git-log = --no-merges
+#snapshot-number = snapshot + 1
+

diff --git a/debian/patches/env.c-safety.diff b/debian/patches/env.c-safety.diff
new file mode 100644 (file)
index 0000000..034dfdb
--- /dev/null
+++ b/debian/patches/env.c-safety.diff
@@ -0,0 +1,65 @@
+--- /home/bdale/Desktop/sudo-1.7.2p1/env.c     2009-06-23 12:24:42.000000000 -0600
++++ sudo/env.c 2009-11-20 07:31:58.000000000 -0700
+@@ -120,6 +120,8 @@
+ static const char *initial_badenv_table[] = {
+     "IFS",
+     "CDPATH",
++    "SHELLOPTS",
++    "PS4",
+     "LOCALDOMAIN",
+     "RES_OPTIONS",
+     "HOSTALIASES",
+@@ -602,6 +604,17 @@
+           if (keepit == -1)
+               keepit = matches_env_keep(*ep);
+ 
++          if (!strncmp (*ep, "DISPLAY=",8)
++              || !strncmp (*ep, "XAUTHORITY=", 11)
++              || !strncmp (*ep, "XAUTHORIZATION=", 15)
++              || !strncmp (*ep, "XAPPLRESDIR=", 12)
++              || !strncmp (*ep, "XFILESEARCHPATH=", 16)
++              || !strncmp (*ep, "XUSERFILESEARCHPATH=", 20)
++              || !strncmp (*ep, "LANG=", 5)
++              || !strncmp (*ep, "LANGUAGE=", 9)
++              || !strncmp (*ep, "LC_", 3))
++            keepit = 1;
++
+           /* For SUDO_PS1 -> PS1 conversion. */
+           if (strncmp(*ep, "SUDO_PS1=", 8) == 0)
+               ps1 = *ep + 5;
+--- tmp/sudoers.pod    2010-03-11 12:28:58.000000000 -0700
++++ sudo/sudoers.pod   2010-03-11 12:29:58.000000000 -0700
+@@ -1227,6 +1227,9 @@
+ 
+ =item env_delete
+ 
++Not effective due to security issues: only variables listed in 
++I<env_keep> or I<env_check> can be passed through B<sudo>!
++
+ Environment variables to be removed from the user's environment
+ when the I<env_reset> option is not in effect.  The argument may
+ be a double-quoted, space-separated list or a single value without
+@@ -1240,8 +1243,8 @@
+ 
+ =item env_keep
+ 
+-Environment variables to be preserved in the user's environment
+-when the I<env_reset> option is in effect.  This allows fine-grained
++Environment variables to be preserved in the user's environment.
++This allows fine-grained
+ control over the environment B<sudo>-spawned processes will receive.
+ The argument may be a double-quoted, space-separated list or a
+ single value without double-quotes.  The list can be replaced, added
+--- a/sudo.pod
++++ b/sudo.pod
+@@ -456,8 +456,8 @@ and, as such, it is not possible for B<sudo> to preserve them.
+ To prevent command spoofing, B<sudo> checks "." and "" (both denoting
+ current directory) last when searching for a command in the user's
+ PATH (if one or both are in the PATH).  Note, however, that the
+-actual C<PATH> environment variable is I<not> modified and is passed
+-unchanged to the program that B<sudo> executes.
++C<PATH> environment variable is further modified in Debian because of
++the use of the I<SECURE_PATH> build option.
+ 
+ B<sudo> will check the ownership of its time stamp directory
+ (F<@timedir@> by default) and ignore the directory's contents if

