From a85f18d2582b89fb2abdcb94cd5ca8a8adf465ca Mon Sep 17 00:00:00 2001
From: Bdale Garbee <bdale@gag.com>
Date: Wed, 29 Jul 2009 16:21:32 +0200
Subject: [PATCH] don't use NOPASSWD in the default sudoers file

---
 debian/changelog          | 7 +++++++
 debian/sudo-ldap.postinst | 2 +-
 debian/sudo.postinst      | 2 +-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index cb08100..88e2774 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+sudo (1.7.2-2) UNRELEASED; urgency=low
+
+  * further improve initial sudoers to not include the NOPASSWD option on 
+    the group sudo exception, closes: #539136, #198991
+
+ -- Bdale Garbee <bdale@gag.com>  Wed, 29 Jul 2009 16:21:04 +0200
+
 sudo (1.7.2-1) unstable; urgency=low
 
   * new upstream version, closes: #537103
diff --git a/debian/sudo-ldap.postinst b/debian/sudo-ldap.postinst
index e464377..5145cc9 100644
--- a/debian/sudo-ldap.postinst
+++ b/debian/sudo-ldap.postinst
@@ -23,7 +23,7 @@ if ( ! -f "/etc/sudoers") {
 	  "# Allow members of group sudo to not need a password\n",
 	  "# (Note that later entries override this, so you might need to move\n",
           "# it further down)\n",
-	  "%sudo ALL=(ALL) NOPASSWD: ALL\n";
+	  "%sudo ALL=(ALL) ALL\n";
 	close SUDOERS;
 
 }
diff --git a/debian/sudo.postinst b/debian/sudo.postinst
index c1a8b51..c4f9482 100644
--- a/debian/sudo.postinst
+++ b/debian/sudo.postinst
@@ -23,7 +23,7 @@ if ( ! -f "/etc/sudoers") {
 	  "# Allow members of group sudo to not need a password\n",
 	  "# (Note that later entries override this, so you might need to move\n",
           "# it further down)\n",
-	  "%sudo ALL=(ALL) NOPASSWD: ALL\n";
+	  "%sudo ALL=(ALL) ALL\n";
 	close SUDOERS;
 
 }
-- 
2.47.2