- updated sudo to version 1.7.1

- fixed small bug in configure.in (sudo-1.7.1-conffix.patch)
- reverted the value of secure-path configure option

.cvsignore

@@ -1,2 +1,2 @@
-sudo-1.6.9p17.tar.gz
+sudo-1.7.1.tar.gz
 sudo-1.6.8p12-sudoers

sources

@@ -1,2 +1,2 @@
-60daf18f28e2c1eb7641c4408e244110  sudo-1.6.9p17.tar.gz
+af672524b2c854a67612bf4c743f58b8  sudo-1.7.1.tar.gz
 f9b28fbbb09ec22ca543c758db44d2cd  sudo-1.6.8p12-sudoers

sudo-1.7.1-audit.patch

@@ -0,0 +1,389 @@
+diff -up /dev/null sudo-1.7.1/audit_help.c
+--- /dev/null	2009-06-19 12:23:43.376002420 +0200
++++ sudo-1.7.1/audit_help.c	2009-06-22 14:24:48.000000000 +0200
+@@ -0,0 +1,136 @@
++/*
++ *  Audit helper functions used throughout sudo
++ *
++ *  Copyright (C) 2007, Red Hat, Inc.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
++ *    may be used to endorse or promote products derived from this software
++ *    without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED.  IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
++ * SUCH DAMAGE.
++ */
++
++#include <config.h>
++
++#ifdef WITH_AUDIT
++#include <stdlib.h>
++#include <syslog.h>
++#include <stdarg.h>
++#include <libaudit.h>
++#include <errno.h>
++#include <stdio.h>
++#include <string.h>
++#include <unistd.h>
++#include <sys/types.h>
++
++#ifdef HAVE_SELINUX
++#include <selinux/selinux.h>
++#endif
++
++int audit_fd;
++
++void audit_help_open (void)
++{
++	audit_fd = audit_open ();
++	if (audit_fd < 0) {
++        	/* You get these only when the kernel doesn't have
++                 * audit compiled in. */
++		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++		    errno == EAFNOSUPPORT)
++			return;
++		fprintf (stderr, "Cannot open audit interface - aborting.\n");
++		exit (1);
++	}
++}
++
++/*
++ * This function will log a message to the audit system using a predefined
++ * message format. Parameter usage is as follows:
++ *
++ * type - type of message: AUDIT_USER_CMD
++ * command - the command being logged
++ * params - parames of the command
++ * result - 1 is "success" and 0 is "failed"
++ *
++ */
++void audit_logger (int type, const char *command, const char *params, int result)
++{
++	int err;
++	char *msg;
++
++	if( audit_fd < 0 )
++		return;
++	else {
++
++		if( params ) 
++	                err = asprintf(&msg, "%s %s", command, params);
++		else 
++	                err = asprintf(&msg, "%s", command);
++                if (err < 0) {
++                        fprintf (stderr, "Memory allocation for audit message wasn’t possible.\n");
++                        return;
++                }
++		
++		err = audit_log_user_command (audit_fd, type, msg, NULL, result);
++               /* The kernel supports auditing and we had 
++                  enough privilege to write to the socket. */
++		if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED ) ) {
++			perror("audit_log_user_command()");
++		}
++
++		free(msg);
++	}
++}
++
++#ifdef HAVE_SELINUX
++int send_audit_message(int success, security_context_t old_context,
