From 7e52cdebceae5996a8c9206f8a6181c2a735c04b Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Tue, 22 Jul 2025 17:55:07 +0000
Subject: [PATCH] import UBI sudo-1.9.15-8.p5.el10_0.2

---
 cve-2025-32462.patch |  109 ++
 cve-2025-32463.patch | 3207 ++++++++++++++++++++++++++++++++++++++++++
 sudo.spec            |  917 +-----------
 3 files changed, 3326 insertions(+), 907 deletions(-)
 create mode 100644 cve-2025-32462.patch
 create mode 100644 cve-2025-32463.patch

diff --git a/cve-2025-32462.patch b/cve-2025-32462.patch
new file mode 100644
index 0000000..55a2855
--- /dev/null
+++ b/cve-2025-32462.patch
@@ -0,0 +1,109 @@
+# Local Privilege Escalation via host option
+
+Sudo's host (`-h` or `--host`) option is intended to be used in
+conjunction with the list option (`-l` or `--list`) to list a user's
+sudo privileges on a host other than the current one.  However, due
+to a bug it was not restricted to listing privileges and could be
+used when running a command via `sudo` or editing a file with
+`sudoedit`.  Depending on the rules present in the sudoers file
+this could allow a local privilege escalation attack.
+
+## Sudo versions affected:
+
+Sudo versions 1.8.8 to 1.9.17 inclusive are affected.
+
+## CVE ID:
+
+This vulnerability has been assigned
+[CVE-2025-32462](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32462)
+in the [Common Vulnerabilities and Exposures](https://cve.mitre.org/) database.
+
+## Details:
+
+The intent of sudo's `-h` (`--host`) option is to make it possible
+to list a user's sudo privileges for a host other than the current
+one.  It was only intended be used with in conjunction with the
+`-l` (`--list`) option.
+
+The bug effectively makes the hostname portion of a sudoers rule
+irrelevant since the user can set the host to be used when evaluating
+the rules themselves.  A user must still be listed in the sudoers
+file, but they do not needed to have an entry for the current host.
+
+For example, given the sudoers rule:
+
+``` plain
+alice cerebus = ALL
+```
+
+user __alice__ would be able to run `sudo -h cerebus id` on any host,
+not just _cerebus_.  For example:
+
+``` plain
+alice@hades$ sudo -l
+Sorry, user alice may not run sudo on hades.
+
+alice@hades$ sudo -l -h cerebus
+User alice may run the following commands on cerebus:
+    (root) ALL
+
+alice@hades$ sudo -h cerebus id
+uid=0(root) gid=0(root) groups=0(root)
+```
+
+## Impact:
+
+Sudoers files that include rules where the host field is not the
+current host or _ALL_ are affected.  This primarily affects sites
+that use a common sudoers file that is distributed to multiple
+machines.  Sites that use LDAP-based sudoers (including SSSD) are
+similarly impacted.
+
+For example, a sudoers rule such as:
+
+``` plain
+bob ALL = ALL
+```
+
+is not affected since the host _ALL_ already matches any hosts,
+but a rule like:
+
+``` plain
+alice cerebus = ALL
+```
+
+could allow user __alice__ to run any command even if the current
+host is not _cerebus_.
+
+## Fix:
+
+The bug is fixed in sudo 1.9.17p1.
+
+## Credit:
+
+Thanks to Rich Mirch from Stratascale Cyber Research Unit (CRU) for
+reporting and analyzing the bug.
+
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index 70a0c1a52..ad2fa2f61 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
+     time_t now;
+     debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
+ 
++    /* The user may only specify a host for "sudo -l". */
++    if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
++	if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
++	    log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
++		N_("user not allowed to set remote host for command"));
++	    sudo_warnx("%s",
++		U_("a remote host may only be specified when listing privileges."));
++	    ret = false;
++	    goto done;
++	}
++    }
++
+     /* If given the -P option, set the "preserve_groups" flag. */
+     if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
+ 	def_preserve_groups = true;
diff --git a/cve-2025-32463.patch b/cve-2025-32463.patch
new file mode 100644
index 0000000..a5925c3
--- /dev/null
+++ b/cve-2025-32463.patch
@@ -0,0 +1,3207 @@
+# Local Privilege Escalation via chroot option
+
+An attacker can leverage sudo's `-R` (`--chroot`) option to run
+arbitrary commands as root, even if they are not listed in the
+sudoers file.
+
+## Sudo versions affected:
+
+Sudo versions 1.9.14 to 1.9.17 inclusive are affected.
+
+## CVE ID:
+
+This vulnerability has been assigned
+[CVE-2025-32463](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32463)
+in the [Common Vulnerabilities and Exposures](https://cve.mitre.org/) database.
+
+## Details:
+
+Sudo's `-R` (`--chroot`) option is intended to allow the user to
+run a command with a user-selected root directory if the sudoers
+file allows it.  A change was made in sudo 1.9.14 to resolve paths
+via `chroot()` using the user-specified root directory while the
+sudoers file was still being evaluated.  It is possible for an
+attacker to trick sudo into loading an arbitrary shared library by
+creating an `/etc/nsswitch.conf` file under the user-specified root
+directory.
+
+The change in sudo 1.9.14 has been reverted in sudo 1.9.17p1 and
+the chroot feature has been marked as deprecated.  It will be removed
+entirely in a future sudo release.  Because of the way sudo resolves
+commands, supporting a user-specified chroot directory is error-prone
+and this feature does not appear to be widely used.
+
+## Impact:
+
+On systems that support `/etc/nsswitch.conf` a user may be
+able to run arbitrary commands as root.
+
+## Fix:
+
+The bug is fixed in sudo 1.9.17p1.
+
+## Credit:
+
+Thanks to Rich Mirch from Stratascale Cyber Research Unit (CRU) for
+reporting and analyzing the bug.
+
+diff -up ./MANIFEST.cve-chroot ./MANIFEST
+--- ./MANIFEST.cve-chroot	2023-12-15 20:08:30.000000000 +0100
++++ ./MANIFEST	2025-07-01 09:07:19.326708206 +0200
+@@ -685,8 +685,6 @@ plugins/sudoers/mkdefaults
+ plugins/sudoers/parse.h
+ plugins/sudoers/parse_ldif.c
+ plugins/sudoers/parser_warnx.c
+-plugins/sudoers/pivot.c
+-plugins/sudoers/pivot.h
+ plugins/sudoers/po/README
+ plugins/sudoers/po/ast.mo
+ plugins/sudoers/po/ast.po
+diff -up ./plugins/sudoers/editor.c.cve-chroot ./plugins/sudoers/editor.c
+--- ./plugins/sudoers/editor.c.cve-chroot	2023-12-15 20:08:29.000000000 +0100
++++ ./plugins/sudoers/editor.c	2025-07-01 09:07:19.326870695 +0200
+@@ -147,7 +147,7 @@ resolve_editor(const char *ed, size_t ed
+ 	goto oom;
+ 
+     /* If we can't find the editor in the user's PATH, give up. */
+-    if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"),
++    if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL,
+ 	    false, allowlist) != FOUND) {
+ 	errno = ENOENT;
+ 	goto bad;
+diff -up ./plugins/sudoers/find_path.c.cve-chroot ./plugins/sudoers/find_path.c
+--- ./plugins/sudoers/find_path.c.cve-chroot	2023-12-15 20:08:29.000000000 +0100
++++ ./plugins/sudoers/find_path.c	2025-07-01 09:07:19.326985083 +0200
+@@ -43,14 +43,14 @@
+  * On failure, returns false.
+  */
+ static bool
+-cmnd_allowed(char *cmnd, size_t cmnd_size, struct stat *cmnd_sbp,
+-    char * const *allowlist)
++cmnd_allowed(char *cmnd, size_t cmnd_size, const char *runchroot,
++    struct stat *cmnd_sbp, char * const *allowlist)
+ {
+     const char *cmnd_base;
+     char * const *al;
+     debug_decl(cmnd_allowed, SUDOERS_DEBUG_UTIL);
+ 
+-    if (!sudo_goodpath(cmnd, cmnd_sbp))
++    if (!sudo_goodpath(cmnd, runchroot, cmnd_sbp))
+ 	debug_return_bool(false);
+ 
+     if (allowlist == NULL)
+@@ -67,7 +67,7 @@ cmnd_allowed(char *cmnd, size_t cmnd_siz
+ 	if (strcmp(cmnd_base, base) != 0)
+ 	    continue;
+ 
+-	if (sudo_goodpath(path, &sb) &&
++	if (sudo_goodpath(path, runchroot, &sb) &&
+ 	    sb.st_dev == cmnd_sbp->st_dev && sb.st_ino == cmnd_sbp->st_ino) {
+ 	    /* Overwrite cmnd with safe version from allowlist. */
+ 	    if (strlcpy(cmnd, path, cmnd_size) < cmnd_size)
+@@ -87,7 +87,8 @@ cmnd_allowed(char *cmnd, size_t cmnd_siz
+  */
+ int
+ find_path(const char *infile, char **outfile, struct stat *sbp,
+-    const char *path, bool ignore_dot, char * const *allowlist)
++    const char *path, const char *runchroot, bool ignore_dot,
++    char * const *allowlist)
+ {
+     char command[PATH_MAX];
+     const char *cp, *ep, *pathend;
+@@ -108,7 +109,8 @@ find_path(const char *infile, char **out
+ 	    errno = ENAMETOOLONG;
+ 	    debug_return_int(NOT_FOUND_ERROR);
+ 	}
+-	found = cmnd_allowed(command, sizeof(command), sbp, allowlist);
++	found = cmnd_allowed(command, sizeof(command), runchroot, sbp,
++	    allowlist);
+ 	goto done;
+     }
+ 
+@@ -137,7 +139,8 @@ find_path(const char *infile, char **out
+ 	    errno = ENAMETOOLONG;
+ 	    debug_return_int(NOT_FOUND_ERROR);
+ 	}
+-	found = cmnd_allowed(command, sizeof(command), sbp, allowlist);
++	found = cmnd_allowed(command, sizeof(command), runchroot,
++	    sbp, allowlist);
+ 	if (found)
+ 	    break;
+     }
+@@ -151,7 +154,8 @@ find_path(const char *infile, char **out
+ 	    errno = ENAMETOOLONG;
+ 	    debug_return_int(NOT_FOUND_ERROR);
+ 	}
+-	found = cmnd_allowed(command, sizeof(command), sbp, allowlist);
++	found = cmnd_allowed(command, sizeof(command), runchroot,
++	    sbp, allowlist);
+ 	if (found && ignore_dot)
+ 	    debug_return_int(NOT_FOUND_DOT);
+     }
+diff -up ./plugins/sudoers/goodpath.c.cve-chroot ./plugins/sudoers/goodpath.c
+--- ./plugins/sudoers/goodpath.c.cve-chroot	2023-12-15 20:08:29.000000000 +0100
++++ ./plugins/sudoers/goodpath.c	2025-07-01 09:07:19.327081162 +0200
+@@ -39,13 +39,25 @@
+  * Verify that path is a normal file and executable by root.
+  */
+ bool
+-sudo_goodpath(const char *path, struct stat *sbp)
++sudo_goodpath(const char *path, const char *runchroot, struct stat *sbp)
+ {
+     bool ret = false;
+-    struct stat sb;
+     debug_decl(sudo_goodpath, SUDOERS_DEBUG_UTIL);
+ 
+     if (path != NULL) {
++	char pathbuf[PATH_MAX];
++	struct stat sb;
++
++	if (runchroot != NULL) {
++	    /* XXX - handle symlinks and '..' in path outside chroot */
++	    const int len =
++		snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, path);
++	    if (len >= ssizeof(pathbuf)) {
++		errno = ENAMETOOLONG;
++		goto done;
++	    }
++	    path = pathbuf; // -V507
++	}
+ 	if (sbp == NULL)
+ 	    sbp = &sb;
+ 
+@@ -57,5 +69,6 @@ sudo_goodpath(const char *path, struct s
+ 		errno = EACCES;
+ 	}
+     }
++done:
+     debug_return_bool(ret);
+ }
+diff -up ./plugins/sudoers/Makefile.in.cve-chroot ./plugins/sudoers/Makefile.in
+--- ./plugins/sudoers/Makefile.in.cve-chroot	2023-12-15 20:08:31.000000000 +0100
++++ ./plugins/sudoers/Makefile.in	2025-07-01 09:07:19.327307130 +0200
+@@ -188,11 +188,11 @@ SUDOERS_OBJS = $(AUTH_OBJS) audit.lo boo
+                display.lo editor.lo env.lo sudoers_hooks.lo env_pattern.lo \
+                file.lo find_path.lo fmtsudoers.lo gc.lo goodpath.lo \
+                group_plugin.lo interfaces.lo iolog.lo iolog_path_escapes.lo \
+-               locale.lo log_client.lo logging.lo lookup.lo pivot.lo \
+-               policy.lo prompt.lo serialize_list.lo set_perms.lo \
+-               sethost.lo starttime.lo strlcpy_unesc.lo strvec_join.lo \
+-               sudo_nss.lo sudoers.lo sudoers_cb.lo sudoers_ctx_free.lo \
+-               timestamp.lo unesc_str.lo @SUDOERS_OBJS@
++               locale.lo log_client.lo logging.lo lookup.lo policy.lo \
++	       prompt.lo serialize_list.lo set_perms.lo sethost.lo \
++	       starttime.lo strlcpy_unesc.lo strvec_join.lo sudo_nss.lo \
++	       sudoers.lo sudoers_cb.lo sudoers_ctx_free.lo timestamp.lo \
++	       unesc_str.lo @SUDOERS_OBJS@
+ 
+ SUDOERS_IOBJS = $(SUDOERS_OBJS:.lo=.i)
+ 
+@@ -726,9 +726,9 @@ afs.lo: $(authdir)/afs.c $(authdir)/sudo
+         $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+         $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+         $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-        $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-        $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
+-        $(top_builddir)/config.h $(top_builddir)/pathnames.h
++        $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++        $(srcdir)/timestamp.h $(top_builddir)/config.h \
++        $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/afs.c
+ afs.i: $(authdir)/afs.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \
+         $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -736,7 +736,7 @@ afs.i: $(authdir)/afs.c $(authdir)/sudo_
+         $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+         $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+         $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-        $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++        $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+         $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
+         $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -748,10 +748,9 @@ aix_auth.lo: $(authdir)/aix_auth.c $(aut
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-             $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-             $(top_builddir)/pathnames.h
++             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++             $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/aix_auth.c
+ aix_auth.i: $(authdir)/aix_auth.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \
+              $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -759,7 +758,7 @@ aix_auth.i: $(authdir)/aix_auth.c $(auth
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++             $(srcdir)/logging.h $(srcdir)/parse.h \
+              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+              $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+              $(top_builddir)/pathnames.h
+@@ -772,10 +771,9 @@ alias.lo: $(srcdir)/alias.c $(devdir)/de
+           $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+           $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+           $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-          $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-          $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-          $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-          $(top_builddir)/pathnames.h
++          $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/redblack.h \
++          $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++          $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/alias.c
+ alias.i: $(srcdir)/alias.c $(devdir)/def_data.h $(devdir)/gram.h \
+           $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -783,7 +781,7 @@ alias.i: $(srcdir)/alias.c $(devdir)/def
+           $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+           $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+           $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-          $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++          $(srcdir)/logging.h $(srcdir)/parse.h \
+           $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+           $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+           $(top_builddir)/pathnames.h
+@@ -798,8 +796,8 @@ audit.lo: $(srcdir)/audit.c $(devdir)/de
+           $(incdir)/sudo_queue.h $(incdir)/sudo_ssl_compat.h \
+           $(incdir)/sudo_util.h $(srcdir)/bsm_audit.h $(srcdir)/defaults.h \
+           $(srcdir)/linux_audit.h $(srcdir)/log_client.h $(srcdir)/logging.h \
+-          $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/solaris_audit.h \
+-          $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++          $(srcdir)/parse.h $(srcdir)/solaris_audit.h $(srcdir)/sudo_nss.h \
++          $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+           $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/audit.c
+ audit.i: $(srcdir)/audit.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+@@ -810,7 +808,7 @@ audit.i: $(srcdir)/audit.c $(devdir)/def
+           $(incdir)/sudo_queue.h $(incdir)/sudo_ssl_compat.h \
+           $(incdir)/sudo_util.h $(srcdir)/bsm_audit.h $(srcdir)/defaults.h \
+           $(srcdir)/linux_audit.h $(srcdir)/log_client.h $(srcdir)/logging.h \
+-          $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/solaris_audit.h \
++          $(srcdir)/parse.h $(srcdir)/solaris_audit.h \
+           $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+           $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -823,7 +821,7 @@ b64_decode.lo: $(srcdir)/b64_decode.c $(
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/b64_decode.c
+@@ -834,7 +832,7 @@ b64_decode.i: $(srcdir)/b64_decode.c $(d
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -847,7 +845,7 @@ b64_encode.o: $(srcdir)/b64_encode.c $(d
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/b64_encode.c
+@@ -858,7 +856,7 @@ b64_encode.i: $(srcdir)/b64_encode.c $(d
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -870,10 +868,9 @@ boottime.lo: $(srcdir)/boottime.c $(devd
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-             $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-             $(top_builddir)/pathnames.h
++             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++             $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/boottime.c
+ boottime.i: $(srcdir)/boottime.c $(devdir)/def_data.h \
+              $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -881,7 +878,7 @@ boottime.i: $(srcdir)/boottime.c $(devdi
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++             $(srcdir)/logging.h $(srcdir)/parse.h \
+              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+              $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+              $(top_builddir)/pathnames.h
+@@ -894,8 +891,8 @@ bsdauth.lo: $(authdir)/bsdauth.c $(authd
+             $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+             $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+             $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-            $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-            $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++            $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++            $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/bsdauth.c
+ bsdauth.i: $(authdir)/bsdauth.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \
+@@ -904,7 +901,7 @@ bsdauth.i: $(authdir)/bsdauth.c $(authdi
+             $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+             $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+             $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-            $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++            $(srcdir)/logging.h $(srcdir)/parse.h \
+             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -917,9 +914,9 @@ bsm_audit.lo: $(srcdir)/bsm_audit.c $(de
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/bsm_audit.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-              $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-              $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-              $(top_builddir)/config.h $(top_builddir)/pathnames.h
++              $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++              $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/bsm_audit.c
+ bsm_audit.i: $(srcdir)/bsm_audit.c $(devdir)/def_data.h \
+               $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -928,7 +925,7 @@ bsm_audit.i: $(srcdir)/bsm_audit.c $(dev
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/bsm_audit.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-              $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++              $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+               $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+               $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -941,9 +938,9 @@ canon_path.lo: $(srcdir)/canon_path.c $(
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/sudo_nss.h \
+-               $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-               $(top_builddir)/config.h $(top_builddir)/pathnames.h
++               $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++               $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/canon_path.c
+ canon_path.i: $(srcdir)/canon_path.c $(devdir)/def_data.h \
+                $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -952,7 +949,7 @@ canon_path.i: $(srcdir)/canon_path.c $(d
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/sudo_nss.h \
++               $(srcdir)/redblack.h $(srcdir)/sudo_nss.h \
+                $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -963,7 +960,7 @@ check.lo: $(srcdir)/check.c $(devdir)/de
+           $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+           $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+           $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-          $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++          $(srcdir)/logging.h $(srcdir)/parse.h \
+           $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+           $(srcdir)/timestamp.h $(top_builddir)/config.h \
+           $(top_builddir)/pathnames.h
+@@ -973,7 +970,7 @@ check.i: $(srcdir)/check.c $(devdir)/def
+           $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+           $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+           $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-          $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++          $(srcdir)/logging.h $(srcdir)/parse.h \
+           $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+           $(srcdir)/timestamp.h $(top_builddir)/config.h \
+           $(top_builddir)/pathnames.h
+@@ -987,9 +984,9 @@ check_addr.o: $(srcdir)/regress/parser/c
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \
+-              $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-              $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-              $(top_builddir)/config.h $(top_builddir)/pathnames.h
++              $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++              $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/parser/check_addr.c
+ check_addr.i: $(srcdir)/regress/parser/check_addr.c $(devdir)/def_data.h \
+               $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -998,7 +995,7 @@ check_addr.i: $(srcdir)/regress/parser/c
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \
+-              $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++              $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+               $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+               $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1011,10 +1008,9 @@ check_aliases.o: $(srcdir)/check_aliases
+                  $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                  $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                  $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-                 $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-                 $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-                 $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-                 $(top_builddir)/pathnames.h
++                 $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++                 $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++                 $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/check_aliases.c
+ check_aliases.i: $(srcdir)/check_aliases.c $(devdir)/def_data.h \
+                  $(devdir)/gram.h $(incdir)/compat/stdbool.h \
+@@ -1023,7 +1019,7 @@ check_aliases.i: $(srcdir)/check_aliases
+                  $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                  $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                  $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-                 $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                 $(srcdir)/logging.h $(srcdir)/parse.h \
+                  $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                  $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                  $(top_builddir)/pathnames.h
+@@ -1061,9 +1057,9 @@ check_editor.o: $(srcdir)/regress/editor
+                 $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                 $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                 $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-                $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-                $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-                $(top_builddir)/config.h $(top_builddir)/pathnames.h
++                $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++                $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/editor/check_editor.c
+ check_editor.i: $(srcdir)/regress/editor/check_editor.c $(devdir)/def_data.c \
+                 $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+@@ -1072,7 +1068,7 @@ check_editor.i: $(srcdir)/regress/editor
+                 $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                 $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                 $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-                $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++                $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+                 $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                 $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1085,7 +1081,7 @@ check_env_pattern.o: $(srcdir)/regress/e
+                      $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                      $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                      $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-                     $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                     $(srcdir)/logging.h $(srcdir)/parse.h \
+                      $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                      $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                      $(top_builddir)/pathnames.h
+@@ -1097,7 +1093,7 @@ check_env_pattern.i: $(srcdir)/regress/e
+                      $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                      $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                      $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-                     $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                     $(srcdir)/logging.h $(srcdir)/parse.h \
+                      $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                      $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                      $(top_builddir)/pathnames.h
+@@ -1112,7 +1108,7 @@ check_exptilde.o: $(srcdir)/regress/expt
+                   $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                   $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                   $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                  $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                  $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                   $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                   $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/exptilde/check_exptilde.c
+@@ -1124,7 +1120,7 @@ check_exptilde.i: $(srcdir)/regress/expt
+                   $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                   $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                   $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                  $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                  $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                   $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                   $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1166,7 +1162,7 @@ check_iolog_plugin.o: $(srcdir)/regress/
+                       $(incdir)/sudo_gettext.h $(incdir)/sudo_iolog.h \
+                       $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                       $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-                      $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                      $(srcdir)/logging.h $(srcdir)/parse.h \
+                       $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                       $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                       $(top_builddir)/pathnames.h
+@@ -1179,7 +1175,7 @@ check_iolog_plugin.i: $(srcdir)/regress/
+                       $(incdir)/sudo_gettext.h $(incdir)/sudo_iolog.h \
+                       $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                       $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-                      $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                      $(srcdir)/logging.h $(srcdir)/parse.h \
