Ubuntu
sudo package

Merge ~danilogondolfo/ubuntu/+source/sudo:merge-lp2030914-mantic into ubuntu/+source/sudo:ubuntu/devel

Proposed by Danilo Egea Gondolfo on 2023-08-10

Status:	Superseded
Proposed branch:	~danilogondolfo/ubuntu/+source/sudo:merge-lp2030914-mantic
Merge into:	ubuntu/+source/sudo:ubuntu/devel
Diff against target:	79368 lines (+25553/-17282) (has conflicts) 231 files modified ChangeLog (+1674/-1) INSTALL.md (+33/-12) MANIFEST (+35/-10) Makefile.in (+2/-1) NEWS (+116/-0) config.h.in (+79/-68) configure (+1037/-634) configure.ac (+242/-257) debian/changelog (+31/-0) debian/copyright (+6/-2) debian/etc/sudoers.d/README (+6/-8) debian/patches/series (+0/-1) dev/null (+0/-71) docker/debian/latest/Dockerfile (+4/-5) docker/debian/testing/Dockerfile (+4/-5) docker/fedora/latest/Dockerfile (+1/-1) docker/fedora/rawhide/Dockerfile (+1/-1) docker/ubuntu/devel/Dockerfile (+4/-5) docker/ubuntu/latest/Dockerfile (+4/-5) docker/ubuntu/rolling/Dockerfile (+4/-5) docs/Makefile.in (+2/-1) docs/UPGRADE.md (+24/-1) docs/sudo.man.in (+5/-1) docs/sudo.mdoc.in (+5/-1) docs/sudo_plugin_python.man.in (+1/-1) docs/sudo_plugin_python.mdoc.in (+1/-1) docs/sudoers.ldap.man.in (+87/-13) docs/sudoers.ldap.mdoc.in (+79/-13) docs/sudoers.man.in (+62/-17) docs/sudoers.mdoc.in (+61/-17) docs/visudo.man.in (+28/-1) docs/visudo.mdoc.in (+26/-1) etc/codespell.exclude (+1/-0) etc/codespell.ignore (+5/-2) examples/Makefile.in (+2/-1) include/Makefile.in (+2/-1) include/sudo_compat.h (+13/-5) include/sudo_event.h (+1/-1) include/sudo_eventlog.h (+12/-1) include/sudo_iolog.h (+1/-1) include/sudo_util.h (+18/-43) lib/eventlog/Makefile.in (+96/-11) lib/eventlog/eventlog.c (+1/-0) lib/eventlog/eventlog_free.c (+6/-0) lib/eventlog/parse_json.c (+1042/-0) lib/eventlog/parse_json.h (+6/-10) lib/eventlog/regress/eventlog_store/store_json_test.c (+198/-0) lib/eventlog/regress/eventlog_store/store_sudo_test.c (+208/-0) lib/eventlog/regress/eventlog_store/test1.json.in (+51/-0) lib/eventlog/regress/eventlog_store/test1.json.out.ok (+30/-0) lib/eventlog/regress/eventlog_store/test1.sudo.out.ok (+2/-0) lib/eventlog/regress/eventlog_store/test2.json.in (+47/-0) lib/eventlog/regress/eventlog_store/test2.json.out.ok (+28/-0) lib/eventlog/regress/eventlog_store/test2.sudo.out.ok (+2/-0) lib/eventlog/regress/eventlog_store/test3.json.in (+48/-0) lib/eventlog/regress/eventlog_store/test3.json.out.ok (+29/-0) lib/eventlog/regress/eventlog_store/test3.sudo.out.ok (+2/-0) lib/eventlog/regress/eventlog_store/test4.json.in (+46/-0) lib/eventlog/regress/eventlog_store/test4.json.out.ok (+30/-0) lib/eventlog/regress/eventlog_store/test4.sudo.out.ok (+2/-0) lib/eventlog/regress/parse_json/check_parse_json.c (+18/-13) lib/iolog/Makefile.in (+27/-56) lib/iolog/iolog_gets.c (+5/-5) lib/iolog/iolog_json.c (+7/-889) lib/iolog/regress/fuzz/fuzz_iolog_json.c (+0/-2) lib/util/Makefile.in (+45/-24) lib/util/event.c (+1/-1) lib/util/lbuf.c (+44/-2) lib/util/nanosleep.c (+25/-16) lib/util/rcstr.c (+2/-3) lib/util/realpath.c (+198/-0) lib/util/regress/digest/digest_test.c (+1179/-0) lib/util/secure_path.c (+58/-0) lib/util/sudo_conf.c (+51/-43) lib/util/term.c (+13/-5) lib/util/ttysize.c (+15/-8) lib/util/util.exp.in (+3/-0) lib/zlib/Makefile.in (+3/-2) logsrvd/Makefile.in (+3/-2) logsrvd/iolog_writer.c (+4/-1) logsrvd/logsrv_util.c (+12/-6) logsrvd/logsrvd.c (+21/-12) logsrvd/logsrvd_conf.c (+19/-8) logsrvd/logsrvd_journal.c (+5/-0) logsrvd/regress/fuzz/fuzz_logsrvd_conf.c (+86/-0) logsrvd/sendlog.c (+12/-3) m4/hardening.m4 (+2/-7) m4/ldap.m4 (+2/-2) m4/openssl.m4 (+3/-1) m4/sudo.m4 (+45/-2) pathnames.h.in (+8/-8) plugins/audit_json/Makefile.in (+2/-1) plugins/group_file/Makefile.in (+2/-1) plugins/python/Makefile.in (+2/-1) plugins/python/pyhelpers.h (+3/-0) plugins/sample/Makefile.in (+2/-1) plugins/sample_approval/Makefile.in (+2/-1) plugins/sudoers/Makefile.in (+109/-33) plugins/sudoers/alias.c (+5/-4) plugins/sudoers/audit.c (+0/-1) plugins/sudoers/auth/bsdauth.c (+28/-20) plugins/sudoers/auth/sudo_auth.h (+1/-0) plugins/sudoers/canon_path.c (+200/-0) plugins/sudoers/check.h (+2/-0) plugins/sudoers/cvtsudoers.c (+39/-18) plugins/sudoers/cvtsudoers.h (+4/-4) plugins/sudoers/cvtsudoers_csv.c (+17/-15) plugins/sudoers/cvtsudoers_json.c (+19/-15) plugins/sudoers/cvtsudoers_ldif.c (+10/-10) plugins/sudoers/defaults.c (+4/-5) plugins/sudoers/defaults.h (+2/-2) plugins/sudoers/digestname.c (+1/-1) plugins/sudoers/editor.c (+1/-1) plugins/sudoers/file.c (+14/-7) plugins/sudoers/filedigest.c (+3/-2) plugins/sudoers/find_path.c (+8/-12) plugins/sudoers/fmtsudoers.c (+7/-7) plugins/sudoers/fmtsudoers_cvt.c (+5/-5) plugins/sudoers/gc.c (+0/-10) plugins/sudoers/getdate.c (+1/-1) plugins/sudoers/getdate.y (+1/-1) plugins/sudoers/goodpath.c (+2/-14) plugins/sudoers/gram.c (+362/-292) plugins/sudoers/gram.y (+89/-19) plugins/sudoers/iolog.c (+0/-1) plugins/sudoers/ldap.c (+37/-156) plugins/sudoers/ldap_conf.c (+12/-10) plugins/sudoers/ldap_innetgr.c (+264/-0) plugins/sudoers/ldap_util.c (+116/-0) plugins/sudoers/log_client.c (+22/-10) plugins/sudoers/logging.c (+50/-19) plugins/sudoers/logging.h (+1/-0) plugins/sudoers/match.c (+194/-134) plugins/sudoers/match_command.c (+204/-191) plugins/sudoers/match_digest.c (+1/-12) plugins/sudoers/parse.c (+3/-5) plugins/sudoers/parse.h (+65/-26) plugins/sudoers/pivot.c (+90/-0) plugins/sudoers/po/cs.po (+692/-657) plugins/sudoers/po/de.po (+688/-656) plugins/sudoers/po/eo.po (+790/-751) plugins/sudoers/po/fr.po (+691/-656) plugins/sudoers/po/hr.po (+699/-664) plugins/sudoers/po/ko.po (+693/-658) plugins/sudoers/po/pl.po (+688/-656) plugins/sudoers/po/ro.po (+728/-691) plugins/sudoers/po/ru.po (+1536/-1544) plugins/sudoers/po/sr.po (+940/-843) plugins/sudoers/po/sudoers.pot (+656/-624) plugins/sudoers/po/uk.po (+691/-656) plugins/sudoers/policy.c (+46/-44) plugins/sudoers/regress/editor/check_editor.c (+1/-2) plugins/sudoers/regress/fuzz/fuzz_policy.c (+37/-14) plugins/sudoers/regress/fuzz/fuzz_stubs.c (+20/-1) plugins/sudoers/regress/fuzz/fuzz_sudoers.c (+5/-5) plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c (+2/-2) plugins/sudoers/regress/parser/check_digest.c (+3/-2) plugins/sudoers/regress/parser/check_fill.c (+7/-1) plugins/sudoers/regress/starttime/check_starttime.c (+14/-1) plugins/sudoers/regress/sudoers/test27.json.ok (+6/-0) plugins/sudoers/regress/sudoers/test27.ldif.ok (+2/-0) plugins/sudoers/regress/sudoers/test27.out.ok (+2/-2) plugins/sudoers/regress/testsudoers/group (+1/-0) plugins/sudoers/regress/testsudoers/passwd (+6/-0) plugins/sudoers/regress/testsudoers/test21.out.ok (+10/-0) plugins/sudoers/regress/testsudoers/test21.sh (+20/-0) plugins/sudoers/regress/testsudoers/test22.out.ok (+8/-0) plugins/sudoers/regress/testsudoers/test22.sh (+18/-0) plugins/sudoers/regress/testsudoers/test23.out.ok (+8/-0) plugins/sudoers/regress/testsudoers/test23.sh (+17/-0) plugins/sudoers/set_perms.c (+33/-12) plugins/sudoers/sssd.c (+7/-6) plugins/sudoers/starttime.c (+31/-0) plugins/sudoers/stubs.c (+14/-0) plugins/sudoers/sudo_ldap.h (+79/-1) plugins/sudoers/sudo_ldap_conf.h (+2/-46) plugins/sudoers/sudo_nss.c (+1/-1) plugins/sudoers/sudo_nss.h (+6/-4) plugins/sudoers/sudoers.c (+412/-226) plugins/sudoers/sudoers.h (+21/-31) plugins/sudoers/sudoers.in (+4/-0) plugins/sudoers/sudoreplay.c (+2/-2) plugins/sudoers/testsudoers.c (+27/-8) plugins/sudoers/timestamp.c (+25/-0) plugins/sudoers/toke.c (+287/-183) plugins/sudoers/toke.h (+8/-2) plugins/sudoers/toke.l (+192/-88) plugins/sudoers/toke_util.c (+1/-1) plugins/sudoers/visudo.c (+195/-107) plugins/system_group/Makefile.in (+2/-1) po/cs.po (+254/-227) po/de.po (+255/-228) po/eo.po (+280/-260) po/fr.po (+254/-227) po/hr.po (+258/-229) po/ko.po (+255/-228) po/pl.po (+254/-227) po/ro.po (+277/-236) po/ru.po (+764/-380) po/sr.po (+346/-312) po/sudo.pot (+251/-225) po/uk.po (+254/-227) po/vi.po (+388/-329) scripts/config.sub (+2/-2) scripts/mkdep.pl (+2/-2) src/Makefile.in (+26/-46) src/conversation.c (+1/-3) src/edit_open.c (+11/-9) src/exec.c (+22/-15) src/exec_intercept.c (+13/-6) src/exec_intercept.h (+1/-1) src/exec_iolog.c (+12/-13) src/exec_monitor.c (+48/-71) src/exec_nopty.c (+21/-18) src/exec_ptrace.c (+29/-5) src/exec_pty.c (+307/-213) src/get_pty.c (+21/-24) src/limits.c (+32/-20) src/parse_args.c (+32/-51) src/regress/intercept/test_ptrace.c (+5/-12) src/selinux.c (+1/-1) src/sudo.c (+39/-34) src/sudo.h (+12/-15) src/sudo_edit.c (+50/-46) src/sudo_edit.h (+3/-3) src/sudo_exec.h (+14/-18) src/sudo_usage.h.in (+50/-11) src/suspend_parent.c (+62/-11) src/tgetpass.c (+11/-1) src/ttyname.c (+46/-16) src/utmp.c (+1/-6) Conflict in debian/changelog
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
git-ubuntu import		2023-08-10	Pending
Review via email: mp+448881@code.launchpad.net

This proposal has been superseded by a proposal from 2023-08-10.

Unmerged commits

cd2f9f4... by Danilo Egea Gondolfo on 2023-08-09

changelog

120a093... by Danilo Egea Gondolfo on 2023-08-09

update-maintainer

1de0518... by Danilo Egea Gondolfo on 2023-08-09

reconstruct-changelog

8d170db... by Danilo Egea Gondolfo on 2023-08-09

merge-changelogs

3cd5e46... by Danilo Egea Gondolfo on 2023-07-05

debian/tests/04-getroot-sssd:

  + Check if the slapd daemon is ready before proceeding.
    In some situations, the next command (ldapmodify) runs before
    the service is ready. See LP:#2026888

3d48e21... by Danilo Egea Gondolfo on 2023-07-05

debian/tests/control: 03-getroot-ldap

+ allow removal of 'sudo' in autopkgtest (SUDO_FORCE_REMOVE=yes)

52e4d7a... by Danilo Egea Gondolfo on 2023-07-05

debian/etc/sudoers:

+ also grant admin group sudo access
+ include /snap/bin in the secure_path

8eb6623... by Danilo Egea Gondolfo on 2023-07-05

debian/etc/pam.d/sudo[-i]:

  + Use pam_env to read /etc/environment and /etc/default/locale
    environment files. Reading ~/.pam_environment is not permitted due
    to security reasons.

f19a7d4... by Danilo Egea Gondolfo on 2023-07-05

debian/sudo[-ldap].init: delete init scripts, as they are no longer
necessary.

3f8d539... by Danilo Egea Gondolfo on 2023-07-05

debian/sudo[-ldap].manpages: install man/man8/sudo_root.8

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Danilo Egea Gondolfo

git-ubuntu developers

Ubuntu
sudo package

Merge ~danilogondolfo/ubuntu/+source/sudo:merge-lp2030914-mantic into ubuntu/+source/sudo:ubuntu/devel

