From d4a972905694c70f70468376cbe0fca620a4cf50 Mon Sep 17 00:00:00 2001
From: Radovan Sroka
Date: Wed, 21 Aug 2024 10:35:32 +0200
Subject: [PATCH] RHEL 10.0 ERRATUM - sudo-1.9.15-2.p5.el10: RHEL SAST Automation: address 4 High impact true positive(s) Resolves: RHEL-44436 - sudo subpackage sudo-logsrvd should not be built Resolves: RHEL-52864
Signed-off-by: Radovan Sroka
---
sudo-conf.patch | 25 +++++++++++++++++++++++++
sudo.spec | 4 ++--
2 files changed, 27 insertions(+), 2 deletions(-)
create mode 100644 sudo-conf.patch
diff --git a/sudo-conf.patch b/sudo-conf.patch
new file mode 100644
index 0000000..8b493ee
--- /dev/null
+++ b/sudo-conf.patch
@@ -0,0 +1,25 @@
+diff -up ./examples/sudo.conf.in.fix ./examples/sudo.conf.in
+--- ./examples/sudo.conf.in.fix 2024-08-20 16:32:04.223791138 +0200
++++ ./examples/sudo.conf.in 2024-08-20 16:33:02.470003955 +0200
+@@ -11,9 +11,9 @@
+ # The plugin_options are optional.
+ #
+ # The sudoers plugin is used by default if no Plugin lines are present.
+-#Plugin sudoers_policy @sudoers_plugin@
+-#Plugin sudoers_io @sudoers_plugin@
+-#Plugin sudoers_audit @sudoers_plugin@
++Plugin sudoers_policy @sudoers_plugin@
++Plugin sudoers_io @sudoers_plugin@
++Plugin sudoers_audit @sudoers_plugin@
+
+ #
+ # Sudo askpass:
+@@ -85,7 +85,7 @@
+ # To aid in debugging sudo problems, you may wish to enable core
+ # dumps by setting "disable_coredump" to false.
+ #
+-#Set disable_coredump false
++Set disable_coredump false
+
+ #
+ # User groups:
diff --git a/sudo.spec b/sudo.spec
index bd03952..6b07fce 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -33,6 +33,7 @@ BuildRequires: zlib-devel Patch1: coverity.patch
+Patch2: sudo-conf.patch
%description Sudo (superuser do) allows a system administrator to give certain
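Review bot: In sudo-conf.patch the second inner hunk makes `Set disable_coredump false` an active setting, while the comment above it still describes this only as a debugging aid, so a reader of the resulting file cannot tell that core dumps of the setuid sudo binary are being allowed on purpose. sudo disables its own core dumps by default because a dump of a privileged process can contain password or policy data, so the reason for overriding that should be recorded in the file itself, for example `# Core-dump policy is left to the kernel's fs.suid_dumpable sysctl; keep that setting restrictive`, and stated in the commit message, which does not mention it. Whether examples/sudo.conf.in is what gets installed as the system sudo.conf is not visible on this page and should be confirmed before relying on either reading. The three Plugin lines activated in the first inner hunk restate what the file's own comment calls the default, so they appear harmless, but they do pin the plugin list explicitly.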
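Review bot: `Patch2: sudo-conf.patch` is declared here, but neither sudo.spec hunk adds a step that applies it; the diffstat's two insertions are this line and the blank line in the later hunk. If %prep uses `%autosetup` or `%autopatch` the patch is picked up automatically, but if patches are listed explicitly, a `%patch -P 2` line (with the strip level the other patches use) is needed or the sudo.conf change never reaches the build. The %prep section is outside the hunk, so this has to be checked there. A short comment above the tag, such as `# Activates the Plugin lines and disable_coredump in examples/sudo.conf.in`, would also record what the patch is for.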
@@ -161,13 +162,12 @@ cat sudo.lang sudoers.lang > sudo_all.lang rm sudo.lang sudoers.lang mkdir -p $RPM_BUILD_ROOT/etc/pam.d
+
cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF #%%PAM-1.0 auth include system-auth account include system-auth password include system-auth
-session optional pam_keyinit.so revoke
-session required pam_limits.so
session include system-auth EOF
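Review bot: Dropping `session optional pam_keyinit.so revoke` and `session required pam_limits.so` from the generated /etc/pam.d/sudo is not mentioned in the commit message, and it leaves session-keyring revocation and limits.conf enforcement for sudo sessions dependent entirely on what `session include system-auth` supplies. That is presumably the intent (removing duplicates of modules the included stack already runs), but system-auth is maintained outside this package, so the assumption should be written where the next maintainer will see it, for example a spec comment above the heredoc: `# pam_keyinit and pam_limits are expected to come from system-auth; do not list them again here`. The %install section continues outside the hunk, so any other PAM file written there, if one exists, should be checked for the same two lines.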