+                       $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                       $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                       $(top_builddir)/pathnames.h
+@@ -1195,9 +1191,9 @@ check_serialize_list.lo: \
+                          $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                          $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+                          $(srcdir)/logging.h $(srcdir)/parse.h \
+-                         $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-                         $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-                         $(top_builddir)/config.h $(top_builddir)/pathnames.h
++                         $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                         $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++                         $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/serialize_list/check_serialize_list.c
+ check_serialize_list.i: \
+                          $(srcdir)/regress/serialize_list/check_serialize_list.c \
+@@ -1208,7 +1204,7 @@ check_serialize_list.i: \
+                          $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                          $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+                          $(srcdir)/logging.h $(srcdir)/parse.h \
+-                         $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++                         $(srcdir)/sudo_nss.h \
+                          $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                          $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1249,7 +1245,7 @@ check_unesc.o: $(srcdir)/regress/unescap
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/unescape/check_unesc.c
+@@ -1260,7 +1256,7 @@ check_unesc.i: $(srcdir)/regress/unescap
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1273,7 +1269,7 @@ check_util.lo: $(srcdir)/check_util.c $(
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/check_util.c
+@@ -1284,7 +1280,7 @@ check_util.i: $(srcdir)/check_util.c $(d
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1298,8 +1294,8 @@ cvtsudoers.o: $(srcdir)/cvtsudoers.c $(d
+               $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/cvtsudoers.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-              $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/redblack.h \
+-              $(srcdir)/strlist.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/parse.h $(srcdir)/redblack.h $(srcdir)/strlist.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(srcdir)/sudoers_version.h \
+               $(srcdir)/testsudoers_pwutil.h $(srcdir)/tsgetgrpw.h \
+               $(top_builddir)/config.h $(top_builddir)/pathnames.h
+@@ -1312,8 +1308,8 @@ cvtsudoers.i: $(srcdir)/cvtsudoers.c $(d
+               $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/cvtsudoers.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-              $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/redblack.h \
+-              $(srcdir)/strlist.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/parse.h $(srcdir)/redblack.h $(srcdir)/strlist.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(srcdir)/sudoers_version.h \
+               $(srcdir)/testsudoers_pwutil.h $(srcdir)/tsgetgrpw.h \
+               $(top_builddir)/config.h $(top_builddir)/pathnames.h
+@@ -1328,9 +1324,9 @@ cvtsudoers_csv.o: $(srcdir)/cvtsudoers_c
+                   $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                   $(incdir)/sudo_util.h $(srcdir)/cvtsudoers.h \
+                   $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                  $(srcdir)/pivot.h $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \
+-                  $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-                  $(top_builddir)/config.h $(top_builddir)/pathnames.h
++                  $(srcdir)/strlist.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                  $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++                  $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/cvtsudoers_csv.c
+ cvtsudoers_csv.i: $(srcdir)/cvtsudoers_csv.c $(devdir)/def_data.h \
+                   $(devdir)/gram.h $(incdir)/compat/stdbool.h \
+@@ -1340,7 +1336,7 @@ cvtsudoers_csv.i: $(srcdir)/cvtsudoers_c
+                   $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                   $(incdir)/sudo_util.h $(srcdir)/cvtsudoers.h \
+                   $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                  $(srcdir)/pivot.h $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \
++                  $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \
+                   $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                   $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1354,7 +1350,7 @@ cvtsudoers_json.o: $(srcdir)/cvtsudoers_
+                    $(incdir)/sudo_json.h $(incdir)/sudo_plugin.h \
+                    $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                    $(srcdir)/cvtsudoers.h $(srcdir)/defaults.h \
+-                   $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                   $(srcdir)/logging.h $(srcdir)/parse.h \
+                    $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \
+                    $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                    $(top_builddir)/config.h $(top_builddir)/pathnames.h
+@@ -1367,7 +1363,7 @@ cvtsudoers_json.i: $(srcdir)/cvtsudoers_
+                    $(incdir)/sudo_json.h $(incdir)/sudo_plugin.h \
+                    $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                    $(srcdir)/cvtsudoers.h $(srcdir)/defaults.h \
+-                   $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                   $(srcdir)/logging.h $(srcdir)/parse.h \
+                    $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \
+                    $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                    $(top_builddir)/config.h $(top_builddir)/pathnames.h
+@@ -1382,11 +1378,11 @@ cvtsudoers_ldif.o: $(srcdir)/cvtsudoers_
+                    $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \
+                    $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                    $(srcdir)/cvtsudoers.h $(srcdir)/defaults.h \
+-                   $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-                   $(srcdir)/redblack.h $(srcdir)/strlist.h \
+-                   $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h \
+-                   $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-                   $(top_builddir)/config.h $(top_builddir)/pathnames.h
++                   $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/redblack.h \
++                   $(srcdir)/strlist.h $(srcdir)/sudo_ldap.h \
++                   $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                   $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++                   $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/cvtsudoers_ldif.c
+ cvtsudoers_ldif.i: $(srcdir)/cvtsudoers_ldif.c $(devdir)/def_data.h \
+                    $(devdir)/gram.h $(incdir)/compat/stdbool.h \
+@@ -1396,7 +1392,7 @@ cvtsudoers_ldif.i: $(srcdir)/cvtsudoers_
+                    $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \
+                    $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                    $(srcdir)/cvtsudoers.h $(srcdir)/defaults.h \
+-                   $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                   $(srcdir)/logging.h $(srcdir)/parse.h \
+                    $(srcdir)/redblack.h $(srcdir)/strlist.h \
+                    $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h \
+                    $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+@@ -1412,7 +1408,7 @@ cvtsudoers_merge.o: $(srcdir)/cvtsudoers
+                     $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                     $(incdir)/sudo_util.h $(srcdir)/cvtsudoers.h \
+                     $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                    $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/strlist.h \
++                    $(srcdir)/redblack.h $(srcdir)/strlist.h \
+                     $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                     $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                     $(top_builddir)/pathnames.h
+@@ -1425,7 +1421,7 @@ cvtsudoers_merge.i: $(srcdir)/cvtsudoers
+                     $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                     $(incdir)/sudo_util.h $(srcdir)/cvtsudoers.h \
+                     $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                    $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/strlist.h \
++                    $(srcdir)/redblack.h $(srcdir)/strlist.h \
+                     $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                     $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                     $(top_builddir)/pathnames.h
+@@ -1439,11 +1435,10 @@ cvtsudoers_pwutil.o: $(srcdir)/cvtsudoer
+                      $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                      $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                      $(srcdir)/cvtsudoers.h $(srcdir)/defaults.h \
+-                     $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-                     $(srcdir)/pwutil.h $(srcdir)/strlist.h \
+-                     $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-                     $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-                     $(top_builddir)/pathnames.h
++                     $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pwutil.h \
++                     $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \
++                     $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++                     $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/cvtsudoers_pwutil.c
+ cvtsudoers_pwutil.i: $(srcdir)/cvtsudoers_pwutil.c $(devdir)/def_data.h \
+                      $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -1452,7 +1447,7 @@ cvtsudoers_pwutil.i: $(srcdir)/cvtsudoer
+                      $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                      $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                      $(srcdir)/cvtsudoers.h $(srcdir)/defaults.h \
+-                     $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                     $(srcdir)/logging.h $(srcdir)/parse.h \
+                      $(srcdir)/pwutil.h $(srcdir)/strlist.h \
+                      $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                      $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+@@ -1466,9 +1461,9 @@ dce.lo: $(authdir)/dce.c $(authdir)/sudo
+         $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+         $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+         $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-        $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-        $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
+-        $(top_builddir)/config.h $(top_builddir)/pathnames.h
++        $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++        $(srcdir)/timestamp.h $(top_builddir)/config.h \
++        $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/dce.c
+ dce.i: $(authdir)/dce.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \
+         $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -1476,7 +1471,7 @@ dce.i: $(authdir)/dce.c $(authdir)/sudo_
+         $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+         $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+         $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-        $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++        $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+         $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
+         $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1489,10 +1484,9 @@ defaults.lo: $(srcdir)/defaults.c $(devd
+              $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+              $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-             $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-             $(top_builddir)/pathnames.h
++             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++             $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/defaults.c
+ defaults.i: $(srcdir)/defaults.c $(devdir)/def_data.c $(devdir)/def_data.h \
+              $(devdir)/gram.h $(incdir)/compat/stdbool.h \
+@@ -1501,7 +1495,7 @@ defaults.i: $(srcdir)/defaults.c $(devdi
+              $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+              $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++             $(srcdir)/logging.h $(srcdir)/parse.h \
+              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+              $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+              $(top_builddir)/pathnames.h
+@@ -1529,9 +1523,9 @@ display.lo: $(srcdir)/display.c $(devdir
+             $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \
+             $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+             $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-            $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-            $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-            $(top_builddir)/config.h $(top_builddir)/pathnames.h
++            $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++            $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++            $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/display.c
+ display.i: $(srcdir)/display.c $(devdir)/def_data.h $(devdir)/gram.h \
+             $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -1540,7 +1534,7 @@ display.i: $(srcdir)/display.c $(devdir)
+             $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \
+             $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+             $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-            $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++            $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+             $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1552,9 +1546,9 @@ editor.lo: $(srcdir)/editor.c $(devdir)/
+            $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+            $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+            $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-           $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-           $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-           $(top_builddir)/config.h $(top_builddir)/pathnames.h
++           $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++           $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++           $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/editor.c
+ editor.i: $(srcdir)/editor.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+            $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \
+@@ -1562,7 +1556,7 @@ editor.i: $(srcdir)/editor.c $(devdir)/d
+            $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+            $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+            $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-           $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++           $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+            $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+            $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1573,7 +1567,7 @@ env.lo: $(srcdir)/env.c $(devdir)/def_da
+         $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+         $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+         $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-        $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++        $(srcdir)/logging.h $(srcdir)/parse.h \
+         $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+         $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/env.c
+@@ -1582,7 +1576,7 @@ env.i: $(srcdir)/env.c $(devdir)/def_dat
+         $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+         $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+         $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-        $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++        $(srcdir)/logging.h $(srcdir)/parse.h \
+         $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+         $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1595,7 +1589,7 @@ env_pattern.lo: $(srcdir)/env_pattern.c
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                 $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                 $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                 $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                 $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/env_pattern.c
+@@ -1606,7 +1600,7 @@ env_pattern.i: $(srcdir)/env_pattern.c $
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                 $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                 $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                 $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                 $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1618,8 +1612,8 @@ exptilde.lo: $(srcdir)/exptilde.c $(devd
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-             $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pwutil.h \
++             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+              $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+              $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/exptilde.c
+@@ -1629,7 +1623,7 @@ exptilde.i: $(srcdir)/exptilde.c $(devdi
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++             $(srcdir)/logging.h $(srcdir)/parse.h \
+              $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+              $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+              $(top_builddir)/pathnames.h
+@@ -1643,9 +1637,8 @@ file.lo: $(srcdir)/file.c $(devdir)/def_
+          $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \
+          $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+          $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-         $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-         $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-         $(top_builddir)/pathnames.h
++         $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++         $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/file.c
+ file.i: $(srcdir)/file.c $(devdir)/def_data.h $(devdir)/gram.h \
+          $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -1654,7 +1647,7 @@ file.i: $(srcdir)/file.c $(devdir)/def_d
+          $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \
+          $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+          $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-         $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++         $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+          $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+          $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1667,9 +1660,9 @@ filedigest.lo: $(srcdir)/filedigest.c $(
+                $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-               $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-               $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-               $(top_builddir)/config.h $(top_builddir)/pathnames.h
++               $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++               $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/filedigest.c
+ filedigest.i: $(srcdir)/filedigest.c $(devdir)/def_data.h \
+                $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -1678,7 +1671,7 @@ filedigest.i: $(srcdir)/filedigest.c $(d
+                $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-               $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++               $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+                $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1691,7 +1684,7 @@ find_path.lo: $(srcdir)/find_path.c $(de
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/find_path.c
+@@ -1702,7 +1695,7 @@ find_path.i: $(srcdir)/find_path.c $(dev
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1715,9 +1708,9 @@ fmtsudoers.lo: $(srcdir)/fmtsudoers.c $(
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \
+                $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-               $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-               $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-               $(top_builddir)/config.h $(top_builddir)/pathnames.h
++               $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++               $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/fmtsudoers.c
+ fmtsudoers.i: $(srcdir)/fmtsudoers.c $(devdir)/def_data.h $(devdir)/gram.h \
+                $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -1726,7 +1719,7 @@ fmtsudoers.i: $(srcdir)/fmtsudoers.c $(d
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \
+                $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-               $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++               $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+                $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1740,7 +1733,7 @@ fmtsudoers_cvt.lo: $(srcdir)/fmtsudoers_
+                    $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \
+                    $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                    $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                   $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                   $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                    $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                    $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/fmtsudoers_cvt.c
+@@ -1752,7 +1745,7 @@ fmtsudoers_cvt.i: $(srcdir)/fmtsudoers_c
+                    $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \
+                    $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                    $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                   $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                   $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                    $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                    $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1767,7 +1760,7 @@ fuzz_policy.o: $(srcdir)/regress/fuzz/fu
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \
+                $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
+                $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/fuzz/fuzz_policy.c
+@@ -1780,7 +1773,7 @@ fuzz_policy.i: $(srcdir)/regress/fuzz/fu
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \
+                $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
+                $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1793,10 +1786,9 @@ fuzz_stubs.o: $(srcdir)/regress/fuzz/fuz
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \
+-              $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-              $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-              $(srcdir)/timestamp.h $(top_builddir)/config.h \
+-              $(top_builddir)/pathnames.h
++              $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
++              $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/fuzz/fuzz_stubs.c
+ fuzz_stubs.i: $(srcdir)/regress/fuzz/fuzz_stubs.c $(devdir)/def_data.h \
+               $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -1805,7 +1797,7 @@ fuzz_stubs.i: $(srcdir)/regress/fuzz/fuz
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \
+-              $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++              $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+               $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+               $(srcdir)/timestamp.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h
+@@ -1819,10 +1811,9 @@ fuzz_sudoers.o: $(srcdir)/regress/fuzz/f
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                 $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                 $(srcdir)/defaults.h $(srcdir)/interfaces.h \
+-                $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-                $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-                $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-                $(top_builddir)/pathnames.h
++                $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++                $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++                $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/fuzz/fuzz_sudoers.c
+ fuzz_sudoers.i: $(srcdir)/regress/fuzz/fuzz_sudoers.c $(devdir)/def_data.h \
+                 $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -1831,7 +1822,7 @@ fuzz_sudoers.i: $(srcdir)/regress/fuzz/f
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                 $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                 $(srcdir)/defaults.h $(srcdir)/interfaces.h \
+-                $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                $(srcdir)/logging.h $(srcdir)/parse.h \
+                 $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                 $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                 $(top_builddir)/pathnames.h
+@@ -1845,7 +1836,7 @@ fuzz_sudoers_ldif.o: $(srcdir)/regress/f
+                      $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                      $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                      $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-                     $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                     $(srcdir)/logging.h $(srcdir)/parse.h \
+                      $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                      $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                      $(top_builddir)/pathnames.h
+@@ -1857,7 +1848,7 @@ fuzz_sudoers_ldif.i: $(srcdir)/regress/f
+                      $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                      $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                      $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-                     $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                     $(srcdir)/logging.h $(srcdir)/parse.h \
+                      $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                      $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                      $(top_builddir)/pathnames.h
+@@ -1870,8 +1861,8 @@ fwtk.lo: $(authdir)/fwtk.c $(authdir)/su
+          $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+          $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+          $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-         $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-         $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++         $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++         $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+          $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/fwtk.c
+ fwtk.i: $(authdir)/fwtk.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \
+@@ -1880,7 +1871,7 @@ fwtk.i: $(authdir)/fwtk.c $(authdir)/sud
+          $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+          $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+          $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-         $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++         $(srcdir)/logging.h $(srcdir)/parse.h \
+          $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+          $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1891,8 +1882,8 @@ gc.lo: $(srcdir)/gc.c $(devdir)/def_data
+        $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+        $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+        $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-       $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-       $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++       $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++       $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+        $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/gc.c
+ gc.i: $(srcdir)/gc.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+@@ -1900,7 +1891,7 @@ gc.i: $(srcdir)/gc.c $(devdir)/def_data.