diff --git a/debian/patches/hurd-have-getutid.diff b/debian/patches/hurd-have-getutid.diff
new file mode 100644 (file)
index 0000000..f6968dc
--- /dev/null
+++ b/debian/patches/hurd-have-getutid.diff
@@ -0,0 +1,35 @@
+diff --git a/boottime.c b/boottime.c
+index f75af3e..843aeca 100644
+--- a/boottime.c
++++ b/boottime.c
+@@ -47,6 +47,14 @@
+ # include <sys/sysctl.h>
+ #endif
+ 
++/* Must be included above "compat.h"!!  */
++#if defined(HAVE_GETUTXID)
++#include <utmpx.h>
++#elif defined(HAVE_GETUTID)
++#include <utmp.h>
++#else
++#endif
++
+ #include "compat.h"
+ #include "missing.h"
+ 
+@@ -102,7 +110,6 @@ get_boottime(tv)
+ 
+ #elif defined(HAVE_GETUTXID)
+ 
+-#include <utmpx.h>
+ int
+ get_boottime(tv)
+     struct timeval *tv;
+@@ -121,7 +128,6 @@ get_boottime(tv)
+ 
+ #elif defined(HAVE_GETUTID)
+ 
+-#include <utmp.h>
+ int
+ get_boottime(tv)
+     struct timeval *tv;

diff --git a/debian/patches/paths-in-samples.diff b/debian/patches/paths-in-samples.diff
new file mode 100644 (file)
index 0000000..89d4d62
--- /dev/null
+++ b/debian/patches/paths-in-samples.diff
@@ -0,0 +1,38 @@
+--- /home/bdale/Desktop/sudo-1.7.2p1/sample.sudoers    2008-10-03 13:55:57.000000000 -0600
++++ sudo/sample.sudoers        2009-11-20 07:31:58.000000000 -0700
+@@ -46,8 +46,8 @@
+ # Cmnd alias specification
+ ##
+ Cmnd_Alias    DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
+-                      /usr/sbin/rrestore, /usr/bin/mt
+-Cmnd_Alias    KILL = /usr/bin/kill
++                      /usr/sbin/rrestore, /bin/mt
++Cmnd_Alias    KILL = /bin/kill
+ Cmnd_Alias    PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+ Cmnd_Alias    SHUTDOWN = /usr/sbin/shutdown
+ Cmnd_Alias    HALT = /usr/sbin/halt
+@@ -85,7 +85,7 @@
+               sudoedit /etc/printcap, /usr/oper/bin/
+ 
+ # joe may su only to operator
+-joe           ALL = /usr/bin/su operator
++joe           ALL = /bin/su operator
+ 
+ # pete may change passwords for anyone but root on the hp snakes
+ pete          HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+@@ -99,13 +99,13 @@
+ 
+ # users in the secretaries netgroup need to help manage the printers
+ # as well as add and remove users
+-+secretaries  ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+++secretaries  ALL = PRINTING, /usr/sbin/adduser, /usr/bin/rmuser
+ 
+ # fred can run commands as oracle or sybase without a password
+ fred          ALL = (DB) NOPASSWD: ALL
+ 
+ # on the alphas, john may su to anyone but root and flags are not allowed
+-john          ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
++john          ALPHA = /bin/su [!-]*, !/bin/su *root*
+ 
+ # jen can run anything on all machines except the ones
+ # in the "SERVERS" Host_Alias

diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644 (file)
index 0000000..ba3c21b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,4 @@
+typo-in-classic-insults.diff
+env.c-safety.diff
+paths-in-samples.diff
+hurd-have-getutid.diff

diff --git a/debian/patches/typo-in-classic-insults.diff b/debian/patches/typo-in-classic-insults.diff
new file mode 100644 (file)
index 0000000..7a7f219
--- /dev/null
+++ b/debian/patches/typo-in-classic-insults.diff
@@ -0,0 +1,11 @@
+--- /home/bdale/Desktop/sudo-1.7.2p1/ins_classic.h     2004-02-13 14:36:43.000000000 -0700
++++ sudo/ins_classic.h 2009-11-20 07:31:58.000000000 -0700
+@@ -32,7 +32,7 @@
+     "Where did you learn to type?",
+     "Are you on drugs?",
+     "My pet ferret can type better than you!",
+-    "You type like i drive.",
++    "You type like I drive.",
+     "Do you think like you type?",
+     "Your mind just hasn't been the same since the electro-shock, has it?",
+ 