++                       security_context_t new_context, const char *ttyn)
++{
++        char *msg = NULL;
++        int rc;
++
++        if (audit_fd < 0)
++                return -1;
++
++        if (asprintf(&msg, "newrole: old-context=%s new-context=%s",
++                     old_context ? old_context : "?",
++                     new_context ? new_context : "?") < 0) {
++                fprintf(stderr, "Error allocating memory.\n");
++                rc = -1;
++                goto out;
++        }
++
++        rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
++                                    msg, NULL, NULL, ttyn, success);
++
++        if (rc <= 0) {
++                fprintf(stderr, "Error sending audit message.\n");
++                rc = -1;
++                goto out;
++        }
++        rc = 0;
++
++        out:
++         free(msg);
++         return rc;
++}
++#endif
++#endif                         /* WITH_AUDIT */
+diff -up sudo-1.7.1/configure.in.audit sudo-1.7.1/configure.in
+--- sudo-1.7.1/configure.in.audit	2009-06-22 14:24:48.000000000 +0200
++++ sudo-1.7.1/configure.in	2009-06-22 14:26:42.000000000 +0200
+@@ -179,6 +179,10 @@ dnl
+ dnl Options for --with
+ dnl
+ 
++AC_ARG_WITH(audit,
++        [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])],
++        [with_audit=$withval], [with_audit=yes])
++
+ AC_ARG_WITH(CC, [  --with-CC               C compiler to use],
+ [case $with_CC in
+     yes)	AC_MSG_ERROR(["must give --with-CC an argument."])
+@@ -1706,6 +1710,24 @@ dnl
+ : ${mansectsu='8'}
+ : ${mansectform='5'}
+ 
++AC_SUBST(LIBAUDIT)
++if test "$with_audit" = "yes"; then
++	# See if we have the audit library
++        AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"])
++        if test "$audit_header" = "yes"; then
++                AC_CHECK_LIB(audit, audit_log_user_command,
++                        [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages])
++                        LIBAUDIT="-laudit"])
++        fi
++	# See if we have the libcap library
++	AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"])
++	if test "$cap_header" = "yes"; then
++		AC_CHECK_LIB(cap, cap_init,
++			[AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support])
++			SUDO_LIBS="${SUDO_LIBS} -lcap"])
++	fi
++fi
++
+ dnl
+ dnl Add in any libpaths or libraries specified via configure
+ dnl
+diff -up sudo-1.7.1/Makefile.in.audit sudo-1.7.1/Makefile.in
+--- sudo-1.7.1/Makefile.in.audit	2009-06-22 14:24:48.000000000 +0200
++++ sudo-1.7.1/Makefile.in	2009-06-22 14:24:48.000000000 +0200
+@@ -125,6 +125,8 @@ HDRS = bsm_audit.h compat.h def_data.h d
+ 
+ AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
+ 
++AUDIT_OBJS = audit_help.o
++
+ # Note: gram.o must come first here
+ COMMON_OBJS = gram.o alias.o alloc.o defaults.o error.o list.o match.o \
+ 	      toke.o redblack.o zero_bytes.o
+@@ -132,7 +134,7 @@ COMMON_OBJS = gram.o alias.o alloc.o def
+ SUDO_OBJS = $(COMMON_OBJS) $(AUTH_OBJS) @SUDO_OBJS@ audit.o check.o env.o \
+ 	    getspwuid.o gettime.o goodpath.o fileops.o find_path.o \