+        $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+        $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+        $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-       $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++       $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+        $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+        $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1931,7 +1922,7 @@ getspwuid.lo: $(srcdir)/getspwuid.c $(de
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/getspwuid.c
+@@ -1942,7 +1933,7 @@ getspwuid.i: $(srcdir)/getspwuid.c $(dev
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -1954,10 +1945,9 @@ goodpath.lo: $(srcdir)/goodpath.c $(devd
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-             $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-             $(top_builddir)/pathnames.h
++             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++             $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/goodpath.c
+ goodpath.i: $(srcdir)/goodpath.c $(devdir)/def_data.h \
+              $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -1965,7 +1955,7 @@ goodpath.i: $(srcdir)/goodpath.c $(devdi
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++             $(srcdir)/logging.h $(srcdir)/parse.h \
+              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+              $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+              $(top_builddir)/pathnames.h
+@@ -1978,9 +1968,8 @@ gram.lo: $(devdir)/gram.c $(devdir)/def_
+          $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+          $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+          $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-         $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-         $(srcdir)/sudoers_debug.h $(srcdir)/toke.h $(top_builddir)/config.h \
+-         $(top_builddir)/pathnames.h
++         $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++         $(srcdir)/toke.h $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(devdir)/gram.c
+ gram.i: $(devdir)/gram.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+          $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+@@ -1988,7 +1977,7 @@ gram.i: $(devdir)/gram.c $(devdir)/def_d
+          $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+          $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+          $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-         $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++         $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+          $(srcdir)/sudoers_debug.h $(srcdir)/toke.h $(top_builddir)/config.h \
+          $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2001,10 +1990,9 @@ group_plugin.lo: $(srcdir)/group_plugin.
+                  $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                  $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                  $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-                 $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-                 $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-                 $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-                 $(top_builddir)/pathnames.h
++                 $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++                 $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++                 $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/group_plugin.c
+ group_plugin.i: $(srcdir)/group_plugin.c $(devdir)/def_data.h \
+                  $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -2013,7 +2001,7 @@ group_plugin.i: $(srcdir)/group_plugin.c
+                  $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                  $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                  $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-                 $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                 $(srcdir)/logging.h $(srcdir)/parse.h \
+                  $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                  $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                  $(top_builddir)/pathnames.h
+@@ -2027,9 +2015,9 @@ interfaces.lo: $(srcdir)/interfaces.c $(
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \
+-               $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-               $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-               $(top_builddir)/config.h $(top_builddir)/pathnames.h
++               $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++               $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/interfaces.c
+ interfaces.i: $(srcdir)/interfaces.c $(devdir)/def_data.h \
+                $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -2038,7 +2026,7 @@ interfaces.i: $(srcdir)/interfaces.c $(d
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \
+-               $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++               $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+                $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2052,8 +2040,8 @@ iolog.lo: $(srcdir)/iolog.c $(devdir)/de
+           $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+           $(incdir)/sudo_ssl_compat.h $(incdir)/sudo_util.h \
+           $(srcdir)/defaults.h $(srcdir)/log_client.h $(srcdir)/logging.h \
+-          $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/strlist.h \
+-          $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++          $(srcdir)/parse.h $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \
++          $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+           $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/iolog.c
+ iolog.i: $(srcdir)/iolog.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+@@ -2064,7 +2052,7 @@ iolog.i: $(srcdir)/iolog.c $(devdir)/def
+           $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+           $(incdir)/sudo_ssl_compat.h $(incdir)/sudo_util.h \
+           $(srcdir)/defaults.h $(srcdir)/log_client.h $(srcdir)/logging.h \
+-          $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/strlist.h \
++          $(srcdir)/parse.h $(srcdir)/strlist.h \
+           $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+           $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2077,7 +2065,7 @@ iolog_path_escapes.lo: $(srcdir)/iolog_p
+                        $(incdir)/sudo_gettext.h $(incdir)/sudo_iolog.h \
+                        $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                        $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-                       $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                       $(srcdir)/logging.h $(srcdir)/parse.h \
+                        $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                        $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                        $(top_builddir)/pathnames.h
+@@ -2089,7 +2077,7 @@ iolog_path_escapes.i: $(srcdir)/iolog_pa
+                        $(incdir)/sudo_gettext.h $(incdir)/sudo_iolog.h \
+                        $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                        $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-                       $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                       $(srcdir)/logging.h $(srcdir)/parse.h \
+                        $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                        $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                        $(top_builddir)/pathnames.h
+@@ -2102,8 +2090,8 @@ kerb5.lo: $(authdir)/kerb5.c $(authdir)/
+           $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+           $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+           $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-          $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-          $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++          $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++          $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+           $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/kerb5.c
+ kerb5.i: $(authdir)/kerb5.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \
+@@ -2112,7 +2100,7 @@ kerb5.i: $(authdir)/kerb5.c $(authdir)/s
+           $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+           $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+           $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-          $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++          $(srcdir)/logging.h $(srcdir)/parse.h \
+           $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+           $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2124,8 +2112,8 @@ ldap.lo: $(srcdir)/ldap.c $(devdir)/def_
+          $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \
+          $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+          $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-         $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h \
+-         $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++         $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h $(srcdir)/sudo_nss.h \
++         $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+          $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/ldap.c
+ ldap.i: $(srcdir)/ldap.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+@@ -2134,7 +2122,7 @@ ldap.i: $(srcdir)/ldap.c $(devdir)/def_d
+          $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \
+          $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+          $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-         $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h \
++         $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h \
+          $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+          $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2147,7 +2135,7 @@ ldap_conf.lo: $(srcdir)/ldap_conf.c $(de
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \
+               $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+               $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-              $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h \
++              $(srcdir)/parse.h $(srcdir)/sudo_ldap.h \
+               $(srcdir)/sudo_ldap_conf.h $(srcdir)/sudo_nss.h \
+               $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+               $(top_builddir)/config.h $(top_builddir)/pathnames.h
+@@ -2159,7 +2147,7 @@ ldap_conf.i: $(srcdir)/ldap_conf.c $(dev
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \
+               $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+               $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-              $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h \
++              $(srcdir)/parse.h $(srcdir)/sudo_ldap.h \
+               $(srcdir)/sudo_ldap_conf.h $(srcdir)/sudo_nss.h \
+               $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+               $(top_builddir)/config.h $(top_builddir)/pathnames.h
+@@ -2173,10 +2161,10 @@ ldap_innetgr.lo: $(srcdir)/ldap_innetgr.
+                  $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                  $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                  $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                 $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h \
+-                 $(srcdir)/sudo_ldap_conf.h $(srcdir)/sudo_nss.h \
+-                 $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-                 $(top_builddir)/config.h $(top_builddir)/pathnames.h
++                 $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h \
++                 $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                 $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++                 $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/ldap_innetgr.c
+ ldap_innetgr.i: $(srcdir)/ldap_innetgr.c $(devdir)/def_data.h \
+                  $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -2185,7 +2173,7 @@ ldap_innetgr.i: $(srcdir)/ldap_innetgr.c
+                  $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                  $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                  $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                 $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h \
++                 $(srcdir)/sudo_ldap.h \
+                  $(srcdir)/sudo_ldap_conf.h $(srcdir)/sudo_nss.h \
+                  $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                  $(top_builddir)/config.h $(top_builddir)/pathnames.h
+@@ -2200,10 +2188,9 @@ ldap_util.lo: $(srcdir)/ldap_util.c $(de
+               $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \
+-              $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h \
+-              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-              $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-              $(top_builddir)/pathnames.h
++              $(srcdir)/parse.h $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h \
++              $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++              $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/ldap_util.c
+ ldap_util.i: $(srcdir)/ldap_util.c $(devdir)/def_data.h $(devdir)/gram.h \
+               $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -2213,7 +2200,7 @@ ldap_util.i: $(srcdir)/ldap_util.c $(dev
+               $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \
+-              $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h \
++              $(srcdir)/parse.h $(srcdir)/sudo_ldap.h \
+               $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h
+@@ -2227,10 +2214,9 @@ linux_audit.lo: $(srcdir)/linux_audit.c
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                 $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                 $(srcdir)/defaults.h $(srcdir)/linux_audit.h \
+-                $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-                $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-                $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-                $(top_builddir)/pathnames.h
++                $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++                $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++                $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/linux_audit.c
+ linux_audit.i: $(srcdir)/linux_audit.c $(devdir)/def_data.h \
+                 $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -2239,7 +2225,7 @@ linux_audit.i: $(srcdir)/linux_audit.c $
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                 $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                 $(srcdir)/defaults.h $(srcdir)/linux_audit.h \
+-                $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                $(srcdir)/logging.h $(srcdir)/parse.h \
+                 $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                 $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                 $(top_builddir)/pathnames.h
+@@ -2273,9 +2259,9 @@ log_client.lo: $(srcdir)/log_client.c $(
+                $(incdir)/sudo_queue.h $(incdir)/sudo_ssl_compat.h \
+                $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+                $(srcdir)/log_client.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \
+-               $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-               $(top_builddir)/config.h $(top_builddir)/pathnames.h
++               $(srcdir)/strlist.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++               $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/log_client.c
+ log_client.i: $(srcdir)/log_client.c $(devdir)/def_data.h \
+                $(incdir)/compat/getaddrinfo.h $(incdir)/compat/stdbool.h \
+@@ -2288,7 +2274,7 @@ log_client.i: $(srcdir)/log_client.c $(d
+                $(incdir)/sudo_queue.h $(incdir)/sudo_ssl_compat.h \
+                $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+                $(srcdir)/log_client.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \
++               $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \
+                $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2303,8 +2289,8 @@ logging.lo: $(srcdir)/logging.c $(devdir
+             $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+             $(incdir)/sudo_ssl_compat.h $(incdir)/sudo_util.h \
+             $(srcdir)/defaults.h $(srcdir)/log_client.h $(srcdir)/logging.h \
+-            $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/strlist.h \
+-            $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++            $(srcdir)/parse.h $(srcdir)/strlist.h $(srcdir)/sudo_nss.h \
++            $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/logging.c
+ logging.i: $(srcdir)/logging.c $(devdir)/def_data.h \
+@@ -2316,7 +2302,7 @@ logging.i: $(srcdir)/logging.c $(devdir)
+             $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+             $(incdir)/sudo_ssl_compat.h $(incdir)/sudo_util.h \
+             $(srcdir)/defaults.h $(srcdir)/log_client.h $(srcdir)/logging.h \
+-            $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/strlist.h \
++            $(srcdir)/parse.h $(srcdir)/strlist.h \
+             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2328,8 +2314,8 @@ lookup.lo: $(srcdir)/lookup.c $(devdir)/
+            $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+            $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+            $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-           $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-           $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++           $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++           $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+            $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/lookup.c
+ lookup.i: $(srcdir)/lookup.c $(devdir)/def_data.h $(devdir)/gram.h \
+@@ -2338,7 +2324,7 @@ lookup.i: $(srcdir)/lookup.c $(devdir)/d
+            $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+            $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+            $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-           $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++           $(srcdir)/logging.h $(srcdir)/parse.h \
+            $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+            $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2350,8 +2336,8 @@ match.lo: $(srcdir)/match.c $(devdir)/de
+           $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+           $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+           $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-          $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-          $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++          $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++          $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+           $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/match.c
+ match.i: $(srcdir)/match.c $(devdir)/def_data.h $(devdir)/gram.h \
+@@ -2360,7 +2346,7 @@ match.i: $(srcdir)/match.c $(devdir)/def
+           $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+           $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+           $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-          $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++          $(srcdir)/logging.h $(srcdir)/parse.h \
+           $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+           $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2373,9 +2359,9 @@ match_addr.lo: $(srcdir)/match_addr.c $(
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \
+-               $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-               $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-               $(top_builddir)/config.h $(top_builddir)/pathnames.h
++               $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++               $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/match_addr.c
+ match_addr.i: $(srcdir)/match_addr.c $(devdir)/def_data.h \
+                $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -2384,7 +2370,7 @@ match_addr.i: $(srcdir)/match_addr.c $(d
+                $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \
+-               $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++               $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+                $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2398,10 +2384,9 @@ match_command.lo: $(srcdir)/match_comman
+                   $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                   $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                   $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-                  $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-                  $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-                  $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-                  $(top_builddir)/pathnames.h
++                  $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++                  $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++                  $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/match_command.c
+ match_command.i: $(srcdir)/match_command.c $(devdir)/def_data.h \
+                   $(devdir)/gram.h $(incdir)/compat/fnmatch.h \
+@@ -2411,7 +2396,7 @@ match_command.i: $(srcdir)/match_command
+                   $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                   $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                   $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-                  $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++                  $(srcdir)/logging.h $(srcdir)/parse.h \
+                   $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                   $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                   $(top_builddir)/pathnames.h
+@@ -2426,7 +2411,7 @@ match_digest.lo: $(srcdir)/match_digest.
+                  $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                  $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                  $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                 $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                 $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                  $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                  $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/match_digest.c
+@@ -2438,7 +2423,7 @@ match_digest.i: $(srcdir)/match_digest.c
+                  $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                  $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                  $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                 $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                 $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                  $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                  $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2468,9 +2453,8 @@ pam.lo: $(authdir)/pam.c $(authdir)/sudo
+         $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+         $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+         $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-        $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-        $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-        $(top_builddir)/pathnames.h
++        $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++        $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/pam.c
+ pam.i: $(authdir)/pam.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \
+         $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -2478,7 +2462,7 @@ pam.i: $(authdir)/pam.c $(authdir)/sudo_
+         $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+         $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+         $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-        $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++        $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+         $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+         $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2491,8 +2475,8 @@ parse_ldif.o: $(srcdir)/parse_ldif.c $(d
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/strlist.h \
+-              $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/redblack.h $(srcdir)/strlist.h $(srcdir)/sudo_ldap.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/parse_ldif.c
+@@ -2503,7 +2487,7 @@ parse_ldif.i: $(srcdir)/parse_ldif.c $(d
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/strlist.h \
++              $(srcdir)/redblack.h $(srcdir)/strlist.h \
+               $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h
+@@ -2517,7 +2501,7 @@ parser_warnx.lo: $(srcdir)/parser_warnx.
+                  $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                  $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                  $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                 $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                 $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                  $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                  $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/parser_warnx.c
+@@ -2528,7 +2512,7 @@ parser_warnx.i: $(srcdir)/parser_warnx.c
+                  $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                  $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                  $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                 $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                 $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                  $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                  $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2540,8 +2524,8 @@ passwd.lo: $(authdir)/passwd.c $(authdir
+            $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+            $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+            $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-           $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-           $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++           $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++           $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+            $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/passwd.c
+ passwd.i: $(authdir)/passwd.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \
+@@ -2550,32 +2534,12 @@ passwd.i: $(authdir)/passwd.c $(authdir)
+            $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+            $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+            $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-           $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++           $(srcdir)/logging.h $(srcdir)/parse.h \
+            $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+            $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+ passwd.plog: passwd.i
+ 	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(authdir)/passwd.c --i-file $< --output-file $@
+-pivot.lo: $(srcdir)/pivot.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+-          $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+-          $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+-          $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+-          $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-          $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-          $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-          $(top_builddir)/config.h $(top_builddir)/pathnames.h
+-	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/pivot.c
+-pivot.i: $(srcdir)/pivot.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+-          $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+-          $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+-          $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+-          $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-          $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-          $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-          $(top_builddir)/config.h $(top_builddir)/pathnames.h
+-	$(CC) -E -o $@ $(CPPFLAGS) $<
+-pivot.plog: pivot.i
+-	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/pivot.c --i-file $< --output-file $@
+ policy.lo: $(srcdir)/policy.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+            $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \
+            $(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \
+@@ -2583,10 +2547,10 @@ policy.lo: $(srcdir)/policy.c $(devdir)/
+            $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+            $(incdir)/sudo_util.h $(srcdir)/auth/sudo_auth.h \
+            $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \
+-           $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-           $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-           $(srcdir)/sudoers_version.h $(srcdir)/timestamp.h \
+-           $(top_builddir)/config.h $(top_builddir)/pathnames.h
++           $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++           $(srcdir)/sudoers_debug.h $(srcdir)/sudoers_version.h \
++           $(srcdir)/timestamp.h $(top_builddir)/config.h \
++           $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/policy.c
+ policy.i: $(srcdir)/policy.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+            $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \
+@@ -2595,7 +2559,7 @@ policy.i: $(srcdir)/policy.c $(devdir)/d
+            $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+            $(incdir)/sudo_util.h $(srcdir)/auth/sudo_auth.h \
+            $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \
+-           $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++           $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+            $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+            $(srcdir)/sudoers_version.h $(srcdir)/timestamp.h \
+            $(top_builddir)/config.h $(top_builddir)/pathnames.h
+@@ -2608,9 +2572,9 @@ prompt.lo: $(srcdir)/prompt.c $(devdir)/
+            $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+            $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+            $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-           $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-           $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-           $(top_builddir)/config.h $(top_builddir)/pathnames.h
++           $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++           $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++           $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/prompt.c
+ prompt.i: $(srcdir)/prompt.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+            $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \
+@@ -2618,7 +2582,7 @@ prompt.i: $(srcdir)/prompt.c $(devdir)/d
+            $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+            $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+            $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-           $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++           $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+            $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+            $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2630,10 +2594,9 @@ pwutil.lo: $(srcdir)/pwutil.c $(devdir)/
+            $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+            $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+            $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-           $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/pwutil.h \
+-           $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-           $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-           $(top_builddir)/pathnames.h
++           $(srcdir)/parse.h $(srcdir)/pwutil.h $(srcdir)/redblack.h \
++           $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++           $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/pwutil.c
+ pwutil.i: $(srcdir)/pwutil.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+            $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \
+@@ -2641,7 +2604,7 @@ pwutil.i: $(srcdir)/pwutil.c $(devdir)/d
+            $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+            $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+            $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-           $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/pwutil.h \
++           $(srcdir)/parse.h $(srcdir)/pwutil.h \
+            $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+            $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+            $(top_builddir)/pathnames.h
+@@ -2655,9 +2618,9 @@ pwutil_impl.lo: $(srcdir)/pwutil_impl.c
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                 $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                 $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                $(srcdir)/pivot.h $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h \
+-                $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-                $(top_builddir)/config.h $(top_builddir)/pathnames.h
++                $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++                $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/pwutil_impl.c
+ pwutil_impl.i: $(srcdir)/pwutil_impl.c $(devdir)/def_data.h \
+                 $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -2666,7 +2629,7 @@ pwutil_impl.i: $(srcdir)/pwutil_impl.c $
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                 $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                 $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                $(srcdir)/pivot.h $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h \
++                $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h \
+                 $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                 $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2678,8 +2641,8 @@ redblack.lo: $(srcdir)/redblack.c $(devd
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-             $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/redblack.h \
++             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+              $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+              $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/redblack.c
+@@ -2689,7 +2652,7 @@ redblack.i: $(srcdir)/redblack.c $(devdi
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++             $(srcdir)/logging.h $(srcdir)/parse.h \
+              $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+              $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+              $(top_builddir)/pathnames.h
+@@ -2703,7 +2666,7 @@ resolve_cmnd.lo: $(srcdir)/resolve_cmnd.