Commit message

Description of the change

Unmerged commits

Preview Diff

Subscribers

 diff --git a/ChangeLog b/ChangeLog
 index 9218ccc..edbeba1 100644
 --- a/ChangeLog
 +++ b/ChangeLog
@@ -1,13 +1,1392 @@
++2023-07-15  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* .hgtags:
++	Added tag SUDO_1_9_14p2 for changeset 47c0bf9a7ebb
++	[6bbe51d30496] [tip] <1.9>
++
++	* configure, configure.ac:
++	sudo 1.9.14p2
++	[47c0bf9a7ebb] [SUDO_1_9_14p2] <1.9>
++
++	* plugins/sudoers/match.c:
++	runas_userlist_matches: fix matching a Runas_Spec with an empty
++	runas user.
++
++	We should only match a rule with an empty runas user if a group was
++	specified on the command line (sudo -g) without a user (no -u
++	option) or the user specified their own name on the command line.
++	GitHub issue #290
++	[164428126ee6] <1.9>
++
++2023-07-14  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* NEWS:
++	Document bug fixes in 1.9.14p2.
++	[e5cd975816b8] <1.9>
++
++	* src/exec_pty.c:
++	Pass SUDO_TERM_OFLAG to sudo_term_raw() when sudo output is piped.
++
++	This fixes a problem with "stair-stepped" output when the sudo-run
++	command's output is piped to another program and the command reads
++	input from the terminal.
++	[17009f9817b0] <1.9>
++
++	* src/exec_monitor.c, src/exec_pty.c:
++	Simplify the exec_monitor() foreground flag.
++
++	Add cmnd_foreground flag that is only true if sudo is the foreground
++	process and the CD_EXEC_BG flag is not set and pass it to
++	exec_monitor(). This means exec_monitor() no longer needs to check
++	for CD_EXEC_BG.
++	[6cc420fea368] <1.9>
++
++	* include/sudo_util.h, lib/util/term.c, plugins/sudoers/sudoreplay.c:
++	sudo_term_raw: change the isig argument into a flags field
++
++	There are current two flags: SUDO_TERM_ISIG (enable terminal
++	signals) and SUDO_TERM_OFLAG (preserve output flags).
++	[15fdaae9fa3b] <1.9>
++
++2023-07-12  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* src/exec_ptrace.c:
++	Fix a crash in intercept mode running a command with NULL argv[0].
++
++	Newer Linux kernels replace a NULL argv[0] with the empty string, we
++	should as well.
++	[74e81e6d373a] <1.9>
++
++2023-07-11  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* .hgtags:
++	Added tag SUDO_1_9_14p1 for changeset fc033946b1a9
++	[ee6033290e91] <1.9>
++
++	* configure, configure.ac:
++	sudo 1.9.14p1
++	[fc033946b1a9] [SUDO_1_9_14p1] <1.9>
++
++	* NEWS:
++	Docume bug fixes in 1.9.14p1.
++	[f526fda905de] <1.9>
++
++	* plugins/sudoers/log_client.c:
++	fmt_info_messages: don't include ttyname if it is NULL
++
++	The NULL check was commented out for testing but should have been
++	restored. Fixes a potential protocol error message from
++	sudo_logsrvd.
++	[12cf2b87355a] <1.9>
++
++	* logsrvd/iolog_writer.c:
++	evlog_new: store a new copy of peeraddr, not a pointer to a buffer.
++
++	Starting in sudo 1.9.14, eventlog_free() will free the peeraddr
++	member too so it needs to be dynamically allocated.
++	[4c984e3e6aef] <1.9>
++
++2023-06-27  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* .hgtags:
++	Added tag SUDO_1_9_14 for changeset 8010d7515347
++	[ff70094a18c0] <1.9>
++
++	* MANIFEST, NEWS, config.h.in, configure, configure.ac,
++	include/sudo_compat.h, plugins/sudoers/Makefile.in,
++	plugins/sudoers/logging.c, plugins/sudoers/match_command.c,
++	plugins/sudoers/parse.c, plugins/sudoers/parse.h,
++	plugins/sudoers/regress/fuzz/fuzz_policy.c,
++	plugins/sudoers/sudoers.c, plugins/sudoers/testsudoers.c,
++	plugins/sudoers/visudo.c, src/exec_nopty.c:
++	Merge sudo 1.9.14 from tip.
++	[8010d7515347] [SUDO_1_9_14] <1.9>
++
++2023-06-26  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* Merge pull request #275 from AtariDreams/emergency
++
++	Set command_info to NULL once it is freed
++	[6d1e55f4e7b9]
++
++2023-06-26  Rose  <83477269+AtariDreams@users.noreply.github.com>
++
++	* plugins/sudoers/policy.c:
++	Set command_info to NULL once it is freed
++
++	The lack of setting to NULL is a holdover from when command_info was
++	a local variable and not a global one. However, we given how other
++	global variables are set to NULL, it is best that we do the same
++	here to avoid potential issues should sudoers_policy_store_result be
++	called again after the first time failed, otherwise we could get a
++	double-free.
++	[a1a462a52a98]
++
++2023-06-25  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* Merge pull request #274 from bin-ly/main
++
++	Modify the is_script function for match_command.c
++	[05675d16bd52]
++
++2023-06-25  binlingyu  <binlingyu@uniontech.com>
++
++	* plugins/sudoers/match_command.c:
++	Modify the is_script function for match_command.c
++	[ce944a838c33]
++
++2023-06-21  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* NEWS:
++	Mention C99 requirement.
++	[f12a7b68e0b2]
++
++2023-06-20  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* docs/sudoers.man.in, docs/sudoers.mdoc.in:
++	Reference SETENV-related settings in the command environment
++	section.
++
++	Based on GitHub PR #273 from Ilya Kulakov.
++	[f8b5ef533800]
++
++	* INSTALL.md:
++	Sudo requires a C99 compiler due to the use of flexible array
++	members.
++	[bb80666c7382]
++
++	* Merge pull request #266 from AtariDreams/c99
++
++	Do variable length arrays the C99 way
++	[690561b17683]
++
++2023-06-19  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* Merge pull request #269 from trackers-lover/main
++
++	correct the return value type of function alias_find_used
++	[30dc3eb4a59a]
++
++2023-06-18  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* docs/sudoers.man.in, docs/sudoers.mdoc.in:
++	Clarify that use_pty is on by default starting with 1.9.14.
++	[984048215229]
++
++	* docs/sudo.man.in, docs/sudo.mdoc.in:
++	Sudo runs the command in a pty by default in 1.9.14 and above.
++	[92ec41fdf7c9]
++
++	* plugins/sudoers/sudoers.in:
++	Add commented out example for disabling use_pty.
++	[9a59b831f363]
++
++2023-06-15  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* .circleci/config.yml:
++	Update Xcode version from 13.2.1 to 13.4.1.
++	[10bbb25b415e]
++
++2023-06-14  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* MANIFEST:
++	Add plugins/sudoers/regress/testsudoers/passwd to MANIFEST.
++	[016644afd8ae]
++
++	* plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po,
++	plugins/sudoers/po/pl.mo, plugins/sudoers/po/pl.po, po/eo.mo,
++	po/eo.po, po/pl.mo, po/pl.po:
++	Updated translations from translationproject.org
++	[97167b63ffbd]
++
++	* NEWS:
++	Document recent bug fixes.
++	[34d8ffa919c6]
++
++	* MANIFEST, plugins/sudoers/regress/testsudoers/group,
++	plugins/sudoers/regress/testsudoers/passwd,
++	plugins/sudoers/regress/testsudoers/test22.out.ok,
++	plugins/sudoers/regress/testsudoers/test22.sh,
++	plugins/sudoers/regress/testsudoers/test23.out.ok,
++	plugins/sudoers/regress/testsudoers/test23.sh:
++	Add tests to exercise recent runas user and group bug fixes.
++	[20f19831ed34]
++
++	* MANIFEST, plugins/sudoers/regress/testsudoers/passwd,
++	plugins/sudoers/regress/testsudoers/test21.out.ok,
++	plugins/sudoers/regress/testsudoers/test21.sh:
++	Add test to exercise the bug that prevented the group specified via
++	"sudo -g" from matching when a Runas_Alias was used in the user or
++	group portion of a Runas_Spec.
++	[16c0668b5c4b]
++
++2023-06-13  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/match.c:
++	runaslist_matches: split out user_list and group_list matching.
++
++	This makes it possible to call the appropriate runas user or group
++	list match function when resolving aliases instead of calling
++	runaslist_matches() itself. Fixes a bug that prevented the group
++	specified via "sudo -g" from matching when a Runas_Alias was used in
++	the user or group portion of a Runas_Spec.
++	[3e0885e96418]
++
++	* plugins/sudoers/match.c:
++	runaslist_matches: remove special case to handle "sudo -g group"
++
++	Now that we are guaranteed to have a runas user list for all sudoers
++	rules that contain a runas list, we can remove support for the
++	special case where user_matched is set in the runas group matching
++	conditional. This fixes a bug where "sudo -u myuser -g mygroup" was
++	permitted by a rule like "myuser ALL = (root) ALL".
++	[d80e907efe77]
++
++	* plugins/sudoers/gram.c, plugins/sudoers/gram.y,
++	plugins/sudoers/regress/sudoers/test27.json.ok,
++	plugins/sudoers/regress/sudoers/test27.ldif.ok,
++	plugins/sudoers/regress/sudoers/test27.out.ok:
++	Populate runasusers even when only a grouplist is specified.
++
++	When a sudoers rule permits the user to run commands as a group, not
++	a user, we should set the runasusers to single member with the
++	special MYSELF token. This guarantees that the only time runasusers
++	will be NULL is when no runaslist is present.
++	[25c293ae5053]
++
++	* plugins/sudoers/match.c:
++	runaslist_matches: fix bug when no runas list is specified in
++	sudoers.
++
++	If a sudoers rule has no runas list, a user-specified runas group
++	should only be allowed if it matches a group that the default runas
++	user belongs to. Instead, a missing group check allowed the user run
++	commands as the default runas user with an arbitrary group.
++
++	This means that a rule like "somebody host = ALL", which should be
++	equivalent to "somebody host = (root) ALL", had the same effect as
++	"somebody host = (root:ALL) ALL".
++	[eeb075b3b79c]
++
++2023-06-11  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/python/pyhelpers.h:
++	Python may be built with 32-bit time_t support on 32-bit platforms.
++	We need to undef the SIZEOF_TIME_T from pyconfig.h so it does not
++	conflict with our own.
++	[c8bf985eb777]
++
++2023-06-10  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* Merge pull request #272 from millert/main
++
++	Avoid use of variable length arrays and add ctype(3) casts.
++	[806b2266f6ab]
++
++	* lib/util/lbuf.c:
++	Avoid use of variable length arrays and add ctype(3) casts.
++	[d8c80d4905b3]
++
++	* Merge pull request #270 from moehanabi/main
++
++	Add %n$s support for sudo_lbuf_append_v1
++	[53ad2cdaaabe]
++
++2023-06-09  Brilliant Hanabi  <130747944+moehanabi@users.noreply.github.com>
++
++	* lib/util/lbuf.c:
++	Add %n$s support for sudo_lbuf_append_v1
++	[f48fa0250fdc]
++
++2023-06-09  bianguangze  <bianguangze@uniontech.com>
++
++	* plugins/sudoers/alias.c:
++	correct the return value type of function alias_find_used
++	[f689f55fef3f]
++
++2023-06-07  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/po/cs.mo, plugins/sudoers/po/cs.po,
++	plugins/sudoers/po/de.mo, plugins/sudoers/po/de.po,
++	plugins/sudoers/po/eo.mo, plugins/sudoers/po/eo.po,
++	plugins/sudoers/po/fr.mo, plugins/sudoers/po/fr.po,
++	plugins/sudoers/po/hr.mo, plugins/sudoers/po/hr.po,
++	plugins/sudoers/po/ko.mo, plugins/sudoers/po/ko.po,
++	plugins/sudoers/po/ro.mo, plugins/sudoers/po/ro.po,
++	plugins/sudoers/po/ru.mo, plugins/sudoers/po/ru.po,
++	plugins/sudoers/po/sr.mo, plugins/sudoers/po/sr.po,
++	plugins/sudoers/po/uk.mo, plugins/sudoers/po/uk.po, po/cs.mo,
++	po/cs.po, po/de.mo, po/de.po, po/eo.mo, po/eo.po, po/fr.mo,
++	po/fr.po, po/hr.mo, po/hr.po, po/ko.mo, po/ko.po, po/ro.mo,
++	po/ro.po, po/ru.mo, po/ru.po, po/sr.mo, po/sr.po, po/uk.mo,
++	po/uk.po, po/vi.mo, po/vi.po:
++	Updated translations from translationproject.org
++	[966147718ed3]
++
++	* plugins/sudoers/po/sudoers.pot, po/sudo.pot:
++	Update .pot files for 1.9.14
++	[b79b44520c46]
++
++	* NEWS:
++	Mention Bug #1050 fix.
++	[c4af7e56a515]
++
++	* docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in,
++	plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c,
++	plugins/sudoers/sudo_ldap_conf.h:
++	Add NETGROUP_QUERY option for servers that can't match
++	nisNetgroupTriple. This can be used to support netgroup queries on
++	systems that lack the innetgr() function and where the LDAP server
++	cannot query the nisNetgroup by nisNetgroupTriple.
++	[98b293bee424]
++
++2023-06-06  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/defaults.c, plugins/sudoers/ldap.c,
++	plugins/sudoers/match.c, plugins/sudoers/parse.h:
++	sudo_ldap_check_non_unix_group: pass nss pointer to netgr_matches()
++	This allows us to use the LDAP-specific version of innetgr() when
++	possible. Also enable "use_netgroups" by default even on systems
++	without innetgr() since we can now query netgroups directly via
++	LDAP.
++	[a443919be48c]
++
++2023-06-05  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* src/exec_ptrace.c:
++	Only call ptrace_verify_post_exec() for intercept, not log_subcmds.
++	[9f55dcdd66cd]
++
++	* NEWS, configure, configure.ac:
++	sudo 1.9.14
++	[73c25828ffc8]
++
++2023-06-04  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/visudo.c:
++	run_command: back out changes to run editor in its own process
++	group. It unnecessarily complicates things to work around bugs in an
++	OS almost no one runs.
++	[8790d32a4f99]
++
++	* MANIFEST, include/sudo_util.h, lib/util/Makefile.in,
++	lib/util/suspend_parent.c, lib/util/util.exp.in,
++	plugins/sudoers/Makefile.in, src/Makefile.in, src/sudo_exec.h,
++	src/suspend_parent.c:
++	Make suspend_parent.c out of lib/util and into src. Nothing else
++	uses it now.
++	[69eda3d690e4]
++
++2023-06-03  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/digestname.c, plugins/sudoers/filedigest.c,
++	plugins/sudoers/gram.c, plugins/sudoers/gram.y,
++	plugins/sudoers/parse.h,
++	plugins/sudoers/regress/parser/check_digest.c,
++	plugins/sudoers/toke.c, plugins/sudoers/toke.l:
++	Initialize digest_type to SUDO_DIGEST_INVALID, not -1 and make it
++	unsigned. This makes the digest type consistently unsigned instead
++	of a mix of signed (for the -1 value in the tokenizer) and unsigned.
++	[49ef7c33450f]
++
++2023-05-25  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* docs/sudo_plugin_python.man.in, docs/sudo_plugin_python.mdoc.in,
++	etc/codespell.exclude, etc/codespell.ignore,
++	plugins/sudoers/getdate.c, plugins/sudoers/getdate.y,
++	plugins/sudoers/pivot.c, plugins/sudoers/visudo.c:
++	Fix typos and update excluded/ignored codespell lists.
++	[bdb70620b4e4]
++
++2023-05-19  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/visudo.c:
++	run_command: check that ttyfd is not -1 before using it
++	[990cbd169a37]
++
++2023-05-18  Rose  <83477269+AtariDreams@users.noreply.github.com>
++
++	* include/sudo_event.h, lib/util/event.c, lib/util/rcstr.c,
++	plugins/sudoers/canon_path.c, plugins/sudoers/ldap_conf.c,
++	plugins/sudoers/sudo_ldap_conf.h:
++	Do variable length arrays the C99 way
++
++	Variable length arrays are supported by C99, but having it denoted
++	as "1" confused the compiler and is not defined.
++
++	Note that because we don't get the inferred NULL terminator, we have
++	to increase the malloc size by one.
++	[4e33419e940e]
++
++2023-05-11  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/visudo.c:
++	Work around a macOS a kernel bug where tcsetpgrp() does not restart.
++
++	I reported this bug to Apple over 12 years ago.
++	[77871464e563]
++
++	* plugins/sudoers/visudo.c:
++	run_command: run editor in foreground if visudo is the foreground
++	process
++
++	The command is now always run in its own process group. If visudo is
++	run in the foreground, the command is run in the foreground too.
++	Otherwise, run the command in the background. There is a race
++	between the tcsetpgrp() call in the parent and the execve() in the
++	child. If we lose the race and the command needs the controlling
++	terminal, it will be stopped with SIGTTOU or SIGTTIN, which the
++	waitpid() loop will handle.
++	[e8e14e0024da]
++
++	* plugins/sudoers/visudo.c:
++	Accept carriage return for EOL in addition to newline.
++
++	Since visudo doesn't alter the terminal settings it is possible for
++	the terminal to have the ONLCR bit set in the output control flags.
++	In that case, we will get a CR, not a NL when the user presses
++	enter/return. One way this can happen is if visudo is run in the
++	background from a shell that supports line editing and the editor
++	restores the (cbreak-style) terminal mode when it finishes.
++	[14538e74fd02]
++
++2023-05-09  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/regress/parser/check_fill.c:
++	check_fill: sudoers_strict() is now a function, not a global
++	variable
++	[8b8e72d283df]
++
++	* plugins/sudoers/parse.h, plugins/sudoers/sudoers.h,
++	plugins/sudoers/toke.h:
++	Move parser prototypes / externs from sudoers.h to parse.h or
++	toke.h.
++	[79a52390c46b]
++
++	* plugins/sudoers/file.c, plugins/sudoers/sudoers.c:
++	parse.h is already included by sudoers.h.
++	[f6faa3f782a2]
++
++	* plugins/sudoers/policy.c, plugins/sudoers/testsudoers.c,
++	plugins/sudoers/visudo.c:
++	Rename parser_conf -> sudoers_conf in all but the parser itself.
++	[61614621341e]
++
++2023-05-08  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c,
++	plugins/sudoers/gram.c, plugins/sudoers/gram.y,
++	plugins/sudoers/parse.h, plugins/sudoers/policy.c,
++	plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
++	plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c,
++	plugins/sudoers/visudo.c:
++	Move sudoers search path to struct sudoers_parser_config.
++
++	That way we can avoid passing it to init_parser() directly. We still
++	need sudoers_search_path to be shared between the lexer and the
++	parser.
++	[5e6c6a08aded]
++
++	* plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c,
++	plugins/sudoers/gram.c, plugins/sudoers/gram.y,
++	plugins/sudoers/parse.h, plugins/sudoers/policy.c,
++	plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
++	plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c,
++	plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c,
++	plugins/sudoers/toke.c, plugins/sudoers/toke.l,
++	plugins/sudoers/toke_util.c, plugins/sudoers/visudo.c:
++	Add struct sudoers_parser_config and pass it to init_parser().
++
++	This struct contains parser configuration such as the sudoers file
++	uid/gid/mode and parse flags such as verbose, strict and recovery.
++	[ed8042e7a49a]
++
++	* plugins/sudoers/toke.c, plugins/sudoers/toke.l:
++	push_include_int: Avoid passing close(2) a negative value on error.
++	Coverity CID 314108
++	[bbbdfa87543e]
++
++	* plugins/sudoers/ldap.c:
++	Eliminate dead store. Coverity CID 315032.
++	[6b48998e4db1]
++
++2023-05-05  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* include/sudo_iolog.h, lib/iolog/iolog_gets.c:
++	iolog_gets: change size parameter to int to match fgets/gzgets
++
++	Return an error, setting errno to EINVAL, for negative sizes.
++	[27534bcb58a7]
++
++2023-05-04  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/policy.c, plugins/sudoers/sudoers.c,
++	plugins/sudoers/sudoers.h:
++	Rename force_umask to override_umask and make it private to
++	sudoers.c.
++
++	Add getter for policy.c.
++	[1c8a56c767f3]
++
++	* plugins/sudoers/check.h, plugins/sudoers/regress/fuzz/fuzz_stubs.c,
++	plugins/sudoers/set_perms.c, plugins/sudoers/sudoers.c,
++	plugins/sudoers/sudoers.h, plugins/sudoers/timestamp.c:
++	Make timestamp_uid and timestamp_gid private to timestamp.c.
++
++	Add getter (for set_perms.c) and setter (for sudoers.c).
++	[ad49d0ee7e6f]
++
++	* plugins/sudoers/auth/bsdauth.c, plugins/sudoers/auth/sudo_auth.h,
++	plugins/sudoers/policy.c,
++	plugins/sudoers/regress/fuzz/fuzz_policy.c,
++	plugins/sudoers/sudoers.h:
++	Make login_style private to bsdauth.c
++
++	Add a setter for policy.c to handle auth_type from the front-end.
++	[962af1d3d0fd]
++
++2023-05-03  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* lib/util/sudo_debug.c:
++	Back out last change, len must be int, not size_t, for %.*s.
++	[a82bbd86fa29]
++
++	* src/exec_pty.c:
++	Use a "%s" format instead of using a translated string as the
++	format.
++	[1a73a1b4fa94]
++
++	* Merge pull request #260 from AtariDreams/size_t
++
++	Prefer size_t over int, as casting can take extra instructions
++	[c0fd1027e105]
++
++2023-05-03  Rose  <83477269+AtariDreams@users.noreply.github.com>
++
++	* lib/eventlog/parse_json.c, lib/util/sudo_debug.c,
++	plugins/sudoers/fmtsudoers.c:
++	Prefer size_t over int, as casting can take extra instructions
++	[96fc138b2009]
++
++2023-05-02  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c,
++	plugins/sudoers/gram.y, plugins/sudoers/parse.h,
++	plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
++	plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
++	Rename init_parser_ext() to init_parser() and remove old wrapper.
++
++	There was only one consumer of the init_parser() wrapper now that
++	reset_parser() has been introduced.
++	[4be1b8965ce6]
++
++	* plugins/sudoers/gram.c, plugins/sudoers/gram.y,
++	plugins/sudoers/parse.h,
++	plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
++	plugins/sudoers/sudoers.c:
++	Add reset_parser() and use in place of init_parser(NULL).
++	[f85227ac1182]
++
++	* plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c,
++	plugins/sudoers/policy.c, plugins/sudoers/sudoers.h:
++	Make path_ldap_conf and path_ldap_secret private to policy.c.
++
++	Add getters for both so the ldap code can access them.
++	[90a2107d6ec7]
++
++	* plugins/sudoers/file.c, plugins/sudoers/policy.c,
++	plugins/sudoers/sudoers.h, plugins/sudoers/toke.c,
++	plugins/sudoers/toke.l, plugins/sudoers/visudo.c:
++	Make sudoers_file private to policy.c and visudo.c.
++
++	We just need a way for the policy (and visudo) to override the
++	default sudoers path. This adds a getter to be used in file.c when
++	sudoers is first opened.
++	[657aa80f3af8]
++
++	* plugins/sudoers/gram.c, plugins/sudoers/gram.y,
++	plugins/sudoers/parse.h,
++	plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
++	plugins/sudoers/sudoers.h, plugins/sudoers/testsudoers.c,
++	plugins/sudoers/toke.c, plugins/sudoers/toke.l,
++	plugins/sudoers/visudo.c:
++	Support adminconfdir for relative include paths in sudoers.
++	[7ebdbd46b47b]