+ 	    interfaces.o lbuf.o logging.o parse.o pwutil.o set_perms.o \
+-	    sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o
++	    sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o $(AUDIT_OBJS)
+ 
+ VISUDO_OBJS = $(COMMON_OBJS) visudo.o fileops.o gettime.o goodpath.o \
+ 	      find_path.o pwutil.o
+@@ -361,6 +363,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH
+ sia.o: $(authdir)/sia.c $(AUTHDEP)
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c
+ 
++audit_help.o: audit_help.c sudo.h
++	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c
++
+ sudo.man.in: $(srcdir)/sudo.pod
+ 	@rm -f $(srcdir)/$@
+ 	( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
+diff -up sudo-1.7.1/set_perms.c.audit sudo-1.7.1/set_perms.c
+--- sudo-1.7.1/set_perms.c.audit	2008-03-06 18:19:56.000000000 +0100
++++ sudo-1.7.1/set_perms.c	2009-06-22 14:24:48.000000000 +0200
+@@ -48,6 +48,10 @@
+ #ifdef HAVE_LOGIN_CAP_H
+ # include <login_cap.h>
+ #endif
++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
++# include <sys/prctl.h>
++# include <sys/capability.h>
++#endif
+ 
+ #include "sudo.h"
+ 
+@@ -126,16 +130,59 @@ set_perms(perm)
+ 			      	break;
+ 
+ 	case PERM_FULL_RUNAS:
+-				/* headed for exec(), assume euid == ROOT_UID */
+-				runas_setup();
+-				if (setresuid(def_stay_setuid ?
+-				    user_uid : runas_pw->pw_uid,
+-				    runas_pw->pw_uid, runas_pw->pw_uid)) {
+-				    errstr = "unable to change to runas uid";
+-				    goto bad;
+-				}
++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
++	                     { /* BEGIN CAP BLOCK */
++				  cap_t new_caps;
++				  cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
++				  
++				  if (runas_pw->pw_uid != ROOT_UID) {
++				       new_caps = cap_init ();
++				       if (!new_caps) {
++					    errstr = "Error initing capabilities, aborting.\n";
++					    goto bad;
++				       }
++				       
++				       if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) ||
++					  cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) {
++					    errstr = "Error setting capabilities, aborting\n";
++					    goto bad;
++				       }
++				       
++				       if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
++					    errstr = "Error setting KEEPCAPS, aborting\n";
++					    goto bad;
++				       }
++				  }
++#endif
++				  /* headed for exec(), assume euid == ROOT_UID */
++				  runas_setup();
++				  if (setresuid(def_stay_setuid ?
++						user_uid : runas_pw->pw_uid,
++						runas_pw->pw_uid, runas_pw->pw_uid)) {
++				       errstr = "unable to change to runas uid";
++				       goto bad;
++				  }
++				  
++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP)
++				  if (runas_pw->pw_uid != ROOT_UID) {
++				       if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) {
++					    errstr = "Error resetting KEEPCAPS, aborting\n";
++					    goto bad;
++				       }
++				       
++				       if (cap_set_proc(new_caps)) {
++					    errstr = "Error dropping capabilities, aborting\n";