+                  $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                  $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                  $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                 $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                 $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                  $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                  $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/resolve_cmnd.c
+@@ -2714,7 +2677,7 @@ resolve_cmnd.i: $(srcdir)/resolve_cmnd.c
+                  $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                  $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                  $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                 $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                 $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                  $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                  $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2726,8 +2689,8 @@ rfc1938.lo: $(authdir)/rfc1938.c $(authd
+             $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+             $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+             $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-            $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-            $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++            $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++            $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/rfc1938.c
+ rfc1938.i: $(authdir)/rfc1938.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \
+@@ -2736,7 +2699,7 @@ rfc1938.i: $(authdir)/rfc1938.c $(authdi
+             $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+             $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+             $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-            $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++            $(srcdir)/logging.h $(srcdir)/parse.h \
+             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2749,9 +2712,9 @@ secureware.lo: $(authdir)/secureware.c $
+                $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-               $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-               $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-               $(top_builddir)/config.h $(top_builddir)/pathnames.h
++               $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++               $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/secureware.c
+ secureware.i: $(authdir)/secureware.c $(authdir)/sudo_auth.h \
+                $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+@@ -2760,7 +2723,7 @@ secureware.i: $(authdir)/secureware.c $(
+                $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+                $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+-               $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++               $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+                $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2772,10 +2735,9 @@ securid5.lo: $(authdir)/securid5.c $(aut
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-             $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-             $(top_builddir)/pathnames.h
++             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++             $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/securid5.c
+ securid5.i: $(authdir)/securid5.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \
+              $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -2783,7 +2745,7 @@ securid5.i: $(authdir)/securid5.c $(auth
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++             $(srcdir)/logging.h $(srcdir)/parse.h \
+              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+              $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+              $(top_builddir)/pathnames.h
+@@ -2797,7 +2759,7 @@ serialize_list.lo: $(srcdir)/serialize_l
+                    $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                    $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                    $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                   $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                   $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                    $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                    $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/serialize_list.c
+@@ -2808,7 +2770,7 @@ serialize_list.i: $(srcdir)/serialize_li
+                    $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                    $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                    $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                   $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                   $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                    $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                    $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2821,7 +2783,7 @@ set_perms.lo: $(srcdir)/set_perms.c $(de
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
+               $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/set_perms.c
+@@ -2832,7 +2794,7 @@ set_perms.i: $(srcdir)/set_perms.c $(dev
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
+               $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2844,8 +2806,8 @@ sethost.lo: $(srcdir)/sethost.c $(devdir
+             $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+             $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+             $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-            $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-            $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++            $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++            $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sethost.c
+ sethost.i: $(srcdir)/sethost.c $(devdir)/def_data.h \
+@@ -2854,7 +2816,7 @@ sethost.i: $(srcdir)/sethost.c $(devdir)
+             $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+             $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+             $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-            $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++            $(srcdir)/logging.h $(srcdir)/parse.h \
+             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2866,9 +2828,8 @@ sia.lo: $(authdir)/sia.c $(authdir)/sudo
+         $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+         $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+         $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-        $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-        $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-        $(top_builddir)/pathnames.h
++        $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++        $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/sia.c
+ sia.i: $(authdir)/sia.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \
+         $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -2876,7 +2837,7 @@ sia.i: $(authdir)/sia.c $(authdir)/sudo_
+         $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+         $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+         $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-        $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++        $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+         $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+         $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2889,10 +2850,9 @@ solaris_audit.lo: $(srcdir)/solaris_audi
+                   $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                   $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                   $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                  $(srcdir)/pivot.h $(srcdir)/solaris_audit.h \
+-                  $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-                  $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-                  $(top_builddir)/pathnames.h
++                  $(srcdir)/solaris_audit.h $(srcdir)/sudo_nss.h \
++                  $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++                  $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/solaris_audit.c
+ solaris_audit.i: $(srcdir)/solaris_audit.c $(devdir)/def_data.h \
+                   $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -2901,7 +2861,7 @@ solaris_audit.i: $(srcdir)/solaris_audit
+                   $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                   $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                   $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                  $(srcdir)/pivot.h $(srcdir)/solaris_audit.h \
++                  $(srcdir)/solaris_audit.h \
+                   $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                   $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                   $(top_builddir)/pathnames.h
+@@ -2914,9 +2874,9 @@ sssd.lo: $(srcdir)/sssd.c $(devdir)/def_
+          $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \
+          $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+          $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-         $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h \
+-         $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-         $(top_builddir)/config.h $(top_builddir)/pathnames.h
++         $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++         $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
++         $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sssd.c
+ sssd.i: $(srcdir)/sssd.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+          $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+@@ -2924,7 +2884,7 @@ sssd.i: $(srcdir)/sssd.c $(devdir)/def_d
+          $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \
+          $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+          $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-         $(srcdir)/pivot.h $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h \
++         $(srcdir)/sudo_ldap.h $(srcdir)/sudo_nss.h \
+          $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+          $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2937,7 +2897,7 @@ starttime.lo: $(srcdir)/starttime.c $(de
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
+               $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/starttime.c
+@@ -2948,7 +2908,7 @@ starttime.i: $(srcdir)/starttime.c $(dev
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
+               $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2961,7 +2921,7 @@ strlcpy_unesc.lo: $(srcdir)/strlcpy_unes
+                   $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                   $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                   $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                  $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                  $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                   $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                   $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/strlcpy_unesc.c
+@@ -2972,7 +2932,7 @@ strlcpy_unesc.i: $(srcdir)/strlcpy_unesc
+                   $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                   $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                   $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                  $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                  $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                   $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                   $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -2997,7 +2957,7 @@ strvec_join.lo: $(srcdir)/strvec_join.c
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                 $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                 $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                 $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                 $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/strvec_join.c
+@@ -3008,7 +2968,7 @@ strvec_join.i: $(srcdir)/strvec_join.c $
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                 $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                 $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                 $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                 $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -3020,9 +2980,8 @@ stubs.o: $(srcdir)/stubs.c $(devdir)/def
+          $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+          $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+          $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-         $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-         $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-         $(top_builddir)/pathnames.h
++         $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++         $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/stubs.c
+ stubs.i: $(srcdir)/stubs.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+          $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+@@ -3030,7 +2989,7 @@ stubs.i: $(srcdir)/stubs.c $(devdir)/def
+          $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+          $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+          $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-         $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++         $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+          $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+          $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -3046,10 +3005,9 @@ sudo_auth.lo: $(authdir)/sudo_auth.c $(a
+               $(srcdir)/ins_2001.h $(srcdir)/ins_classic.h \
+               $(srcdir)/ins_csops.h $(srcdir)/ins_goons.h \
+               $(srcdir)/ins_python.h $(srcdir)/insults.h $(srcdir)/logging.h \
+-              $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
+-              $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-              $(srcdir)/timestamp.h $(top_builddir)/config.h \
+-              $(top_builddir)/pathnames.h
++              $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
++              $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/sudo_auth.c
+ sudo_auth.i: $(authdir)/sudo_auth.c $(authdir)/sudo_auth.h \
+               $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
+@@ -3061,7 +3019,7 @@ sudo_auth.i: $(authdir)/sudo_auth.c $(au
+               $(srcdir)/ins_2001.h $(srcdir)/ins_classic.h \
+               $(srcdir)/ins_csops.h $(srcdir)/ins_goons.h \
+               $(srcdir)/ins_python.h $(srcdir)/insults.h $(srcdir)/logging.h \
+-              $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++              $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+               $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+               $(srcdir)/timestamp.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h
+@@ -3074,10 +3032,9 @@ sudo_nss.lo: $(srcdir)/sudo_nss.c $(devd
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-             $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-             $(top_builddir)/pathnames.h
++             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++             $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sudo_nss.c
+ sudo_nss.i: $(srcdir)/sudo_nss.c $(devdir)/def_data.h \
+              $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -3085,7 +3042,7 @@ sudo_nss.i: $(srcdir)/sudo_nss.c $(devdi
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++             $(srcdir)/logging.h $(srcdir)/parse.h \
+              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+              $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+              $(top_builddir)/pathnames.h
+@@ -3111,8 +3068,8 @@ sudoers.lo: $(srcdir)/sudoers.c $(devdir
+             $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+             $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \
+             $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-            $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-            $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++            $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++            $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+             $(srcdir)/timestamp.h $(top_builddir)/config.h \
+             $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sudoers.c
+@@ -3123,7 +3080,7 @@ sudoers.i: $(srcdir)/sudoers.c $(devdir)
+             $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
+             $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \
+             $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-            $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++            $(srcdir)/logging.h $(srcdir)/parse.h \
+             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+             $(srcdir)/timestamp.h $(top_builddir)/config.h \
+             $(top_builddir)/pathnames.h
+@@ -3138,7 +3095,7 @@ sudoers_cb.lo: $(srcdir)/sudoers_cb.c $(
+                $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
+                $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sudoers_cb.c
+@@ -3150,7 +3107,7 @@ sudoers_cb.i: $(srcdir)/sudoers_cb.c $(d
+                $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \
+                $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
+                $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -3163,7 +3120,7 @@ sudoers_ctx_free.lo: $(srcdir)/sudoers_c
+                      $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                      $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                      $(srcdir)/defaults.h $(srcdir)/logging.h \
+-                     $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++                     $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+                      $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                      $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sudoers_ctx_free.c
+@@ -3174,7 +3131,7 @@ sudoers_ctx_free.i: $(srcdir)/sudoers_ct
+                      $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                      $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                      $(srcdir)/defaults.h $(srcdir)/logging.h \
+-                     $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/sudo_nss.h \
++                     $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
+                      $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                      $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -3187,7 +3144,7 @@ sudoers_debug.lo: $(srcdir)/sudoers_debu
+                   $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                   $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                   $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                  $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                  $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                   $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                   $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sudoers_debug.c
+@@ -3198,7 +3155,7 @@ sudoers_debug.i: $(srcdir)/sudoers_debug
+                   $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                   $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                   $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                  $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                  $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                   $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                   $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -3211,7 +3168,7 @@ sudoers_hooks.lo: $(srcdir)/sudoers_hook
+                   $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                   $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                   $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                  $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                  $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                   $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                   $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/sudoers_hooks.c
+@@ -3222,7 +3179,7 @@ sudoers_hooks.i: $(srcdir)/sudoers_hooks
+                   $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                   $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                   $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-                  $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++                  $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                   $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                   $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -3258,7 +3215,7 @@ testsudoers.o: $(srcdir)/testsudoers.c $
+                $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+                $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                $(srcdir)/sudoers_debug.h $(srcdir)/testsudoers_pwutil.h \
+                $(srcdir)/toke.h $(srcdir)/tsgetgrpw.h $(top_builddir)/config.h \
+                $(top_builddir)/pathnames.h
+@@ -3271,7 +3228,7 @@ testsudoers.i: $(srcdir)/testsudoers.c $
+                $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+                $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+                $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-               $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++               $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                $(srcdir)/sudoers_debug.h $(srcdir)/testsudoers_pwutil.h \
+                $(srcdir)/toke.h $(srcdir)/tsgetgrpw.h $(top_builddir)/config.h \
+                $(top_builddir)/pathnames.h
+@@ -3285,7 +3242,7 @@ testsudoers_pwutil.o: $(srcdir)/testsudo
+                       $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                       $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                       $(srcdir)/defaults.h $(srcdir)/logging.h \
+-                      $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/pwutil.h \
++                      $(srcdir)/parse.h $(srcdir)/pwutil.h \
+                       $(srcdir)/pwutil_impl.c $(srcdir)/sudo_nss.h \
+                       $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                       $(srcdir)/testsudoers_pwutil.h $(srcdir)/tsgetgrpw.h \
+@@ -3298,7 +3255,7 @@ testsudoers_pwutil.i: $(srcdir)/testsudo
+                       $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                       $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                       $(srcdir)/defaults.h $(srcdir)/logging.h \
+-                      $(srcdir)/parse.h $(srcdir)/pivot.h $(srcdir)/pwutil.h \
++                      $(srcdir)/parse.h $(srcdir)/pwutil.h \
+                       $(srcdir)/pwutil_impl.c $(srcdir)/sudo_nss.h \
+                       $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+                       $(srcdir)/testsudoers_pwutil.h $(srcdir)/tsgetgrpw.h \
+@@ -3325,7 +3282,7 @@ timestamp.lo: $(srcdir)/timestamp.c $(de
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
+               $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/timestamp.c
+@@ -3336,7 +3293,7 @@ timestamp.i: $(srcdir)/timestamp.c $(dev
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \
+               $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -3348,8 +3305,8 @@ timestr.lo: $(srcdir)/timestr.c $(devdir
+             $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+             $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+             $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-            $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-            $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++            $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++            $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/timestr.c
+ timestr.i: $(srcdir)/timestr.c $(devdir)/def_data.h \
+@@ -3358,7 +3315,7 @@ timestr.i: $(srcdir)/timestr.c $(devdir)
+             $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+             $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+             $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-            $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++            $(srcdir)/logging.h $(srcdir)/parse.h \
+             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -3371,9 +3328,8 @@ toke.lo: $(devdir)/toke.c $(devdir)/def_
+          $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \
+          $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+          $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-         $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-         $(srcdir)/sudoers_debug.h $(srcdir)/toke.h $(top_builddir)/config.h \
+-         $(top_builddir)/pathnames.h
++         $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++         $(srcdir)/toke.h $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(devdir)/toke.c
+ toke.i: $(devdir)/toke.c $(devdir)/def_data.h $(devdir)/gram.h \
+          $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -3382,7 +3338,7 @@ toke.i: $(devdir)/toke.c $(devdir)/def_d
+          $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \
+          $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+          $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-         $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++         $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+          $(srcdir)/sudoers_debug.h $(srcdir)/toke.h $(top_builddir)/config.h \
+          $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -3395,7 +3351,7 @@ toke_util.lo: $(srcdir)/toke_util.c $(de
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(srcdir)/toke.h \
+               $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/toke_util.c
+@@ -3406,7 +3362,7 @@ toke_util.i: $(srcdir)/toke_util.c $(dev
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(srcdir)/toke.h \
+               $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -3417,7 +3373,7 @@ tsdump.o: $(srcdir)/tsdump.c $(devdir)/d
+           $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+           $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+           $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-          $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++          $(srcdir)/logging.h $(srcdir)/parse.h \
+           $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+           $(srcdir)/timestamp.h $(top_builddir)/config.h \
+           $(top_builddir)/pathnames.h
+@@ -3427,7 +3383,7 @@ tsdump.i: $(srcdir)/tsdump.c $(devdir)/d
+           $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+           $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+           $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-          $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++          $(srcdir)/logging.h $(srcdir)/parse.h \
+           $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+           $(srcdir)/timestamp.h $(top_builddir)/config.h \
+           $(top_builddir)/pathnames.h
+@@ -3440,10 +3396,10 @@ tsgetgrpw.o: $(srcdir)/tsgetgrpw.c $(dev
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-             $(srcdir)/sudoers_debug.h $(srcdir)/tsgetgrpw.h \
+-             $(top_builddir)/config.h $(top_builddir)/pathnames.h
++             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++             $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++             $(srcdir)/tsgetgrpw.h $(top_builddir)/config.h \
++             $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/tsgetgrpw.c
+ tsgetgrpw.i: $(srcdir)/tsgetgrpw.c $(devdir)/def_data.h \
+              $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -3451,7 +3407,7 @@ tsgetgrpw.i: $(srcdir)/tsgetgrpw.c $(dev
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++             $(srcdir)/logging.h $(srcdir)/parse.h \
+              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+              $(srcdir)/sudoers_debug.h $(srcdir)/tsgetgrpw.h \
+              $(top_builddir)/config.h $(top_builddir)/pathnames.h
+@@ -3477,7 +3433,7 @@ unesc_str.lo: $(srcdir)/unesc_str.c $(de
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h
+ 	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/unesc_str.c
+@@ -3488,7 +3444,7 @@ unesc_str.i: $(srcdir)/unesc_str.c $(dev
+               $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+               $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+               $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-              $(srcdir)/pivot.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+               $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+               $(top_builddir)/pathnames.h
+ 	$(CC) -E -o $@ $(CPPFLAGS) $<
+@@ -3501,10 +3457,9 @@ visudo.o: $(srcdir)/visudo.c $(devdir)/d
+           $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+           $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+           $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-          $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/sudo_nss.h \
+-          $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+-          $(srcdir)/sudoers_version.h $(top_builddir)/config.h \
+-          $(top_builddir)/pathnames.h
++          $(srcdir)/redblack.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
++          $(srcdir)/sudoers_debug.h $(srcdir)/sudoers_version.h \
++          $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/visudo.c
+ visudo.i: $(srcdir)/visudo.c $(devdir)/def_data.h $(devdir)/gram.h \
+           $(incdir)/compat/getopt.h $(incdir)/compat/stdbool.h \
+@@ -3513,7 +3468,7 @@ visudo.i: $(srcdir)/visudo.c $(devdir)/d
+           $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+           $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+           $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \
+-          $(srcdir)/pivot.h $(srcdir)/redblack.h $(srcdir)/sudo_nss.h \
++          $(srcdir)/redblack.h $(srcdir)/sudo_nss.h \
+           $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
+           $(srcdir)/sudoers_version.h $(top_builddir)/config.h \
+           $(top_builddir)/pathnames.h
+@@ -3526,10 +3481,9 @@ visudo_cb.o: $(srcdir)/visudo_cb.c $(dev
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
+-             $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+-             $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+-             $(top_builddir)/pathnames.h
++             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
++             $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
++             $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/visudo_cb.c
+ visudo_cb.i: $(srcdir)/visudo_cb.c $(devdir)/def_data.h \
+              $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+@@ -3537,7 +3491,7 @@ visudo_cb.i: $(srcdir)/visudo_cb.c $(dev
+              $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+              $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+              $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
+-             $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/pivot.h \
++             $(srcdir)/logging.h $(srcdir)/parse.h \
+              $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+              $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+              $(top_builddir)/pathnames.h
+diff -up ./plugins/sudoers/match_command.c.cve-chroot ./plugins/sudoers/match_command.c
+--- ./plugins/sudoers/match_command.c.cve-chroot	2023-12-15 20:08:31.000000000 +0100
++++ ./plugins/sudoers/match_command.c	2025-07-01 09:07:19.328156880 +0200
+@@ -122,14 +122,26 @@ command_args_match(struct sudoers_contex
+  * Returns true on success, else false.