++
++	* plugins/sudoers/visudo.c:
++	Track the destination sudoers path for each parsed file.
++
++	When adminconfdir is enabled, the destination pathh may be different
++	from the path we opened. We always store an edited file in the
++	adminconfdir (if enabled). This makes it possible to use visudo when
++	/etc/sudoers is located on a read-only file system.
++	[de896a012d81]
++
++	* INSTALL.md, Makefile.in, configure, configure.ac, docs/Makefile.in,
++	examples/Makefile.in, include/Makefile.in, lib/util/Makefile.in,
++	lib/zlib/Makefile.in, logsrvd/Makefile.in, m4/sudo.m4,
++	plugins/audit_json/Makefile.in, plugins/group_file/Makefile.in,
++	plugins/python/Makefile.in, plugins/sample/Makefile.in,
++	plugins/sample_approval/Makefile.in, plugins/sudoers/Makefile.in,
++	plugins/system_group/Makefile.in, src/Makefile.in:
++	Add adminconfdir and --enable-adminconf to set it. Configuration
++	paths in sudo are now a colon-separated list of files with the
++	adminconfdir instance first (if enabled), followed by a sysconfdir
++	instance.
++	[be1f672878ae]
++
++	* configure, configure.ac, include/sudo_util.h, lib/util/Makefile.in,
++	lib/util/secure_path.c, lib/util/sudo_conf.c, lib/util/util.exp.in,
++	logsrvd/Makefile.in, logsrvd/logsrvd.c, logsrvd/logsrvd_conf.c,
++	plugins/sudoers/Makefile.in, plugins/sudoers/cvtsudoers.c,
++	plugins/sudoers/sudoers.c, src/Makefile.in:
++	Convert config file paths to colon-separated path list. This means
++	that _PATH_SUDO_CONF, _PATH_SUDOERS, _PATH_SUDO_LOGSRVD_CONF, and
++	_PATH_CVTSUDOERS_CONF can now specify multiple files. The first file
++	that exists is used.
++	[902d9da6a941]
++
++	* plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c,
++	plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
++	plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c,
++	plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h,
++	plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c,
++	plugins/sudoers/toke.l, plugins/sudoers/visudo.c:
++	Support sudoers_file being a colon-separated path of files. The
++	first file found is used.
++	[bebe005e2d32]
++
++2023-05-01  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* config.h.in, configure:
++	Regenerate with latest autoconf from git.
++	[0996570205bf]
++
++2023-04-28  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* logsrvd/logsrvd_conf.c:
++	No longer need to set AI_NUMERICSERV while fuzzing.
++
++	Now that getaddrinfo() is stubbed out while fuzzing we can remove
++	the hack that set AI_NUMERICSERV.
++	[8e3deb584c1c]
++
++2023-04-26  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* logsrvd/regress/fuzz/fuzz_logsrvd_conf.c,
++	plugins/sudoers/regress/fuzz/fuzz_policy.c:
++	getaddrinfo stub: set sin_port
++	[019eb2da9944]
++
++	* logsrvd/regress/fuzz/fuzz_logsrvd_conf.c,
++	plugins/sudoers/regress/fuzz/fuzz_policy.c:
++	Avoid NULL deref in stub getaddrinfo() when nodename is NULL. Also
++	add support for parsing servname. We only need to support a subset
++	of getaddrinfo() functionality in the fuzzer.
++	[a605cc43bbaf]
++
++	* configure, m4/hardening.m4:
++	Add missing stdio.h include for the _FORTIFY_SOURCE=2 check.
++	Implementations of _FORTIFY_SOURCE require the header file to be
++	included. Also remove the useless test of an empty program with
++	_FORTIFY_SOURCE defined. Pointed out by Florian Weimer.
++	[511b9bdddbdc]
++
++	* configure, m4/ldap.m4:
++	Use ldap_msgfree() instead of ldap_init() for the lber.h test. The
++	ldap_init() function is marked as deprecated and not defined by
++	default on some systems. This can cause an error for compilers that
++	do not support implicit function declarations. From Florian Weimer.
++	[1b1ce2072403]
++
++2023-04-25  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
++	Include arpa/inet.h for inet_pton() prototype.
++	[50d3b09376f7]
++
++	* logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
++	Add netdb.h for struct addrinfo and EAI_* error codes.
++	[92d33c6f8a23]
++
++	* logsrvd/regress/fuzz/fuzz_logsrvd_conf.c:
++	Stub out getaddrinfo() and freeaddrinfo(). We may not be able have
++	access to DNS in the fuzzing environment.
++	[b3d2e6c04076]
++
++	* lib/eventlog/regress/eventlog_store/store_sudo_test.c:
++	Plug memory leaks in store_sudo_test found by LSAN.
++	[5f1d68d01c0c]
++
++2023-04-24  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* src/limits.c:
++	disable_coredump: only change the soft limit, leave the hard limit
++	as-is This should avoid problems on Linux in cases where sudo does
++	not have CAP_SYS_RESOURCE which may be the case in an unprivileged
++	container. GitHub issue #42
++	[4e65c3923119]
++
++2023-04-19  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* scripts/build_pkgs:
++	Add basic support for remote power on/off via net-snmp.
++	[ca021941fd58]
++
++	* src/exec.c:
++	More accurate description of what happens for "sudo -b".
++	[a9158169fcac]
++
++	* src/exec_pty.c:
++	Better support for "sudo -b" when running the command in a pty.
++
++	When a command is run via "sudo -b" it has no access to terminal
++	input. In non-pty mode, the command runs in an orphaned process
++	group and reads from the controlling terminal fail with EIO. We
++	cannot do the same while running in a pty but if we set stdin to a
++	half-closed pipe, reads from it will get EOF. That is close enough.
++	[a284611a18fd]
++
++2023-04-18  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* src/exec_nopty.c, src/exec_pty.c, src/selinux.c, src/sudo.h,
++	src/ttyname.c:
++	Avoid calling isatty()/ttyname() on std{in,out,err} if not a char
++	dev.
++
++	The user controls these fds so we should avoid calling ioctl(2) on
++	them unless they correspond to actual character device files.
++	[745430b563db]
++
++	* src/parse_args.c, src/sudo_usage.h.in:
++	Hard-code usage() and help() for an 80-column terminal.
++
++	Trying to tailor the help and usage output to the terminal width is
++	simply not worth it and could be abused to mark a socket as
++	"trusted" on Linux if there are additional kernel bugs like
++	CVE-2023-2002.
++	[d06fa6322ffb]
++
++	* config.h.in, configure, configure.ac, src/sudo.c,
++	src/sudo_usage.h.in:
++	Move CONFIGURE_ARGS from sudo_usage.h.in to config.h.in.
++	[e3149b6f4392]
++
++2023-04-17  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* lib/util/ttysize.c, src/sudo.c:
++	get_user_info: call sudo_get_ttysize() even if no /dev/tty We still
++	want to initialize rows and cols based on the environment if
++	possible.
++	[4f3801c2f264]
++
++2023-04-16  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* src/parse_args.c:
++	Get the tty size using stdout, not stderr, when printing help
++	output. While usage() prints to stderr, help() prints to stdout.
++	[0bdf411ebc7f]
++
++	* src/sudo.c:
++	get_user_info: pass sudo_get_ttysize() the fd of /dev/tty, not
++	stderr. Both the plugin API and the main event loop expect
++	lines/cols to refer to the user's terminal, so using /dev/tty is
++	better here.
++	[2e7ba199f4c7]
++
++	* include/sudo_util.h, lib/util/ttysize.c, lib/util/util.exp.in,
++	plugins/sudoers/sudoreplay.c, src/parse_args.c, src/sudo.c:
++	Add an fd argument to sudo_get_ttysize() instead of always using
++	stderr.
++
++	For sudoreplay we open /dev/tty, so use that instead of stderr when
++	determining the terminal size.
++	[4afc292d3cf4]
++
++	* lib/util/ttysize.c:
++	Check whether stderr is a tty before trying TIOCGWINSZ.
++	[4a0d367e49c6]
++
++2023-04-14  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* configure, configure.ac:
++	Use -no-undefined on macOS to avoid "-undefined dynamic_lookup"
++	warnings.
++
++	Starting with macOS 13, the linker warns when "-undefined
++	dynamic_lookup" is used. This is added by libtool by default on
++	macOS but we can suppress it by passing -no-undefined to libtool.
++	[afeb9acd894c]
++
++2023-04-08  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* docker/debian/latest/Dockerfile, docker/debian/testing/Dockerfile,
++	docker/fedora/latest/Dockerfile, docker/fedora/rawhide/Dockerfile,
++	docker/ubuntu/devel/Dockerfile, docker/ubuntu/latest/Dockerfile,
++	docker/ubuntu/rolling/Dockerfile:
++	Add make to Dockerfile and sort packages.
++	[fa937cbf8a23]
++
++2023-04-06  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* docs/UPGRADE.md, docs/sudoers.man.in, docs/sudoers.mdoc.in,
++	plugins/sudoers/defaults.c:
++	Enable the use_pty option by default for sudo 1.9.14.
++
++	GitHub issue #258
++	[86a1a6da1878]
++
++2023-04-05  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/policy.c, plugins/sudoers/sudoers.c,
++	plugins/sudoers/sudoers.h:
++	Split up the monolithic sudoers_policy_main() function.
++
++	This splits the code to find the command, perform a sudoers lookup,
++	ask for a password as needed, and perform post-lokup checks out into
++	sudoers_check_common(). The old sudoers_policy_main() has been
++	replaced by sudoers_check_cmnd() (called by sudoers_policy_check()),
++	sudoers_validate_user() (called by sudoers_policy_validate()) and
++	sudoers_list() (called by sudoers_policy_list()). The list_user
++	lookup is now performed in sudoers_list().
++	[59e0b245c776]
++
++	* plugins/sudoers/sudoers.c:
++	Move the root_sudo check until after we apply per-command Defaults.
++
++	It is possible, though unlikely, for "root_sudo" to be used in a
++	per-command Defaults statement.
++	[ca1903576e0d]
++
++2023-04-01  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/sudoers.c:
++	sudoers_policy_main: restore locale if sudoers_lookup() fails.
++
++	Previously, if sudoers_lookup() set VALIDATE_ERROR, the sudoers
++	locale would still be in effect instead of the original locale.
++	[24df4eebbfc8]
++
++	* plugins/sudoers/parse.c:
++	sudoers_lookup_pseudo: remove validated function argument
++
++	This was always set to FLAG_NO_USER|FLAG_NO_HOST which are cleared
++	at the top of the fuction. Make validated a local variables,
++	initialized to 0, instead. No change in behavior.
++	[72e6207850fc]
++
++2023-03-31  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/audit.c, plugins/sudoers/iolog.c:
++	The I/O log file name is not just the basename of the full
++	iolog_path. The audit plugin already has the correct value for
++	iolog_file, don't overwrite it with basename(iolog_path). In the
++	future we may wish to pass in iolog_file and iolog_dir in addition
++	to iolog_path. Fixes Bug #1046.
++	[f272de885273]
++
++2023-03-29  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/sudoers.c:
++	Warn with "unknown user" not "unknown uid" if user cannot be
++	resolved. Prior to sudo 1.8 this was after a getpwuid() but now we
++	use getpwnam().
++	[9a523881df41]
++
++	* plugins/sudoers/sudoers.c:
++	Set timestamp_uid and timestamp_gid via a callback. This also makes
++	it possible to include the location of the line in the sudoers file
++	in the warning message (and mail).
++	[5588cf3cb55b]
++
++2023-03-28  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in:
++	Fix display of escape sequencees in ldapsearch example.
++	[08dc98162160]
++
++	* docs/sudoers.man.in, docs/sudoers.mdoc.in:
++	White space is not allowed between Defaults and '@', ':', '!', '>'.
++	The EBNF made it appear that this is allowed when it really is not.
++	[74bba755afaf]
++
++2023-03-27  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* src/edit_open.c, src/exec.c, src/exec_intercept.c,
++	src/exec_intercept.h, src/exec_monitor.c, src/exec_nopty.c,
++	src/exec_pty.c, src/sudo.c, src/sudo.h, src/sudo_edit.c,
++	src/sudo_edit.h, src/sudo_exec.h, src/tgetpass.c:
++	Make struct {command,user}_details pointers const where possible.
++	[dcfa95a24789]
++
++	* src/sudo.c, src/sudo.h, src/sudo_edit.c, src/tgetpass.c:
++	Make user_details private to main.
++	[43477263455b]
++
++	* src/exec.c, src/exec_nopty.c, src/exec_pty.c, src/parse_args.c,
++	src/sudo.c, src/sudo.h, src/sudo_edit.c, src/sudo_exec.h,
++	src/tgetpass.c:
++	Make user_details private to sudo.c.
++	[fec5df7605dc]
++
++	* configure, scripts/config.sub:
++	Regenerate with the autoconf 2.72c snapshot.
++	[6dda0f9323b1]
++
++2023-03-25  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* src/parse_args.c:
++	Use sudo_get_ttysize() in help() and usage(). This eliminates a
++	dependency on the user_details global.
++	[ecbc8afc1630]
++
++	* src/exec.c, src/sudo.c, src/sudo.h:
++	Store submitcwd (from user_details) in struct command_details. This
++	eliminates use of the user_details global from exec_setup().
++	[ed37b2a451f8]
++
++2023-03-24  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* src/utmp.c:
++	utmp_fill: user is now always non-NULL, no need for user_details.
++	[76bdecaaad07]
++
++	* src/parse_args.c, src/sudo.c, src/sudo.h:
++	Remove list_user global.
++	[fd397db04688]
++
++	* src/conversation.c:
++	No need to declare tgetpass_flags, it is already in sudo.h.
++	[c7e1b8ef75c8]
++
++	* src/sudo.c:
++	No need for sudo_mode to be global anymore.
++	[f746eba12bd9]
++
++	* src/sudo.c:
++	Make command_details private to main().
++	[311fd705cce4]
++
++	* src/exec_iolog.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h:
++	Make iobufs private to exec_iolog.c.
++	[80861a209ddd]
++
++	* src/sudo_exec.h:
++	Remove ttymode and its associated values.
++	[efb4e04097ab]
++
++	* src/exec.c, src/exec_pty.c, src/get_pty.c, src/sudo.h,
++	src/sudo_exec.h:
++	Move ptyname to struct exec_closure
++	[d4080a4262bd]
++
++	* src/exec_monitor.c, src/exec_pty.c, src/sudo_exec.h:
++	Move pty_make_controlling() to exec_monitor.c where it is called. We
++	can use details->tty to access the pty follower path.
++	[9875f0b136f4]
++
++	* src/exec_pty.c, src/sudo.c:
++	Eliminate utmp_user global, just use the value in struct command
++	details.
++	[95b28adcb0f3]
++
++	* src/exec_iolog.c, src/exec_nopty.c, src/exec_pty.c, src/sudo_exec.h:
++	Replace tty_mode global with term_raw flag in struct exec_closure.
++
++	The pty_cleanup hook needs access to the closure so add
++	pty_cleanup_init() to store a pointer to the closure for use by
++	pty_cleanup_hook().
++	[cc01f0da46d9]
++
++	* src/exec_monitor.c, src/exec_pty.c, src/sudo_exec.h:
++	Register pty cleanup function in exec_pty(), not exec_cmnd_pty(). We
++	want it to execute in the main sudo process, not the monitor.
++	[279e370adc01]
++
++	* src/exec_iolog.c:
++	Make ttyblock private to exec_iolog.c
++	[61243eba350d]
++
++2023-03-23  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* src/exec_pty.c, src/sudo_exec.h:
++	exec_pty.c: move foreground flag to struct exec_closure. Also make
++	pipeline flag private to exec_pty() and remove the unneeded
++	check_foreground() prototype.
++	[dd25f1d91008]
++
++	* src/exec_pty.c:
++	On resume, always sync the pty terminal settings with /dev/tty.
++
++	Changes made to the terminal settings while the command is suspended
++	are now reflected in the pty when the command is resumed. This is
++	more consistent with the non-pty behavior and allows for the removal
++	of the "tty_initialized" global. One downside to this change is that
++	if a terminal-based program using the pty is stopped with SIGSTOP it
++	may have the wrong terminal settings on resume. However, this is no
++	different from the non-pty case.
++	[3e59765dea31]
++
++	* lib/util/suspend_parent.c, lib/util/term.c:
++	Correct a comment.
++	[393a4d472507]
++
++2023-03-22  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* .github/FUNDING.yml:
++	GitHub sponsor settings.
++	[7bd778b9adef]
++
++	* config.h.in, configure, configure.ac:
++	Use built-in tests for bit types instead of using AC_CHECK_TYPES.
++	This should be more portable as it handles the quirks of some older
++	systems.
++	[7e471f2a914d]
++
++	* plugins/sudoers/visudo.c, src/regress/intercept/test_ptrace.c:
++	Quiet compiler warnings on systems where pid_t is not an int.
++	Historically, pid_t was a long on some 32-bit systems like Solaris.
++	[c31393da893d]
++
++	* plugins/sudoers/visudo.c:
++	Silence "used uninitialized" false positives with older gcc
++	versions.
++	[40f0ee142249]
++
++	* src/exec_pty.c:
++	exec_pty: always copy the terminal settings from /dev/tty the pty.
++	Previously, we only did this when running in the foreground but this
++	can cause problems when running a program that reads the terminal
++	settings or window size in the background. If sudo is running in the
++	background, the terminal settings will be updated if it transitions
++	to the foreground process. Based on a suggestion from From Duncan
++	Overbruck.
++	[51a70eadc7fc]
++
++	* src/exec_pty.c:
++	check_foreground: use SFD_LEADER not SFD_FOLLOWER (which was
++	closed). Also use SFD_LEADER for sudo_term_copy() in exec_pty() for
++	consistency. From Duncan Overbruck.
++	[172962b90aa6]
++
++	* src/exec_pty.c:
++	suspend_sudo_pty: fix cut & pasto in last commit to catch SIGCONT.
++	Also set sa.sa_handler to SIG_DFL instead of SIG_IGN. There is no
++	difference for SIGCONT but it means we can re-use sa as-is later.
++	[e07725c8c939]
++
++2023-03-21  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* src/exec_pty.c:
++	Catch SIGCONT and restore terminal settings on resume from SIGSTOP.
++	While we cannot catch SIGSTOP, we _can_ catch SIGCONT and set
++	/dev/tty to raw mode when running in the foreground. Ignore SIGCONT
++	in suspend_sudo_pty() so we don't call resume_terminal() twice.
++	[b5b2d739e44d]
++
++	* src/exec_monitor.c, src/exec_pty.c:
++	Only convert a signal number to a name if we are going to use it. It
++	is mostly used for debug logging.
++	[225c3630ffff]
++
++	* src/exec_monitor.c, src/exec_pty.c, src/sudo.h:
++	Move updating of the window size back to the main sudo process. We
++	can use the leader file descriptor with TIOCGWINSZ to set the window
++	size of the pty. Thanks to Duncan Overbruck for the hint.
++	[6e3f7622038a]
++
++	* plugins/sudoers/visudo.c:
++	visudo: restore controlling terminal after running the editor.
++	Otherwise, visudo will get SIGTTOU if it tries to write to the
++	terminal after the editor finishes. Also avoid races by setting the
++	process group ID in both the parent and child, and grant the
++	controlling terminal in the parent, not the child.
++	[c0f339a84be8]
++
++2023-03-20  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* docs/visudo.man.in, docs/visudo.mdoc.in, plugins/sudoers/gram.c,
++	plugins/sudoers/gram.y, plugins/sudoers/sudoers.h,
++	plugins/sudoers/toke.c, plugins/sudoers/toke.h,
++	plugins/sudoers/toke.l:
++	Warn about ignored files in sudoers.d in visudo.
++	[61f8def2d666]
++
++	* plugins/sudoers/cvtsudoers.c, plugins/sudoers/gram.c,
++	plugins/sudoers/gram.y, plugins/sudoers/parse.h,
++	plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
++	plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h,
++	plugins/sudoers/testsudoers.c, plugins/sudoers/toke.c,
++	plugins/sudoers/toke.l, plugins/sudoers/visudo.c:
++	Replace sudoers_warnings with sudoers_verbose. This is now an int,
++	with values > 1 reserved for visudo.
++	[d1d7b559b904]
++
++	* plugins/sudoers/gram.c, plugins/sudoers/gram.y,
++	plugins/sudoers/toke.c, plugins/sudoers/toke.h,
++	plugins/sudoers/toke.l:
++	Split push_include() into push_include() and push_includedir(). This
++	moves the "isdir" function argument to the internal version.
++	[d454beb6eebf]
++
++2023-03-17  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/file.c, plugins/sudoers/ldap.c,
++	plugins/sudoers/regress/fuzz/fuzz_policy.c,
++	plugins/sudoers/regress/fuzz/fuzz_stubs.c,
++	plugins/sudoers/regress/fuzz/fuzz_sudoers.c, plugins/sudoers/sssd.c,
++	plugins/sudoers/sudo_nss.c, plugins/sudoers/sudo_nss.h:
++	Pass around const struct sudo_nss pointers where possible.
++	[d13437078d19]
++
++	* plugins/sudoers/alias.c, plugins/sudoers/cvtsudoers.c,
++	plugins/sudoers/cvtsudoers.h, plugins/sudoers/cvtsudoers_csv.c,
++	plugins/sudoers/cvtsudoers_json.c,
++	plugins/sudoers/cvtsudoers_ldif.c, plugins/sudoers/defaults.c,
++	plugins/sudoers/defaults.h, plugins/sudoers/fmtsudoers.c,
++	plugins/sudoers/fmtsudoers_cvt.c, plugins/sudoers/match.c,
++	plugins/sudoers/parse.h:
++	Pass around const struct sudoers_parse_tree pointers where possible.
++	[1aa8b9069b39]
++
++	* plugins/sudoers/sudo_ldap.h, plugins/sudoers/sudo_ldap_conf.h:
++	Move non-config-related macros to from sudo_ldap_conf.h to
++	sudo_ldap.h.
++	[16e67a765a30]
++
++2023-03-16  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* MANIFEST, config.h.in, configure, configure.ac,
++	include/sudo_compat.h, lib/util/Makefile.in, lib/util/getcwd.c,
++	scripts/mkdep.pl:
++	Remove portable getcwd.c, nothing uses it anymore. Any operating
++	system supported by sudo already includes getcwd(3).
++	[8f0584066f6f]
++
++	* src/Makefile.in:
++	Use LIBPROTOBUF_C and LIBUTIL variables and use them.
++	[062142fa5ae8]
++
++2023-03-15  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* include/sudo_util.h:
++	Remove now-unused sudo_timeval* macros.
++	[3448dce21b9c]
++
++	* lib/util/nanosleep.c:
++	nanosleep: clear remainder on successful completion Also switch to
++	doing everything in terms of struct timespec except for the actual
++	select(2) call.
++	[d67451eb618e]
++
++	* lib/eventlog/Makefile.in, lib/iolog/Makefile.in:
++	Add lib dependencies for fuzzer and test targets.
++	[60605bcc3905]
++
++	* lib/eventlog/eventlog_free.c:
++	eventlog_free: free peeraddr
++	[42670e45e57f]
++
++	* plugins/sudoers/ldap_innetgr.c:
++	sudo_ldap_netgroup_match_str: "-" in a netgroup can never match. We
++	already check for a NULL value above so "str == NULL" is always
++	false. Found by PVS-Studio.
++	[c9cfdd013e92]
++
++2023-03-14  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* lib/iolog/Makefile.in:
++	Fix static compilation.
++	[5a18337c03d3]
++
++	* MANIFEST:
++	Replace eventlog_json.h with parse_json.h.
++	[cc68fe24ee0d]
++
++	* lib/eventlog/eventlog_free.c, lib/eventlog/parse_json.c:
++	Add support for parsing all fields of struct eventlog.
++	[3828e55bdaff]
++
++2023-03-13  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* MANIFEST, lib/eventlog/Makefile.in,
++	lib/eventlog/regress/eventlog_store/store_json_test.c,
++	lib/eventlog/regress/eventlog_store/store_sudo_test.c,
++	lib/eventlog/regress/eventlog_store/test1.json.in,
++	lib/eventlog/regress/eventlog_store/test1.json.out.ok,
++	lib/eventlog/regress/eventlog_store/test1.sudo.out.ok,
++	lib/eventlog/regress/eventlog_store/test2.json.in,
++	lib/eventlog/regress/eventlog_store/test2.json.out.ok,
++	lib/eventlog/regress/eventlog_store/test2.sudo.out.ok,
++	lib/eventlog/regress/eventlog_store/test3.json.in,
++	lib/eventlog/regress/eventlog_store/test3.json.out.ok,
++	lib/eventlog/regress/eventlog_store/test3.sudo.out.ok,
++	lib/eventlog/regress/eventlog_store/test4.json.in,
++	lib/eventlog/regress/eventlog_store/test4.json.out.ok,
++	lib/eventlog/regress/eventlog_store/test4.sudo.out.ok,
++	lib/eventlog/regress/parse_json/check_parse_json.c:
++	Add tests for JSON and sudo-style log output.
++	[3a923f86fff2]
++
++	* plugins/sudoers/match.c:
++	Declare domain even if the system lacks innetgr(). Fixes a build
++	error on musl-based systems like Alpine.
++	[34cfa5ad4cdc]
++
++	* lib/eventlog/Makefile.in:
++	Add missing definition of $(SED).
++	[9a614b90c852]
++
++	* MANIFEST, include/sudo_eventlog.h, lib/eventlog/Makefile.in,
++	lib/eventlog/parse_json.c, lib/eventlog/parse_json.h,
++	lib/eventlog/regress/parse_json/check_parse_json.c,
++	lib/eventlog/regress/parse_json/test1.in,
++	lib/eventlog/regress/parse_json/test2.in,
++	lib/eventlog/regress/parse_json/test2.out.ok,
++	lib/eventlog/regress/parse_json/test3.in,
++	lib/eventlog/regress/parse_json/test3.out.ok, lib/iolog/Makefile.in,
++	lib/iolog/iolog_json.c, lib/iolog/iolog_json.h,
++	lib/iolog/regress/fuzz/fuzz_iolog_json.c,
++	lib/iolog/regress/iolog_json/check_iolog_json.c,
++	lib/iolog/regress/iolog_json/test1.in,
++	lib/iolog/regress/iolog_json/test2.in,
++	lib/iolog/regress/iolog_json/test2.out.ok,
++	lib/iolog/regress/iolog_json/test3.in,
++	lib/iolog/regress/iolog_json/test3.out.ok:
++	Move JSON log parsing from libsudo_iolog.la to libsudo_eventlog.la
++	It will be used in the upcoming log output tests.
++	[1a8dd741b666]
++
++	* lib/eventlog/eventlog.c:
++	Add missing " ; " separator between environment variables and
++	command. This is a regression introduced in sudo 1.9.13. GitHub
++	issue #254.
++	[a3c09b724b7a]
++
++2023-03-12  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in:
++	Add example to verify support for searching by nisNetgroupTriple.
++	[090ffa785e56]
++
++2023-03-11  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/gc.c:
++	Remove unused sudoers_gc_init() function.
++	[b2ee61f8f11d]
++
++2023-03-10  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* docs/sudoers.ldap.man.in, docs/sudoers.ldap.mdoc.in:
++	Sudo now does its own netgroup lookups if NETGROUP_BASE is set.
++	Previously, it only performed netgroup queries to determine the list
++	of netgroups a user was a member of.
++	[932613f6868a]
++
++	* plugins/sudoers/regress/fuzz/fuzz_policy.c,
++	plugins/sudoers/sudoers.c:
++	sudoers_cleanup: free cached environment before running g/c. Avoids
++	a double free in fuzz_policy.
++	[e616d4a038b6]
++
++	* plugins/sudoers/policy.c, plugins/sudoers/sudoers.c:
++	sudoers_cleanup: run the garbage collector at the end
++	[cbc28a012f8b]
++
++	* plugins/sudoers/sudoers.c:
++	Plugin a memory leak in intercept mode.
++	[f63fb51ff972]
++
++	* src/exec_intercept.c:
++	Sync non-intercept version of intercept_cleanup() declaration.
++	[712ff6c2f6bd]
++
++	* plugins/sudoers/ldap_innetgr.c:
++	Plug memory leak if ldap_get_option() fails with LDAP_NO_MEMORY.
++	[0be36e3e9473]
++
++	* src/exec.c, src/exec_intercept.c, src/sudo_exec.h:
++	Plug a memory leak with ptrace-based intercept.
++	[3b411be9fe37]
++
++	* src/exec_intercept.c:
++	Plug memory leak when log_subcmds is enabled.
++	[1d5b21665ced]
++
++	* lib/util/suspend_parent.c:
++	Pass closure to callback, not the callback pointer itself.
++	[a4e433840f16]
++
++	* MANIFEST, configure, m4/ldap.m4, plugins/sudoers/Makefile.in,
++	plugins/sudoers/ldap.c, plugins/sudoers/ldap_innetgr.c,
++	plugins/sudoers/sudo_ldap.h, scripts/mkdep.pl:
++	Add LDAP-specific innetgr() implementation. Wheh netgroup_base is
++	set we now do out own netgroup lookups using LDAP. Previously, LDAP
++	was queried directly to get a list of the netgroups the user belongs
++	to but other netgroups queries went through innetgr(3). This makes
++	it possible to use netgroups in LDAP sudoers on systems that don't
++	have an innetgr() function. GitHub issue #251.
++	[aa7304a533e0]
++
++	* plugins/sudoers/ldap.c, plugins/sudoers/ldap_conf.c,
++	plugins/sudoers/ldap_util.c, plugins/sudoers/sudo_ldap.h:
++	Move some functions from ldap.c to ldap_util.c. These will be used
++	by the LDAP innetgr() implementation.
++	[70fd74041c5d]
++
++2023-03-08  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* lib/zlib/Makefile.in:
++	fix typo in uninstall target
++	[e3c1b8427d01]
++
++	* Merge pull request #252 from bin-ly/main
++
++	fix typo in uninstall target
++	[4a1d3542345c]
++
++2023-03-09  bin-ly  <binlingyu@uniontech.com>
++
++	* lib/util/Makefile.in:
++	fix command error for lib/util/Makefile.in
++	[7dd4e9e6d976]
++
++2023-03-08  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/cvtsudoers.c, plugins/sudoers/file.c,
++	plugins/sudoers/gram.c, plugins/sudoers/gram.y,
++	plugins/sudoers/ldap.c, plugins/sudoers/match.c,
++	plugins/sudoers/parse.h,
++	plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
++	plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c,
++	plugins/sudoers/sssd.c, plugins/sudoers/sudo_nss.h:
++	Add per-source innetgr function pointer and use it in
++	netgr_matches(). This will be used to implement LDAP-specific
++	netgroup lookups when netgroup_base is set in ldap.conf.
++	[f7c89d6e8d6b]
++
++2023-03-07  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* MANIFEST, lib/util/Makefile.in,
++	lib/util/regress/digest/digest_test.c:
++	Add tests for SHA2 digest support. This uses the NIST byte-oriented
++	short message test vectors.
++	[06e01abf7943]
++
 -03-04  Todd C. Miller  <Todd.Miller@sudo.ws>
  	* .hgtags:
  	Added tag SUDO_1_9_13p3 for changeset 0bdd0b8469e3
--	[fc4e872d6d89] [tip] <1.9>
++	[fc4e872d6d89] <1.9>
  	* NEWS, configure, configure.ac:
  	Sudo 1.9.13p3
  	[0bdd0b8469e3] [SUDO_1_9_13p3] <1.9>
++	* NEWS, configure, configure.ac:
++	Sudo 1.9.13p3
++	[0c4b7112dde9]
++
 -03-03  Todd C. Miller  <Todd.Miller@sudo.ws>
  	* plugins/sudoers/match.c, plugins/sudoers/parse.c,
@@ -16,6 +1395,12 @@
  	with "sudo ALL" for root _is_ allowed to list any user.
  	[a3f7301ba4d3] <1.9>
++	* plugins/sudoers/match.c, plugins/sudoers/parse.c,
++	plugins/sudoers/parse.h:
++	A user with "list" privs for root may not list all users. A user
++	with "sudo ALL" for root _is_ allowed to list any user.
++	[fe758ae9d0bb]
++
  	* plugins/sudoers/policy.c:
  	sudoers_policy_list: do not set runas_pw to list_pw when listing
  	This change introduced in sudo 1.9.13 is not actually needed. The
@@ -23,6 +1408,13 @@
  	which does not use runas_pw. GitHub issue #248
  	[84effa5ffaa1] <1.9>
++	* plugins/sudoers/policy.c:
++	sudoers_policy_list: do not set runas_pw to list_pw when listing
++	This change introduced in sudo 1.9.13 is not actually needed. The
++	"list" pseudo-command checks are performed via runas_matches_pw()
++	which does not use runas_pw. GitHub issue #248
++	[94c1f6d9bc6d]
++
  	* plugins/sudoers/logging.c, plugins/sudoers/parse.c,
  	plugins/sudoers/sudoers.c:
  	Fix "sudo -l command args", broken in sudo 1.9.13. The value of
@@ -31,8 +1423,24 @@
  	restores the pre-1.9.13 behavior. GitHub issue #249
  	[3e1225e7bf33] <1.9>
++	* plugins/sudoers/logging.c, plugins/sudoers/parse.c,
++	plugins/sudoers/sudoers.c:
++	Fix "sudo -l command args", broken in sudo 1.9.13. The value of
++	user_args should not contain the command to be run in "sudo -l
++	command args", only the arguments of the command being checked. This
++	restores the pre-1.9.13 behavior. GitHub issue #249
++	[2773b6d91cf1]
++
 -03-01  Todd C. Miller  <Todd.Miller@sudo.ws>
++	* logsrvd/logsrv_util.c, logsrvd/logsrvd.c, logsrvd/logsrvd_journal.c,
++	logsrvd/sendlog.c, plugins/sudoers/log_client.c:
++	Check for sudo_pow2_roundup() overflow. Calling
++	sudo_pow2_roundup(INT_MAX+2) will return since there is no power of
++	2 larger than INT_MAX+1 that fits in an unsigned int. This is not an
++	issue in practice since we restrict messages to 2Mib.
++	[d76de48704d0]
++
  	* src/exec_nopty.c, src/exec_pty.c:
  	write_callback: only enable /dev/tty reader if the command is
  	running This fixes a hang when there is /dev/tty data in a buffer to
@@ -42,6 +1450,15 @@
  	reproduce it.
  	[b7ea5b5e6a88] <1.9>
++	* src/exec_nopty.c, src/exec_pty.c:
++	write_callback: only enable /dev/tty reader if the command is
++	running This fixes a hang when there is /dev/tty data in a buffer to
++	be flushed by the final call to del_io_events(). We do not want to
++	re-enable the reader when flushing the buffers as part of
++	pty_finish(). See PR #247 for analysis of the problem and how to
++	reproduce it.
++	[2cf041ccbd98]
++
 -02-28  Todd C. Miller  <Todd.Miller@sudo.ws>
  	* plugins/sudoers/regress/testsudoers/test12.out.ok,
@@ -49,10 +1466,19 @@
  	Test non-fully qualified path name.
  	[0a9e6e83fe15] <1.9>
++	* plugins/sudoers/regress/testsudoers/test12.out.ok,
++	plugins/sudoers/regress/testsudoers/test12.sh:
++	Test non-fully qualified path name.
++	[b653458b1758]
++
  	* plugins/sudoers/Makefile.in:
  	Fix removal of y.tab.[ch] when generating gram.[ch].
  	[f69c86ecae66] <1.9>
++	* plugins/sudoers/Makefile.in:
++	Fix removal of y.tab.[ch] when generating gram.[ch].
++	[9c5f5be26ad0]
++
  	* MANIFEST, plugins/sudoers/regress/sudoers/test30.in,
  	plugins/sudoers/regress/sudoers/test30.json.ok,
  	plugins/sudoers/regress/sudoers/test30.ldif.ok,
@@ -63,6 +1489,16 @@
  	Add test for using "list" as user, runas and host.
  	[ae2c84c73371] <1.9>
++	* MANIFEST, plugins/sudoers/regress/sudoers/test30.in,
++	plugins/sudoers/regress/sudoers/test30.json.ok,
++	plugins/sudoers/regress/sudoers/test30.ldif.ok,
++	plugins/sudoers/regress/sudoers/test30.ldif2sudo.ok,
++	plugins/sudoers/regress/sudoers/test30.out.ok,
++	plugins/sudoers/regress/sudoers/test30.sudo.ok,
++	plugins/sudoers/regress/sudoers/test30.toke.ok:
++	Add test for using "list" as user, runas and host.
++	[712c96af942d]
++
  	* plugins/sudoers/gram.c, plugins/sudoers/gram.y,
  	plugins/sudoers/toke.c, plugins/sudoers/toke.l:
  	Move handling of the "list" pseudo-command from lexer to parser. The
@@ -71,12 +1507,29 @@
  	#246.
  	[efb3a4dea1da] <1.9>
++	* plugins/sudoers/gram.c, plugins/sudoers/gram.y,
++	plugins/sudoers/toke.c, plugins/sudoers/toke.l:
++	Move handling of the "list" pseudo-command from lexer to parser. The
++	special handling of "list" in the lexer meant it could not be used
++	as a user, group or host, which was unintentional. GitHub issue
++	#246.
++	[d36f1d686343]
++
 -02-27  Todd C. Miller  <Todd.Miller@sudo.ws>
  	* include/sudo_compat.h:
  	Make the check for HAVE_DECL_NSIG consistent with other decl checks.
  	[616c42c4adce] <1.9>
++	* include/sudo_compat.h:
++	Make the check for HAVE_DECL_NSIG consistent with other decl checks.
++	[4e6e627062af]
++
++	* plugins/sudoers/match_command.c:
++	Plug memory leak with multiple matching CHROOT= entries. Found by
++	oss-fuzz.
++	[a4982b468985]
++
 -02-25  Todd C. Miller  <Todd.Miller@sudo.ws>
  	* .hgtags:
@@ -87,24 +1540,117 @@
  	Sudo 1.9.13p2.
  	[2db7cee1cb77] [SUDO_1_9_13p2] <1.9>
++	* NEWS, configure, configure.ac:
++	Sudo 1.9.13p2.
++	[251788b2308b]
++
 -02-23  Todd C. Miller  <Todd.Miller@sudo.ws>
++	* plugins/sudoers/logging.c:
++	Include error string when formatting a SLOG_PARSE_ERROR message if
++	present.
++	[b4254bf84300]
++
  	* lib/util/lbuf.c:
  	Add missing include of errno.h.
  	[65ddd70d0c18] <1.9>
  	* lib/util/lbuf.c:
++	Add missing include of errno.h.
++	[669e4a4ab3ad]
++
++	* lib/util/lbuf.c:
  	sudo_lbuf_expand: check for overflow when rounding to the nearest
  	power of 2. Problem deteced by oss-fuzz using the fuzz_sudoers
  	fuzzer.
  	[9357396fdaa0] <1.9>
++	* lib/util/lbuf.c:
++	sudo_lbuf_expand: check for overflow when rounding to the nearest
++	power of 2. Problem deteced by oss-fuzz using the fuzz_sudoers
++	fuzzer.
++	[7d433e75c858]
++
  	* src/load_plugins.c:
  	Fix --enable-static-sudoers, broken in sudo 1.9.13.
  	sudo_qualify_plugin() should not try to fully-qualify the path to a
  	statically-compiled plugin. GitHub issue #245
  	[eca5f1f6555e] <1.9>
++	* src/load_plugins.c:
++	Fix --enable-static-sudoers, broken in sudo 1.9.13.
++	sudo_qualify_plugin() should not try to fully-qualify the path to a
++	statically-compiled plugin. GitHub issue #245
++	[f323e3f0a5c0]
++
++2023-02-22  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/logging.c, plugins/sudoers/logging.h,
++	plugins/sudoers/sudoers.c:
++	Add sudoers open errors to the list of parse errors sent via mail.
++	Previously there would be one email for the open failure and a
++	separate one describing the parse error. Now a single email message
++	contains everything.
++	[b81299ccdad8]
++
++	* plugins/sudoers/visudo.c:
++	visudo: quiet a compiler warning on Solaris 10. Also explicitly
++	close /dev/tty fd instead of relying on closefrom() in case the fd
++	ends up being a value 0-2.
++	[d839cc458245]
++
++	* Merge pull request #244 from ffontaine/main
++
++	configure.ac: fix openssl static build
++	[af40f67e9771]
++
++	* configure, configure.ac, lib/util/Makefile.in:
++	Replace LIBMD with LIBCRYPTO display crypto/tls libs in summary. We
++	can only have one of either -lmd, -lgcrypt or -lcrypto so there is
++	no need to have more than one variable.
++	[da65125af8c6]
++
++2023-02-22  Fabrice Fontaine  <fontaine.fabrice@gmail.com>
++
++	* m4/openssl.m4:
++	configure.ac: fix openssl static build
++
++	Do not use AX_APPEND_FLAG as it will break static builds by removing
++	duplicates such as -lz or -latomic which are needed by -lssl and
++	-lcrypto. This will fix the following build failure with sparc which
++	needs -latomic:
++
++	Checking for X509_STORE_CTX_get0_cert configure:21215:
++	/home/thomas/autobuild/instance-3/output-1/host/bin/sparc-buildroot-
++	linux-uclibc-gcc -o conftest -D_LARGEFILE_SOURCE
++	-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -g0 -static
++	-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
++	-DZLIB_CONST -static conftest.c
++	-L/home/thomas/autobuild/instance-3/output-1/host/bin/../sparc-
++	buildroot-linux-uclibc/sysroot/usr/lib -lssl -lz -pthread -latomic
++	-lcrypto >&5
++	/home/thomas/autobuild/instance-3/output-1/host/lib/gcc/sparc-
++	buildroot-linux-uclibc/10.4.0/../../../../sparc-buildroot-linux-
++	uclibc/bin/ld:
++	/home/thomas/autobuild/instance-3/output-1/host/bin/../sparc-
++	buildroot-linux-uclibc/sysroot/usr/lib/libcrypto.a(x509cset.o): in
++	function `X509_CRL_up_ref': x509cset.c:(.text+0x108): undefined
++	reference to `__atomic_fetch_add_4'
++
++	[...]
++
++	In file included from ./hostcheck.c:38:
++	../../include/sudo_compat.h:342:41: error: conflicting types for
++	'ASN1_STRING_data' 342 | # define ASN1_STRING_get0_data(x)
++	ASN1_STRING_data(x) | ^~~~~~~~~~~~~~~~
++
++	Fixes:
++	 - http://autobuild.buildroot.org/results/8be59dd94e4916f9457cb435104e3
++	6e62a28373b
++
++	Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
++	[487cfc17c742]
++
 -02-21  Todd C. Miller  <Todd.Miller@sudo.ws>
  	* MANIFEST, plugins/sudoers/match_command.c,
@@ -117,6 +1663,116 @@
  	the user_cmnd variable could be freed twice.
  	[2c1477233f48] <1.9>
++	* MANIFEST, plugins/sudoers/match_command.c,
++	plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
++	plugins/sudoers/regress/testsudoers/test20.out.ok,
++	plugins/sudoers/regress/testsudoers/test20.sh,
++	plugins/sudoers/testsudoers.c, plugins/sudoers/visudo.c:
++	Fix potential double free for rules that include a CHROOT= option.
++	If a rule with a CHROOT= option matches the user, host and runas,
++	the user_cmnd variable could be freed twice.
++	[a988ae0045a2]
++
++	* plugins/sudoers/visudo.c:
++	Check tcsetpgrp() return value.
++	[5d9bdb2fea15]
++
++	* MANIFEST, include/sudo_util.h, lib/util/Makefile.in,
++	lib/util/suspend_parent.c, lib/util/util.exp.in,
++	plugins/sudoers/visudo.c, src/Makefile.in, src/exec_iolog.c,
++	src/exec_nopty.c, src/regress/intercept/test_ptrace.c, src/sudo.h,
++	src/sudo_exec.h, src/suspend_nopty.c, src/tcsetpgrp_nobg.c:
++	Run the editor in its own process group. This fixes suspending the
++	editor on GNU Hurd which doesn't seem to have proper process group
++	signal handling.
++	[210e058101af]
++
++	* plugins/sudoers/Makefile.in,
++	plugins/sudoers/regress/fuzz/fuzz_stubs.c, plugins/sudoers/stubs.c,
++	plugins/sudoers/testsudoers.c:
++	Stub out pivot_root() and unpivot_root() for all but the sudoers
++	module.
++	[967f706e6bff]
++
++	* plugins/sudoers/match_command.c:
++	Fix build when SUDOERS_NAME_MATCH is defined.
++	[79e4613fbd85]
++
++	* MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/pivot.c,
++	plugins/sudoers/sudoers.h:
++	Add pivot_root() and unpivot_root() to switch the root dir and
++	restore it. This will be used to more accurately handling command
++	resolution and path matching when a new root directory is specified.
++	[77300a0e1537]
++
++	* plugins/sudoers/editor.c, plugins/sudoers/find_path.c,
++	plugins/sudoers/goodpath.c,
++	plugins/sudoers/regress/editor/check_editor.c,
++	plugins/sudoers/regress/fuzz/fuzz_policy.c,
++	plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
++	set_cmnd_path: apply runchroot if set when finding the command path
++	Previously we would prepend runchroot to the path we were checking
++	but that does not properly handle symbolic links.
++	[3fb7ca4631c0]
++
++	* plugins/sudoers/match_command.c, plugins/sudoers/match_digest.c,
++	plugins/sudoers/parse.h:
++	match_command: apply runchroot if set when matching the command
++	Previously we would prepend runchroot to the path we were checking
++	but that does not properly handle symbolic links.
++	[41dc8f445f78]
++
++	* MANIFEST, plugins/sudoers/Makefile.in, plugins/sudoers/canon_path.c,
++	plugins/sudoers/sudoers.c, plugins/sudoers/sudoers.h:
++	Add canon_path(), a realpath() wrapper that performs caching. This
++	also adds a new user_cmnd_dir variable that stores the canonicalized
++	parent directory of the command to be run.
++	[6065f5e76387]
++
++	* plugins/sudoers/match_command.c:
++	Match using canonicalized directories where possible.
++	[020d4ad53d07]
++
++	* src/exec_ptrace.c:
++	ptrace_intercept_execve: preserve old argv[0] after policy check. We
++	have to replace argv[0] with the pathname for the policy check but
++	want to restore it afterwards if the policy has not changed the
++	command's path name to avoid a mismatch later on.
++	[5dcd96a5c369]
++
++	* configure, configure.ac:
++	Move initial values into AC_SUBST() where possible.
++	[3db7feb16577]
++
++	* configure, configure.ac:
++	No need to AC_SUBST() standard autoconf variables.
++	[48ce145c9e40]
++
++2023-02-19  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* INSTALL.md:
++	Document --disable-largefile and --disable-year2038.
++	[424d17d1b83d]
++
++	* configure, configure.ac:
++	Fix indentation of intercept file in summary output.
++	[3cf0104bd2e5]
++
++	* plugins/sudoers/regress/starttime/check_starttime.c,
++	plugins/sudoers/starttime.c:
++	get_starttime: add support for GNU Hurd using the mach task_info
++	call. This is currently Hurd-specific but could be made Mach-generic
++	as long as the equivalent of pid2task() is available.
++	[a81de7fb1f83]
++
++2023-02-18  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* plugins/sudoers/regress/starttime/check_starttime.c:
++	Only test get_starttime() on platforms where we support it. Fixes a
++	test failure on systems where we have no way to determine a
++	process's start time.
++	[bf8dbe59b2c6]
++
 -02-16  Todd C. Miller  <Todd.Miller@sudo.ws>
  	* .hgtags:
@@ -238,6 +1894,15 @@
  	Regenerate .mo files.
  	[a7a708d8bf34]
++2023-02-12  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* MANIFEST, config.h.in, configure, configure.ac,
++	include/sudo_compat.h, lib/util/Makefile.in, lib/util/realpath.c,
++	scripts/mkdep.pl:
++	Add checks for realpath(3) and a version from NetBSD for those
++	without it.
++	[121fb2ed88de]
++
 -02-09  Todd C. Miller  <Todd.Miller@sudo.ws>
  	* plugins/sudoers/regress/fuzz/fuzz_sudoers.c:
@@ -267,6 +1932,14 @@
  	we only ever pass in a const string.
  	[700e72ca42c0]
++2023-02-08  Todd C. Miller  <Todd.Miller@sudo.ws>
++
++	* configure, configure.ac, m4/sudo.m4, pathnames.h.in,
++	plugins/sudoers/visudo.c:
++	Substitute for _PATH_SUDO* variables in pathnames.h. Previously
++	these were hard-coded with Makefile overrides.
++	[53c8be4b6af3]
++
 -02-05  Todd C. Miller  <Todd.Miller@sudo.ws>
  	* configure, configure.ac:
 diff --git a/INSTALL.md b/INSTALL.md
 index 34f60f6..1bb3ce3 100644
 --- a/INSTALL.md
 +++ b/INSTALL.md
@@ -10,16 +10,16 @@ about the `configure` script itself.
  ## System requirements
--To build sudo from the source distribution you need a POSIX-compliant
--operating system (any modern version of BSD, Linux, or Unix should work),
--an ANSI/ISO C compiler that supports the "long long" type, variadic
--macros (a C99 feature) as well as the ar, make, and ranlib utilities.
++To build sudo from the source distribution you will need a
++POSIX-compliant operating system (any modern version of BSD, Linux,
++or Unix should work), a C compiler that conforms to ISO C99 or
++higher, and the ar, make, and ranlib utilities.
  If you wish to modify the parser then you will need flex version