diff --git a/debian/rules b/debian/rules
new file mode 100755 (executable)
index 0000000..2f665ff
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,153 @@
+#!/usr/bin/make -f
+
+export DH_VERBOSE=1
+
+CFLAGS = -Wall -Wno-comment -g
+ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
+    CFLAGS += -O0
+else
+    CFLAGS += -O2
+endif
+export CFLAGS
+
+configure: configure-stamp
+configure-stamp:
+       dh_testdir
+       cp -f /usr/share/misc/config.sub config.sub
+       cp -f /usr/share/misc/config.guess config.guess
+
+       # simple version
+       mkdir -p build-simple
+       cd build-simple && NROFFPROG=/usr/bin/nroff $(CURDIR)/configure \
+               --prefix=/usr -v \
+               --with-all-insults \
+               --with-devel \
+               --with-pam \
+               --with-fqdn \
+               --with-logging=syslog \
+               --with-logfac=authpriv \
+               --with-env-editor \
+               --with-editor=/usr/bin/editor \
+               --with-timeout=15 \
+               --with-password-timeout=0 \
+               --with-passprompt="[sudo] password for %p: " \
+               --with-timedir=/var/lib/sudo \
+               --disable-root-mailer \
+               --disable-setresuid \
+               --with-sendmail=/usr/sbin/sendmail \
+               --mandir=/usr/share/man \
+               --libexecdir=/usr/lib/sudo \
+               --with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin"
+
+       # LDAP version
+       mkdir -p build-ldap
+       cd build-ldap && NROFFPROG=/usr/bin/nroff $(CURDIR)/configure \
+               --prefix=/usr -v \
+               --with-all-insults \
+               --with-devel \
+               --with-pam \
+               --with-ldap \
+               --with-fqdn \
+               --with-logging=syslog \
+               --with-logfac=authpriv \
+               --with-env-editor \
+               --with-editor=/usr/bin/editor \
+               --with-timeout=15 \
+               --with-password-timeout=0 \
+               --with-passprompt="[sudo] password for %p: " \
+               --disable-root-mailer \
+               --disable-setresuid \
+               --with-sendmail=/usr/sbin/sendmail \
+               --with-ldap-conf-file=/etc/sudo-ldap.conf \
+               --mandir=/usr/share/man \
+               --libexecdir=/usr/lib/sudo \
+               --with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin"
+
+       touch configure-stamp
+
+build: build-stamp
+build-stamp: configure-stamp
+       dh_testdir
+
+       # ensure our pod changes get picked up
+       $(MAKE) sudoers.man.in sudo.man.in visudo.man.in
+
+       $(MAKE) -C build-simple
+       $(MAKE) -C build-ldap
+
+       touch build-stamp
+
+clean:
+       dh_testdir
+       dh_testroot
+       rm -f configure-stamp build-stamp
+       rm -rf build-simple build-ldap
+       rm -f config.cache
+       dh_clean
+
+install: build-stamp
+       dh_testdir
+       dh_testroot
+       dh_prep
+       dh_installdirs
+
+       $(MAKE) -C build-simple install DESTDIR=$(CURDIR)/debian/sudo
+       $(MAKE) -C build-ldap   install DESTDIR=$(CURDIR)/debian/sudo-ldap
+
+       # remove stuff we don't want
+       rm -f   debian/sudo*/etc/sudoers \
+               debian/sudo*/usr/share/doc/sudo/LICENSE* \
+               debian/sudo*/usr/share/doc/sudo/ChangeLog
+
+       # move upstream-installed docs to the right place for ldap package
+       mv      debian/sudo-ldap/usr/share/doc/sudo/* \
+               debian/sudo-ldap/usr/share/doc/sudo-ldap/
+       rmdir   debian/sudo-ldap/usr/share/doc/sudo
+
+       # and install things we do want that make install doesn't know about
+       install -o root -g root -m 0644 debian/sudo.pam \
+               debian/sudo/etc/pam.d/sudo
+       install -o root -g root -m 0644 debian/sudo.pam \
+               debian/sudo-ldap/etc/pam.d/sudo
+
+       install -o root -g root -m 0644 debian/sudo.lintian \
+               debian/sudo/usr/share/lintian/overrides/sudo
+       install -o root -g root -m 0644 debian/sudo-ldap.lintian \
+               debian/sudo-ldap/usr/share/lintian/overrides/sudo-ldap
+
+       install -o root -g root -m 0440 debian/sudoers \
+               debian/sudo/etc/sudoers
+       install -o root -g root -m 0440 debian/sudoers \
+               debian/sudo-ldap/etc/sudoers
+
+       install -o root -g root -m 0440 debian/README \
+               debian/sudo/etc/sudoers.d/README
+       install -o root -g root -m 0440 debian/README \
+               debian/sudo-ldap/etc/sudoers.d/README
+
+binary-indep: build install
+
+binary-arch: build install
+       dh_testdir
+       dh_testroot
+       dh_installdocs -A
+       dh_installexamples -A sample.sudoers
+       dh_installinit -psudo -psudo-ldap --name=sudo
+       dh_installman -A
+       dh_installinfo -A
+       dh_installchangelogs ChangeLog 
+       dh_strip
+       dh_compress
+       dh_fixperms
+       chown root.root debian/sudo/usr/bin/sudo debian/sudo-ldap/usr/bin/sudo
+       chmod 4755 debian/sudo/usr/bin/sudo debian/sudo-ldap/usr/bin/sudo
+       chmod 0440      debian/sudo/etc/sudoers.d/README \
+                       debian/sudo-ldap/etc/sudoers.d/README
+       dh_installdeb
+       dh_shlibdeps
+       dh_gencontrol
+       dh_md5sums
+       dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: configure build clean binary-indep binary-arch binary install