+  */
+ static bool
+-do_stat(int fd, const char *path, struct stat *sb)
++do_stat(int fd, const char *path, const char *runchroot, struct stat *sb)
+ {
++    char pathbuf[PATH_MAX];
+     bool ret;
+     debug_decl(do_stat, SUDOERS_DEBUG_MATCH);
+ 
+     if (fd != -1) {
+ 	ret = fstat(fd, sb) == 0;
+     } else {
++	/* Make path relative to the new root, if any. */
++	if (runchroot != NULL) {
++	    /* XXX - handle symlinks and '..' in path outside chroot */
++	    const int len =
++		snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, path);
++	    if (len >= ssizeof(pathbuf)) {
++		errno = ENAMETOOLONG;
++		debug_return_bool(false);
++	    }
++	    path = pathbuf;
++	}
+ 	ret = stat(path, sb) == 0;
+     }
+     debug_return_bool(ret);
+@@ -158,15 +170,29 @@ is_script(int fd)
+  * Returns false on error, else true.
+  */
+ static bool
+-open_cmnd(const char *path, const struct command_digest_list *digests, int *fdp)
++open_cmnd(const char *path, const char *runchroot,
++    const struct command_digest_list *digests, int *fdp)
+ {
+     int fd;
++    char pathbuf[PATH_MAX];
+     debug_decl(open_cmnd, SUDOERS_DEBUG_MATCH);
+ 
+     /* Only open the file for fdexec or for digest matching. */
+     if (def_fdexec != always && TAILQ_EMPTY(digests))
+ 	debug_return_bool(true);
+ 
++    /* Make path relative to the new root, if any. */
++    if (runchroot != NULL) {
++	/* XXX - handle symlinks and '..' in path outside chroot */
++	const int len =
++	    snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, path);
++	if (len >= ssizeof(pathbuf)) {
++	    errno = ENAMETOOLONG;
++	    debug_return_bool(false);
++	}
++	path = pathbuf;
++    }
++
+     fd = open(path, O_RDONLY|O_NONBLOCK);
+ # ifdef O_EXEC
+     if (fd == -1 && errno == EACCES && TAILQ_EMPTY(digests)) {
+@@ -185,7 +211,7 @@ open_cmnd(const char *path, const struct
+ }
+ 
+ static void
+-set_cmnd_fd(struct sudoers_context *ctx, int fd, int real_root)
++set_cmnd_fd(struct sudoers_context *ctx, int fd)
+ {
+     debug_decl(set_cmnd_fd, SUDOERS_DEBUG_MATCH);
+ 
+@@ -200,19 +226,11 @@ set_cmnd_fd(struct sudoers_context *ctx,
+ 	} else if (is_script(fd)) {
+ 	    char fdpath[PATH_MAX];
+ 	    struct stat sb;
+-	    int error, flags;
++	    int flags;
+ 
+ 	    /* We can only use fexecve() on a script if /dev/fd/N exists. */
+-	    if (real_root != -1) {
+-		/* Path relative to old root directory. */
+-		(void)snprintf(fdpath, sizeof(fdpath), "dev/fd/%d", fd);
+-		error = fstatat(real_root, fdpath, &sb, 0);
+-	    } else {
+-		/* Absolute path. */
+-		(void)snprintf(fdpath, sizeof(fdpath), "/dev/fd/%d", fd);
+-		error = stat(fdpath, &sb);
+-	    }
+-	    if (error != 0) {
++	    (void)snprintf(fdpath, sizeof(fdpath), "/dev/fd/%d", fd);
++	    if (stat(fdpath, &sb) != 0) {
+ 		/* Missing /dev/fd file, can't use fexecve(). */
+ 		close(fd);
+ 		fd = -1;
+@@ -238,14 +256,28 @@ set_cmnd_fd(struct sudoers_context *ctx,
+  */
+ static int
+ command_matches_dir(struct sudoers_context *ctx, const char *sudoers_dir,
+-    size_t dlen, int real_root, const struct command_digest_list *digests)
++    size_t dlen, const char *runchroot,
++    const struct command_digest_list *digests)
+ {
+     struct stat sudoers_stat;
+-    char path[PATH_MAX];
++    char path[PATH_MAX], sdbuf[PATH_MAX];
++    size_t chrootlen = 0;
+     int len, fd = -1;
+     int ret = DENY;
+     debug_decl(command_matches_dir, SUDOERS_DEBUG_MATCH);
+ 
++    /* Make sudoers_dir relative to the new root, if any. */
++    if (runchroot != NULL) {
++	/* XXX - handle symlinks and '..' in path outside chroot */
++	len = snprintf(sdbuf, sizeof(sdbuf), "%s%s", runchroot, sudoers_dir);
++	if (len >= ssizeof(sdbuf)) {
++	    errno = ENAMETOOLONG;
++	    debug_return_bool(false);
++	}
++	sudoers_dir = sdbuf;
++	chrootlen = strlen(runchroot);
++    }
++
+     /* Compare the canonicalized directories, if possible. */
+     if (ctx->user.cmnd_dir != NULL) {
+ 	char *resolved = canon_path(sudoers_dir);
+@@ -264,18 +296,19 @@ command_matches_dir(struct sudoers_conte
+ 	goto done;
+ 
+     /* Open the file for fdexec or for digest matching. */
+-    if (!open_cmnd(path, digests, &fd))
++    if (!open_cmnd(path, NULL, digests, &fd))
+ 	goto done;
+-    if (!do_stat(fd, path, &sudoers_stat))
++    if (!do_stat(fd, path, NULL, &sudoers_stat))
+ 	goto done;
+ 
+     if (ctx->user.cmnd_stat == NULL ||
+ 	(ctx->user.cmnd_stat->st_dev == sudoers_stat.st_dev &&
+ 	ctx->user.cmnd_stat->st_ino == sudoers_stat.st_ino)) {
+-	if (digest_matches(fd, path, digests) != ALLOW)
++	/* path is already relative to runchroot */
++	if (digest_matches(fd, path, NULL, digests) != ALLOW)
+ 	    goto done;
+ 	free(ctx->runas.cmnd);
+-	if ((ctx->runas.cmnd = strdup(path)) == NULL) {
++	if ((ctx->runas.cmnd = strdup(path + chrootlen)) == NULL) {
+ 	    sudo_warnx(U_("%s: %s"), __func__,
+ 		U_("unable to allocate memory"));
+ 	}
+@@ -295,7 +328,8 @@ done:
+  */
+ static int
+ command_matches_dir(struct sudoers_context *ctx, const char *sudoers_dir,
+-    size_t dlen, int real_root, const struct command_digest_list *digests)
++    size_t dlen, const char *runchroot,
++    const struct command_digest_list *digests)
+ {
+     int fd = -1;
+     debug_decl(command_matches_dir, SUDOERS_DEBUG_MATCH);
+@@ -309,11 +343,11 @@ command_matches_dir(struct sudoers_conte
+ 	goto bad;
+ 
+     /* Open the file for fdexec or for digest matching. */
+-    if (!open_cmnd(ctx->user.cmnd, digests, &fd))
++    if (!open_cmnd(ctx->user.cmnd, runchroot, digests, &fd))
+ 	goto bad;
+-    if (digest_matches(fd, ctx->user.cmnd, digests) != ALLOW)
++    if (digest_matches(fd, ctx->user.cmnd, runchroot, digests) != ALLOW)
+ 	goto bad;
+-    set_cmnd_fd(ctx, fd, real_root);
++    set_cmnd_fd(ctx, fd);
+ 
+     debug_return_int(ALLOW);
+ bad:
+@@ -324,7 +358,7 @@ bad:
+ #endif /* SUDOERS_NAME_MATCH */
+ 
+ static int
+-command_matches_all(struct sudoers_context *ctx, int real_root,
++command_matches_all(struct sudoers_context *ctx, const char *runchroot,
+     const struct command_digest_list *digests)
+ {
+ #ifndef SUDOERS_NAME_MATCH
+@@ -336,10 +370,10 @@ command_matches_all(struct sudoers_conte
+     if (strchr(ctx->user.cmnd, '/') != NULL) {
+ #ifndef SUDOERS_NAME_MATCH
+ 	/* Open the file for fdexec or for digest matching. */
+-	bool open_error = !open_cmnd(ctx->user.cmnd, digests, &fd);
++	bool open_error = !open_cmnd(ctx->user.cmnd, runchroot, digests, &fd);
+ 
+ 	/* A non-existent file is not an error for "sudo ALL". */
+-	if (do_stat(fd, ctx->user.cmnd, &sb)) {
++	if (do_stat(fd, ctx->user.cmnd, runchroot, &sb)) {
+ 	    if (open_error) {
+ 		/* File exists but we couldn't open it above? */
+ 		goto bad;
+@@ -347,14 +381,14 @@ command_matches_all(struct sudoers_conte
+ 	}
+ #else
+ 	/* Open the file for fdexec or for digest matching. */
+-	(void)open_cmnd(ctx->user.cmnd, digests, &fd);
++	(void)open_cmnd(ctx->user.cmnd, runchroot, digests, &fd);
+ #endif
+     }
+ 
+     /* Check digest of ctx->user.cmnd since we have no sudoers_cmnd for ALL. */
+-    if (digest_matches(fd, ctx->user.cmnd, digests) != ALLOW)
++    if (digest_matches(fd, ctx->user.cmnd, runchroot, digests) != ALLOW)
+ 	goto bad;
+-    set_cmnd_fd(ctx, fd, real_root);
++    set_cmnd_fd(ctx, fd);
+ 
+     /* No need to set ctx->runas.cmnd for ALL. */
+     debug_return_int(ALLOW);
+@@ -366,7 +400,7 @@ bad:
+ 
+ static int
+ command_matches_fnmatch(struct sudoers_context *ctx, const char *sudoers_cmnd,
+-    const char *sudoers_args, int real_root,
++    const char *sudoers_args, const char *runchroot,
+     const struct command_digest_list *digests)
+ {
+     const char *cmnd = ctx->user.cmnd;
+@@ -394,22 +428,25 @@ command_matches_fnmatch(struct sudoers_c
+      *  b) there are no args on command line and none required by sudoers OR
+      *  c) there are args in sudoers and on command line and they match
+      *     else return DENY.
++     *
++     * Neither sudoers_cmnd nor user_cmnd are relative to runchroot.
+      */
++
+     if (fnmatch(sudoers_cmnd, cmnd, FNM_PATHNAME) != 0)
+ 	debug_return_int(DENY);
+ 
+     if (command_args_match(ctx, sudoers_cmnd, sudoers_args) == ALLOW) {
+ 	/* Open the file for fdexec or for digest matching. */
+-	if (!open_cmnd(cmnd, digests, &fd))
++	if (!open_cmnd(cmnd, runchroot, digests, &fd))
+ 	    goto bad;
+ #ifndef SUDOERS_NAME_MATCH
+-	if (!do_stat(fd, cmnd, &sb))
++	if (!do_stat(fd, cmnd, runchroot, &sb))
+ 	    goto bad;
+ #endif
+ 	/* Check digest of cmnd since sudoers_cmnd is a pattern. */
+-	if (digest_matches(fd, cmnd, digests) != ALLOW)
++	if (digest_matches(fd, cmnd, runchroot, digests) != ALLOW)
+ 	    goto bad;
+-	set_cmnd_fd(ctx, fd, real_root);
++	set_cmnd_fd(ctx, fd);
+ 
+ 	/* No need to set ctx->runas.cmnd since cmnd matches sudoers_cmnd */
+ 	debug_return_int(ALLOW);
+@@ -422,7 +459,7 @@ bad:
+ 
+ static int
+ command_matches_regex(struct sudoers_context *ctx, const char *sudoers_cmnd,
+-    const char *sudoers_args, int real_root,
++    const char *sudoers_args, const char *runchroot,
+     const struct command_digest_list *digests)
+ {
+     const char *cmnd = ctx->user.cmnd;
+@@ -450,22 +487,24 @@ command_matches_regex(struct sudoers_con
+      *  b) there are no args on command line and none required by sudoers OR
+      *  c) there are args in sudoers and on command line and they match
+      *     else return DENY.
++     *
++     * Neither sudoers_cmnd nor user_cmnd are relative to runchroot.
+      */
+     if (regex_matches(sudoers_cmnd, cmnd) != ALLOW)
+ 	debug_return_int(DENY);
+ 
+     if (command_args_match(ctx, sudoers_cmnd, sudoers_args) == ALLOW) {
+ 	/* Open the file for fdexec or for digest matching. */
+-	if (!open_cmnd(cmnd, digests, &fd))
++	if (!open_cmnd(cmnd, runchroot, digests, &fd))
+ 	    goto bad;
+ #ifndef SUDOERS_NAME_MATCH
+-	if (!do_stat(fd, cmnd, &sb))
++	if (!do_stat(fd, cmnd, runchroot, &sb))
+ 	    goto bad;
+ #endif
+ 	/* Check digest of cmnd since sudoers_cmnd is a pattern. */
+-	if (digest_matches(fd, cmnd, digests) != ALLOW)
++	if (digest_matches(fd, cmnd, runchroot, digests) != ALLOW)
+ 	    goto bad;
+-	set_cmnd_fd(ctx, fd, real_root);
++	set_cmnd_fd(ctx, fd);
+ 
+ 	/* No need to set ctx->runas.cmnd since cmnd matches sudoers_cmnd */
+ 	debug_return_int(ALLOW);
+@@ -479,17 +518,31 @@ bad:
+ #ifndef SUDOERS_NAME_MATCH
+ static int
+ command_matches_glob(struct sudoers_context *ctx, const char *sudoers_cmnd,
+-    const char *sudoers_args, int real_root,
++    const char *sudoers_args, const char *runchroot,
+     const struct command_digest_list *digests)
+ {
+     struct stat sudoers_stat;
+     bool bad_digest = false;
+     char **ap, *base, *cp;
++    char pathbuf[PATH_MAX];
+     int fd = -1;
+-    size_t dlen;
++    size_t dlen, chrootlen = 0;
+     glob_t gl;
+     debug_decl(command_matches_glob, SUDOERS_DEBUG_MATCH);
+ 
++    /* Make sudoers_cmnd relative to the new root, if any. */
++    if (runchroot != NULL) {
++	/* XXX - handle symlinks and '..' in path outside chroot */
++	const int len =
++	    snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, sudoers_cmnd);
++	if (len >= ssizeof(pathbuf)) {
++	    errno = ENAMETOOLONG;
++	    debug_return_bool(false);
++	}
++	sudoers_cmnd = pathbuf;
++	chrootlen = strlen(runchroot);
++    }
++
+     /*
+      * First check to see if we can avoid the call to glob(3).