--2.5.2 or later and either bison or byacc (sudo comes with a
--pre-generated parser).  You'll also have to run configure with the
----with-devel option or pass DEVEL=1 to make.  You can get flex from
--https://github.com/westes/flex/.  You can get GNU bison from
++2.5.2 or later and either bison or byacc (sudo comes with a parser
++generated with GNU bison).  You'll also have to run configure with
++the --with-devel option or pass DEVEL=1 to make.  You can get flex
++from https://github.com/westes/flex/.  You can get GNU bison from
  https://ftp.gnu.org/pub/gnu/bison/ or any GNU mirror.
  Some systems will also require that development library packages be
@@ -110,7 +110,8 @@ Defaults are listed in brackets after the description.
          Install plugins and helper programs in DIR/sudo [PREFIX/libexec/sudo]
      --sysconfdir=DIR
--        Look for `sudo.conf` and `sudoers` files in DIR. [/etc]
++        Look for configuration files such as `sudo.conf` and `sudoers`
++        in DIR. [/etc]
      --includedir=DIR
          Install sudo_plugin.h include file in DIR [PREFIX/include]
@@ -226,9 +227,11 @@ Defaults are listed in brackets after the description.
          -fstack-clash-protection, -fcf-protection and linking with
          -zrelro, -znow, and -znoexecstack where supported.
--    --disable-ssp
--        Disable use of the -fstack-protector compiler option.
--        This does not affect the other hardening options.
++    --disable-largefile
++        Disable support for large (64-bit) files on 32-bit systems
++        where the maximum file size is normally 4GB.  By default,
++        configure will enable support for 64-bit file sizes if
++        supported by the operating system.
      --disable-leaks
          Avoid leaking memory even when we are headed for exit,
@@ -278,6 +281,10 @@ Defaults are listed in brackets after the description.
          instead.  This option may only be used in conjunction with
          the --enable-static-sudoers option.
++    --disable-ssp
++        Disable use of the -fstack-protector compiler option.
++        This does not affect the other hardening options.
++
      --enable-static-sudoers
          By default, the sudoers plugin is built and installed as a
          dynamic shared object.  When the --enable-static-sudoers
@@ -294,6 +301,11 @@ Defaults are listed in brackets after the description.
          use the /usr/lib/tmpfiles.d directory if the file
          /usr/lib/tmpfiles.d/systemd.conf exists.
++    --disable-year2038
++	Disable support for dates after January 2038.  By default,
++        configure will enable support for 64-bit time_t values if
++	supported by the operating system.
++
      --enable-zlib[=location]
          Enable the use of the zlib compress library when storing
          I/O log files.  If specified, location is the base directory
@@ -347,6 +359,15 @@ Defaults are listed in brackets after the description.
  ### Optional features:
++    --enable-adminconf=[DIR]
++        Search for configuration files in adminconfdir (PREFIX/etc
++        by default) in preference to configuration files in sysconfdir
++        (/etc by default).  This can be used on systems where
++        sysconfdir is located on a read-only filesystem.  When this
++        option is enabled, the visudo utility will store edited
++        sudoers files in adminconfdir if the original was located
++        in sysconfdir.
++
      --disable-root-mailer
          By default sudo will run the mailer as root when tattling
          on a user so as to prevent that user from killing the mailer.
 diff --git a/MANIFEST b/MANIFEST
 index 43a3dce..ac11597 100644
 --- a/MANIFEST
 +++ b/MANIFEST
@@ -116,9 +116,31 @@ lib/eventlog/eventlog.c
  lib/eventlog/eventlog_conf.c
  lib/eventlog/eventlog_free.c
  lib/eventlog/logwrap.c
++lib/eventlog/parse_json.c
++lib/eventlog/parse_json.h
++lib/eventlog/regress/eventlog_store/store_json_test.c
++lib/eventlog/regress/eventlog_store/store_sudo_test.c
++lib/eventlog/regress/eventlog_store/test1.json.in
++lib/eventlog/regress/eventlog_store/test1.json.out.ok
++lib/eventlog/regress/eventlog_store/test1.sudo.out.ok
++lib/eventlog/regress/eventlog_store/test2.json.in
++lib/eventlog/regress/eventlog_store/test2.json.out.ok
++lib/eventlog/regress/eventlog_store/test2.sudo.out.ok
++lib/eventlog/regress/eventlog_store/test3.json.in
++lib/eventlog/regress/eventlog_store/test3.json.out.ok
++lib/eventlog/regress/eventlog_store/test3.sudo.out.ok
++lib/eventlog/regress/eventlog_store/test4.json.in
++lib/eventlog/regress/eventlog_store/test4.json.out.ok
++lib/eventlog/regress/eventlog_store/test4.sudo.out.ok
  lib/eventlog/regress/logwrap/check_wrap.c
  lib/eventlog/regress/logwrap/check_wrap.in
  lib/eventlog/regress/logwrap/check_wrap.out.ok
++lib/eventlog/regress/parse_json/check_parse_json.c
++lib/eventlog/regress/parse_json/test1.in
++lib/eventlog/regress/parse_json/test2.in
++lib/eventlog/regress/parse_json/test2.out.ok
++lib/eventlog/regress/parse_json/test3.in
++lib/eventlog/regress/parse_json/test3.out.ok
  lib/fuzzstub/Makefile.in
  lib/fuzzstub/fuzzstub.c
  lib/iolog/Makefile.in
@@ -132,7 +154,6 @@ lib/iolog/iolog_filter.c
  lib/iolog/iolog_flush.c
  lib/iolog/iolog_gets.c
  lib/iolog/iolog_json.c
--lib/iolog/iolog_json.h
  lib/iolog/iolog_legacy.c
  lib/iolog/iolog_loginfo.c
  lib/iolog/iolog_mkdirs.c
@@ -197,12 +218,6 @@ lib/iolog/regress/iolog_filter/test3/timing
  lib/iolog/regress/iolog_filter/test3/ttyin
  lib/iolog/regress/iolog_filter/test3/ttyin.filtered
  lib/iolog/regress/iolog_filter/test3/ttyout
--lib/iolog/regress/iolog_json/check_iolog_json.c
--lib/iolog/regress/iolog_json/test1.in
--lib/iolog/regress/iolog_json/test2.in
--lib/iolog/regress/iolog_json/test2.out.ok
--lib/iolog/regress/iolog_json/test3.in
--lib/iolog/regress/iolog_json/test3.out.ok
  lib/iolog/regress/iolog_mkpath/check_iolog_mkpath.c
  lib/iolog/regress/iolog_path/check_iolog_path.c
  lib/iolog/regress/iolog_path/data
@@ -236,7 +251,6 @@ lib/util/fnmatch.c
  lib/util/freezero.c
  lib/util/fstatat.c
  lib/util/getaddrinfo.c
--lib/util/getcwd.c
  lib/util/getdelim.c
  lib/util/getentropy.c
  lib/util/getgrouplist.c
@@ -276,11 +290,13 @@ lib/util/pw_dup.c
  lib/util/pwrite.c
  lib/util/rcstr.c
  lib/util/reallocarray.c
++lib/util/realpath.c
  lib/util/regex.c
  lib/util/regress/closefrom/closefrom_test.c
  lib/util/regress/corpus/seed/sudo_conf/sudo.conf.1
  lib/util/regress/corpus/seed/sudo_conf/sudo.conf.2
  lib/util/regress/corpus/seed/sudo_conf/sudo.conf.3
++lib/util/regress/digest/digest_test.c
  lib/util/regress/fnmatch/fnm_test.c
  lib/util/regress/fnmatch/fnm_test.in
  lib/util/regress/fuzz/fuzz_sudo_conf.c
@@ -598,6 +614,7 @@ plugins/sudoers/b64_encode.c
  plugins/sudoers/boottime.c
  plugins/sudoers/bsm_audit.c
  plugins/sudoers/bsm_audit.h
++plugins/sudoers/canon_path.c
  plugins/sudoers/check.c
  plugins/sudoers/check.h
  plugins/sudoers/check_aliases.c
@@ -645,6 +662,7 @@ plugins/sudoers/iolog.c
  plugins/sudoers/iolog_path_escapes.c
  plugins/sudoers/ldap.c
  plugins/sudoers/ldap_conf.c
++plugins/sudoers/ldap_innetgr.c
  plugins/sudoers/ldap_util.c
  plugins/sudoers/linux_audit.c
  plugins/sudoers/linux_audit.h
@@ -661,6 +679,7 @@ plugins/sudoers/mkdefaults
  plugins/sudoers/parse.c
  plugins/sudoers/parse.h
  plugins/sudoers/parse_ldif.c
++plugins/sudoers/pivot.c
  plugins/sudoers/po/README
  plugins/sudoers/po/ast.mo
  plugins/sudoers/po/ast.po
@@ -1034,6 +1053,7 @@ plugins/sudoers/regress/sudoers/test9.ldif.ok
  plugins/sudoers/regress/sudoers/test9.out.ok
  plugins/sudoers/regress/sudoers/test9.toke.ok
  plugins/sudoers/regress/testsudoers/group
++plugins/sudoers/regress/testsudoers/passwd
  plugins/sudoers/regress/testsudoers/test1.out.ok
  plugins/sudoers/regress/testsudoers/test1.sh
  plugins/sudoers/regress/testsudoers/test10.out.ok
@@ -1061,6 +1081,12 @@ plugins/sudoers/regress/testsudoers/test2.out.ok
  plugins/sudoers/regress/testsudoers/test2.sh
  plugins/sudoers/regress/testsudoers/test20.out.ok
  plugins/sudoers/regress/testsudoers/test20.sh
++plugins/sudoers/regress/testsudoers/test21.out.ok
++plugins/sudoers/regress/testsudoers/test21.sh
++plugins/sudoers/regress/testsudoers/test22.out.ok
++plugins/sudoers/regress/testsudoers/test22.sh
++plugins/sudoers/regress/testsudoers/test23.out.ok
++plugins/sudoers/regress/testsudoers/test23.sh
  plugins/sudoers/regress/testsudoers/test3.out.ok
  plugins/sudoers/regress/testsudoers/test3.sh
  plugins/sudoers/regress/testsudoers/test4.out.ok
@@ -1275,8 +1301,7 @@ src/sudo_intercept_common.c
  src/sudo_noexec.c
  src/sudo_plugin_int.h
  src/sudo_usage.h.in
--src/suspend_nopty.c
--src/tcsetpgrp_nobg.c
++src/suspend_parent.c
  src/tgetpass.c
  src/ttyname.c
  src/utmp.c
 diff --git a/Makefile.in b/Makefile.in
 index 0b70609..af5317e 100644
 --- a/Makefile.in
 +++ b/Makefile.in
@@ -1,7 +1,7 @@
+ #
  # SPDX-License-Identifier: ISC
+ #
--# Copyright (c) 2010-2015, 2017-2022 Todd C. Miller <Todd.Miller@sudo.ws>
++# Copyright (c) 2010-2015, 2017-2023 Todd C. Miller <Todd.Miller@sudo.ws>
+ #
  # Permission to use, copy, modify, and distribute this software for any
  # purpose with or without fee is hereby granted, provided that the above
@@ -31,6 +31,7 @@ exec_prefix = @exec_prefix@
  bindir = @bindir@
  sbindir = @sbindir@
  sysconfdir = @sysconfdir@
++adminconfdir = @adminconfdir@
  libexecdir = @libexecdir@
  includedir = @includedir@
  datarootdir = @datarootdir@
 diff --git a/NEWS b/NEWS
 index bdf6cc4..1a51926 100644
 --- a/NEWS
 +++ b/NEWS
@@ -1,3 +1,119 @@
++What's new in Sudo 1.9.14p2
++
++ * Fixed a crash on Linux systems introduced in version 1.9.14 when
++   running a command with a NULL argv[0] if "log_subcmds" or
++   "intercept" is enabled in sudoers.
++
++ * Fixed a problem with "stair-stepped" output when piping or
++   redirecting the output of a sudo command that takes user input.
++
++ * Fixed a bug introduced in sudo 1.9.14 that affects matching
++   sudoers rules containing a Runas_Spec with an empty Runas user.
++   These rules should only match when sudo's -g option is used but
++   were matching even without the -g option.  GitHub issue #290.
++
++What's new in Sudo 1.9.14p1
++
++ * Fixed an invalid free bug in sudo_logsrvd that was introduced
++   in version 1.9.14 which could cause sudo_logsrvd to crash.
++
++ * The sudoers plugin no longer tries to send the terminal name
++   to the log server when no terminal is present.  This bug was
++   introduced in version 1.9.14.
++
++What's new in Sudo 1.9.14
++
++ * Fixed a bug where if the "intercept" or "log_subcmds" sudoers
++   option was enabled and a sub-command was run where the first
++   entry of the argument vector didn't match the command being run.
++   This resulted in commands like "sudo su -" being killed due to
++   the mismatch.  Bug #1050.
++
++ * The sudoers plugin now canonicalizes command path names before
++   matching (where possible).  This fixes a bug where sudo could
++   execute the wrong path if there are multiple symbolic links with
++   the same target and the same base name in sudoers that a user is
++   allowed to run.  GitHub issue #228.
++
++ * Improved command matching when a chroot is specified in sudoers.
++   The sudoers plugin will now change the root directory id needed
++   before performing command matching.  Previously, the root directory
++   was simply prepended to the path that was being processed.
++
++ * When NETGROUP_BASE is set in the ldap.conf file, sudo will now
++   perform its own netgroup lookups of the host name instead of
++   using the system innetgr(3) function.  This guarantees that user
++   and host netgroup lookups are performed using  the same LDAP
++   server (or servers).
++
++ * Fixed a bug introduced in sudo 1.9.13 that resulted in a missing
++   " ; " separator between environment variables and the command
++   in log entries.
++
++ * The visudo utility now displays a warning when it ignores a file
++   in an include dir such as /etc/sudoers.d.
++
++ * When running a command in a pseudo-terminal, sudo will initialize
++   the terminal settings even if it is the background process.
++   Previously, sudo only initialized the pseudo-terminal when running
++   in the foreground.  This fixes an issue where a program that
++   checks the window size would read the wrong value when sudo was
++   running in the background.
++
++ * Fixed a bug where only the first two digits of the TSID field
++   being was logged.  Bug #1046.
++
++ * The "log_pty" sudoers option is now enabled by default.  To
++   restore the historic behavior where a command is run in the
++   user's terminal, add "Defaults !use_pty" to the sudoers file.
++   GitHub issue #258.
++
++ * Sudo's "-b" option now works when the command is run in a
++   pseudo-terminal.
++
++ * When disabling core dumps, sudo now only modifies the soft limit
++   and leaves the hard limit as-is.  This avoids problems on Linux
++   when sudo does not have CAP_SYS_RESOURCE, which may be the case
++   when run inside a container.  GitHub issue #42.
++
++ * Sudo configuration file paths have been converted to colon-separated
++   lists of paths.  This makes it possible to have configuration
++   files on a read-only file system while still allowing for local
++   modifications in a different (writable) directory.  The new
++   --enable-adminconf configure option can be used to specify a
++   directory that is searched for configuration files in preference
++   to the sysconfdir (which is usually /etc).
++
++ * The "intercept_verify" sudoers option is now only applied when
++   the "intercept" option is set in sudoers.  Previously, it was
++   also applied when "log_subcmds" was enabled.
++
++ * The NETGROUP_QUERY ldap.conf parameter can now be disabled for
++   LDAP servers that do not support querying the nisNetgroup object
++   by its nisNetgroupTriple attribute, while still allowing sudo to
++   query the LDAP server directly to determine netgroup membership.
++
++ * Fixed a long-standing bug where a sudoers rule without an explicit
++   runas list allowed the user to run a command as root and any
++   group instead of just one of the groups that root is a member
++   of.  For example, a rule such as "myuser ALL = ALL" would permit
++   "sudo -u root -g othergroup" even if root did not belong to
++   "othergroup".
++
++ * Fixed a bug where a sudoers rule with an explicit runas list
++   allowed a user to run sudo commands as themselves.  For example,
++   a rule such as "myuser ALL = (root) ALL", "myuser" should only
++   allow commands to be run as root (optionally using one of root's
++   groups).  However, the rule also allowed the user to run
++   "sudo -u myuser -g myuser command".
++
++ * Fixed a bug that prevented the user from specifying a group on
++   the command line via "sudo -g" if the rule's Runas_Spec contained
++   a Runas_Alias.
++
++ * Sudo now requires a C compiler that conforms to ISO C99 or higher
++   to build.
++
  What's new in Sudo 1.9.13p3
   * Fixed a bug introduced in sudo 1.9.13 that caused a syntax error
 diff --git a/config.h.in b/config.h.in
 index 8ed7fb2..9366f31 100644
 --- a/config.h.in
 +++ b/config.h.in
@@ -3,6 +3,9 @@
  #ifndef SUDO_CONFIG_H
  #define SUDO_CONFIG_H
++/* Configure script arguments used to build sudo. */
++#undef CONFIGURE_ARGS
++
  /* Define to 1 if you want the insults from the "classic" version sudo. */
  #undef CLASSIC_INSULTS
@@ -35,8 +38,8 @@
  /* Define to 1 if you want to require fully qualified hosts in sudoers. */
  #undef FQDN
--/* Define to the type of elements in the array set by 'getgroups'. Usually
--   this is either 'int' or 'gid_t'. */
++/* Define to the type of elements in the array argument to 'getgroups'.
++   Usually this is either 'int' or 'gid_t'. */
  #undef GETGROUPS_T
  /* Define to 1 if you want insults from the "Goon Show". */
@@ -207,6 +210,10 @@
     don't. */
  #undef HAVE_DECL_SSIZE_MAX
++/* Define to 1 if you have the declaration of 'SYMLOOP_MAX', and to 0 if you
++   don't. */
++#undef HAVE_DECL_SYMLOOP_MAX
++
  /* Define to 1 if you have the declaration of 'sys_sigabbrev', and to 0 if you
     don't. */
  #undef HAVE_DECL_SYS_SIGABBREV
@@ -243,6 +250,10 @@
     you don't. */
  #undef HAVE_DECL__POSIX_PATH_MAX
++/* Define to 1 if you have the declaration of '_POSIX_SYMLOOP_MAX', and to 0
++   if you don't. */
++#undef HAVE_DECL__POSIX_SYMLOOP_MAX
++
  /* Define to 1 if you have the declaration of '_sys_siglist', and to 0 if you
     don't. */
  #undef HAVE_DECL__SYS_SIGLIST
@@ -462,18 +473,6 @@
  /* Define to 1 if you have the 'innetgr' function. */
  #undef HAVE_INNETGR
--/* Define to 1 if the system has the type 'int16_t'. */
--#undef HAVE_INT16_T
--
--/* Define to 1 if the system has the type 'int32_t'. */
--#undef HAVE_INT32_T
--
--/* Define to 1 if the system has the type 'int64_t'. */
--#undef HAVE_INT64_T
--
--/* Define to 1 if the system has the type 'int8_t'. */
--#undef HAVE_INT8_T
--
  /* Define to 1 if the system has the type 'intmax_t'. */
  #undef HAVE_INTMAX_T
@@ -602,6 +601,9 @@
  /* Define to 1 if you have the <login_cap.h> header file. */
  #undef HAVE_LOGIN_CAP_H
++/* Define to 1 if the system has the type 'long long int'. */
++#undef HAVE_LONG_LONG_INT
++
  /* Define to 1 if you have the <machine/endian.h> header file. */
  #undef HAVE_MACHINE_ENDIAN_H
@@ -758,6 +760,9 @@
  /* Define to 1 if you have the 'reallocarray' function. */
  #undef HAVE_REALLOCARRAY
++/* Define to 1 if you have the 'realpath' function. */
++#undef HAVE_REALPATH
++
  /* Define to 1 if you have the 'revoke' function. */
  #undef HAVE_REVOKE
@@ -1027,18 +1032,6 @@
  /* Define to 1 if you have the 'ttyslot' function. */
  #undef HAVE_TTYSLOT
--/* Define to 1 if the system has the type 'uint16_t'. */
--#undef HAVE_UINT16_T
--
--/* Define to 1 if the system has the type 'uint32_t'. */
--#undef HAVE_UINT32_T
--
--/* Define to 1 if the system has the type 'uint64_t'. */
--#undef HAVE_UINT64_T
--
--/* Define to 1 if the system has the type 'uint8_t'. */
--#undef HAVE_UINT8_T
--
  /* Define to 1 if the system has the type 'uintmax_t'. */
  #undef HAVE_UINTMAX_T
@@ -1051,6 +1044,9 @@
  /* Define to 1 if you have the 'unsetenv' function. */
  #undef HAVE_UNSETENV
++/* Define to 1 if the system has the type 'unsigned long long int'. */
++#undef HAVE_UNSIGNED_LONG_LONG_INT
++
  /* Define to 1 if you have the <util.h> header file. */
  #undef HAVE_UTIL_H
@@ -1229,9 +1225,6 @@
  /* The passwd prompt timeout (in minutes). */
  #undef PASSWORD_TIMEOUT
--/* Define to 1 to enable replacement getcwd if system getcwd is broken. */
--#undef PREFER_PORTABLE_GETCWD
--
  /* Enable replacement (v)snprintf if system (v)snprintf is broken. */
  #undef PREFER_PORTABLE_SNPRINTF
@@ -1447,6 +1440,21 @@
  /* Number of bits in time_t, on hosts where this is settable. */
  #undef _TIME_BITS
++/* Define for Solaris 2.5.1 so the uint32_t typedef from <sys/synch.h>,
++   <pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
++   #define below would cause a syntax error. */
++#undef _UINT32_T
++
++/* Define for Solaris 2.5.1 so the uint64_t typedef from <sys/synch.h>,
++   <pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
++   #define below would cause a syntax error. */
++#undef _UINT64_T
++
++/* Define for Solaris 2.5.1 so the uint8_t typedef from <sys/synch.h>,
++   <pthread.h>, or <semaphore.h> is not used. If the typedef were allowed, the
++   #define below would cause a syntax error. */
++#undef _UINT8_T
++
  /* Define to 1 on platforms where this makes time_t a 64-bit type. */
  #undef __MINGW_USE_VC2005_COMPAT
@@ -1457,7 +1465,7 @@
  /* Define to empty if 'const' does not conform to ANSI C. */
  #undef const
--/* Define to 'int' if <sys/types.h> doesn't define. */
++/* Define as 'int' if <sys/types.h> doesn't define. */
  #undef gid_t
  /* Define to '__inline__' or '__inline' if that's what the C compiler
@@ -1466,53 +1474,56 @@
  #undef inline
  #endif
++/* Define to the type of a signed integer type of width exactly 16 bits if
++   such a type exists and the standard includes do not define it. */
++#undef int16_t
++
++/* Define to the type of a signed integer type of width exactly 32 bits if
++   such a type exists and the standard includes do not define it. */
++#undef int32_t
++
++/* Define to the type of a signed integer type of width exactly 64 bits if
++   such a type exists and the standard includes do not define it. */
++#undef int64_t
++
++/* Define to the type of a signed integer type of width exactly 8 bits if such
++   a type exists and the standard includes do not define it. */
++#undef int8_t
++
++/* Define to the widest signed integer type if <stdint.h> and <inttypes.h> do
++   not define. */
++#undef intmax_t
++
  /* Define to an OS-specific initialization function or 'os_init_common'. */
  #undef os_init
--/* Define to 'unsigned int' if <sys/types.h> does not define. */
--#undef size_t
--
--/* Define to 'int' if <sys/types.h> doesn't define. */
++/* Define as 'int' if <sys/types.h> doesn't define. */
  #undef uid_t
++/* Define to the type of an unsigned integer type of width exactly 16 bits if
++   such a type exists and the standard includes do not define it. */
++#undef uint16_t
++
++/* Define to the type of an unsigned integer type of width exactly 32 bits if
++   such a type exists and the standard includes do not define it. */
++#undef uint32_t
++
++/* Define to the type of an unsigned integer type of width exactly 64 bits if
++   such a type exists and the standard includes do not define it. */
++#undef uint64_t
++
++/* Define to the type of an unsigned integer type of width exactly 8 bits if
++   such a type exists and the standard includes do not define it. */
++#undef uint8_t
++
++/* Define to the widest unsigned integer type if <stdint.h> and <inttypes.h>
++   do not define. */
++#undef uintmax_t
++