++					    goto bad;
++				       }
++				       
++				       if (cap_free (new_caps)) {
++					    errstr = "Error freeing caps\n";
++					    goto bad;
++				       }
++				  }
++                                } /* END CAP BLOCK */
++#endif
+ 				break;
+-
+ 	case PERM_SUDOERS:
+ 				/* assume euid == ROOT_UID, ruid == user */
+ 				if (setresgid(-1, SUDOERS_GID, -1))
+diff -up sudo-1.7.1/sudo.c.audit sudo-1.7.1/sudo.c
+--- sudo-1.7.1/sudo.c.audit	2009-06-22 14:24:48.000000000 +0200
++++ sudo-1.7.1/sudo.c	2009-06-22 14:24:48.000000000 +0200
+@@ -95,6 +95,10 @@
+ # include <selinux/selinux.h>
+ #endif
+ 
++#ifdef WITH_AUDIT
++#include <libaudit.h>
++#endif
++
+ #include <sudo_usage.h>
+ #include "sudo.h"
+ #include "lbuf.h"
+@@ -360,6 +364,10 @@ main(argc, argv, envp)
+     if (safe_cmnd == NULL)
+ 	safe_cmnd = estrdup(user_cmnd);
+ 
++#if defined(WITH_AUDIT)
++    audit_help_open ();
++#endif
++    
+ #ifdef HAVE_SETLOCALE
+     setlocale(LC_ALL, "");
+ #endif
+@@ -521,7 +529,18 @@ main(argc, argv, envp)
+ 	(void) sigaction(SIGINT, &saved_sa_int, NULL);
+ 	(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
+ 	(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
+-
++	
++        if (access(safe_cmnd, X_OK) != 0) {
++		warn ("unable to execute %s", safe_cmnd);
++#ifdef WITH_AUDIT
++		audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
++#endif
++		exit(127);
++        }
++#ifdef WITH_AUDIT
++        audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1);
++#endif
++	
+ 	/* Close the password and group files and free up memory. */
+ 	sudo_endpwent();
+ 	sudo_endgrent();
+@@ -554,11 +573,17 @@ main(argc, argv, envp)
+ 	    NewArgv[1] = safe_cmnd;
+ 	    execv(_PATH_BSHELL, NewArgv);
+ 	}
++#ifdef WITH_AUDIT
++	audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
++#endif
+ 	warning("unable to execute %s", safe_cmnd);
+ 	exit(127);
+     } else if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) {
+ 	audit_failure(NewArgv, "No user or host");
+ 	log_denial(validated, 1);
++#ifdef WITH_AUDIT
++	audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
++#endif
+ 	exit(1);
+     } else {
+ 	if (def_path_info) {
+@@ -580,6 +605,9 @@ main(argc, argv, envp)
+ 	    log_denial(validated, 1);
+ 	}
+ 	audit_failure(NewArgv, "validation failure");
++#ifdef WITH_AUDIT
++	audit_logger(AUDIT_USER_CMD,  safe_cmnd, user_args, 0);
++#endif
+ 	exit(1);
+     }
+     exit(0);	/* not reached */
+diff -up sudo-1.7.1/sudo.h.audit sudo-1.7.1/sudo.h
+--- sudo-1.7.1/sudo.h.audit	2009-06-22 14:24:48.000000000 +0200
++++ sudo-1.7.1/sudo.h	2009-06-22 14:24:48.000000000 +0200
+@@ -24,6 +24,8 @@
+ #ifndef _SUDO_SUDO_H
+ #define _SUDO_SUDO_H
+ 
++#include <config.h>
++
+ #include <pathnames.h>
+ #include <limits.h>
+ #include "compat.h"
+@@ -338,4 +340,10 @@ extern int sudo_mode;
+ extern int errno;
+ #endif
+ 
++#ifdef WITH_AUDIT
++extern int audit_fd;
++extern void audit_help_open (void);
++extern void audit_logger (int, const char *, const char *, int);
++#endif
++
+ #endif /* _SUDO_SUDO_H */