+      * Short circuit if there are no meta chars in the command itself
+@@ -521,19 +574,21 @@ command_matches_glob(struct sudoers_cont
+ 		close(fd);
+ 		fd = -1;
+ 	    }
++	    /* Remove the runchroot, if any. */
++	    cp += chrootlen;
+ 
+ 	    if (strcmp(cp, ctx->user.cmnd) != 0)
+ 		continue;
+ 	    /* Open the file for fdexec or for digest matching. */
+-	    if (!open_cmnd(cp, digests, &fd))
++	    if (!open_cmnd(cp, runchroot, digests, &fd))
+ 		continue;
+-	    if (!do_stat(fd, cp, &sudoers_stat))
++	    if (!do_stat(fd, cp, runchroot, &sudoers_stat))
+ 		continue;
+ 	    if (ctx->user.cmnd_stat == NULL ||
+ 		(ctx->user.cmnd_stat->st_dev == sudoers_stat.st_dev &&
+ 		ctx->user.cmnd_stat->st_ino == sudoers_stat.st_ino)) {
+ 		/* There could be multiple matches, check digest early. */
+-		if (digest_matches(fd, cp, digests) != ALLOW) {
++		if (digest_matches(fd, cp, runchroot, digests) != ALLOW) {
+ 		    bad_digest = true;
+ 		    continue;
+ 		}
+@@ -557,11 +612,13 @@ command_matches_glob(struct sudoers_cont
+ 		close(fd);
+ 		fd = -1;
+ 	    }
++	    /* Remove the runchroot, if any. */
++	    cp += chrootlen;
+ 
+ 	    /* If it ends in '/' it is a directory spec. */
+ 	    dlen = strlen(cp);
+ 	    if (cp[dlen - 1] == '/') {
+-		if (command_matches_dir(ctx, cp, dlen, real_root, digests) == ALLOW) {
++		if (command_matches_dir(ctx, cp, dlen, runchroot, digests) == ALLOW) {
+ 		    globfree(&gl);
+ 		    debug_return_int(ALLOW);
+ 		}
+@@ -592,14 +649,14 @@ command_matches_glob(struct sudoers_cont
+ 	    }
+ 
+ 	    /* Open the file for fdexec or for digest matching. */
+-	    if (!open_cmnd(cp, digests, &fd))
++	    if (!open_cmnd(cp, runchroot, digests, &fd))
+ 		continue;
+-	    if (!do_stat(fd, cp, &sudoers_stat))
++	    if (!do_stat(fd, cp, runchroot, &sudoers_stat))
+ 		continue;
+ 	    if (ctx->user.cmnd_stat == NULL ||
+ 		(ctx->user.cmnd_stat->st_dev == sudoers_stat.st_dev &&
+ 		ctx->user.cmnd_stat->st_ino == sudoers_stat.st_ino)) {
+-		if (digest_matches(fd, cp, digests) != ALLOW)
++		if (digest_matches(fd, cp, runchroot, digests) != ALLOW)
+ 		    continue;
+ 		free(ctx->runas.cmnd);
+ 		if ((ctx->runas.cmnd = strdup(cp)) == NULL) {
+@@ -616,7 +673,7 @@ done:
+     if (cp != NULL) {
+ 	if (command_args_match(ctx, sudoers_cmnd, sudoers_args) == ALLOW) {
+ 	    /* ctx->runas.cmnd was set above. */
+-	    set_cmnd_fd(ctx, fd, real_root);
++	    set_cmnd_fd(ctx, fd);
+ 	    debug_return_int(ALLOW);
+ 	}
+     }
+@@ -627,7 +684,7 @@ done:
+ 
+ static int
+ command_matches_normal(struct sudoers_context *ctx, const char *sudoers_cmnd,
+-    const char *sudoers_args, int real_root,
++    const char *sudoers_args, const char *runchroot,
+     const struct command_digest_list *digests)
+ {
+     struct stat sudoers_stat;
+@@ -640,7 +697,7 @@ command_matches_normal(struct sudoers_co
+     dlen = strlen(sudoers_cmnd);
+     if (sudoers_cmnd[dlen - 1] == '/') {
+ 	debug_return_int(command_matches_dir(ctx, sudoers_cmnd, dlen,
+-	    real_root, digests));
++	    runchroot, digests));
+     }
+ 
+     /* Only proceed if ctx->user.cmnd_base and basename(sudoers_cmnd) match */
+@@ -671,7 +728,7 @@ command_matches_normal(struct sudoers_co
+     }
+ 
+     /* Open the file for fdexec or for digest matching. */
+-    if (!open_cmnd(sudoers_cmnd, digests, &fd))
++    if (!open_cmnd(sudoers_cmnd, runchroot, digests, &fd))
+ 	goto bad;
+ 
+     /*
+@@ -681,7 +738,7 @@ command_matches_normal(struct sudoers_co
+      *  c) there are args in sudoers and on command line and they match
+      *  d) there is a digest and it matches
+      */
+-    if (ctx->user.cmnd_stat != NULL && do_stat(fd, sudoers_cmnd, &sudoers_stat)) {
++    if (ctx->user.cmnd_stat != NULL && do_stat(fd, sudoers_cmnd, runchroot, &sudoers_stat)) {
+ 	if (ctx->user.cmnd_stat->st_dev != sudoers_stat.st_dev ||
+ 	    ctx->user.cmnd_stat->st_ino != sudoers_stat.st_ino)
+ 	    goto bad;
+@@ -692,7 +749,7 @@ command_matches_normal(struct sudoers_co
+     }
+     if (command_args_match(ctx, sudoers_cmnd, sudoers_args) != ALLOW)
+ 	goto bad;
+-    if (digest_matches(fd, sudoers_cmnd, digests) != ALLOW) {
++    if (digest_matches(fd, sudoers_cmnd, runchroot, digests) != ALLOW) {
+ 	/* XXX - log functions not available but we should log very loudly */
+ 	goto bad;
+     }
+@@ -701,7 +758,7 @@ command_matches_normal(struct sudoers_co
+ 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ 	goto bad;
+     }
+-    set_cmnd_fd(ctx, fd, real_root);
++    set_cmnd_fd(ctx, fd);
+     debug_return_int(ALLOW);
+ bad:
+     if (fd != -1)
+@@ -711,16 +768,16 @@ bad:
+ #else /* SUDOERS_NAME_MATCH */
+ static int
+ command_matches_glob(struct sudoers_context *ctx, const char *sudoers_cmnd,
+-    const char *sudoers_args, int real_root,
++    const char *sudoers_args, const char *runchroot,
+     const struct command_digest_list *digests)
+ {
+-    return command_matches_fnmatch(ctx, sudoers_cmnd, sudoers_args, real_root,
++    return command_matches_fnmatch(ctx, sudoers_cmnd, sudoers_args, runchroot,
+ 	digests);
+ }
+ 
+ static int
+ command_matches_normal(struct sudoers_context *ctx, const char *sudoers_cmnd,
+-    const char *sudoers_args, int real_root,
++    const char *sudoers_args, const char *runchroot,
+     const struct command_digest_list *digests)
+ {
+     size_t dlen;
+@@ -730,16 +787,16 @@ command_matches_normal(struct sudoers_co
+     /* If it ends in '/' it is a directory spec. */
+     dlen = strlen(sudoers_cmnd);
+     if (sudoers_cmnd[dlen - 1] == '/') {
+-	debug_return_int(command_matches_dir(ctx, sudoers_cmnd, dlen, real_root,
++	debug_return_int(command_matches_dir(ctx, sudoers_cmnd, dlen, runchroot,
+ 	    digests));
+     }
+ 
+     if (strcmp(ctx->user.cmnd, sudoers_cmnd) == 0) {
+ 	if (command_args_match(ctx, sudoers_cmnd, sudoers_args) == ALLOW) {
+ 	    /* Open the file for fdexec or for digest matching. */
+-	    if (!open_cmnd(ctx->user.cmnd, digests, &fd))
++	    if (!open_cmnd(ctx->user.cmnd, runchroot, digests, &fd))
+ 		goto bad;
+-	    if (digest_matches(fd, ctx->user.cmnd, digests) != ALLOW)
++	    if (digest_matches(fd, ctx->user.cmnd, runchroot, digests) != ALLOW)
+ 		goto bad;
+ 
+ 	    /* Successful match. */
+@@ -749,7 +806,7 @@ command_matches_normal(struct sudoers_co
+ 		    U_("unable to allocate memory"));
+ 		goto bad;
+ 	    }
+-	    set_cmnd_fd(ctx, fd, real_root);
++	    set_cmnd_fd(ctx, fd);
+ 	    debug_return_int(ALLOW);
+ 	}
+     }
+@@ -770,11 +827,8 @@ command_matches(struct sudoers_context *
+     const char *sudoers_args, const char *runchroot, struct cmnd_info *info,
+     const struct command_digest_list *digests)
+ {
+-    struct sudoers_pivot pivot_state = SUDOERS_PIVOT_INITIALIZER;
+     char *saved_user_cmnd = NULL;
+     struct stat saved_user_stat;
+-    bool reset_cmnd = false;
+-    int real_root = -1;
+     int ret = DENY;
+     debug_decl(command_matches, SUDOERS_DEBUG_MATCH);
+ 
+@@ -792,18 +846,6 @@ command_matches(struct sudoers_context *
+ 	    runchroot = def_runchroot;
+     } else {
+ 	/* Rule-specific runchroot, must reset cmnd and cmnd_stat. */
+-	reset_cmnd = true;
+-    }
+-
+-    /* Pivot root. */
+-    if (runchroot != NULL) {
+-	if (!pivot_root(runchroot, &pivot_state))
+-	    goto done;
+-	real_root = pivot_state.saved_root;
+-    }
+-
+-    if (reset_cmnd) {
+-	/* Rule-specific runchroot, set cmnd and cmnd_stat after pivot. */
+ 	int status;
+ 
+ 	/* Save old ctx->user.cmnd first, set_cmnd_path() will free it. */
+@@ -811,7 +853,7 @@ command_matches(struct sudoers_context *
+ 	ctx->user.cmnd = NULL;
+ 	if (ctx->user.cmnd_stat != NULL)
+ 	    saved_user_stat = *ctx->user.cmnd_stat;
+-	status = set_cmnd_path(ctx, NULL);
++	status = set_cmnd_path(ctx, runchroot);
+ 	if (status != FOUND) {
+ 	    ctx->user.cmnd = saved_user_cmnd;
+ 	    saved_user_cmnd = NULL;
+@@ -822,13 +864,13 @@ command_matches(struct sudoers_context *
+ 
+     if (sudoers_cmnd == NULL) {
+ 	sudoers_cmnd = "ALL";
+-	ret = command_matches_all(ctx, real_root, digests);
++	ret = command_matches_all(ctx, runchroot, digests);
+ 	goto done;
+     }
+ 
+     /* Check for regular expressions first. */
+     if (sudoers_cmnd[0] == '^') {
+-	ret = command_matches_regex(ctx, sudoers_cmnd, sudoers_args, real_root,
++	ret = command_matches_regex(ctx, sudoers_cmnd, sudoers_args, runchroot,
+ 	    digests);
+ 	goto done;
+     }
+@@ -859,20 +901,16 @@ command_matches(struct sudoers_context *
+ 	 */
+ 	if (def_fast_glob) {
+ 	    ret = command_matches_fnmatch(ctx, sudoers_cmnd, sudoers_args,
+-		real_root, digests);
++		runchroot, digests);
+ 	} else {
+ 	    ret = command_matches_glob(ctx, sudoers_cmnd, sudoers_args,
+-		real_root, digests);
++		runchroot, digests);
+ 	}
+     } else {
+ 	ret = command_matches_normal(ctx, sudoers_cmnd, sudoers_args,
+-	    real_root, digests);
++	    runchroot, digests);
+     }
+ done:
+-    /* Restore root. */
+-    if (runchroot != NULL)
+-	(void)unpivot_root(&pivot_state);
+-
+     /* Restore ctx->user.cmnd and ctx->user.cmnd_stat. */
+     if (saved_user_cmnd != NULL) {
+ 	if (info != NULL) {
+diff -up ./plugins/sudoers/match_digest.c.cve-chroot ./plugins/sudoers/match_digest.c
+--- ./plugins/sudoers/match_digest.c.cve-chroot	2023-12-15 20:08:29.000000000 +0100
++++ ./plugins/sudoers/match_digest.c	2025-07-01 09:07:19.328365198 +0200
+@@ -40,13 +40,14 @@
+ #include <gram.h>
+ 
+ int
+-digest_matches(int fd, const char *path,
++digest_matches(int fd, const char *path, const char *runchroot,
+     const struct command_digest_list *digests)
+ {
+     unsigned int digest_type = SUDO_DIGEST_INVALID;
+     unsigned char *file_digest = NULL;
+     unsigned char *sudoers_digest = NULL;
+     struct command_digest *digest;
++    char pathbuf[PATH_MAX];
+     size_t digest_len = (size_t)-1;
+     int matched = DENY;
+     int fd2 = -1;
+@@ -66,6 +67,17 @@ digest_matches(int fd, const char *path,
+ 	fd = fd2;
+     }
+ 
++    if (runchroot != NULL) {
++	/* XXX - handle symlinks and '..' in path outside chroot */
++	const int len =
++	    snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, path);
++	if (len >= ssizeof(pathbuf)) {
++	    errno = ENAMETOOLONG;
++	    debug_return_bool(false);
++	}
++	path = pathbuf;
++    }
++
+     TAILQ_FOREACH(digest, digests, entries) {
+ 	/* Compute file digest if needed. */
+ 	if (digest->digest_type != digest_type) {
+diff -up ./plugins/sudoers/parse.h.cve-chroot ./plugins/sudoers/parse.h
+--- ./plugins/sudoers/parse.h.cve-chroot	2023-12-15 20:08:31.000000000 +0100
++++ ./plugins/sudoers/parse.h	2025-07-01 09:07:19.328470557 +0200
+@@ -430,7 +430,7 @@ int addr_matches(char *n);
+ int command_matches(struct sudoers_context *ctx, const char *sudoers_cmnd, const char *sudoers_args, const char *runchroot, struct cmnd_info *info, const struct command_digest_list *digests);
+ 
+ /* match_digest.c */
+-int digest_matches(int fd, const char *path, const struct command_digest_list *digests);
++int digest_matches(int fd, const char *path, const char *runchroot, const struct command_digest_list *digests);
+ 
+ /* match.c */
+ struct group;
+diff -up ./plugins/sudoers/pivot.c.cve-chroot ./plugins/sudoers/pivot.c
+diff -up ./plugins/sudoers/pivot.h.cve-chroot ./plugins/sudoers/pivot.h
+diff -up ./plugins/sudoers/regress/editor/check_editor.c.cve-chroot ./plugins/sudoers/regress/editor/check_editor.c
+--- ./plugins/sudoers/regress/editor/check_editor.c.cve-chroot	2023-12-15 20:08:29.000000000 +0100
++++ ./plugins/sudoers/regress/editor/check_editor.c	2025-07-01 09:07:19.328592606 +0200
+@@ -80,7 +80,8 @@ sudo_dso_public int main(int argc, char
+ /* STUB */
+ int
+ find_path(const char *infile, char **outfile, struct stat *sbp,
+-    const char *path, bool ignore_dot, char * const *allowlist)
++    const char *path, const char *runchroot, bool ignore_dot,
++    char * const *allowlist)
+ {
+     if (infile[0] == '/') {
+ 	*outfile = strdup(infile);
+diff -up ./plugins/sudoers/regress/fuzz/fuzz_policy.c.cve-chroot ./plugins/sudoers/regress/fuzz/fuzz_policy.c
+--- ./plugins/sudoers/regress/fuzz/fuzz_policy.c.cve-chroot	2023-12-15 20:08:31.000000000 +0100
++++ ./plugins/sudoers/regress/fuzz/fuzz_policy.c	2025-07-01 09:07:19.328699335 +0200
+@@ -832,7 +832,8 @@ display_privs(struct sudoers_context *ct
+ /* STUB */
+ int
+ find_path(const char *infile, char **outfile, struct stat *sbp,
+-    const char *path, bool ignore_dot, char * const *allowlist)
++    const char *path, const char *runchroot, bool ignore_dot,
++    char * const *allowlist)
+ {
+     switch (pass) {
+     case PASS_CHECK_NOT_FOUND:
+@@ -855,9 +856,9 @@ find_path(const char *infile, char **out
+ /* STUB */
+ int
+ resolve_cmnd(struct sudoers_context *ctx, const char *infile, char **outfile,
+-    const char *path)
++    const char *path, const char *runchroot)
+ {
+-    return find_path(infile, outfile, NULL, path, false, NULL);
++    return find_path(infile, outfile, NULL, path, NULL, false, NULL);
+ }
+ 
+ /* STUB */
+diff -up ./plugins/sudoers/regress/fuzz/fuzz_stubs.c.cve-chroot ./plugins/sudoers/regress/fuzz/fuzz_stubs.c
+--- ./plugins/sudoers/regress/fuzz/fuzz_stubs.c.cve-chroot	2023-12-15 20:08:29.000000000 +0100
++++ ./plugins/sudoers/regress/fuzz/fuzz_stubs.c	2025-07-01 09:07:19.328807013 +0200
+@@ -57,18 +57,6 @@ init_eventlog_config(void)
+     return;
+ }
+ 
+-bool
+-pivot_root(const char *new_root, struct sudoers_pivot *state)
+-{
+-    return true;
+-}
+-
+-bool
+-unpivot_root(struct sudoers_pivot *state)
+-{
+-    return true;
+-}
+-
+ int
+ group_plugin_query(const char *user, const char *group, const struct passwd *pw)
+ {
+diff -up ./plugins/sudoers/resolve_cmnd.c.cve-chroot ./plugins/sudoers/resolve_cmnd.c
+--- ./plugins/sudoers/resolve_cmnd.c.cve-chroot	2023-12-15 20:08:29.000000000 +0100
++++ ./plugins/sudoers/resolve_cmnd.c	2025-07-01 09:07:19.328895002 +0200
+@@ -34,7 +34,7 @@
+  */
+ int
+ resolve_cmnd(struct sudoers_context *ctx, const char *infile,
+-    char **outfile, const char *path)
++    char **outfile, const char *path, const char *runchroot)
+ {
+     int ret = NOT_FOUND_ERROR;
+     debug_decl(resolve_cmnd, SUDOERS_DEBUG_UTIL);
+@@ -42,7 +42,7 @@ resolve_cmnd(struct sudoers_context *ctx
+     if (!set_perms(ctx, PERM_RUNAS))
+         goto done;
+     ret = find_path(infile, outfile, ctx->user.cmnd_stat, path,
+-        def_ignore_dot, NULL);
++        runchroot, def_ignore_dot, NULL);
+     if (!restore_perms())
+         goto done;
+     if (ret == NOT_FOUND) {
+@@ -50,7 +50,7 @@ resolve_cmnd(struct sudoers_context *ctx
+         if (!set_perms(ctx, PERM_USER))
+             goto done;
+         ret = find_path(infile, outfile, ctx->user.cmnd_stat, path,
+-            def_ignore_dot, NULL);
++            runchroot, def_ignore_dot, NULL);
+         if (!restore_perms())
+             goto done;
+     }
+diff -up ./plugins/sudoers/stubs.c.cve-chroot ./plugins/sudoers/stubs.c
+--- ./plugins/sudoers/stubs.c.cve-chroot	2023-12-15 20:08:29.000000000 +0100
++++ ./plugins/sudoers/stubs.c	2025-07-01 09:07:19.328983282 +0200
+@@ -94,17 +94,3 @@ init_eventlog_config(void)
+ {
+     return;
+ }
+-
+-/* STUB */
+-bool
+-pivot_root(const char *new_root, struct sudoers_pivot *state)
+-{
+-    return true;
+-}
+-
+-/* STUB */
+-bool
+-unpivot_root(struct sudoers_pivot *state)
+-{
+-    return true;
+-}
+diff -up ./plugins/sudoers/sudoers.c.cve-chroot ./plugins/sudoers/sudoers.c
+--- ./plugins/sudoers/sudoers.c.cve-chroot	2025-07-01 09:07:19.325332631 +0200
++++ ./plugins/sudoers/sudoers.c	2025-07-01 09:07:19.329100020 +0200
+@@ -1092,7 +1092,6 @@ init_vars(struct sudoers_context *ctx, c
+ int
+ set_cmnd_path(struct sudoers_context *ctx, const char *runchroot)
+ {
+-    struct sudoers_pivot pivot_state = SUDOERS_PIVOT_INITIALIZER;
+     const char *cmnd_in;
+     char *cmnd_out = NULL;
+     char *path = ctx->user.path;
+@@ -1111,13 +1110,7 @@ set_cmnd_path(struct sudoers_context *ct
+     if (def_secure_path && !user_is_exempt(ctx))
+ 	path = def_secure_path;
+ 
+-    /* Pivot root. */
+-    if (runchroot != NULL) {
+-	if (!pivot_root(runchroot, &pivot_state))
+-	    goto error;
+-    }
+-
+-    ret = resolve_cmnd(ctx, cmnd_in, &cmnd_out, path);
++    ret = resolve_cmnd(ctx, cmnd_in, &cmnd_out, path, runchroot);
+     if (ret == FOUND) {
+ 	char *slash = strrchr(cmnd_out, '/');
+ 	if (slash != NULL) {
+@@ -1134,14 +1127,8 @@ set_cmnd_path(struct sudoers_context *ct
+     else
+ 	ctx->user.cmnd = cmnd_out;
+ 
+-    /* Restore root. */
+-    if (runchroot != NULL)
+-	(void)unpivot_root(&pivot_state);
+-
+     debug_return_int(ret);
+ error:
+-    if (runchroot != NULL)
+-	(void)unpivot_root(&pivot_state);
+     free(cmnd_out);
+     debug_return_int(NOT_FOUND_ERROR);
+ }
+diff -up ./plugins/sudoers/sudoers.h.cve-chroot ./plugins/sudoers/sudoers.h
+--- ./plugins/sudoers/sudoers.h.cve-chroot	2023-12-15 20:08:31.000000000 +0100
++++ ./plugins/sudoers/sudoers.h	2025-07-01 09:07:19.329258729 +0200
+@@ -49,7 +49,6 @@
+ #include <defaults.h>
+ #include <logging.h>
+ #include <parse.h>
+-#include <pivot.h>
+ 
+ /*
+  * Info passed in from the sudo front-end.