  /* Define to empty if the keyword 'volatile' does not work. Warning: valid
     code using 'volatile' can become incorrect without. Disable with care. */
  #undef volatile
--/* Define C99 types if stdint.h and inttypes.h are missing. */
--#if !defined(HAVE_STDINT_H) && !defined(HAVE_INTTYPES_H)
--# ifndef HAVE_INT8_T
--typedef char			int8_t;
--# endif
--# ifndef HAVE_UINT8_T
--typedef	unsigned char		uint8_t;
--# endif
--# ifndef HAVE_INT16_T
--typedef short			int16_t;
--# endif
--# ifndef HAVE_UINT16_T
--typedef unsigned short		uint16_t;
--# endif
--# ifndef HAVE_INT32_T
--typedef int			int32_t;
--# endif
--# ifndef HAVE_UINT32_T
--typedef unsigned int		uint32_t;
--# endif
--# ifndef HAVE_INT64_T
--typedef long long		int64_t;
--# endif
--# ifndef HAVE_UINT64_T
--typedef unsigned long long	uint64_t;
--# endif
--# ifndef HAVE_INTMAX_T
--typedef long long		intmax_t;
--# endif
--# ifndef HAVE_UINTMAX_T
--typedef unsigned long long	uintmax_t;
--# endif
--#endif /* !HAVE_STDINT_H && !HAVE_INTTYPES_H */
--
  #ifndef HAVE_SIG_ATOMIC_T
  typedef int			sig_atomic_t;
  #endif
 diff --git a/configure b/configure
 index b4453a8..dd6eae9 100755
 --- a/configure
 +++ b/configure
@@ -1,6 +1,6 @@
  #! /bin/sh
  # Guess values for system-dependent variables and create Makefiles.
--# Generated by GNU Autoconf 2.72a for sudo 1.9.13p3.
++# Generated by GNU Autoconf 2.72c for sudo 1.9.14p2.
+ #
  # Report bugs to <https://bugzilla.sudo.ws/>.
+ #
@@ -614,8 +614,8 @@ MAKEFLAGS=
  # Identity of this package.
  PACKAGE_NAME='sudo'
  PACKAGE_TARNAME='sudo'
--PACKAGE_VERSION='1.9.13p3'
--PACKAGE_STRING='sudo 1.9.13p3'
++PACKAGE_VERSION='1.9.14p2'
++PACKAGE_STRING='sudo 1.9.14p2'
  PACKAGE_BUGREPORT='https://bugzilla.sudo.ws/'
  PACKAGE_URL=''
@@ -656,7 +656,6 @@ ac_header_c_list=
  ac_func_c_list=
  ac_c_werror_flag=
  enable_year2038=yes
--enable_largefile=yes
  ac_subst_vars='LTLIBOBJS
  KRB5CONFIG
  LIBOBJS
@@ -700,6 +699,7 @@ FGREP
  EGREP
  GREP
  SED
++LIBTOOL
  host_os
  host_vendor
  host_cpu
@@ -722,6 +722,9 @@ CPP
  OBJEXT
  EXEEXT
  ac_ct_CC
++CPPFLAGS
++LDFLAGS
++CFLAGS
  CC
  python_plugin
  sudoers_plugin
@@ -768,6 +771,10 @@ relay_dir
  logpath
  log_dir
  iolog_dir
++sudoers_path
++sudo_logsrvd_conf
++sudo_conf
++cvtsudoers_conf
  INTERCEPT_EXP
  FUZZ_LD
  FUZZ_ENGINE
@@ -782,6 +789,7 @@ PYTHON_PLUGIN
  SIGNAME
  devsearch
  DIGEST
++adminconfdir
  exampledir
  TMPFILES_D
  COMPAT_EXP
@@ -801,12 +809,10 @@ LOCALEDIR_SUFFIX
  SUDO_NLS
  LIBPTHREAD
  LIBTLS
--LIBMD
  LIBCRYPTO
  LIBINTL
  LIBRT
  LIBDL
--CONFIGURE_ARGS
  LIBTOOL_DEPS
  ZLIB_SRC
  ZLIB
@@ -867,11 +873,7 @@ ZLIB_LDFLAGS
  LIBUTIL_LDFLAGS
  SUDOERS_LDFLAGS
  SUDO_LDFLAGS
--LDFLAGS
--CPPFLAGS
  PROGS
--CFLAGS
--LIBTOOL
  target_alias
  host_alias
  build_alias
@@ -1049,6 +1051,7 @@ enable_openssl_pkgconfig_template
  enable_wolfssl
  enable_gcrypt
  enable_python
++enable_adminconf
  enable_shared
  enable_static
  with_pic
@@ -1062,11 +1065,11 @@ enable_intercept
  with_noexec
  with_netsvc
  enable_sia
++enable_largefile
  with_pam_login
  enable_pam_session
  enable_kerb5_instance
  enable_year2038
--enable_largefile
+ '
        ac_precious_vars='SENDMAILPROG
  VIPROG
@@ -1636,7 +1639,7 @@ if test "$ac_init_help" = "long"; then
    # Omit some internal or obsolete options to make the list less imposing.
    # This message is too long to be a string in the A/UX 3.1 sh.
    cat <<_ACEOF
--'configure' configures sudo 1.9.13p3 to adapt to many kinds of systems.
++'configure' configures sudo 1.9.14p2 to adapt to many kinds of systems.
  Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1702,7 +1705,7 @@ fi
  if test -n "$ac_init_help"; then
    case $ac_init_help in
--     short | recursive ) echo "Configuration of sudo 1.9.13p3:";;
++     short | recursive ) echo "Configuration of sudo 1.9.14p2:";;
     esac
    cat <<\_ACEOF
@@ -1769,6 +1772,9 @@ Optional Features:
    --enable-wolfssl        Use wolfSSL's TLS and sha2 functions
    --enable-gcrypt         Use GNU crypt's sha2 functions
    --enable-python         Compile python plugin support
++  --enable-adminconf[=DIR]
++                          Use configuration files from adminconfdir in
++                          preference to sysconfdir
    --enable-shared[=PKGS]  build shared libraries [default=yes]
    --enable-static[=PKGS]  build static libraries [default=yes]
    --enable-fast-install[=PKGS]
@@ -1776,11 +1782,11 @@ Optional Features:
    --disable-libtool-lock  avoid locking (might break parallel builds)
    --enable-intercept      fully qualified pathname of sudo_intercept.so
    --disable-sia           Disable SIA on Digital UNIX
++  --disable-largefile     omit support for large files
    --disable-pam-session   Disable PAM session support
    --enable-kerb5-instance instance string to append to the username (separated
                            by a slash)
--  --disable-year2038      omit support for dates after Jan 2038
--  --disable-largefile     omit support for large files
++  --disable-year2038      don't support timestamps after 2038
  Optional Packages:
    --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -1993,8 +1999,8 @@ fi
  test -n "$ac_init_help" && exit $ac_status
  if $ac_init_version; then
    cat <<\_ACEOF
--sudo configure 1.9.13p3
--generated by GNU Autoconf 2.72a
++sudo configure 1.9.14p2
++generated by GNU Autoconf 2.72c
  Copyright (C) 2023 Free Software Foundation, Inc.
  This configure script is free software; the Free Software Foundation
@@ -2409,6 +2415,148 @@ printf "%s\n" "$ac_res" >&6; }
  } # ac_fn_c_check_member
++# ac_fn_c_find_intX_t LINENO BITS VAR
++# -----------------------------------
++# Finds a signed integer type with width BITS, setting cache variable VAR
++# accordingly.
++ac_fn_c_find_intX_t ()
++{
++  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for int$2_t" >&5
++printf %s "checking for int$2_t... " >&6; }
++if eval test \${$3+y}
++then :
++  printf %s "(cached) " >&6
++else case e in #(
++  e) eval "$3=no"
++     # Order is important - never check a type that is potentially smaller
++     # than half of the expected target width.
++     for ac_type in int$2_t 'int' 'long int' \
++	 'long long int' 'short int' 'signed char'; do
++       cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++$ac_includes_default
++	     enum { N = $2 / 2 - 1 };
++int
++main (void)
++{
++static int test_array [1 - 2 * !(0 < ($ac_type) ((((($ac_type) 1 << N) << N) - 1) * 2 + 1))];
++test_array [0] = 0;
++return test_array [0];
++
++  ;
++  return 0;
++}
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"
++then :
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++$ac_includes_default
++	        enum { N = $2 / 2 - 1 };
++int
++main (void)
++{
++static int test_array [1 - 2 * !(($ac_type) ((((($ac_type) 1 << N) << N) - 1) * 2 + 1)
++		 < ($ac_type) ((((($ac_type) 1 << N) << N) - 1) * 2 + 2))];
++test_array [0] = 0;
++return test_array [0];
++
++  ;
++  return 0;
++}
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"
++then :
++
++else case e in #(
++  e) case $ac_type in #(
++  int$2_t) :
++    eval "$3=yes" ;; #(
++  *) :
++    eval "$3=\$ac_type" ;;
++esac ;;
++esac
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
++       if eval test \"x\$"$3"\" = x"no"
++then :
++
++else case e in #(
++  e) break ;;
++esac
++fi
++     done ;;
++esac
++fi
++eval ac_res=\$$3
++	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
++printf "%s\n" "$ac_res" >&6; }
++  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
++
++} # ac_fn_c_find_intX_t
++
++# ac_fn_c_find_uintX_t LINENO BITS VAR
++# ------------------------------------
++# Finds an unsigned integer type with width BITS, setting cache variable VAR
++# accordingly.
++ac_fn_c_find_uintX_t ()
++{
++  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
++  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for uint$2_t" >&5
++printf %s "checking for uint$2_t... " >&6; }
++if eval test \${$3+y}
++then :
++  printf %s "(cached) " >&6
++else case e in #(
++  e) eval "$3=no"
++     # Order is important - never check a type that is potentially smaller
++     # than half of the expected target width.
++     for ac_type in uint$2_t 'unsigned int' 'unsigned long int' \
++	 'unsigned long long int' 'unsigned short int' 'unsigned char'; do
++       cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++$ac_includes_default
++int
++main (void)
++{
++static int test_array [1 - 2 * !((($ac_type) -1 >> ($2 / 2 - 1)) >> ($2 / 2 - 1) == 3)];
++test_array [0] = 0;
++return test_array [0];
++
++  ;
++  return 0;
++}
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"
++then :
++  case $ac_type in #(
++  uint$2_t) :
++    eval "$3=yes" ;; #(
++  *) :
++    eval "$3=\$ac_type" ;;
++esac
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
++       if eval test \"x\$"$3"\" = x"no"
++then :
++
++else case e in #(
++  e) break ;;
++esac
++fi
++     done ;;
++esac
++fi
++eval ac_res=\$$3
++	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
++printf "%s\n" "$ac_res" >&6; }
++  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
++
++} # ac_fn_c_find_uintX_t
++
  # ac_fn_c_try_run LINENO
  # ----------------------
  # Try to run conftest.$ac_ext, and return whether this succeeded. Assumes that
@@ -2671,8 +2819,8 @@ cat >config.log <<_ACEOF
  This file contains any messages produced by compilers while
  running configure, to aid debugging if configure makes a mistake.
--It was created by sudo $as_me 1.9.13p3, which was
--generated by GNU Autoconf 2.72a.  Invocation command line was
++It was created by sudo $as_me 1.9.14p2, which was
++generated by GNU Autoconf 2.72c.  Invocation command line was
    $ $0$ac_configure_args_raw
@@ -2972,6 +3120,21 @@ static char *f (char * (*g) (char **, int), char **p, ...)
    return s;
+ }
++/* C89 style stringification. */
++#define noexpand_stringify(a) #a
++const char *stringified = noexpand_stringify(arbitrary+token=sequence);
++
++/* C89 style token pasting.  Exercises some of the corner cases that
++   e.g. old MSVC gets wrong, but not very hard. */
++#define noexpand_concat(a,b) a##b
++#define expand_concat(a,b) noexpand_concat(a,b)
++extern int vA;
++extern int vbee;
++#define aye A
++#define bee B
++int *pvA = &expand_concat(v,aye);
++int *pvbee = &noexpand_concat(v,bee);
++
  /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default.  It has
     function prototypes and stuff, but not \xHH hex character constants.
     These do not provoke an error unfortunately, instead are silently treated
@@ -3452,113 +3615,31 @@ ac_config_headers="$ac_config_headers config.h pathnames.h"
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
++PROGS=sudo
++LT_LDDEP="\$(shlib_exp)"
++LT_LDEXPORTS="-export-symbols \$(shlib_exp)"
++BAMAN=0
++LCMAN=0
++PSMAN=0
++SEMAN=0
++AAMAN=0
++devdir='$(srcdir)'
++PRELOAD_MODULE='-module'
++LDAP='#'
++SUDO_NLS=disabled
++exampledir='$(docdir)/examples'
++adminconfdir='$(prefix)/etc'
++PYTHON_PLUGIN='#'
++LOGSRV_SRC='lib/logsrv'
++LOGSRVD_SRC='logsrvd'
++LOGSRVD_CONF='sudo_logsrvd.conf'
++LIBLOGSRV='$(top_builddir)/lib/logsrv/liblogsrv.la $(top_builddir)/lib/protobuf-c/libprotobuf-c.la'
++PPFILES='$(srcdir)/etc/sudo.pp'
++FUZZ_LD='$(CC)'
++cvtsudoers_conf='$(sysconfdir)/cvtsudoers.conf'
++sudo_conf='$(sysconfdir)/sudo.conf'
++sudo_logsrvd_conf='$(sysconfdir)/sudo_logsrvd.conf'
++sudoers_path='$(sysconfdir)/sudoers'
@@ -3653,62 +3734,20 @@ devsearch="/dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev"
+ #
  # End initial values for man page substitution
+ #
--INSTALL_BACKUP=
--INSTALL_INTERCEPT=
--INSTALL_NOEXEC=
--PRELOAD_MODULE=-module
--exampledir='$(docdir)/examples'
--devdir='$(srcdir)'
--PROGS="sudo"
  : ${MANDIRTYPE='man'}
  : ${SHLIB_MODE='0644'}
  : ${SUDOERS_MODE='0440'}
  : ${SUDOERS_UID='0'}
  : ${SUDOERS_GID='0'}
--DEVEL=
--LDAP="#"
--BAMAN=0
--LCMAN=0
--PSMAN=0
--SEMAN=0
--AAMAN=0
--LIBINTL=
--LIBCRYPTO=
--LIBMD=
--LIBTLS=
--ZLIB=
--ZLIB_SRC=
--AUTH_OBJS=
++CONFIGURE_ARGS="$@"
  AUTH_REG=
  AUTH_EXCL=
  AUTH_EXCL_DEF=
  AUTH_DEF=passwd
--SUDO_NLS=disabled
--LOCALEDIR_SUFFIX=
--LT_LDEXPORTS="-export-symbols \$(shlib_exp)"
--LT_LDDEP="\$(shlib_exp)"
--OS_INIT=os_init_common
--INIT_SCRIPT=
--INIT_DIR=
--RC_LINK=
--COMPAT_EXP=
--SIGNAME=
--FUZZ_ENGINE=
--FUZZ_LD='$(CC)'
--INTERCEPT_EXP=
--WEAK_ALIAS=no
  CHECKSHADOW=true
  shadow_funcs=
  shadow_libs=
--TMPFILES_D=
--CONFIGURE_ARGS="$@"
--PYTHON_PLUGIN=#
--LOGSRVD=
--LOGSRVD_SRC=logsrvd
--LOGSRV_SRC=lib/logsrv
--LOGSRVD_CONF='sudo_logsrvd.conf'
--LIBLOGSRV='$(top_builddir)/lib/logsrv/liblogsrv.la $(top_builddir)/lib/protobuf-c/libprotobuf-c.la'
--PPFILES='$(srcdir)/etc/sudo.pp'
++OS_INIT=os_init_common
  RTLD_PRELOAD_VAR="LD_PRELOAD"
  RTLD_PRELOAD_ENABLE_VAR=
@@ -7173,6 +7212,23 @@ printf "%s\n" "$as_me: WARNING: ignoring unknown argument to --enable-python: $e
  fi
++# Check whether --enable-adminconf was given.
++if test ${enable_adminconf+y}
++then :
++  enableval=$enable_adminconf;  case "$enableval" in
++    yes|no)
++	;;
++    *)	adminconfdir="$enableval"
++	enable_adminconf=yes
++	;;
++  esac
++
++else case e in #(
++  e) enable_adminconf=no ;;
++esac
++fi
++
++
  ac_ext=c
  ac_cpp='$CPP $CPPFLAGS'
  ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
@@ -8987,9 +9043,10 @@ do
        as_fn_executable_p "$ac_path_SED" || continue
  # Check for GNU ac_path_SED and select it if it is found.
    # Check for GNU $ac_path_SED
--case `"$ac_path_SED" --version 2>&1` in
++case `"$ac_path_SED" --version 2>&1` in #(
  *GNU*)
    ac_cv_path_SED="$ac_path_SED" ac_path_SED_found=:;;
++#(
  *)
    ac_count=0
    printf %s 0123456789 >"conftest.in"
@@ -9070,9 +9127,10 @@ do
        as_fn_executable_p "$ac_path_GREP" || continue
  # Check for GNU ac_path_GREP and select it if it is found.
    # Check for GNU $ac_path_GREP
--case `"$ac_path_GREP" --version 2>&1` in
++case `"$ac_path_GREP" --version 2>&1` in #(
  *GNU*)
    ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;;
++#(
  *)
    ac_count=0
    printf %s 0123456789 >"conftest.in"
@@ -9143,9 +9201,10 @@ do
        as_fn_executable_p "$ac_path_EGREP" || continue
  # Check for GNU ac_path_EGREP and select it if it is found.
    # Check for GNU $ac_path_EGREP
--case `"$ac_path_EGREP" --version 2>&1` in
++case `"$ac_path_EGREP" --version 2>&1` in #(
  *GNU*)
    ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;;
++#(
  *)
    ac_count=0
    printf %s 0123456789 >"conftest.in"
@@ -9188,6 +9247,8 @@ fi
  printf "%s\n" "$ac_cv_path_EGREP" >&6; }
   EGREP="$ac_cv_path_EGREP"
++         EGREP_TRADITIONAL=$EGREP
++ ac_cv_path_EGREP_TRADITIONAL=$EGREP
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for fgrep" >&5
  printf %s "checking for fgrep... " >&6; }
@@ -9217,9 +9278,10 @@ do
        as_fn_executable_p "$ac_path_FGREP" || continue
  # Check for GNU ac_path_FGREP and select it if it is found.
    # Check for GNU $ac_path_FGREP
--case `"$ac_path_FGREP" --version 2>&1` in
++case `"$ac_path_FGREP" --version 2>&1` in #(
  *GNU*)
    ac_cv_path_FGREP="$ac_path_FGREP" ac_path_FGREP_found=:;;
++#(
  *)
    ac_count=0
    printf %s 0123456789 >"conftest.in"
@@ -17504,6 +17566,11 @@ fi
  fi
  sudo_cv_prev_host="$host"
++cat >>confdefs.h <<EOF
++#define CONFIGURE_ARGS "$CONFIGURE_ARGS"
++EOF
++
++
  if test -n "$host_os"
  then :
@@ -19837,7 +19904,12 @@ done
+ #
  # Check for large file and 64-bit time support.
+ #
--  if test "$enable_largefile" != no
++# Check whether --enable-largefile was given.
++if test ${enable_largefile+y}
++then :
++  enableval=$enable_largefile;
++fi
++if test "$enable_largefile,$enable_year2038" != no,no
  then :
    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable large file support" >&5
  printf %s "checking for $CC option to enable large file support... " >&6; }
@@ -19880,6 +19952,7 @@ rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
      test $ac_opt_found = no || break
    done
    CC="$ac_save_CC"
++
    test $ac_opt_found = yes || ac_cv_sys_largefile_opts="support not detected" ;;
  esac
  fi
@@ -19890,15 +19963,10 @@ ac_have_largefile=yes
  case $ac_cv_sys_largefile_opts in #(
    "none needed") :
       ;; #(
++  "supported through gnulib") :
++     ;; #(
    "support not detected") :
--    ac_have_largefile=no
--     if test $enable_largefile = required
--then :
--  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5
--printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;}
--as_fn_error $? "support for large files is required
--See 'config.log' for more details" "$LINENO" 5; }
--fi ;; #(
++    ac_have_largefile=no ;; #(
    "-D_FILE_OFFSET_BITS=64") :
  printf "%s\n" "#define _FILE_OFFSET_BITS 64" >>confdefs.h
@@ -19913,10 +19981,10 @@ printf "%s\n" "#define _LARGE_FILES 1" >>confdefs.h
      as_fn_error $? "internal error: bad value for \$ac_cv_sys_largefile_opts" "$LINENO" 5 ;;
  esac
--  if test "$enable_year2038" != no
++if test "$enable_year2038" != no
  then :
--  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable timestamps after Jan 2038" >&5
--printf %s "checking for $CC option to enable timestamps after Jan 2038... " >&6; }
++  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option for timestamps after 2038" >&5
++printf %s "checking for $CC option for timestamps after 2038... " >&6; }
  if test ${ac_cv_sys_year2038_opts+y}
  then :
    printf %s "(cached) " >&6
@@ -19967,49 +20035,12 @@ case $ac_cv_sys_year2038_opts in #(
    "none needed") :
       ;; #(
    "support not detected") :
--    ac_have_year2038=no
--     case $enable_year2038 in #(
--  required) :
--    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5
--printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;}
--as_fn_error $? "support for timestamps after Jan 2038 is required
--See 'config.log' for more details" "$LINENO" 5; } ;; #(
--  yes) :
--    # If we're not cross compiling and 'touch' works with a large
--        # timestamp, then we can presume the system supports wider time_t
--        # *somehow* and we just weren't able to detect it.  One common
--        # case that we deliberately *don't* probe for is a system that
--        # supports both 32- and 64-bit ABIs but only the 64-bit ABI offers
--        # wide time_t.  (It would be inappropriate for us to override an
--        # intentional use of -m32.)  Error out, demanding use of
--        # --disable-year2038 if this is intentional.
--        if test $cross_compiling = no
--then :
--  if TZ=UTC0 touch -t 210602070628.15 conftest.time 2>/dev/null
--then :
--  case `TZ=UTC0 LC_ALL=C ls -l conftest.time 2>/dev/null` in #(
--  *'Feb  7  2106'* | *'Feb  7 17:10'*) :
--    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5
--printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;}
--as_fn_error $? "this system appears to support timestamps after
--January 2038, but no mechanism for enabling wide
--'time_t' was detected. Did you mean to build a 64-bit
--binary? (e.g. 'CC=\"${CC} -m64\"'.) To proceed with
--32-bit time_t, configure with '--disable-year2038'.
--See 'config.log' for more details" "$LINENO" 5; } ;; #(
--  *) :
--     ;;
--esac
--fi
--fi ;; #(
--  *) :
--     ;;
--esac ;; #(
++    ac_have_year2038=no ;; #(
    "-D_TIME_BITS=64") :
  printf "%s\n" "#define _TIME_BITS 64" >>confdefs.h
   ;; #(
--  "-D__MINGW_USE_VC2005_COMPAT=1") :
++  "-D__MINGW_USE_VC2005_COMPAT") :
  printf "%s\n" "#define __MINGW_USE_VC2005_COMPAT 1" >>confdefs.h
   ;; #(
@@ -20017,7 +20048,7 @@ printf "%s\n" "#define __MINGW_USE_VC2005_COMPAT 1" >>confdefs.h
      { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5
  printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;}
  as_fn_error $? "the 'time_t' type is currently forced to be 32-bit. It
--will stop working after January 2038. Remove
++will stop working after mid-January 2038. Remove
  _USE_32BIT_TIME_T from the compiler flags.
  See 'config.log' for more details" "$LINENO" 5; } ;; #(
    *) :
@@ -20026,12 +20057,34 @@ esac
  fi
--
--
  fi
--
--
--
++if test "$enable_year2038,$ac_have_year2038,$cross_compiling" = yes,no,no
++then :
++  # If we're not cross compiling and 'touch' works with a large
++  # timestamp, then we can presume the system supports wider time_t
++  # *somehow* and we just weren't able to detect it.  One common
++  # case that we deliberately *don't* probe for is a system that
++  # supports both 32- and 64-bit ABIs but only the 64-bit ABI offers
++  # wide time_t.  (It would be inappropriate for us to override an
++  # intentional use of -m32.)  Error out, demanding use of
++  # --disable-year2038 if this is intentional.
++  if TZ=UTC0 touch -t 210602070628.15 conftest.time 2>/dev/null
++then :
++  case `TZ=UTC0 LC_ALL=C ls -l conftest.time 2>/dev/null` in #(
++  *'Feb  7  2106'* | *'Feb  7 17:10'*) :
++    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in '$ac_pwd':" >&5
++printf "%s\n" "$as_me: error: in '$ac_pwd':" >&2;}
++as_fn_error $? "this system appears to support timestamps after
++mid-January 2038, but no mechanism for enabling wide
++'time_t' was detected. Did you mean to build a 64-bit
++binary? (E.g., 'CC=\"${CC} -m64\"'.) To proceed with
++32-bit time_t, configure with '--disable-year2038'.
++See 'config.log' for more details" "$LINENO" 5; } ;; #(
++  *) :
++     ;;
++esac
++fi
++fi
+ #
  # Don't allow undefined symbols, even in shared libraries, if possible.
@@ -20042,27 +20095,69 @@ fi
  if test -n "$GCC" -a X"${enable_sanitizer}${enable_fuzzer}" = X"nono"
  then :
--    # On FreeBSD and Dragonfly, environ is filled in by the dynamic loader
--    # so -Wl,--no-undefined causes a link error when environ is used.
--    # https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263265
--    # We use errno because OpenBSD shared libraries don't explicitly
--    # link with libc, which can result in undefined reference errors.
--    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking the linker accepts -Wl,--no-undefined" >&5