sudo-1.7.1-conffix.patch

@@ -0,0 +1,12 @@
+diff -up sudo-1.7.1/configure.in.conffix sudo-1.7.1/configure.in
+--- sudo-1.7.1/configure.in.conffix	2009-06-22 15:45:51.000000000 +0200
++++ sudo-1.7.1/configure.in	2009-06-22 15:45:30.000000000 +0200
+@@ -2473,7 +2473,7 @@ if test ${with_ldap-'no'} != "no"; then
+     AC_MSG_RESULT([yes])
+     AC_DEFINE(HAVE_LBER_H)])
+ 
+-    AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s), [break]])
++    AC_CHECK_HEADERS([sasl/sasl.h] [sasl.h], [AC_CHECK_FUNCS(ldap_sasl_interactive_bind_s)], [break])
+     AC_CHECK_HEADERS([ldap_ssl.h] [mps/ldap_ssl.h], [break], [], [#include <ldap.h>])
+     AC_CHECK_FUNCS(ldap_initialize ldap_start_tls_s ldapssl_init ldapssl_set_strength ldap_search_ext_s ldap_unbind_ext_s ldap_str2dn ldap_create ldap_sasl_bind_s ldap_ssl_client_init ldap_start_tls_s_np)
+ 

sudo-1.7.1-envdebug.patch

@@ -0,0 +1,12 @@
+diff -up sudo-1.7.1/configure.in.envdebug sudo-1.7.1/configure.in
+--- sudo-1.7.1/configure.in.envdebug	2009-05-02 21:25:56.000000000 +0200
++++ sudo-1.7.1/configure.in	2009-05-02 21:27:17.000000000 +0200
+@@ -1192,7 +1192,7 @@ AC_ARG_ENABLE(env_debug,
+ [  --enable-env-debug      Whether to enable environment debugging.],
+ [ case "$enableval" in
+     yes)	AC_MSG_RESULT(yes)
+-		AC_DEFINE(ENV_DEBUG)
++		AC_DEFINE(ENV_DEBUG, [], [Environment debugging.])
+ 		;;
+     no)		AC_MSG_RESULT(no)
+ 		;;

sudo-1.7.1-getgrouplist.patch

@@ -0,0 +1,40 @@
+diff -up sudo-1.7.1/check.c.getgrouplist sudo-1.7.1/check.c
+--- sudo-1.7.1/check.c.getgrouplist	2009-05-02 21:48:17.000000000 +0200
++++ sudo-1.7.1/check.c	2009-05-02 21:49:04.000000000 +0200
+@@ -353,6 +353,24 @@ user_is_exempt()
+ 	    return(TRUE);
+     }
+ 
++#ifdef HAVE_GETGROUPLIST
++    {
++	gid_t *grouplist, grouptmp;
++	int n_groups, i;
++	n_groups = 1;
++	if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
++	    grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
++	    if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
++		for (i = 0; i < n_groups; i++)
++		    if (grouplist[i] == grp->gr_gid) {
++			free(grouplist);
++			return(TRUE);
++		    }
++	    free(grouplist);
++	}
++    }
++#endif
++
+     return(FALSE);
+ }
+ 
+diff -up sudo-1.7.1/configure.in.getgrouplist sudo-1.7.1/configure.in
+--- sudo-1.7.1/configure.in.getgrouplist	2009-05-02 21:48:13.000000000 +0200
++++ sudo-1.7.1/configure.in	2009-05-02 21:50:05.000000000 +0200
+@@ -1809,7 +1809,7 @@ dnl
+ AC_FUNC_GETGROUPS
+ AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
+ 	       strftime setrlimit initgroups getgroups fstat gettimeofday \
+-	       setlocale getaddrinfo setsid setenv)
++	       setlocale getaddrinfo setsid setenv getgrouplist)
+ AC_CHECK_FUNCS(unsetenv, SUDO_FUNC_UNSETENV_VOID)
+ SUDO_FUNC_PUTENV_CONST
+ if test -z "$SKIP_SETRESUID"; then

sudo-1.7.1-libtool.patch

@@ -0,0 +1,12 @@
+diff -up sudo-1.7.1/Makefile.in.libtool sudo-1.7.1/Makefile.in
+--- sudo-1.7.1/Makefile.in.libtool	2009-05-02 21:35:55.000000000 +0200
++++ sudo-1.7.1/Makefile.in	2009-05-02 21:36:04.000000000 +0200
+@@ -198,7 +198,7 @@ sudo_noexec.lo: $(srcdir)/sudo_noexec.c
+ 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c
+ 
+ sudo_noexec.la: sudo_noexec.lo
+-	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
++	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -module -avoid-version -rpath $(noexecdir)
+ 
+ # Uncomment the following if you want "make distclean" to clean the parser
+ @DEV@GENERATED = gram.h gram.c toke.c def_data.c def_data.h