+@@ -320,15 +319,16 @@ struct timespec;
+  * Function prototypes
+  */
+ /* goodpath.c */
+-bool sudo_goodpath(const char *path, struct stat *sbp);
++bool sudo_goodpath(const char *path, const char *runchroot, struct stat *sbp);
+ 
+ /* findpath.c */
+ int find_path(const char *infile, char **outfile, struct stat *sbp,
+-    const char *path, bool ignore_dot, char * const *allowlist);
++    const char *path, const char *runchroot, bool ignore_dot,
++    char * const *allowlist);
+ 
+ /* resolve_cmnd.c */
+ int resolve_cmnd(struct sudoers_context *ctx, const char *infile,
+-    char **outfile, const char *path);
++    char **outfile, const char *path, const char *runchroot);
+ 
+ /* check.c */
+ int check_user(struct sudoers_context *ctx, unsigned int validated, unsigned int mode);
+diff -up ./plugins/sudoers/testsudoers.c.cve-chroot ./plugins/sudoers/testsudoers.c
+--- ./plugins/sudoers/testsudoers.c.cve-chroot	2023-12-15 20:08:31.000000000 +0100
++++ ./plugins/sudoers/testsudoers.c	2025-07-01 09:07:19.329373377 +0200
+@@ -604,18 +604,6 @@ init_eventlog_config(void)
+     return;
+ }
+ 
+-bool
+-pivot_root(const char *new_root, struct sudoers_pivot *state)
+-{
+-    return true;
+-}
+-
+-bool
+-unpivot_root(struct sudoers_pivot *state)
+-{
+-    return true;
+-}
+-
+ int
+ set_cmnd_path(struct sudoers_context *ctx, const char *runchroot)
+ {
diff --git a/sudo.spec b/sudo.spec
index bf8540e..f1c4bfe 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,24 +1,12 @@
-## START: Set by rpmautospec
-## (rpmautospec version 0.6.5)
-## RPMAUTOSPEC: autorelease, autochangelog
-%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 8;
-    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
-    print(release_number + base_release_number - 1);
-}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
-## END: Set by rpmautospec
-
 # comment out if no extra version
 %global extraver p5
 
 Summary: Allows restricted root access for specified users
 Name: sudo
 Version: 1.9.15
-# remove -b 3 after rebase !!!
-# use "-p -e % {?extraver}" when beta
-# use "-e % {?extraver}"" when patch version
-# use nothing special when normal version
-Release: %autorelease -e %{?extraver}
+# %autoselect cannot be used in Z-stream releases
+# The .2 after %{?dist} must be increased in the next Z-stream release
+Release: 8.%{?extraver}%{?dist}.2
 License: ISC
 URL: https://www.sudo.ws
 Source0: %{url}/dist/%{name}-%{version}%{?extraver}.tar.gz
@@ -44,6 +32,8 @@ BuildRequires: zlib-devel
 
 Patch1: coverity.patch
 Patch2: sudo-conf.patch
+Patch3: cve-2025-32462.patch
+Patch4: cve-2025-32463.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -245,7 +235,11 @@ EOF
 %attr(0644,root,root) %{_libexecdir}/sudo/python_plugin.so
 
 %changelog
-## START: Generated by rpmautospec
+* Wed Jul 09 2025 Alejandro López <allopez@redhat.com> - 1.9.15-8.p5.2
+- RHEL 10.0.Z ERRATUM
+- CVE-2025-32462 sudo: LPE via host option Resolves: RHEL-100008
+- CVE-2025-32463 sudo: LPE via chroot option Resolves: RHEL-100021
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.9.15-8.p5
 - Bump release for October 2024 mass rebuild:
 
@@ -291,894 +285,3 @@ EOF
 * Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.13-6.p2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 
-* Thu Jul 06 2023 Leigh Scott <leigh123linux@gmail.com> - 1.9.13-5.p2
-- Rebuilt for Python 3.12
-
-* Tue Jun 20 2023 Radovan Sroka <rsroka@redhat.com> - 1.9.13-4.p2
-- migrated to SPDX license
-
-* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 1.9.13-3.p2
-- Rebuilt for Python 3.12
-
-* Wed Apr 26 2023 Florian Weimer <fweimer@redhat.com> - 1.9.13-2.p2
-- Port configure script to C99
-
-* Wed Mar 01 2023 Radovan Sroka <rsroka@redhat.com> - 1.9.13-1.p2
-- Rebase to sudo 1.9.13p2
-- sudo-1.9.13p2 is available Resolves: rhbz#2169840
-- sudo: double free with per-command chroot sudoers rules Resolves:
-  CVE-2023-27320
-
-* Thu Jan 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.9.12-1.p2
-- Rebase to sudo 1.9.12p2
-- sudo-1.9.12p2 is available Resolves: rhbz#2137775
-- sudo: arbitrary file write with privileges of the RunAs user Resolves:
-  CVE-2023-22809
-
-* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.11-4.p3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Wed Jun 22 2022 Radovan Sroka <rsroka@redhat.com> - 1.9.11-3.p3
-- Update to 1.9.11p3
-
-* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 1.9.8-7.p2
-- Rebuilt for Python 3.11
-
-* Mon Jun 06 2022 Matthew Miller <mattdm@mattdm.org> - 1.9.8-6.p2
-- recommend system-default-editor instead of nano specifically
-
-* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.8-5.p2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Wed Oct 06 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.8-4.p2
-- Rebuild. previously built with wrong version
-
-* Wed Oct 06 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.8-3
-- Set up update workflow with %%autorelease macro
-- removed stri patch that was not relevant
-
-* Sun Oct 03 2021 Matthew Miller <mattdm@mattdm.org> - 1.9.8p2-2
-- rhbz#1328973 -- make nano the default with fallback to vim and vi in that
-  order
-
-* Sun Oct 03 2021 Matthew Miller <mattdm@mattdm.org> - 1.9.8p2-1
-- Update to 1.9.8p2, and include new sudo_intercept.so
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.9.7p2-5
-- Rebuilt with OpenSSL 3.0.0
-
-* Sat Aug  7 2021 Matthew Miller <mattdm@fedoraproject.org> - 1.9.7p2-2 
-- drop obsolete requirement for post script that doesn't exist anymore 
-  (thanks @scfc)
-- remove commented-out lines from prior PR
-
-* Fri Jul 30 2021 Peter Czanik <peter@czanik.hu> - 1.9.7p2-1
-- update to 1.9.7p2
-- follow up path change in strip patch
-- added --enable-zlib=system configure parameter, so sudo uses system zlib,
-  autoconf is no more needed
-
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.5p2-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 1.9.5p2-2
-- Rebuilt for Python 3.10
-
-* Tue Jan 26 2021 Matthew Miller <mattdm@fedoraproject.org> - 1.9.5p2-1
-- rebase to 1.9.5p2
-Resolves: rhbz#1920611
-- fixed CVE-2021-3156 sudo: Heap buffer overflow in argument parsing
-Resolves: rhbz#1920618
-
-* Mon Jan 18 2021 Radovan Sroka <rsroka@redhat.com> - 1.9.5p1-1
-- rebase to 1.9.5p1
-Resolves: rhbz#1902758
-- fixed double free in sss_to_sudoers
-Resolves: rhbz#1885874
-- fixed CVE-2021-23239 sudo: possible directory existence test due to race condition in sudoedit
-Resolves: rhbz#1915055
-- fixed CVE-2021-23240 sudo: symbolic link attack in SELinux-enabled sudoedit
-Resolves: rhbz#1915054
-
-* Wed Jan 13 2021 Jonathan Lebon <jonathan@jlebon.com> - 1.9.3p1-2
-- split out Python modules into separate subpackage
-Resolves: rhbz#1909299
-
-* Mon Oct 05 2020 Radovan Sroka <rsroka@redhat.com> - 1.9.3p1-1
-- rebase to 1.9.3p1
-- enable python modules
-Resolves: rhbz#1881112
-
-* Tue Sep 15 2020 Radovan Sroka <rsroka@redhat.com> - 1.9.2-1
-- rebase to 1.9.2
-Resolves: rhbz#1859577
-- added logsrvd subpackage
-- added openssl-devel buildrequires
-Resolves: rhbz#1860653
-- fixed sudo runstatedir path
-- it was generated as /sudo instead of /run/sudo
-Resolves: rhbz#1868215
-- added /var/lib/snapd/snap/bin to secure_path variable
-Resolves: rhbz#1691996
-
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.1-3
-- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jul 08 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.1-1
-- rebase to 1.9.1
-Resolves: rhbz#1848788
-- fix rpmlint errors
-Resolves: rhbz#1817139
-
-* Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4
-- update to latest development version 1.9.0b4
-Resolves: rhbz#1816593
-- setrlimit(RLIMIT_CORE): Operation not permitted warning message fix
-Resolves: rhbz#1773148
-
-* Mon Feb 24 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b1
-- update to latest development version 1.9.0b1
-- added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages
-Resolves: rhbz#1787823
-- Stack based buffer overflow in when pwfeedback is enabled
-Resolves: rhbz#1796945
-- fixes: CVE-2019-18634
-- By using ! character in the shadow file instead of a password hash can access to a run as all sudoer account
-Resolves: rhbz#1786709
-- fixes CVE-2019-19234
-- attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user
-Resolves: rhbz#1786705
-- fixes CVE-2019-19232
-
-* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.29-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Mon Nov 11 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.29-1
-- rebase to 1.8.29
-Resolves: rhbz#1766233
-
-* Tue Oct 22 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28p1-1
-- rebase to 1.8.28p1
-Resolves: rhbz#1762350
-
-* Tue Oct 15 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.28-1
-- rebase to 1.8.28
-Resolves: rhbz#1761533
-- set always_set_home by default
-Resolves: rhbz#1728687
-- Sync sudoers options from rhel8 to fedora
-Resolves: rhbz#1761781
-- CVE-2019-14287
-Resolves: rhbz#1761584
-
-* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.27-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sun Mar 31 2019 Marek Tamaskovic <mtamasko@redhat.com> 1.8.27-2
-- resolves rhbz#1676925
-- Removed PS1, PS2 from sudoers
-
-* Mon Mar 11 2019 Radovan Sroka <rsroka@redhat.com> 1.8.27-1
-- rebase sudo to 1.8.27
-
-* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.25p1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Mon Oct 01 2018 Radovan Sroka <rsroka@redhat.com> 1.8.25p1-1
-- rebase sudo to 1.8.25p1
-
-* Mon Sep 10 2018 Radovan Sroka <rsroka@redhat.com> 1.8.25-1
-- rebase sudo to latest stawble version
-- install /etc/dnf/protected.d/sudo instead of /etc/yum/protected.d/sudo (1626968)
-
-* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.23-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Tue Jul 03 2018 Matthew Miller <mattdm@fedoraproject.org> - 1.8.23-2
-- remove defattr, as default is now sane
-
-* Wed May 09 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.23-1
-- update to 1.8.23
-
-* Wed Apr 18 2018 Daniel Kopecek <dkopecek@redhat.com> - 1.8.23-0.1.b3
-- update to 1.8.23b3
-
-* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.22-0.2.b1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Thu Dec 14 2017 Radovan Sroka <rsroka@redhat.com> - 1.8.22b1-1
-- update to 1.8.22b1
-- Added /usr/local/sbin and /usr/local/bin to secure path rhbz#1166185
-
-* Thu Sep 21 2017 Marek Tamaskovic <mtamasko@redhat.com> - 1.8.21p2-1
-- update to 1.8.21p2
-- Moved libsudo_util.so from the -devel sub-package to main package (1481225)
-
-* Wed Sep 06 2017 Matthew Miller <mattdm@fedoraproject.org> - 1.8.20p2-4
-- replace file-based requirements with package-level ones:
-- /etc/pam.d/system-auth to 'pam'
-- /bin/chmod to 'coreutils' (bug #1488934)
-- /usr/bin/vi to vim-minimal
-- ... and make vim-minimal "recommends" instead of "requires", because
-  other editors can be configured.
-
-* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.20p2-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.20p2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Thu Jun 01 2017 Daniel Kopecek <dkopecek@redhat.com> 1.8.20p2-1
-- update to 1.8.20p2
-
-* Wed May 31 2017 Daniel Kopecek <dkopecek@redhat.com> 1.8.20p1-1
-- update to 1.8.20p1
-- fixes CVE-2017-1000367
-  Resolves: rhbz#1456884
-
-* Fri Apr 07 2017 Jiri Vymazal <jvymazal@redhat.com> - 1.8.20-0.1.b1
-- update to latest development version 1.8.20b1
-- added sudo to dnf/yum protected packages
-  Resolves: rhbz#1418756
-
-* Mon Feb 13 2017 Tomas Sykora <tosykora@redhat.com> - 1.8.19p2-1
-- update to 1.8.19p2
-
-* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.19-0.3.20161108git738c3cb
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Tue Nov 08 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.19-0.2.20161108git738c3cb
-- update to latest development version
-- fixes CVE-2016-7076
-
-* Fri Sep 23 2016 Radovan Sroka <rsroka@redhat.com> 1.8.19-0.1.20160923git90e4538
-- we were not able to update from rc and beta versions to stable one
-- so this is a new snapshot package which resolves it
-
-* Wed Sep 21 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18-1
-- update to 1.8.18
-
-* Fri Sep 16 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18rc4-1
-- update to 1.8.18rc4
-
-* Wed Sep 14 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18rc2-1
-- update to 1.8.18rc2
-- dropped sudo-1.8.14p1-ldapconfpatch.patch
-  upstreamed --> https://www.sudo.ws/pipermail/sudo-workers/2016-September/001006.html
-
-* Fri Aug 26 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18b2-1
-- update to 1.8.18b2
-- added --disable-root-mailer as configure option
-  Resolves: rhbz#1324091
-
-* Fri Jun 24 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.17p1-1
-- update to 1.8.17p1
-- install the /var/db/sudo/lectured
-  Resolves: rhbz#1321414
-
-* Tue May 31 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-4
-- removed INPUTRC from env_keep to prevent a possible info leak
-  Resolves: rhbz#1340701
-
-* Fri May 13 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-3
-- fixed upstream patch for rhbz#1328735
-
-* Thu May 12 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-2
-- fixed invalid sesh argument array construction
-
-* Mon Apr 04 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.16-1
-- update to 1.8.16
-
-* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.15-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
-
-* Thu Nov  5 2015 Daniel Kopecek <dkopecek@redhat.com> 1.8.15-1
-- update to 1.8.15
-- fixes CVE-2015-5602
-
-* Mon Aug 24 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-3
-- enable upstream test suite
-
-* Mon Aug 24 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-2
-- add patch that resolves initialization problem before sudo_strsplit call
-- add patch that resolves deadcode in visudo.c
-- add patch that removes extra while in visudo.c and sudoers.c
-
-* Mon Jul 27 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-1
-- update to 1.8.14p3
-
-* Mon Jul 20 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p1-1
-- update to 1.8.14p1-1
-- rebase sudo-1.8.14b3-ldapconfpatch.patch -> sudo-1.8.14p1-ldapconfpatch.patch
-- rebase sudo-1.8.14b4-docpassexpire.patch -> sudo-1.8.14p1-docpassexpire.patch
-
-* Tue Jul 14 2015 Radovan Sroka <rsroka@redhat.com> 1.8.12-2
-- add patch3 sudo.1.8.14b4-passexpire.patch that makes change in documentation about timestamp_time
-- Resolves: rhbz#1162070
-
-* Fri Jul 10 2015 Radovan Sroka <rsroka@redhat.com> - 1.8.14b4-1
-- Update to 1.8.14b4
-- Add own %%{_tmpfilesdir}/sudo.conf
-
-* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.12-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
-
-* Wed Feb 18 2015 Daniel Kopecek <dkopecek@redhat.com> - 1.8.12
-- update to 1.8.12
-- fixes CVE-2014-9680
-
-* Mon Nov  3 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11p2-1
-- update to 1.8.11p2
-- added patch to fix upstream bug #671 -- exiting immediately
-  when audit is disabled
-
-* Tue Sep 30 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.11-1
-- update to 1.8.11
-- major changes & fixes:
-  - when running a command in the background, sudo will now forward
-    SIGINFO to the command
-  - the passwords in ldap.conf and ldap.secret may now be encoded in base64.
-  - SELinux role changes are now audited. For sudoedit, we now audit
-    the actual editor being run, instead of just the sudoedit command.
-  - it is now possible to match an environment variable's value as well as
-    its name using env_keep and env_check
-  - new files created via sudoedit as a non-root user now have the proper group id
-  - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support
-  - it is now possible to disable network interface probing in sudo.conf by
-    changing the value of the probe_interfaces setting
-  - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt
-    for the user's password even if the targetpw, rootpw or runaspw options are set.
-  - the new use_netgroups sudoers option can be used to explicitly enable or disable
-    netgroups support
-  - visudo can now export a sudoers file in JSON format using the new -x flag
-- added patch to read ldap.conf more closely to nss_ldap
-- require /usr/bin/vi instead of vim-minimal
-- include pam.d/system-auth in PAM session phase from pam.d/sudo
-- include pam.d/sudo in PAM session phase from pam.d/sudo-i
-
-* Tue Aug  5 2014 Tom Callaway <spot@fedoraproject.org> - 1.8.8-6
-- fix license handling
-
-* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.8-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
-
-* Sat May 31 2014 Peter Robinson <pbrobinson@fedoraproject.org> 1.8.8-4
-- Drop ChangeLog, we ship NEWS
-
-* Mon Mar 10 2014 Daniel Kopecek <dkopecek@redhat.com> - 1.8.8-3
-- remove bundled copy of zlib before compilation
-- drop the requiretty Defaults setting from sudoers
-
-* Sat Jan 25 2014 Ville Skyttä <ville.skytta@iki.fi> - 1.8.8-2
-- Own the %%{_libexecdir}/sudo dir.