++    case $host_os in #(
++  darwin*) :
++
++	# On macOS 13, using "-undefined dynamic_lookup" produces a
++	# warning.  Use the -no-undefined libtool option to avoid this.
++
++if test ${LT_LDFLAGS+y}
++then :
++
++  case " $LT_LDFLAGS " in #(
++  *" -no-undefined "*) :
++    { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LT_LDFLAGS already contains -no-undefined"; } >&5
++  (: LT_LDFLAGS already contains -no-undefined) 2>&5
++  ac_status=$?
++  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; } ;; #(
++  *) :
++
++     as_fn_append LT_LDFLAGS " -no-undefined"
++     { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LT_LDFLAGS=\"\$LT_LDFLAGS\""; } >&5
++  (: LT_LDFLAGS="$LT_LDFLAGS") 2>&5
++  ac_status=$?
++  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }
++     ;;
++esac
++
++else case e in #(
++  e)
++  LT_LDFLAGS=-no-undefined
++  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: : LT_LDFLAGS=\"\$LT_LDFLAGS\""; } >&5
++  (: LT_LDFLAGS="$LT_LDFLAGS") 2>&5
++  ac_status=$?
++  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
++  test $ac_status = 0; }
++   ;;
++esac
++fi
++
++     ;; #(
++  *) :
++
++	# On FreeBSD and Dragonfly, environ is filled in by the dynamic loader
++	# so -Wl,--no-undefined causes a link error when environ is used.
++	# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263265
++	# We use errno because OpenBSD shared libraries don't explicitly
++	# link with libc, which can result in undefined reference errors.
++	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking the linker accepts -Wl,--no-undefined" >&5
  printf %s "checking the linker accepts -Wl,--no-undefined... " >&6; }
  if test ${sudo_cv_var_ld___no_undefined+y}
  then :
    printf %s "(cached) " >&6
  else case e in #(
    e)
--	    sudo_cv_var_ld___no_undefined=no
--	    _CFLAGS="$CFLAGS"
--	    CFLAGS="$CFLAGS $lt_prog_compiler_pic"
--	    _LDFLAGS="$LDFLAGS"
--	    LDFLAGS="$LDFLAGS $lt_prog_compiler_pic -shared -Wl,--no-undefined"
--	    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++		sudo_cv_var_ld___no_undefined=no
++		_CFLAGS="$CFLAGS"
++		CFLAGS="$CFLAGS $lt_prog_compiler_pic"
++		_LDFLAGS="$LDFLAGS"
++		LDFLAGS="$LDFLAGS $lt_prog_compiler_pic -shared -Wl,--no-undefined"
++		cat confdefs.h - <<_ACEOF >conftest.$ac_ext
  /* end confdefs.h.  */
  #include <errno.h>
--extern char **environ;
++    extern char **environ;
  int
  main (void)
+ {
@@ -20077,15 +20172,15 @@ then :
  fi
  rm -f core conftest.err conftest.$ac_objext conftest.beam \
      conftest$ac_exeext conftest.$ac_ext
--	    CFLAGS="$_CFLAGS"
--	    LDFLAGS="$_LDFLAGS"
++		CFLAGS="$_CFLAGS"
++		LDFLAGS="$_LDFLAGS"
--     ;;
++	 ;;
  esac
  fi
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_ld___no_undefined" >&5
  printf "%s\n" "$sudo_cv_var_ld___no_undefined" >&6; }
--    if test "$sudo_cv_var_ld___no_undefined" = "yes"
++	if test "$sudo_cv_var_ld___no_undefined" = "yes"
  then :
@@ -20124,6 +20219,8 @@ fi
  fi
++     ;;
++esac
  fi
@@ -20445,91 +20542,261 @@ fi
  fi
--if test X"${ac_cv_header_stdint_h}${ac_cv_header_inttypes_h}" = X"nono"
--then :
--    ac_fn_c_check_type "$LINENO" "int8_t" "ac_cv_type_int8_t" "$ac_includes_default"
--if test "x$ac_cv_type_int8_t" = xyes
++  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for unsigned long long int" >&5
++printf %s "checking for unsigned long long int... " >&6; }
++if test ${ac_cv_type_unsigned_long_long_int+y}
  then :
++  printf %s "(cached) " >&6
++else case e in #(
++  e) ac_cv_type_unsigned_long_long_int=yes
++     case $ac_prog_cc_stdc in
++       no | c89) ;;
++       *)
++	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
--printf "%s\n" "#define HAVE_INT8_T 1" >>confdefs.h
++  /* For now, do not test the preprocessor; as of 2007 there are too many
++	 implementations with broken preprocessors.  Perhaps this can
++	 be revisited in 2012.  In the meantime, code should not expect
++	 #if to work with literals wider than 32 bits.  */
++      /* Test literals.  */
++      long long int ll = 9223372036854775807ll;
++      long long int nll = -9223372036854775807LL;
++      unsigned long long int ull = 18446744073709551615ULL;
++      /* Test constant expressions.   */
++      typedef int a[((-9223372036854775807LL < 0 && 0 < 9223372036854775807ll)
++		     ? 1 : -1)];
++      typedef int b[(18446744073709551615ULL <= (unsigned long long int) -1
++		     ? 1 : -1)];
++      int i = 63;
++int
++main (void)
++{
++/* Test availability of runtime routines for shift and division.  */
++      long long int llmax = 9223372036854775807ll;
++      unsigned long long int ullmax = 18446744073709551615ull;
++      return ((ll << 63) | (ll >> 63) | (ll < i) | (ll > i)
++	      | (llmax / ll) | (llmax % ll)
++	      | (ull << 63) | (ull >> 63) | (ull << i) | (ull >> i)
++	      | (ullmax / ull) | (ullmax % ull));
++  ;
++  return 0;
++}
++_ACEOF
++if ac_fn_c_try_link "$LINENO"
++then :
++else case e in #(
++  e) ac_cv_type_unsigned_long_long_int=no ;;
++esac
  fi
--ac_fn_c_check_type "$LINENO" "uint8_t" "ac_cv_type_uint8_t" "$ac_includes_default"
--if test "x$ac_cv_type_uint8_t" = xyes
--then :
++rm -f core conftest.err conftest.$ac_objext conftest.beam \
++    conftest$ac_exeext conftest.$ac_ext;;
++     esac ;;
++esac
++fi
++{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_unsigned_long_long_int" >&5
++printf "%s\n" "$ac_cv_type_unsigned_long_long_int" >&6; }
++  if test $ac_cv_type_unsigned_long_long_int = yes; then
--printf "%s\n" "#define HAVE_UINT8_T 1" >>confdefs.h
++printf "%s\n" "#define HAVE_UNSIGNED_LONG_LONG_INT 1" >>confdefs.h
++  fi
--fi
--ac_fn_c_check_type "$LINENO" "int16_t" "ac_cv_type_int16_t" "$ac_includes_default"
--if test "x$ac_cv_type_int16_t" = xyes
--then :
--printf "%s\n" "#define HAVE_INT16_T 1" >>confdefs.h
++  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for long long int" >&5
++printf %s "checking for long long int... " >&6; }
++if test ${ac_cv_type_long_long_int+y}
++then :
++  printf %s "(cached) " >&6
++else case e in #(
++  e) ac_cv_type_long_long_int=yes
++      case $ac_prog_cc_stdc in
++	no | c89) ;;
++	*)
++	  ac_cv_type_long_long_int=$ac_cv_type_unsigned_long_long_int
++	  if test $ac_cv_type_long_long_int = yes; then
++	    	    	    	    if test "$cross_compiling" = yes
++then :
++  :
++else case e in #(
++  e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++#include <limits.h>
++		   #ifndef LLONG_MAX
++		   # define HALF \\
++			    (1LL << (sizeof (long long int) * CHAR_BIT - 2))
++		   # define LLONG_MAX (HALF - 1 + HALF)
++		   #endif
++int
++main (void)
++{
++long long int n = 1;
++		   int i;
++		   for (i = 0; ; i++)
++		     {
++		       long long int m = n << i;
++		       if (m >> i != n)
++			 return 1;
++		       if (LLONG_MAX / 2 < m)
++			 break;
++		     }
++		   return 0;
++  ;
++  return 0;
++}
++_ACEOF
++if ac_fn_c_try_run "$LINENO"
++then :
++else case e in #(
++  e) ac_cv_type_long_long_int=no ;;
++esac
  fi
--ac_fn_c_check_type "$LINENO" "uint16_t" "ac_cv_type_uint16_t" "$ac_includes_default"
--if test "x$ac_cv_type_uint16_t" = xyes
--then :
++rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
++  conftest.$ac_objext conftest.beam conftest.$ac_ext ;;
++esac
++fi
++
++	  fi;;
++      esac ;;
++esac
++fi
++{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_long_long_int" >&5
++printf "%s\n" "$ac_cv_type_long_long_int" >&6; }
++  if test $ac_cv_type_long_long_int = yes; then
--printf "%s\n" "#define HAVE_UINT16_T 1" >>confdefs.h
++printf "%s\n" "#define HAVE_LONG_LONG_INT 1" >>confdefs.h
++  fi
--fi
--ac_fn_c_check_type "$LINENO" "int32_t" "ac_cv_type_int32_t" "$ac_includes_default"
--if test "x$ac_cv_type_int32_t" = xyes
++if test X"${ac_cv_header_stdint_h}${ac_cv_header_inttypes_h}" = X"nono"
  then :
--printf "%s\n" "#define HAVE_INT32_T 1" >>confdefs.h
++    ac_fn_c_find_intX_t "$LINENO" "8" "ac_cv_c_int8_t"
++case $ac_cv_c_int8_t in #(
++  no|yes) ;; #(
++  *)
++printf "%s\n" "#define int8_t $ac_cv_c_int8_t" >>confdefs.h
++;;
++esac
--fi
--ac_fn_c_check_type "$LINENO" "uint32_t" "ac_cv_type_uint32_t" "$ac_includes_default"
--if test "x$ac_cv_type_uint32_t" = xyes
--then :
++    ac_fn_c_find_uintX_t "$LINENO" "8" "ac_cv_c_uint8_t"
++case $ac_cv_c_uint8_t in #(
++  no|yes) ;; #(
++  *)
--printf "%s\n" "#define HAVE_UINT32_T 1" >>confdefs.h
++printf "%s\n" "#define _UINT8_T 1" >>confdefs.h
--fi
--ac_fn_c_check_type "$LINENO" "int64_t" "ac_cv_type_int64_t" "$ac_includes_default"
--if test "x$ac_cv_type_int64_t" = xyes
--then :
++printf "%s\n" "#define uint8_t $ac_cv_c_uint8_t" >>confdefs.h
++;;
++  esac
--printf "%s\n" "#define HAVE_INT64_T 1" >>confdefs.h
++    ac_fn_c_find_intX_t "$LINENO" "16" "ac_cv_c_int16_t"
++case $ac_cv_c_int16_t in #(
++  no|yes) ;; #(
++  *)
++printf "%s\n" "#define int16_t $ac_cv_c_int16_t" >>confdefs.h
++;;
++esac
--fi
--ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "$ac_includes_default"
--if test "x$ac_cv_type_uint64_t" = xyes
--then :
++    ac_fn_c_find_uintX_t "$LINENO" "16" "ac_cv_c_uint16_t"
++case $ac_cv_c_uint16_t in #(
++  no|yes) ;; #(
++  *)
--printf "%s\n" "#define HAVE_UINT64_T 1" >>confdefs.h
++printf "%s\n" "#define uint16_t $ac_cv_c_uint16_t" >>confdefs.h
++;;
++  esac
--fi
--ac_fn_c_check_type "$LINENO" "intmax_t" "ac_cv_type_intmax_t" "$ac_includes_default"
++    ac_fn_c_find_intX_t "$LINENO" "32" "ac_cv_c_int32_t"
++case $ac_cv_c_int32_t in #(
++  no|yes) ;; #(
++  *)
++
++printf "%s\n" "#define int32_t $ac_cv_c_int32_t" >>confdefs.h
++;;
++esac
++
++    ac_fn_c_find_uintX_t "$LINENO" "32" "ac_cv_c_uint32_t"
++case $ac_cv_c_uint32_t in #(
++  no|yes) ;; #(
++  *)
++
++printf "%s\n" "#define _UINT32_T 1" >>confdefs.h
++
++
++printf "%s\n" "#define uint32_t $ac_cv_c_uint32_t" >>confdefs.h
++;;
++  esac
++
++    ac_fn_c_find_intX_t "$LINENO" "64" "ac_cv_c_int64_t"
++case $ac_cv_c_int64_t in #(
++  no|yes) ;; #(
++  *)
++
++printf "%s\n" "#define int64_t $ac_cv_c_int64_t" >>confdefs.h
++;;
++esac
++
++    ac_fn_c_find_uintX_t "$LINENO" "64" "ac_cv_c_uint64_t"
++case $ac_cv_c_uint64_t in #(
++  no|yes) ;; #(
++  *)
++
++printf "%s\n" "#define _UINT64_T 1" >>confdefs.h
++
++
++printf "%s\n" "#define uint64_t $ac_cv_c_uint64_t" >>confdefs.h
++;;
++  esac
++
++
++
++  ac_fn_c_check_type "$LINENO" "intmax_t" "ac_cv_type_intmax_t" "$ac_includes_default"
  if test "x$ac_cv_type_intmax_t" = xyes
  then :
  printf "%s\n" "#define HAVE_INTMAX_T 1" >>confdefs.h
++else case e in #(
++  e) test $ac_cv_type_long_long_int = yes \
++       && ac_type='long long int' \
++       || ac_type='long int'
++printf "%s\n" "#define intmax_t $ac_type" >>confdefs.h
++ ;;
++esac
  fi
--ac_fn_c_check_type "$LINENO" "uintmax_t" "ac_cv_type_uintmax_t" "$ac_includes_default"
++
++
++
++
++  ac_fn_c_check_type "$LINENO" "uintmax_t" "ac_cv_type_uintmax_t" "$ac_includes_default"
  if test "x$ac_cv_type_uintmax_t" = xyes
  then :
  printf "%s\n" "#define HAVE_UINTMAX_T 1" >>confdefs.h
++else case e in #(
++  e) test $ac_cv_type_unsigned_long_long_int = yes \
++       && ac_type='unsigned long long int' \
++       || ac_type='unsigned long int'
++printf "%s\n" "#define uintmax_t $ac_type" >>confdefs.h
++ ;;
++esac
  fi
++
  fi
  ac_fn_c_check_type "$LINENO" "sig_atomic_t" "ac_cv_type_sig_atomic_t" "
  $ac_includes_default
@@ -20566,172 +20833,27 @@ printf "%s\n" "#define HAVE_SOCKLEN_T 1" >>confdefs.h
  fi
--
--{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for egrep -e" >&5
--printf %s "checking for egrep -e... " >&6; }
--if test ${ac_cv_path_EGREP_TRADITIONAL+y}
++ac_fn_c_check_type "$LINENO" "uid_t" "ac_cv_type_uid_t" "$ac_includes_default"
++if test "x$ac_cv_type_uid_t" = xyes
  then :
--  printf %s "(cached) " >&6
--else case e in #(
--  e) if test -z "$EGREP_TRADITIONAL"; then
--  ac_path_EGREP_TRADITIONAL_found=false
--  # Loop through the user's path and test for each of PROGNAME-LIST
--  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
--for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
--do
--  IFS=$as_save_IFS
--  case $as_dir in #(((
--    '') as_dir=./ ;;
--    */) ;;
--    *) as_dir=$as_dir/ ;;
--  esac
--    for ac_prog in grep ggrep
--   do
--    for ac_exec_ext in '' $ac_executable_extensions; do
--      ac_path_EGREP_TRADITIONAL="$as_dir$ac_prog$ac_exec_ext"
--      as_fn_executable_p "$ac_path_EGREP_TRADITIONAL" || continue
--# Check for GNU ac_path_EGREP_TRADITIONAL and select it if it is found.
--  # Check for GNU $ac_path_EGREP_TRADITIONAL
--case `"$ac_path_EGREP_TRADITIONAL" --version 2>&1` in
--*GNU*)
--  ac_cv_path_EGREP_TRADITIONAL="$ac_path_EGREP_TRADITIONAL" ac_path_EGREP_TRADITIONAL_found=:;;
--*)
--  ac_count=0
--  printf %s 0123456789 >"conftest.in"
--  while :
--  do
--    cat "conftest.in" "conftest.in" >"conftest.tmp"
--    mv "conftest.tmp" "conftest.in"
--    cp "conftest.in" "conftest.nl"
--    printf "%s\n" 'EGREP_TRADITIONAL' >> "conftest.nl"
--    "$ac_path_EGREP_TRADITIONAL" -E 'EGR(EP|AC)_TRADITIONAL$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
--    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
--    as_fn_arith $ac_count + 1 && ac_count=$as_val
--    if test $ac_count -gt ${ac_path_EGREP_TRADITIONAL_max-0}; then
--      # Best one so far, save it but keep looking for a better one
--      ac_cv_path_EGREP_TRADITIONAL="$ac_path_EGREP_TRADITIONAL"
--      ac_path_EGREP_TRADITIONAL_max=$ac_count
--    fi
--    # 10*(2^10) chars as input seems more than enough
--    test $ac_count -gt 10 && break
--  done
--  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
--esac
--
--      $ac_path_EGREP_TRADITIONAL_found && break 3
--    done
--  done
--  done
--IFS=$as_save_IFS
--  if test -z "$ac_cv_path_EGREP_TRADITIONAL"; then
--    :
--  fi
--else
--  ac_cv_path_EGREP_TRADITIONAL=$EGREP_TRADITIONAL
--fi
--    if test "$ac_cv_path_EGREP_TRADITIONAL"
--then :
--  ac_cv_path_EGREP_TRADITIONAL="$ac_cv_path_EGREP_TRADITIONAL -E"
  else case e in #(
--  e) if test -z "$EGREP_TRADITIONAL"; then
--  ac_path_EGREP_TRADITIONAL_found=false
--  # Loop through the user's path and test for each of PROGNAME-LIST
--  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
--for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin
--do
--  IFS=$as_save_IFS
--  case $as_dir in #(((
--    '') as_dir=./ ;;
--    */) ;;
--    *) as_dir=$as_dir/ ;;
--  esac
--    for ac_prog in egrep
--   do
--    for ac_exec_ext in '' $ac_executable_extensions; do
--      ac_path_EGREP_TRADITIONAL="$as_dir$ac_prog$ac_exec_ext"
--      as_fn_executable_p "$ac_path_EGREP_TRADITIONAL" || continue
--# Check for GNU ac_path_EGREP_TRADITIONAL and select it if it is found.
--  # Check for GNU $ac_path_EGREP_TRADITIONAL
--case `"$ac_path_EGREP_TRADITIONAL" --version 2>&1` in
--*GNU*)
--  ac_cv_path_EGREP_TRADITIONAL="$ac_path_EGREP_TRADITIONAL" ac_path_EGREP_TRADITIONAL_found=:;;
--*)
--  ac_count=0
--  printf %s 0123456789 >"conftest.in"
--  while :
--  do
--    cat "conftest.in" "conftest.in" >"conftest.tmp"
--    mv "conftest.tmp" "conftest.in"
--    cp "conftest.in" "conftest.nl"
--    printf "%s\n" 'EGREP_TRADITIONAL' >> "conftest.nl"
--    "$ac_path_EGREP_TRADITIONAL" 'EGR(EP|AC)_TRADITIONAL$' < "conftest.nl" >"conftest.out" 2>/dev/null || break
--    diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break
--    as_fn_arith $ac_count + 1 && ac_count=$as_val
--    if test $ac_count -gt ${ac_path_EGREP_TRADITIONAL_max-0}; then
--      # Best one so far, save it but keep looking for a better one
--      ac_cv_path_EGREP_TRADITIONAL="$ac_path_EGREP_TRADITIONAL"
--      ac_path_EGREP_TRADITIONAL_max=$ac_count
--    fi
--    # 10*(2^10) chars as input seems more than enough
--    test $ac_count -gt 10 && break
--  done
--  rm -f conftest.in conftest.tmp conftest.nl conftest.out;;
--esac
--
--      $ac_path_EGREP_TRADITIONAL_found && break 3
--    done
--  done
--  done
--IFS=$as_save_IFS
--  if test -z "$ac_cv_path_EGREP_TRADITIONAL"; then
--    as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5
--  fi
--else
--  ac_cv_path_EGREP_TRADITIONAL=$EGREP_TRADITIONAL
--fi
++  e)
++printf "%s\n" "#define uid_t int" >>confdefs.h
   ;;
  esac
--fi ;;
--esac
  fi
--{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP_TRADITIONAL" >&5
--printf "%s\n" "$ac_cv_path_EGREP_TRADITIONAL" >&6; }
-- EGREP_TRADITIONAL=$ac_cv_path_EGREP_TRADITIONAL
--{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for uid_t in sys/types.h" >&5
--printf %s "checking for uid_t in sys/types.h... " >&6; }
--if test ${ac_cv_type_uid_t+y}
++ac_fn_c_check_type "$LINENO" "gid_t" "ac_cv_type_gid_t" "$ac_includes_default"
++if test "x$ac_cv_type_gid_t" = xyes
  then :
--  printf %s "(cached) " >&6
--else case e in #(
--  e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext
--/* end confdefs.h.  */
--#include <sys/types.h>
--_ACEOF
--if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
--  $EGREP_TRADITIONAL "uid_t" >/dev/null 2>&1
--then :
--  ac_cv_type_uid_t=yes
  else case e in #(
--  e) ac_cv_type_uid_t=no ;;
--esac
--fi
--rm -rf conftest*
++  e)
++printf "%s\n" "#define gid_t int" >>confdefs.h
   ;;
  esac
  fi
--{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_uid_t" >&5
--printf "%s\n" "$ac_cv_type_uid_t" >&6; }
--if test $ac_cv_type_uid_t = no; then
--
--printf "%s\n" "#define uid_t int" >>confdefs.h
--
--
--printf "%s\n" "#define gid_t int" >>confdefs.h
--
--fi
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking max length of uid_t" >&5
@@ -21661,103 +21783,133 @@ if test ${ac_cv_type_getgroups+y}
  then :
    printf %s "(cached) " >&6
  else case e in #(
--  e) if test "$cross_compiling" = yes
++  e) # If AC_TYPE_UID_T says there isn't any gid_t typedef, then we can skip
++# everything below.
++if test $ac_cv_type_gid_t = no
  then :
--  ac_cv_type_getgroups=cross
++  ac_cv_type_getgroups=int
  else case e in #(
--  e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++  e) # Test programs below rely on strict type checking of extern declarations:
++  # 'extern int getgroups(int, int *); extern int getgroups(int, pid_t *);'
++  # is valid in C89 if and only if pid_t is a typedef for int.  Unlike
++  # anything involving either an assignment or a function call, compilers
++  # tend to make this kind of type mismatch a hard error, not just an
++  # "incompatible pointer types" warning.
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
  /* end confdefs.h.  */
--/* Thanks to Mike Rendell for this test.  */
  $ac_includes_default
--#define NGID 256
--#undef MAX
--#define MAX(x, y) ((x) > (y) ? (x) : (y))
--
++extern int getgroups(int, gid_t *);
  int
  main (void)
+ {
--  gid_t gidset[NGID];
--  int i, n;
--  union { gid_t gval; long int lval; }  val;
--
--  val.lval = -1;
--  for (i = 0; i < NGID; i++)
--    gidset[i] = val.gval;
--  n = getgroups (sizeof (gidset) / MAX (sizeof (int), sizeof (gid_t)) - 1,
--		 gidset);
--  /* Exit non-zero if getgroups seems to require an array of ints.  This
--     happens when gid_t is short int but getgroups modifies an array
--     of ints.  */
--  return n > 0 && gidset[n] != val.gval;
++return !(getgroups(0, 0) >= 0);
++  ;
++  return 0;
+ }
  _ACEOF
--if ac_fn_c_try_run "$LINENO"
++if ac_fn_c_try_compile "$LINENO"
  then :
--  ac_cv_type_getgroups=gid_t
++  ac_getgroups_gidarray=yes
  else case e in #(
--  e) ac_cv_type_getgroups=int ;;
++  e) ac_getgroups_gidarray=no ;;
  esac
  fi
--rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
--  conftest.$ac_objext conftest.beam conftest.$ac_ext ;;
++rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
++  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++/* end confdefs.h.  */
++$ac_includes_default
++extern int getgroups(int, int *);
++int
++main (void)
++{
++return !(getgroups(0, 0) >= 0);
++  ;
++  return 0;
++}
++_ACEOF
++if ac_fn_c_try_compile "$LINENO"
++then :
++  ac_getgroups_intarray=yes
++else case e in #(
++  e) ac_getgroups_intarray=no ;;
  esac
  fi
++rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
--if test $ac_cv_type_getgroups = cross; then
--        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
++  case int:$ac_getgroups_intarray,gid:$ac_getgroups_gidarray in #(
++  int:yes,gid:no) :
++    ac_cv_type_getgroups=int ;; #(
++  int:no,gid:yes) :
++    ac_cv_type_getgroups=gid_t ;; #(
++  int:yes,gid:yes) :
++
++      # Both programs compiled - this means *either* that getgroups
++      # was declared with no prototype, in which case we should use int,
++      # or that it was declared prototyped but gid_t is a typedef for int,
++      # in which case we should use gid_t.  Distinguish the two cases
++      # by testing if the compiler catches a blatantly incorrect function
++      # signature for getgroups.
++      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
  /* end confdefs.h.  */
--#include <unistd.h>
--
++$ac_includes_default
++extern int getgroups(int, float);
++int
++main (void)
++{
++return !(getgroups(0, 0) >= 0);
++  ;
++  return 0;
++}
  _ACEOF
--if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
--  $EGREP_TRADITIONAL "getgroups.*int.*gid_t" >/dev/null 2>&1
++if ac_fn_c_try_compile "$LINENO"
  then :
--  ac_cv_type_getgroups=gid_t
++
++        # Compiler did not catch incorrect argument list;
++        # getgroups is unprototyped.
++        ac_cv_type_getgroups=int
++
  else case e in #(
--  e) ac_cv_type_getgroups=int ;;
++  e)
++        # Compiler caught incorrect argument list;
++        # gid_t is a typedef for int.
++        ac_cv_type_getgroups=gid_t
++       ;;
  esac
  fi
--rm -rf conftest*
++rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
++     ;; #(
++  *) :
--fi ;;
++      # Both programs failed to compile - this probably means getgroups
++      # wasn't declared at all.  Use 'int', as this is probably a very
++      # old system where the type _would have been_ int.
++      ac_cv_type_getgroups=int
++     ;;
++esac