diff --git a/debian/source.lintian-overrides b/debian/source.lintian-overrides
new file mode 100644 (file)
index 0000000..b747b98
--- /dev/null
+++ b/debian/source.lintian-overrides
@@ -0,0 +1,2 @@
+sudo source: maintainer-script-lacks-debhelper-token debian/sudo.postinst
+sudo source: maintainer-script-lacks-debhelper-token debian/sudo-ldap.postinst

diff --git a/debian/source/format b/debian/source/format
new file mode 100644 (file)
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)

diff --git a/debian/sudo-ldap.dirs b/debian/sudo-ldap.dirs
new file mode 100644 (file)
index 0000000..83f817c
--- /dev/null
+++ b/debian/sudo-ldap.dirs
@@ -0,0 +1,8 @@
+etc/pam.d
+etc/sudoers.d
+usr/bin
+usr/share/man/man8
+usr/share/man/man5
+usr/sbin
+usr/share/doc/sudo-ldap/examples
+usr/share/lintian/overrides

diff --git a/debian/sudo-ldap.docs b/debian/sudo-ldap.docs
new file mode 100644 (file)
index 0000000..76cded0
--- /dev/null
+++ b/debian/sudo-ldap.docs
@@ -0,0 +1,8 @@
+debian/OPTIONS 
+UPGRADE 
+HISTORY 
+README 
+README.LDAP 
+TROUBLESHOOTING
+sudoers2ldif
+schema.*

diff --git a/debian/sudo-ldap.lintian b/debian/sudo-ldap.lintian
new file mode 100644 (file)
index 0000000..56e77ef
--- /dev/null
+++ b/debian/sudo-ldap.lintian
@@ -0,0 +1,3 @@
+sudo-ldap: non-standard-file-perm etc/sudoers.d/README 0440 != 0644
+sudo-ldap: setuid-binary usr/bin/sudo 4755 root/root
+sudo-ldap: setuid-binary usr/bin/sudoedit 4755 root/root

diff --git a/debian/sudo-ldap.manpages b/debian/sudo-ldap.manpages
new file mode 100644 (file)
index 0000000..36a1d59
--- /dev/null
+++ b/debian/sudo-ldap.manpages
@@ -0,0 +1,4 @@
+build-ldap/sudo.man
+build-ldap/sudoers.man
+build-ldap/sudoers.ldap.man
+build-ldap/visudo.man