sudo-1.7.1-login.patch

@@ -0,0 +1,111 @@
+diff -up sudo-1.7.1/auth/pam.c.login sudo-1.7.1/auth/pam.c
+--- sudo-1.7.1/auth/pam.c.login	2009-05-02 21:01:17.000000000 +0200
++++ sudo-1.7.1/auth/pam.c	2009-05-02 21:07:42.000000000 +0200
+@@ -100,7 +100,13 @@ pam_init(pw, promptp, auth)
+     if (auth != NULL)
+ 	auth->data = (void *) &pam_status;
+     pam_conv.conv = sudo_conv;
+-    pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
++#ifdef HAVE_PAM_LOGIN
++    if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
++	    pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
++    else
++#endif
++	    pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
++
+     if (pam_status != PAM_SUCCESS) {
+ 	log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
+ 	return(AUTH_FATAL);
+diff -up sudo-1.7.1/configure.in.login sudo-1.7.1/configure.in
+--- sudo-1.7.1/configure.in.login	2009-05-02 21:01:33.000000000 +0200
++++ sudo-1.7.1/configure.in	2009-05-02 21:13:59.000000000 +0200
+@@ -393,6 +393,17 @@ AC_ARG_WITH(pam, [  --with-pam          
+ 		;;
+ esac])
+ 
++AC_ARG_WITH(pam-login, [  --with-pam-login              enable specific PAM session for sudo -i],
++[case $with_pam_login in
++    yes)	AC_DEFINE([HAVE_PAM_LOGIN], [], ["Define to 1 if you use specific PAM session for sodo -i."])	
++		AC_MSG_CHECKING(whether to use PAM login)
++		AC_MSG_RESULT(yes)
++		;;
++    no)		;;
++    *)		AC_MSG_ERROR(["--with-pam-login does not take an argument."])
++		;;
++esac])
++
+ AC_ARG_WITH(AFS, [  --with-AFS              enable AFS support],
+ [case $with_AFS in
+     yes)	AC_DEFINE(HAVE_AFS)
+diff -up sudo-1.7.1/env.c.login sudo-1.7.1/env.c
+--- sudo-1.7.1/env.c.login	2009-05-02 21:01:24.000000000 +0200
++++ sudo-1.7.1/env.c	2009-05-02 21:12:28.000000000 +0200
+@@ -101,7 +101,7 @@ struct environment {
+ /*
+  * Prototypes
+  */
+-void rebuild_env		__P((int, int));
++void rebuild_env		__P((int));
+ static void sudo_setenv		__P((const char *, const char *, int));
+ static void sudo_putenv		__P((char *, int, int));
+ 
+@@ -550,8 +550,7 @@ matches_env_keep(var)
+  * Also adds sudo-specific variables (SUDO_*).
+  */
+ void
+-rebuild_env(sudo_mode, noexec)
+-    int sudo_mode;
++rebuild_env(noexec)
+     int noexec;
+ {
+     char **old_envp, **ep, *cp, *ps1;
+diff -up sudo-1.7.1/sudo.c.login sudo-1.7.1/sudo.c
+--- sudo-1.7.1/sudo.c.login	2009-05-02 21:01:49.000000000 +0200
++++ sudo-1.7.1/sudo.c	2009-05-02 21:18:18.000000000 +0200
+@@ -123,7 +123,7 @@ static void usage_excl			__P((int))
+ 					    __attribute__((__noreturn__));
+ static struct passwd *get_authpw	__P((void));
+ extern int sudo_edit			__P((int, char **, char **));
+-extern void rebuild_env			__P((int, int));
++extern void rebuild_env			__P((int));
+ void validate_env_vars			__P((struct list_member *));
+ void insert_env_vars			__P((struct list_member *));
+ 
+@@ -154,6 +154,8 @@ login_cap_t *lc;
+ char *login_style;
+ #endif /* HAVE_BSD_AUTH_H */
+ sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
++
++int sudo_mode;
+ static char *runas_user;
+ static char *runas_group;
+ static struct sudo_nss_list *snl;
+@@ -169,7 +171,7 @@ main(argc, argv, envp)
+     char **envp;
+ {
+     int sources = 0, validated;
+-    int fd, cmnd_status, sudo_mode, pwflag, rc = 0;
++    int fd, cmnd_status, pwflag, rc = 0;
+     sigaction_t sa;
+     struct sudo_nss *nss;
+ #if defined(SUDO_DEVEL) && defined(__OpenBSD__)
+@@ -408,7 +410,7 @@ main(argc, argv, envp)
+ 	def_env_reset = FALSE;
+ 
+     /* Build a new environment that avoids any nasty bits. */
+-    rebuild_env(sudo_mode, def_noexec);
++    rebuild_env(def_noexec);
+ 
+     /* Fill in passwd struct based on user we are authenticating as.  */
+     auth_pw = get_authpw();
+diff -up sudo-1.7.1/sudo.h.login sudo-1.7.1/sudo.h
+--- sudo-1.7.1/sudo.h.login	2009-05-02 21:01:42.000000000 +0200
++++ sudo-1.7.1/sudo.h	2009-05-02 21:14:58.000000000 +0200
+@@ -332,6 +332,7 @@ extern struct passwd *auth_pw, *list_pw;
+ extern int tgetpass_flags;
+ extern int long_list;
+ extern uid_t timestamp_uid;
++extern int sudo_mode;
+ #endif
+ #ifndef errno
+ extern int errno;