-
-* Mon Sep 30 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.8-1
-- update to 1.8.8
-- major changes & fixes:
-  - LDAP SASL support now works properly with Kerberos
-  - root may no longer change its SELinux role without entering a password
-  - user messages are now always displayed in the user's locale, even when
-    the same message is being logged or mailed in a different locale.
-  - log files created by sudo now explicitly have the group set to group
-    ID 0 rather than relying on BSD group semantics
-  - sudo now stores its libexec files in a sudo subdirectory instead of in
-    libexec itself
-  - system_group and group_file sudoers group provider plugins are now
-    installed by default
-  - the paths to ldap.conf and ldap.secret may now be specified as arguments
-    to the sudoers plugin in the sudo.conf file
-  - ...and many new features and settings. See the upstream ChangeLog for the
-    full list.
-- several sssd support fixes
-- added patch to make uid/gid specification parsing more strict (don't accept
-  an invalid number as uid/gid)
-- use the _pkgdocdir macro
-  (see https://fedoraproject.org/wiki/Changes/UnversionedDocdirs)
-- fixed several bugs found by the clang static analyzer
-- added %%post dependency on chmod
-
-* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p7-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
-
-* Thu Feb 28 2013 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p7-1
-- update to 1.8.6p7
-- fixes CVE-2013-1775 and CVE-2013-1776
-- fixed several packaging issues (thanks to ville.skytta@iki.fi)
-  - build with system zlib.
-  - let rpmbuild strip libexecdir/*.so.
-  - own the %%{_docdir}/sudo-* dir.
-  - fix some rpmlint warnings (spaces vs tabs, unescaped macros).
-  - fix bogus %%changelog dates.
-
-* Fri Feb 15 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.6p3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
-
-* Mon Nov 12 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p3-2
-- added upstream patch for a regression
-- don't include arch specific files in the -devel subpackage
-- ship only one sample plugin in the -devel subpackage
-
-* Tue Sep 25 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6p3-1
-- update to 1.8.6p3
-- drop -pipelist patch (fixed in upstream)
-
-* Thu Sep  6 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.6-1
-- update to 1.8.6
-
-* Thu Jul 26 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-4
-- added patches that fix & improve SSSD support (thanks to pbrezina@redhat.com)
-- re-enabled SSSD support
-- removed libsss_sudo dependency
-
-* Tue Jul 24 2012 Bill Nottingham <notting@redhat.com> - 1.8.5-3
-- flip sudoers2ldif executable bit after make install, not in setup
-
-* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.5-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
-
-* Thu May 17 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.5-1
-- update to 1.8.5
-- fixed CVE-2012-2337
-- temporarily disabled SSSD support
-
-* Wed Feb 29 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-6
-- fixed problems with undefined symbols (rhbz#798517)
-
-* Wed Feb 22 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-5
-- SSSD patch update
-
-* Tue Feb  7 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-4
-- added SSSD support
-
-* Thu Jan 26 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-3
-- added patch for CVE-2012-0809
-
-* Sat Jan 14 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.8.3p1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
-
-* Thu Nov 10 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.3p1-1
-- update to 1.8.3p1
-- disable output word wrapping if the output is piped
-
-* Wed Sep  7 2011 Peter Robinson <pbrobinson@fedoraproject.org> - 1.8.1p2-2
-- Remove execute bit from sample script in docs so we don't pull in perl
-
-* Tue Jul 12 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.8.1p2-1
-- rebase to 1.8.1p2
-- removed .sudoi patch
-- fixed typo: RELPRO -> RELRO
-- added -devel subpackage for the sudo_plugin.h header file
-- use default ldap configuration files again
-
-* Fri Jun  3 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-4
-- build with RELRO
-
-* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.4p5-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
-
-* Mon Jan 17 2011 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p5-2
-- rebase to 1.7.4p5
-- fixed sudo-1.7.4p4-getgrouplist.patch
-- fixes CVE-2011-0008, CVE-2011-0010
-
-* Tue Nov 30 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-5
-- anybody in the wheel group has now root access (using password) (rhbz#656873)
-- sync configuration paths with the nss_ldap package (rhbz#652687)
-
-* Wed Sep 29 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-4
-- added upstream patch to fix rhbz#638345
-
-* Mon Sep 20 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-3
-- added patch for #635250
-- /var/run/sudo -> /var/db/sudo in .spec
-
-* Tue Sep  7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-2
-- sudo now uses /var/db/sudo for timestamps
-
-* Tue Sep  7 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.4p4-1
-- update to new upstream version
-- new command available: sudoreplay
-- use native audit support
-- corrected license field value: BSD -> ISC
-
-* Wed Jun  2 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-2
-- added patch that fixes insufficient environment sanitization issue (#598154)
-
-* Wed Apr 14 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p6-1
-- update to new upstream version
-- merged .audit and .libaudit patch
-- added sudoers.ldap.5* to files
-
-* Mon Mar  1 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p5-2
-- update to new upstream version
-
-* Tue Feb 16 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-5
-- fixed no valid sudoers sources found (#558875)
-
-* Wed Feb 10 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-4
-- audit related Makefile.in and configure.in corrections
-- added --with-audit configure option
-- removed call to libtoolize
-
-* Wed Feb 10 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-3
-- fixed segfault when #include directive is used in cycles (#561336)
-
-* Fri Jan  8 2010 Ville Skyttä <ville.skytta@iki.fi> - 1.7.2p2-2
-- Add /etc/sudoers.d dir and use it in default config (#551470).
-- Drop *.pod man page duplicates from docs.
-
-* Thu Jan 07 2010 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p2-1
-- new upstream version 1.7.2p2-1
-- commented out unused aliases in sudoers to make visudo happy (#550239)
-
-* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 1.7.1-7
-- rebuilt with new audit
-
-* Thu Aug 20 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-6
-- moved secure_path from compile-time option to sudoers file (#517428)
-
-* Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.7.1-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
-
-* Thu Jul 09 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-4
-- moved the closefrom() call before audit_help_open() (sudo-1.7.1-auditfix.patch)
-- epoch number sync
-
-* Mon Jun 22 2009 Daniel Kopecek <dkopecek@redhat.com> 1.7.1-1
-- updated sudo to version 1.7.1
-- fixed small bug in configure.in (sudo-1.7.1-conffix.patch)
-
-* Tue Feb 24 2009 Daniel Kopecek <dkopecek@redhat.com> 1.6.9p17-6
-- fixed building with new libtool
-- fix for incorrect handling of groups in Runas_User
-- added /usr/local/sbin to secure-path
-
-* Tue Jan 13 2009 Daniel Kopecek <dkopecek@redhat.com> 1.6.9p17-3
-- build with sendmail installed
-- Added /usr/local/bin to secure-path
-
-* Tue Sep 02 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p17-2
-- adjust audit patch, do not scream when kernel is
-  compiled without audit netlink support (#401201)
-
-* Fri Jul 04 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p17-1
-- upgrade
-
-* Wed Jun 18 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-7
-- build with newer autoconf-2.62 (#449614)
-
-* Tue May 13 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-6
-- compiled with secure path (#80215)
-
-* Mon May 05 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-5
-- fix path to updatedb in /etc/sudoers (#445103)
-
-* Mon Mar 31 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-4
-- include ldap files in rpm package (#439506)
-
-* Thu Mar 13 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-3
-- include [sudo] in password prompt (#437092)
-
-* Tue Mar 04 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-2
-- audit support improvement
-
-* Thu Feb 21 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p13-1
-- upgrade to the latest upstream release
-
-* Wed Feb 06 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p12-1
-- upgrade to the latest upstream release
-- add selinux support
-
-* Mon Feb 04 2008 Dennis Gilmore <dennis@ausil.us> 1.6.9p4-6
-- sparc64 needs to be in the -fPIE list with s390
-
-* Mon Jan 07 2008 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-5
-- fix complains about audit_log_user_command(): Connection
-  refused (#401201)
-
-* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 1.6.9p4-4
-- Rebuild for deps
-
-* Wed Dec 05 2007 Release Engineering <rel-eng at fedoraproject dot org> - 1.6.9p4-3
-- Rebuild for openssl bump
-
-* Thu Aug 30 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-2
-- fix autotools stuff and add audit support
-
-* Mon Aug 20 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.9p4-1
-- upgrade to upstream release
-
-* Thu Apr 12 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-14
-- also use getgrouplist() to determine group membership (#235915)
-
-* Mon Feb 26 2007 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-13
-- fix some spec file issues
-
-* Thu Dec 14 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-12
-- fix rpmlint issue
-
-* Thu Oct 26 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-11
-- fix typo in sudoers file (#212308)
-
-* Sun Oct 01 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-10
-- rebuilt for unwind info generation, broken in gcc-4.1.1-21
-
-* Thu Sep 21 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-9
-- fix sudoers file, X apps didn't work (#206320)
-
-* Tue Aug 08 2006 Peter Vrabec <pvrabec@redhat.com> 1.6.8p12-8
-- use Red Hat specific default sudoers file
-
-* Sun Jul 16 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-7
-- fix #198755 - make login processes (sudo -i) initialise session keyring
-  (thanks for PAM config files to David Howells)
-- add IPv6 support (patch by Milan Zazrivec)
-
-* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-6.1
-- rebuild
-
-* Mon May 29 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-6
-- fix #190062 - "ssh localhost sudo su" will show the password in clear
-
-* Tue May 23 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-5
-- add LDAP support (#170848)
-
-* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-4.1
-- bump again for double-long bug on ppc(64)
-
-* Wed Feb  8 2006 Karel Zak <kzak@redhat.com> 1.6.8p12-4
-- reset env. by default
-
-* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.6.8p12-3.1
-- rebuilt for new gcc4.1 snapshot and glibc changes
-
-* Mon Jan 23 2006 Dan Walsh <dwalsh@redhat.com> 1.6.8p12-3
-- Remove selinux patch.  It has been decided that the SELinux patch for sudo is
-- no longer necessary.  In tageted policy it had no effect.  In strict/MLS policy
-- We require the person using sudo to execute newrole before using sudo.
-
-* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
-- rebuilt
-
-* Fri Nov 25 2005 Karel Zak <kzak@redhat.com> 1.6.8p12-1
-- new upstream version 1.6.8p12
-
-* Tue Nov  8 2005 Karel Zak <kzak@redhat.com> 1.6.8p11-1
-- new upstream version 1.6.8p11
-
-* Thu Oct 13 2005 Tomas Mraz <tmraz@redhat.com> 1.6.8p9-6
-- use include instead of pam_stack in pam config
-
-* Tue Oct 11 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-5
-- enable interfaces in selinux patch
-- merge sudo-1.6.8p8-sesh-stopsig.patch to selinux patch
-
-* Mon Sep 19 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-4
-- fix debuginfo
-
-* Mon Sep 19 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-3
-- fix #162623 - sesh hangs when child suspends
-
-* Mon Aug 1 2005 Dan Walsh <dwalsh@redhat.com> 1.6.8p9-2
-- Add back in interfaces call, SELinux has been fixed to work around
-
-* Tue Jun 21 2005 Karel Zak <kzak@redhat.com> 1.6.8p9-1
-- new version 1.6.8p9 (resolve #161116 - CAN-2005-1993 sudo trusted user arbitrary command execution)
-
-* Tue May 24 2005 Karel Zak <kzak@redhat.com> 1.6.8p8-2
-- fix #154511 - sudo does not use limits.conf
-
-* Mon Apr  4 2005 Thomas Woerner <twoerner@redhat.com> 1.6.8p8-1
-- new version 1.6.8p8: new sudoedit and sudo_noexec
-
-* Wed Feb  9 2005 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-31
-- rebuild
-
-* Mon Oct  4 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-30.1
-- added missing BuildRequires for libselinux-devel (#132883)
-
-* Wed Sep 29 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-30
-- Fix missing param error in sesh
-
-* Mon Sep 27 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-29
-- Remove full patch check from sesh
-
-* Thu Jul 8 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-28
-- Fix selinux patch to switch to root user
-
-* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
-- rebuilt
-
-* Tue Apr 13 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-26
-- Eliminate tty handling from selinux
-
-* Thu Apr  1 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-25
-- fixed spec file: sesh in file section with selinux flag (#119682)
-
-* Tue Mar 30 2004 Colin Walters <walters@redhat.com> 1.6.7p5-24
-- Enhance sesh.c to fork/exec children itself, to avoid
-  having sudo reap all domains.
-- Only reinstall default signal handlers immediately before
-  exec of child with SELinux patch
-
-* Thu Mar 18 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-23
-- change to default to sysadm_r
-- Fix tty handling
-
-* Thu Mar 18 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-22
-- Add /bin/sesh to run selinux code.
-- replace /bin/bash -c with /bin/sesh
-
-* Tue Mar 16 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-21
-- Hard code to use "/bin/bash -c" for selinux
-
-* Tue Mar 16 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-20
-- Eliminate closing and reopening of terminals, to match su.
-
-* Mon Mar 15 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-19
-- SELinux fixes to make transitions work properly
-
-* Fri Mar  5 2004 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-18
-- pied sudo
-
-* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
-- rebuilt
-
-* Tue Jan 27 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-16
-- Eliminate interfaces call, since this requires big SELinux privs
-- and it seems to be useless.
-
-* Tue Jan 27 2004 Karsten Hopp <karsten@redhat.de> 1.6.7p5-15
-- visudo requires vim-minimal or setting EDITOR to something useful (#68605)
-
-* Mon Jan 26 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-14
-- Fix is_selinux_enabled call
-
-* Tue Jan 13 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-13
-- Clean up patch on failure
-
-* Tue Jan 6 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-12
-- Remove sudo.te for now.
-
-* Fri Jan 2 2004 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-11
-- Fix usage message
-
-* Mon Dec 22 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-10
-- Clean up sudo.te to not blow up if pam.te not present
-
-* Thu Dec 18 2003 Thomas Woerner <twoerner@redhat.com>
-- added missing BuildRequires for groff
-
-* Tue Dec 16 2003 Jeremy Katz <katzj@redhat.com> 1.6.7p5-9
-- remove left-over debugging code
-
-* Tue Dec 16 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-8
-- Fix terminal handling that caused Sudo to exit on non selinux machines.
-
-* Mon Dec 15 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-7
-- Remove sudo_var_run_t which is now pam_var_run_t
-
-* Fri Dec 12 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-6
-- Fix terminal handling and policy
-
-* Thu Dec 11 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-5
-- Fix policy
-
-* Thu Nov 13 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-4.sel
-- Turn on SELinux support
-
-* Tue Jul 29 2003 Dan Walsh <dwalsh@redhat.com> 1.6.7p5-3
-- Add support for SELinux
-
-* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
-- rebuilt
-
-* Mon May 19 2003 Thomas Woerner <twoerner@redhat.com> 1.6.7p5-1
-
-* Wed Jan 22 2003 Tim Powers <timp@redhat.com>
-- rebuilt
-
-* Tue Nov 12 2002 Nalin Dahyabhai <nalin@redhat.com> 1.6.6-2
-- remove absolute path names from the PAM configuration, ensuring that the
-  right modules get used for whichever arch we're built for
-- don't try to install the FAQ, which isn't there any more
-
-* Thu Jun 27 2002 Bill Nottingham <notting@redhat.com> 1.6.6-1
-- update to 1.6.6
-
-* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
-- automated rebuild
-
-* Thu May 23 2002 Tim Powers <timp@redhat.com>
-- automated rebuild
-
-* Thu Apr 18 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5p2-2
-- Fix bug #63768
-
-* Thu Mar 14 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5p2-1
-- 1.6.5p2
-
-* Fri Jan 18 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5p1-1
-- 1.6.5p1
-- Hope this "a new release per day" madness stops ;)
-
-* Thu Jan 17 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.5-1
-- 1.6.5
-
-* Tue Jan 15 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.4p1-1
-- 1.6.4p1
-
-* Mon Jan 14 2002 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.4-1
-- Update to 1.6.4
-
-* Mon Jul 23 2001 Bernhard Rosenkraenzer <bero@redhat.com> 1.6.3p7-2
-- Add build requirements (#49706)
-- s/Copyright/License/
-- bzip2 source
-
-* Sat Jun 16 2001 Than Ngo <than@redhat.com>
-- update to 1.6.3p7
-- use %%{_tmppath}
-
-* Fri Feb 23 2001 Bernhard Rosenkraenzer <bero@redhat.com>
-- 1.6.3p6, fixes buffer overrun
-
-* Tue Oct 10 2000 Bernhard Rosenkraenzer <bero@redhat.com>
-- 1.6.3p5
-
-* Wed Jul 12 2000 Prospector <bugzilla@redhat.com>
-- automatic rebuild
-
-* Tue Jun 06 2000 Karsten Hopp <karsten@redhat.de>
-- fixed owner of sudo and visudo
-
-* Thu Jun  1 2000 Nalin Dahyabhai <nalin@redhat.com>
-- modify PAM setup to use system-auth
-- clean up buildrooting by using the makeinstall macro
-
-* Tue Apr 11 2000 Bernhard Rosenkraenzer <bero@redhat.com>
-- initial build in main distrib
-- update to 1.6.3
-- deal with compressed man pages
-
-* Tue Dec 14 1999 Preston Brown <pbrown@redhat.com>
-- updated to 1.6.1 for Powertools 6.2
-- config files are now noreplace.
-
-* Thu Jul 22 1999 Tim Powers <timp@redhat.com>
-- updated to 1.5.9p2 for Powertools 6.1
-
-* Wed May 12 1999 Bill Nottingham <notting@redhat.com>
-- sudo is configured with pam. There's no pam.d file. Oops.
-
-* Mon Apr 26 1999 Preston Brown <pbrown@redhat.com>
-- upgraded to 1.59p1 for powertools 6.0
-
-* Tue Oct 27 1998 Preston Brown <pbrown@redhat.com>
-- fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed)
-
-* Thu Oct 08 1998 Michael Maher <mike@redhat.com>
-- built package for 5.2
-
-* Mon May 18 1998 Michael Maher <mike@redhat.com>
-- updated SPEC file
-
-* Thu Jan 29 1998 Otto Hammersmith <otto@redhat.com>
-- updated to 1.5.4
-
-* Tue Nov 18 1997 Otto Hammersmith <otto@redhat.com>
-- built for glibc, no problems
-
-* Fri Apr 25 1997 Michael Fulbright <msf@redhat.com>
-- Fixed for 4.2 PowerTools
-- Still need to be pamified
-- Still need to move stmp file to /var/log
-
-* Mon Feb 17 1997 Michael Fulbright <msf@redhat.com>
-- First version for PowerCD.
-
-## END: Generated by rpmautospec