diff --git a/debian/sudo-ldap.postinst b/debian/sudo-ldap.postinst
new file mode 100644 (file)
index 0000000..88e8c2c
--- /dev/null
+++ b/debian/sudo-ldap.postinst
@@ -0,0 +1,61 @@
+#!/usr/bin/perl
+
+# remove old link
+
+unlink ("/etc/alternatives/sudo") if ( -l "/etc/alternatives/sudo");
+
+# complain if no sudoers file is present
+if ( ! -f "/etc/sudoers") {
+       print "WARNING:  /etc/sudoers not present!\n";
+}
+
+# handle state directory transition from /var/run/sudo to /var/lib/sudo,
+# moving any existing content over to avoid re-lecturing existing users
+if ( -d "/var/run/sudo") {
+    system ('mkdir -p /var/lib/sudo');
+    system ('(cd /var/run/sudo ; tar cf - .) | (cd /var/lib/sudo ; tar xf -)');
+    system ('rm -rf /var/run/sudo');
+}
+
+# make sure sudoers has the correct permissions and owner/group
+system ('chown root:root /etc/sudoers');
+system ('chmod 440 /etc/sudoers');
+
+# must do a remove first to un-do the "bad" links created by previous version
+system ('update-rc.d -f sudo remove >/dev/null 2>&1');
+
+system ('update-rc.d sudo start 75 2 3 4 5 . >/dev/null');
+
+# create symlink to ease transition to new path for ldap config
+# if old config file exists and new one doesn't
+if (-e "/etc/ldap/ldap.conf" && ! -e "/etc/sudo-ldap.conf") {
+  system("ln -s ldap/ldap.conf /etc/sudo-ldap.conf");
+}
+
+# make sure we have a sudo group
+
+exit 0 if getgrnam("sudo"); # we're finished if there is a group sudo
+
+$gid = 27;                 # start searcg with gid 27
+setgrent;
+while (getgrgid($gid)) {
+       ++$gid;
+}
+endgrent;
+
+if ($gid != 27) {
+       print "On Debian we normally use gid 27 for 'sudo'.\n";
+       $gname = getgrgid(27);
+       print "However, on your system gid 27 is group '$gname'.\n\n";
+       print "Would you like me to stop configuring sudo so that you can change this? [n] "; 
+       $ans = <STDIN>;
+        if ($ans =~ m/^[yY].*/) {
+               print "'dpkg --pending --configure' will restart the configuration.\n\n\n";
+               exit 1;
+       }
+}
+
+print "Creating group 'sudo' with gid = $gid\n";
+system("groupadd -g $gid sudo");
+
+print "";

diff --git a/debian/sudo-ldap.postrm b/debian/sudo-ldap.postrm
new file mode 100644 (file)
index 0000000..54e7a46
--- /dev/null
+++ b/debian/sudo-ldap.postrm
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+
+case "$1" in
+  purge)
+       rm -f /etc/sudo-ldap.conf
+       rm -rf /var/lib/sudo
+  ;;
+
+  remove|upgrade|deconfigure)
+  ;;
+
+  failed-upgrade)
+  ;;
+
+  *)
+        echo "unknown argument --> $1" >&2
+        exit 0
+  ;;
+esac
+
+#DEBHELPER#

diff --git a/debian/sudo-ldap.sudo.init b/debian/sudo-ldap.sudo.init
new file mode 100644 (file)
index 0000000..23700d0
--- /dev/null
+++ b/debian/sudo-ldap.sudo.init
@@ -0,0 +1,34 @@
+#! /bin/sh
+
+### BEGIN INIT INFO
+# Provides:          sudo-ldap
+# Required-Start:    $local_fs $remote_fs
+# Required-Stop:
+# X-Start-Before:    rmnologin
+# Default-Start:     2 3 4 5
+# Default-Stop:
+# Short-Description: Provide limited super user privileges to specific users
+# Description: Provide limited super user privileges to specific users.
+### END INIT INFO
+
+N=/etc/init.d/sudo
+
+set -e
+
+case "$1" in
+  start)
+       # make sure privileges don't persist across reboots
+       if [ -d /var/lib/sudo ]
+       then
+                find /var/lib/sudo -exec touch -t 198501010000 '{}' \;
+       fi
+       ;;
+  stop|reload|restart|force-reload)
+       ;;
+  *)
+       echo "Usage: $N {start|stop|restart|force-reload}" >&2
+       exit 1
+       ;;
+esac
+
+exit 0