sudo.spec

@@ -1,7 +1,7 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.6.9p17
+Version: 1.7.1
-Release: 6%{?dist}
+Release: 1%{?dist}
 License: BSD
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
@@ -23,13 +23,13 @@ BuildRequires: sendmail
 # don't strip
 Patch1: sudo-1.6.7p5-strip.patch
 # use specific PAM session for sudo -i (#198755)
-Patch2: sudo-1.6.9p4-login.patch
+Patch2: sudo-1.7.1-login.patch
 # the rest, see changelog
-Patch3: sudo-1.6.9p4-getgrouplist.patch
+Patch3: sudo-1.7.1-envdebug.patch
-Patch4: sudo-1.6.9p12-noPam.patch
+Patch4: sudo-1.7.1-libtool.patch
-Patch5: sudo-1.6.9p13-audit.patch
+Patch5: sudo-1.7.1-getgrouplist.patch
-Patch6: sudo-1.6.9p17-Makefile.patch
+Patch6: sudo-1.7.1-audit.patch
-Patch7: sudo-1.6.9p17-runas.patch
+Patch7: sudo-1.7.1-conffix.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -46,11 +46,11 @@ on many different machines.
 %setup -q
 %patch1 -p1 -b .strip
 %patch2 -p1 -b .login
-%patch3 -p1 -b .getgrouplist
+%patch3 -p1 -b .envdebug
-%patch4 -p1 -b .noPam
+%patch4 -p1 -b .libtool
-%patch5 -p1 -b .audit
+%patch5 -p1 -b .getgrouplist
-%patch6 -p1 -b .Makefile
+%patch6 -p1 -b .audit
-%patch7 -p0 -b .runas
+%patch7 -p1 -b .conffix
 
 %build
 #hande newer autoconf
@@ -79,7 +79,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie"
         --with-ldap \
 	--with-selinux \
 	--with-passprompt="[sudo] password for %p: " \
-	--with-secure-path="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
+	--with-secure-path="/sbin:/bin:/usr/sbin:/usr/bin"
 #	--without-kerb5 \
 #	--without-kerb4
 make
@@ -116,7 +116,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %files
 %defattr(-,root,root)
-%doc BUGS CHANGES HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
+%doc ChangeLog WHATSNEW HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
 %doc *.pod schema.* sudoers2ldif sample.*
 %attr(0440,root,root) %config(noreplace) /etc/sudoers
 %config(noreplace) /etc/pam.d/sudo
@@ -137,6 +137,10 @@ rm -rf $RPM_BUILD_ROOT
 /bin/chmod 0440 /etc/sudoers || :
 
 %changelog
+* Mon Jun 22 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-1
+- updated sudo to version 1.7.1
+- fixed small bug in configure.in (sudo-1.7.1-conffix.patch)
+
 * Tue Feb 24 2009 Daniel Kopecek <dkopecek@redhat.com> 1.6.9p17-6
 - fixed building with new libtool
 - fix for incorrect handling of groups in Runas_User