diff --git a/debian/sudo.dirs b/debian/sudo.dirs
new file mode 100644 (file)
index 0000000..4d15db4
--- /dev/null
+++ b/debian/sudo.dirs
@@ -0,0 +1,8 @@
+etc/pam.d
+etc/sudoers.d
+usr/bin
+usr/share/man/man8
+usr/share/man/man5
+usr/sbin
+usr/share/doc/sudo/examples
+usr/share/lintian/overrides

diff --git a/debian/sudo.docs b/debian/sudo.docs
new file mode 100644 (file)
index 0000000..e3c9b7b
--- /dev/null
+++ b/debian/sudo.docs
@@ -0,0 +1,5 @@
+debian/OPTIONS 
+UPGRADE 
+HISTORY 
+README 
+TROUBLESHOOTING

diff --git a/debian/sudo.lintian b/debian/sudo.lintian
new file mode 100644 (file)
index 0000000..0b4b58c
--- /dev/null
+++ b/debian/sudo.lintian
@@ -0,0 +1,3 @@
+sudo: non-standard-file-perm etc/sudoers.d/README 0440 != 0644
+sudo: setuid-binary usr/bin/sudo 4755 root/root
+sudo: setuid-binary usr/bin/sudoedit 4755 root/root

diff --git a/debian/sudo.manpages b/debian/sudo.manpages
new file mode 100644 (file)
index 0000000..e22c9d0
--- /dev/null
+++ b/debian/sudo.manpages
@@ -0,0 +1,3 @@
+build-simple/sudo.man
+build-simple/sudoers.man
+build-simple/visudo.man

diff --git a/debian/sudo.pam b/debian/sudo.pam
new file mode 100644 (file)
index 0000000..0020ecc
--- /dev/null
+++ b/debian/sudo.pam
@@ -0,0 +1,8 @@
+#%PAM-1.0
+
+@include common-auth
+@include common-account
+@include common-session-noninteractive
+
+session required pam_permit.so
+session required pam_limits.so

diff --git a/debian/sudo.postinst b/debian/sudo.postinst
new file mode 100644 (file)
index 0000000..33fd3d1
--- /dev/null
+++ b/debian/sudo.postinst
@@ -0,0 +1,55 @@
+#!/usr/bin/perl
+
+# remove old link
+
+unlink ("/etc/alternatives/sudo") if ( -l "/etc/alternatives/sudo");
+
+# complain if no sudoers file is present
+if ( ! -f "/etc/sudoers") {
+       print "WARNING:  /etc/sudoers not present!\n";
+}
+
+# handle state directory transition from /var/run/sudo to /var/lib/sudo,
+# moving any existing content over to avoid re-lecturing existing users
+if ( -d "/var/run/sudo") {
+    system ('mkdir -p /var/lib/sudo');
+    system ('(cd /var/run/sudo ; tar cf - .) | (cd /var/lib/sudo ; tar xf -)');
+    system ('rm -rf /var/run/sudo');
+}
+
+# make sure sudoers has the correct permissions and owner/group
+system ('chown root:root /etc/sudoers');
+system ('chmod 440 /etc/sudoers');
+
+# must do a remove first to un-do the "bad" links created by previous version
+system ('update-rc.d -f sudo remove >/dev/null 2>&1');
+
+system ('update-rc.d sudo start 75 2 3 4 5 . >/dev/null');
+
+# make sure we have a sudo group
+
+exit 0 if getgrnam("sudo"); # we're finished if there is a group sudo
+
+$gid = 27;                 # start searcg with gid 27
+setgrent;
+while (getgrgid($gid)) {
+       ++$gid;
+}
+endgrent;
+
+if ($gid != 27) {
+       print "On Debian we normally use gid 27 for 'sudo'.\n";
+       $gname = getgrgid(27);
+       print "However, on your system gid 27 is group '$gname'.\n\n";
+       print "Would you like me to stop configuring sudo so that you can change this? [n] "; 
+       $ans = <STDIN>;
+        if ($ans =~ m/^[yY].*/) {
+               print "'dpkg --pending --configure' will restart the configuration.\n\n\n";
+               exit 1;
+       }
+}
+
+print "Creating group 'sudo' with gid = $gid\n";
+system("groupadd -g $gid sudo");
+
+print "";

diff --git a/debian/sudo.postrm b/debian/sudo.postrm
new file mode 100644 (file)
index 0000000..a2dff7b
--- /dev/null
+++ b/debian/sudo.postrm
@@ -0,0 +1,20 @@
+#!/bin/sh -e
+
+case "$1" in
+  purge)
+       rm -rf /var/lib/sudo
+  ;;
+
+  remove|upgrade|deconfigure)
+  ;;
+
+  failed-upgrade)
+  ;;
+
+  *)
+        echo "unknown argument --> $1" >&2
+        exit 0
+  ;;
+esac
+
+#DEBHELPER#

diff --git a/debian/sudo.prerm b/debian/sudo.prerm
new file mode 100644 (file)
index 0000000..c3b8c46
--- /dev/null
+++ b/debian/sudo.prerm
@@ -0,0 +1,45 @@
+#!/bin/sh
+
+set -e
+
+check_password() {
+    if [ ! "$SUDO_FORCE_REMOVE" = "yes" ]; then
+       # let's check whether the root account is locked.
+       # if it is, we're not going another step. No Sirreee!
+       passwd=$(getent shadow root|cut -f2 -d:)
+       passwd1=$(echo "$passwd" |cut -c1)
+       # Note: we do need the 'xfoo' syntax here, since POSIX special-cases
+       # the $passwd value '!' as negation.
+       if [ "x$passwd" = "x*" ] || [ "x$passwd1" = "x!" ]; then
+           # yup, password is locked
+           echo "You have asked that the sudo package be removed,"
+           echo "but no root password has been set."
+           echo "Without sudo, you may not be able to gain administrative privileges."
+           echo
+           echo "If you would prefer to access the root account with su(1)"
+           echo "or by logging in directly,"
+           echo "you must set a root password with \"sudo passwd\"."
+           echo 
+           echo "If you have arranged other means to access the root account,"
+           echo "and you are sure this is what you want,"
+           echo "you may bypass this check by setting an environment variable "
+           echo "(export SUDO_FORCE_REMOVE=yes)."
+           echo
+           echo "Refusing to remove sudo."
+           exit 1
+       fi
+    fi
+}
+       
+case $1 in
+       remove)
+               check_password;
+               ;;
+       *)
+               ;;
+esac
+
+#DEBHELPER#
+
+exit 0
+

diff --git a/debian/sudo.sudo.init b/debian/sudo.sudo.init
new file mode 100644 (file)
index 0000000..9a4fb31
--- /dev/null
+++ b/debian/sudo.sudo.init
@@ -0,0 +1,34 @@
+#! /bin/sh
+
+### BEGIN INIT INFO
+# Provides:          sudo
+# Required-Start:    $local_fs $remote_fs
+# Required-Stop:
+# X-Start-Before:    rmnologin
+# Default-Start:     2 3 4 5
+# Default-Stop:
+# Short-Description: Provide limited super user privileges to specific users
+# Description: Provide limited super user privileges to specific users.
+### END INIT INFO
+
+N=/etc/init.d/sudo
+
+set -e
+
+case "$1" in
+  start)
+       # make sure privileges don't persist across reboots
+       if [ -d /var/lib/sudo ]
+       then
+                find /var/lib/sudo -exec touch -t 198501010000 '{}' \;
+       fi
+       ;;
+  stop|reload|restart|force-reload)
+       ;;
+  *)
+       echo "Usage: $N {start|stop|restart|force-reload}" >&2
+       exit 1
+       ;;
+esac
+
+exit 0

diff --git a/debian/sudoers b/debian/sudoers
new file mode 100644 (file)
index 0000000..4cecb43
--- /dev/null
+++ b/debian/sudoers
@@ -0,0 +1,23 @@
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults       env_reset
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root   ALL=(ALL:ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo  ALL=(ALL:ALL) ALL
+
+#includedir /etc/sudoers.d