++   ;;
  esac
  fi
--{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_getgroups" >&5
--printf "%s\n" "$ac_cv_type_getgroups" >&6; }
--
--printf "%s\n" "#define GETGROUPS_T $ac_cv_type_getgroups" >>confdefs.h
--
--
--ac_fn_c_check_type "$LINENO" "size_t" "ac_cv_type_size_t" "$ac_includes_default"
--if test "x$ac_cv_type_size_t" = xyes
--then :
--
--else case e in #(
--  e)
--printf "%s\n" "#define size_t unsigned int" >>confdefs.h
   ;;
  esac
  fi
++{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_getgroups" >&5
++printf "%s\n" "$ac_cv_type_getgroups" >&6; }
++printf "%s\n" "#define GETGROUPS_T $ac_cv_type_getgroups" >>confdefs.h
--ac_fn_c_check_func "$LINENO" "getgroups" "ac_cv_func_getgroups"
--if test "x$ac_cv_func_getgroups" = xyes
--then :
--
--fi
--# If we don't yet have getgroups, see if it's in -lbsd.
++# On older systems getgroups might be in -lbsd.
  # This is reported to be necessary on an ITOS 3000WS running SEIUX 3.1.
  ac_save_LIBS=$LIBS
--if test $ac_cv_func_getgroups = no; then
--  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for getgroups in -lbsd" >&5
--printf %s "checking for getgroups in -lbsd... " >&6; }
--if test ${ac_cv_lib_bsd_getgroups+y}
++LIBS=
++GETGROUPS_LIB=
++{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for library containing getgroups" >&5
++printf %s "checking for library containing getgroups... " >&6; }
++if test ${ac_cv_search_getgroups+y}
  then :
    printf %s "(cached) " >&6
  else case e in #(
--  e) ac_check_lib_save_LIBS=$LIBS
--LIBS="-lbsd  $LIBS"
++  e) ac_func_search_save_LIBS=$LIBS
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
  /* end confdefs.h.  */
@@ -21779,70 +21931,75 @@ return getgroups ();
    return 0;
+ }
  _ACEOF
--if ac_fn_c_try_link "$LINENO"
++for ac_lib in '' bsd
++do
++  if test -z "$ac_lib"; then
++    ac_res="none required"
++  else
++    ac_res=-l$ac_lib
++    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
++  fi
++  if ac_fn_c_try_link "$LINENO"
  then :
--  ac_cv_lib_bsd_getgroups=yes
++  ac_cv_search_getgroups=$ac_res
++fi
++rm -f core conftest.err conftest.$ac_objext conftest.beam \
++    conftest$ac_exeext
++  if test ${ac_cv_search_getgroups+y}
++then :
++  break
++fi
++done
++if test ${ac_cv_search_getgroups+y}
++then :
++
  else case e in #(
--  e) ac_cv_lib_bsd_getgroups=no ;;
++  e) ac_cv_search_getgroups=no ;;
  esac
  fi
--rm -f core conftest.err conftest.$ac_objext conftest.beam \
--    conftest$ac_exeext conftest.$ac_ext
--LIBS=$ac_check_lib_save_LIBS ;;
++rm conftest.$ac_ext
++LIBS=$ac_func_search_save_LIBS ;;
  esac
  fi
--{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_bsd_getgroups" >&5
--printf "%s\n" "$ac_cv_lib_bsd_getgroups" >&6; }
--if test "x$ac_cv_lib_bsd_getgroups" = xyes
++{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_getgroups" >&5
++printf "%s\n" "$ac_cv_search_getgroups" >&6; }
++ac_res=$ac_cv_search_getgroups
++if test "$ac_res" != no
  then :
--  GETGROUPS_LIB=-lbsd
++  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
++  test "$ac_res" = "none required" || GETGROUPS_LIB="$ac_res"
++   ac_cv_func_getgroups=yes
++else case e in #(
++  e) ac_cv_func_getgroups=no ;;
++esac
  fi
--fi
++LIBS=$ac_save_LIBS
++
--# Run the program to test the functionality of the system-supplied
--# getgroups function only if there is such a function.
++# Known severe bugs in getgroups on particular systems.
++#  - On Ultrix 4.3 and NextSTEP 3.2, getgroups (0, 0) is reported to
++#    fail, rather than returning the number of supplementary groups as
++#    it ought to.  We do not know the exact range of releases affected
++#    in either case.
++# We currently reject all versions of the systems with known bugs, and
++# no other systems.  Please send corrections to bug-autoconf@gnu.org.
  if test $ac_cv_func_getgroups = yes; then
++  # This AC_CACHE_CHECK exists so that one may override an incorrect
++  # guess by setting ac_cv_func_getgroups_works in a config.site file.
    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for working getgroups" >&5
  printf %s "checking for working getgroups... " >&6; }
  if test ${ac_cv_func_getgroups_works+y}
  then :
    printf %s "(cached) " >&6
  else case e in #(
--  e) if test "$cross_compiling" = yes
--then :
--  case "$host_os" in # ((
--			     # Guess yes on glibc systems.
--		     *-gnu*) ac_cv_func_getgroups_works="guessing yes" ;;
--			     # If we don't know, assume the worst.
--		     *)      ac_cv_func_getgroups_works="guessing no" ;;
--		   esac
--else case e in #(
--  e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext
--/* end confdefs.h.  */
--$ac_includes_default
--int
--main (void)
--{
--/* On Ultrix 4.3, getgroups (0, 0) always fails.  */
--       return getgroups (0, 0) == -1;
--  ;
--  return 0;
--}
--_ACEOF
--if ac_fn_c_try_run "$LINENO"
--then :
--  ac_cv_func_getgroups_works=yes
--else case e in #(
--  e) ac_cv_func_getgroups_works=no ;;
--esac
--fi
--rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
--  conftest.$ac_objext conftest.beam conftest.$ac_ext ;;
--esac
--fi
--
--    ;;
++  e) case $host_os in #(
++  ultrix* | nextstep*) :
++    ac_cv_func_getgroups_works=no # getgroups(0,0) fails
++ ;; #(
++  *) :
++    ac_cv_func_getgroups_works=yes ;;
++esac ;;
  esac
  fi
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_getgroups_works" >&5
@@ -21850,14 +22007,11 @@ printf "%s\n" "$ac_cv_func_getgroups_works" >&6; }
  else
    ac_cv_func_getgroups_works=no
  fi
--case "$ac_cv_func_getgroups_works" in
--  *yes)
++if test $ac_cv_func_getgroups_works = yes; then
  printf "%s\n" "#define HAVE_GETGROUPS 1" >>confdefs.h
--    ;;
--esac
--LIBS=$ac_save_LIBS
++fi
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for declarations of fseeko and ftello" >&5
  printf %s "checking for declarations of fseeko and ftello... " >&6; }
@@ -23822,6 +23976,33 @@ fi
  done
++  for ac_func in realpath
++do :
++  ac_fn_c_check_func "$LINENO" "realpath" "ac_cv_func_realpath"
++if test "x$ac_cv_func_realpath" = xyes
++then :
++  printf "%s\n" "#define HAVE_REALPATH 1" >>confdefs.h
++
++else case e in #(
++  e)
++    case " $LIBOBJS " in
++  *" realpath.$ac_objext "* ) ;;
++  *) LIBOBJS="$LIBOBJS realpath.$ac_objext"
++ ;;
++esac
++
++
++    for _sym in sudo_realpath; do
++	COMPAT_EXP="${COMPAT_EXP}${_sym}
++"
++    done
++
++ ;;
++esac
++fi
++
++done
++
    for ac_func in strlcpy
  do :
    ac_fn_c_check_func "$LINENO" "strlcpy" "ac_cv_func_strlcpy"
@@ -24637,6 +24818,7 @@ fi
++
      openssl_missing=no
      if test "${enable_openssl-no}" != no; then
  	# Use pkg-config to find the openssl cflags and libs if possible.
@@ -26245,7 +26427,7 @@ then :
  	printf "%s\n" "#define HAVE_GCRYPT 1" >>confdefs.h
  	DIGEST=digest_gcrypt.lo
--	LIBMD="-lgcrypt"
++	LIBCRYPTO="-lgcrypt"
  	if test "$enable_gcrypt" != "yes"
  then :
@@ -26501,7 +26683,7 @@ printf "%s\n" "#define SHA2_VOID_PTR 1" >>confdefs.h
    fi
--		    LIBMD="-lmd"
++		    LIBCRYPTO="-lmd"
  else case e in #(
    e)
@@ -28115,6 +28297,19 @@ else case e in #(
  esac
  fi
  printf "%s\n" "#define HAVE_DECL_SSIZE_MAX $ac_have_decl" >>confdefs.h
++ac_fn_check_decl "$LINENO" "SYMLOOP_MAX" "ac_cv_have_decl_SYMLOOP_MAX" "
++#include <sys/types.h>
++#include <limits.h>
++
++" "$ac_c_undeclared_builtin_options" "CFLAGS"
++if test "x$ac_cv_have_decl_SYMLOOP_MAX" = xyes
++then :
++  ac_have_decl=1
++else case e in #(
++  e) ac_have_decl=0 ;;
++esac
++fi
++printf "%s\n" "#define HAVE_DECL_SYMLOOP_MAX $ac_have_decl" >>confdefs.h
  ac_fn_check_decl "$LINENO" "SIZE_MAX" "ac_cv_have_decl_SIZE_MAX" "
  #include <sys/types.h>
@@ -28230,6 +28425,25 @@ printf "%s\n" "#define HAVE_DECL__POSIX_PATH_MAX $ac_have_decl" >>confdefs.h
  fi
++if test "$ac_cv_have_decl_SYMLOOP_MAX" != "yes"
++then :
++
++    ac_fn_check_decl "$LINENO" "_POSIX_SYMLOOP_MAX" "ac_cv_have_decl__POSIX_SYMLOOP_MAX" "
++#include <sys/types.h>
++#include <limits.h>
++
++" "$ac_c_undeclared_builtin_options" "CFLAGS"
++if test "x$ac_cv_have_decl__POSIX_SYMLOOP_MAX" = xyes
++then :
++  ac_have_decl=1
++else case e in #(
++  e) ac_have_decl=0 ;;
++esac
++fi
++printf "%s\n" "#define HAVE_DECL__POSIX_SYMLOOP_MAX $ac_have_decl" >>confdefs.h
++
++
++fi
    for ac_func in strsignal
@@ -31011,7 +31225,7 @@ fi
  	    with_ldap=yes
  	fi
--	SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo ldap_conf.lo"
++	SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo ldap_conf.lo ldap_innetgr.lo"
  	case "$SUDOERS_OBJS" in
  	    *ldap_util.lo*) ;;
  	    *) SUDOERS_OBJS="${SUDOERS_OBJS} ldap_util.lo";;
@@ -31223,7 +31437,7 @@ else case e in #(
  int
  main (void)
+ {
--(void)ldap_init(0, 0)
++return ldap_msgfree(NULL)
+   ;
    return 0;
+ }
@@ -33915,33 +34129,11 @@ else case e in #(
    e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext
  /* end confdefs.h.  */
--
--int
--main (void)
--{
--char buf[4]; (void)sprintf(buf, "%s", "foo");
--
--  ;
--  return 0;
--}
--_ACEOF
--if ac_fn_c_try_link "$LINENO"
--then :
--  sudo_cv_use_fortify_source=yes
--else case e in #(
--  e) sudo_cv_use_fortify_source=no
--		 ;;
--esac
--fi
--rm -f core conftest.err conftest.$ac_objext conftest.beam \
--    conftest$ac_exeext conftest.$ac_ext
--
--	    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
--/* end confdefs.h.  */
--
++		    #include <stdio.h>
  int
  main (void)
+ {
++char buf[4]; sprintf(buf, "%s", "foo"); return buf[0];
+   ;
    return 0;
@@ -35339,26 +35531,6 @@ while test X"$plugindir" != X"$_plugindir"; do
  done
  exec_prefix="$oexec_prefix"
--# Convert exampledir to something that can be used in the man pages
--# I wish there was a better way to expand this.
--EXAMPLES="$exampledir"
--while :; do
--    EXAMPLES="`echo \"$EXAMPLES\" | sed -e 's/(/{/g' -e 's/)/}/g'`"
--    case "$EXAMPLES" in
--    *\${[A-Za-z]*}*)
--	eval EXAMPLES="$EXAMPLES"
--	;;
--    *)
--	break
--	;;
--    esac
--done
--case "$EXAMPLES" in
--    NONE/*)
--	EXAMPLES="${ac_default_prefix}${EXAMPLES#NONE}"
--	;;
--esac
--
  if test X"$enable_intercept" != X"no"
  then :
@@ -35448,20 +35620,245 @@ SUDO_LIBS=${SUDO_LIBS# }
  SUDOERS_LIBS=${SUDOERS_LIBS# }
  if test X"$prefix" = X"NONE"; then
--    test "$mandir" = '${datarootdir}/man' && mandir='$(prefix)/man'
++    test X"$mandir" = X'${datarootdir}/man' && mandir='$(prefix)/man'
  else
--    test "$mandir" = '${datarootdir}/man' && mandir='$(datarootdir)/man'
--fi
--test "$bindir" = '${exec_prefix}/bin' && bindir='$(exec_prefix)/bin'
--test "$sbindir" = '${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin'
--test "$libexecdir" = '${exec_prefix}/libexec' && libexecdir='$(exec_prefix)/libexec'
--test "$includedir" = '${prefix}/include' && includedir='$(prefix)/include'
--test "$datarootdir" = '${prefix}/share' && datarootdir='$(prefix)/share'
--test "$docdir" = '${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
--test "$localedir" = '${datarootdir}/locale' && localedir='$(datarootdir)/locale'
--test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
--test "$runstatedir" = '${localstatedir}/run' && runstatedir='$(localstatedir)/run'
--test "$sysconfdir" = '${prefix}/etc' && sysconfdir='/etc'
++    test X"$mandir" = X'${datarootdir}/man' && mandir='$(datarootdir)/man'
++fi
++test X"$bindir" = X'${exec_prefix}/bin' && bindir='$(exec_prefix)/bin'
++test X"$sbindir" = X'${exec_prefix}/sbin' && sbindir='$(exec_prefix)/sbin'
++test X"$libexecdir" = X'${exec_prefix}/libexec' && libexecdir='$(exec_prefix)/libexec'
++test X"$includedir" = X'${prefix}/include' && includedir='$(prefix)/include'
++test X"$datarootdir" = X'${prefix}/share' && datarootdir='$(prefix)/share'
++test X"$docdir" = X'${datarootdir}/doc/${PACKAGE_TARNAME}' && docdir='$(datarootdir)/doc/$(PACKAGE_TARNAME)'
++test X"$localedir" = X'${datarootdir}/locale' && localedir='$(datarootdir)/locale'
++test X"$localstatedir" = X'${prefix}/var' && localstatedir='$(prefix)/var'
++test X"$runstatedir" = X'${localstatedir}/run' && runstatedir='$(localstatedir)/run'
++test X"$adminconfdir" = X'${prefix}/etc' && adminconfdir='$(prefix)/etc'
++test X"$sysconfdir" = X'${prefix}/etc' && sysconfdir='/etc'
++
++# The configuration file search path is to check adminconfdir first and
++# fall back to sysconfdir.  This can support systems with read-only
++# sysconfdir (/etc) that contains a set of default configuration files.
++
++    _sysconfdir="$sysconfdir"
++    while :; do
++	_sysconfdir="`echo \"$_sysconfdir\" | sed -e 's/(/{/g' -e 's/)/}/g'`"
++	case "$_sysconfdir" in
++	*\${[A-Za-z]*}*)
++	    eval _sysconfdir="$_sysconfdir"
++	    ;;
++	*)
++	    break
++	    ;;
++    esac
++done
++case "$_sysconfdir" in
++    NONE/*)
++        _sysconfdir="${ac_default_prefix}${_sysconfdir#NONE}"
++        ;;
++esac
++
++
++    _adminconfdir="$adminconfdir"
++    while :; do
++	_adminconfdir="`echo \"$_adminconfdir\" | sed -e 's/(/{/g' -e 's/)/}/g'`"
++	case "$_adminconfdir" in
++	*\${[A-Za-z]*}*)
++	    eval _adminconfdir="$_adminconfdir"
++	    ;;
++	*)
++	    break
++	    ;;
++    esac
++done
++case "$_adminconfdir" in
++    NONE/*)
++        _adminconfdir="${ac_default_prefix}${_adminconfdir#NONE}"
++        ;;
++esac
++
++if test $enable_adminconf = yes
++then :
++
++    # Only use adminconfdir if different from sysconfdir
++    if test X"$_sysconfdir" != X"$_adminconfdir"
++then :
++
++	cvtsudoers_conf='$(adminconfdir)/cvtsudoers.conf:'$cvtsudoers_conf
++	sudo_conf='$(adminconfdir)/sudo.conf:'$sudo_conf
++	sudo_logsrvd_conf='$(adminconfdir)/sudo_logsrvd.conf:'$sudo_logsrvd_conf
++	sudoers_path='$(adminconfdir)/sudoers:'$sudoers_path
++
++fi
++
++fi
++
++# Expand config file paths for use in pathnames.h (after config dir override)
++
++    as_save_IFS=$IFS
++    IFS=:
++    _sudo_define_path_res=
++    for as_dir in $cvtsudoers_conf; do
++
++    _sudo_define_path_exp="$as_dir"
++    while :; do
++	_sudo_define_path_exp="`echo \"$_sudo_define_path_exp\" | sed -e 's/(/{/g' -e 's/)/}/g'`"
++	case "$_sudo_define_path_exp" in
++	*\${[A-Za-z]*}*)
++	    eval _sudo_define_path_exp="$_sudo_define_path_exp"
++	    ;;
++	*)
++	    break
++	    ;;
++    esac
++done
++case "$_sudo_define_path_exp" in
++    NONE/*)
++        _sudo_define_path_exp="${ac_default_prefix}${_sudo_define_path_exp#NONE}"
++        ;;
++esac
++
++	if test -z "${_sudo_define_path_res}"; then
++	    _sudo_define_path_res="${_sudo_define_path_exp}"
++	else
++	    _sudo_define_path_res="${_sudo_define_path_res}:${_sudo_define_path_exp}"
++	fi
++    done
++    IFS=$as_save_IFS
++    cat >>confdefs.h <<EOF
++#define _PATH_CVTSUDOERS_CONF "${_sudo_define_path_res}"
++EOF
++
++
++
++    as_save_IFS=$IFS
++    IFS=:
++    _sudo_define_path_res=
++    for as_dir in $sudo_conf; do
++
++    _sudo_define_path_exp="$as_dir"
++    while :; do
++	_sudo_define_path_exp="`echo \"$_sudo_define_path_exp\" | sed -e 's/(/{/g' -e 's/)/}/g'`"
++	case "$_sudo_define_path_exp" in
++	*\${[A-Za-z]*}*)
++	    eval _sudo_define_path_exp="$_sudo_define_path_exp"
++	    ;;
++	*)
++	    break
++	    ;;
++    esac
++done
++case "$_sudo_define_path_exp" in
++    NONE/*)
++        _sudo_define_path_exp="${ac_default_prefix}${_sudo_define_path_exp#NONE}"
++        ;;
++esac
++
++	if test -z "${_sudo_define_path_res}"; then
++	    _sudo_define_path_res="${_sudo_define_path_exp}"
++	else
++	    _sudo_define_path_res="${_sudo_define_path_res}:${_sudo_define_path_exp}"
++	fi
++    done
++    IFS=$as_save_IFS
++    cat >>confdefs.h <<EOF
++#define _PATH_SUDO_CONF "${_sudo_define_path_res}"
++EOF
++
++
++
++    as_save_IFS=$IFS
++    IFS=:
++    _sudo_define_path_res=
++    for as_dir in $sudo_logsrvd_conf; do
++
++    _sudo_define_path_exp="$as_dir"
++    while :; do
++	_sudo_define_path_exp="`echo \"$_sudo_define_path_exp\" | sed -e 's/(/{/g' -e 's/)/}/g'`"
++	case "$_sudo_define_path_exp" in
++	*\${[A-Za-z]*}*)
++	    eval _sudo_define_path_exp="$_sudo_define_path_exp"
++	    ;;
++	*)
++	    break
++	    ;;
++    esac
++done
++case "$_sudo_define_path_exp" in
++    NONE/*)
++        _sudo_define_path_exp="${ac_default_prefix}${_sudo_define_path_exp#NONE}"
++        ;;
++esac
++
++	if test -z "${_sudo_define_path_res}"; then
++	    _sudo_define_path_res="${_sudo_define_path_exp}"
++	else
++	    _sudo_define_path_res="${_sudo_define_path_res}:${_sudo_define_path_exp}"
++	fi
++    done
++    IFS=$as_save_IFS
++    cat >>confdefs.h <<EOF
++#define _PATH_SUDO_LOGSRVD_CONF "${_sudo_define_path_res}"
++EOF
++
++
++
++    as_save_IFS=$IFS
++    IFS=:
++    _sudo_define_path_res=
++    for as_dir in $sudoers_path; do
++
++    _sudo_define_path_exp="$as_dir"
++    while :; do
++	_sudo_define_path_exp="`echo \"$_sudo_define_path_exp\" | sed -e 's/(/{/g' -e 's/)/}/g'`"
++	case "$_sudo_define_path_exp" in
++	*\${[A-Za-z]*}*)
++	    eval _sudo_define_path_exp="$_sudo_define_path_exp"
++	    ;;
++	*)
++	    break
++	    ;;
++    esac
++done
++case "$_sudo_define_path_exp" in
++    NONE/*)
++        _sudo_define_path_exp="${ac_default_prefix}${_sudo_define_path_exp#NONE}"
++        ;;
++esac
++
++	if test -z "${_sudo_define_path_res}"; then
++	    _sudo_define_path_res="${_sudo_define_path_exp}"
++	else
++	    _sudo_define_path_res="${_sudo_define_path_res}:${_sudo_define_path_exp}"
++	fi
++    done
++    IFS=$as_save_IFS
++    cat >>confdefs.h <<EOF
++#define _PATH_SUDOERS "${_sudo_define_path_res}"
++EOF
++
++
++
++# Convert exampledir to something that can be used in the man pages
++
++    EXAMPLES="$exampledir"
++    while :; do
++	EXAMPLES="`echo \"$EXAMPLES\" | sed -e 's/(/{/g' -e 's/)/}/g'`"
++	case "$EXAMPLES" in
++	*\${[A-Za-z]*}*)
++	    eval EXAMPLES="$EXAMPLES"
++	    ;;
++	*)
++	    break
++	    ;;
++    esac
++done
++case "$EXAMPLES" in
++    NONE/*)
++        EXAMPLES="${ac_default_prefix}${EXAMPLES#NONE}"
++        ;;
++esac
++
  if test X"$INIT_SCRIPT" != X""
  then :
@@ -35597,12 +35994,6 @@ then :
    enableval=$enable_year2038;
  fi
--# Check whether --enable-largefile was given.
--if test ${enable_largefile+y}
--then :
--  enableval=$enable_largefile;
--fi
--
  : "${CONFIG_STATUS=./config.status}"
  ac_write_fail=0
@@ -35996,8 +36387,8 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
  # report actual input values of CONFIG_FILES etc. instead of their
  # values after options handling.
  ac_log="
--This file was extended by sudo $as_me 1.9.13p3, which was
--generated by GNU Autoconf 2.72a.  Invocation command line was
++This file was extended by sudo $as_me 1.9.14p2, which was
++generated by GNU Autoconf 2.72c.  Invocation command line was
    CONFIG_FILES    = $CONFIG_FILES
    CONFIG_HEADERS  = $CONFIG_HEADERS
@@ -36064,8 +36455,8 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
  cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
  ac_cs_config='$ac_cs_config_escaped'
  ac_cs_version="\\
--sudo config.status 1.9.13p3
--configured by $0, generated by GNU Autoconf 2.72a,
++sudo config.status 1.9.14p2
++configured by $0, generated by GNU Autoconf 2.72c,
    with options \\"\$ac_cs_config\\"
  Copyright (C) 2023 Free Software Foundation, Inc.
@@ -37668,13 +38059,14 @@ fi
  echo "" >&6
  echo "Configured Sudo version $PACKAGE_VERSION" >&6
  echo " Compiler settings:" >&6
--echo "  prefix			: $prefix" >&6
  echo "  compiler			: $CC" >&6
  echo "  compiler options		: $CFLAGS" >&6
  echo "  preprocessor options		: $CPPFLAGS" >&6
  echo "  front-end libraries		: $SUDO_LIBS" >&6
  echo "  front-end linker options	: $SUDO_LDFLAGS" >&6
  echo "  network libraries		: $NET_LIBS" >&6
++echo "  Crypto library		: $LIBCRYPTO" >&6
++echo "  TLS libraries			: $LIBTLS" >&6
  echo "  extra libraries		: $LIBS" >&6
  echo "  extra linker options		: $LDFLAGS" >&6
  echo "  sudoers libraries		: $SUDOERS_LIBS" >&6
@@ -37774,18 +38166,30 @@ echo "  mail if user not in sudoers	: ${mail_no_user}" >&6
  echo "  mail if user not on host	: ${mail_no_host}" >&6
  echo "  mail if command not allowed	: ${mail_no_perms}" >&6
  echo " Pathnames:" >&6
--echo "  log directory			: ${log_dir}" >&6
--echo "  plugin directory		: ${plugindir}" >&6
--echo "  sudoers plugin			: ${sudoers_plugin}" >&6
--if test "${enable_python-no}" != "no"; then
--    echo "  python plugin			: ${python_plugin}" >&6
++echo "  prefix			: $prefix" >&6
++echo "  sysconfdir			: $_sysconfdir" >&6
++if test "${enable_adminconf-no}" != "no"; then
++    echo "  adminconfdir			: $_adminconfdir" >&6
  fi
++echo "  log directory			: ${log_dir}" >&6
  echo "  run directory			: ${rundir}" >&6
  echo "  var directory			: ${vardir}" >&6
  echo "  I/O log directory		: ${iolog_dir}" >&6
  echo "  sudo_logsrvd relay directory	: ${relay_dir}" >&6
--echo "  time zone directory		: ${tzdir}" >&6
++if test X"$with_exampledir" != X""; then
++    echo "  exampledir			: $exampledir" >&6
++fi
++echo "  plugin directory		: ${plugindir}" >&6
++echo "  sudoers plugin		: ${sudoers_plugin}" >&6
++if test "${enable_python-no}" != "no"; then
++    echo "  python plugin			: ${python_plugin}" >&6
++fi
++echo "  sudoers file			: ${sudoers_path}" >&6
++echo "  cvtsudoers.conf file		: ${cvtsudoers_conf}" >&6
++echo "  sudo.conf file		: ${sudo_conf}" >&6
++echo "  sudo_logsrvd.conf file	: ${sudo_logsrvd_conf}" >&6
  echo "  path to sendmail		: ${with_sendmail}" >&6
++echo "  time zone directory		: ${tzdir}" >&6
  if test -n "$TMPFILES_D"; then
      echo "  systemd tempfiles dir	: ${TMPFILES_D}" >&6
  fi
@@ -37794,7 +38198,7 @@ if test ${with_netsvc-"no"} != "no"; then
  elif test ${with_nsswitch-"yes"} != "no"; then
      echo "  nsswitch file			: ${nsswitch_conf}" >&6
  fi
--echo "  intercept file			: ${intercept_file}" >&6
++echo "  intercept file		: ${intercept_file}" >&6
  echo "  noexec file			: ${noexec_file}" >&6
  echo "  secure path			: ${with_secure_path-no}" >&6
  echo "  askpass helper file		: ${with_askpass-no}" >&6
@@ -37995,4 +38399,3 @@ fi
--
 diff --git a/configure.ac b/configure.ac
 index 8bb5c07..687a3bd 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -18,120 +18,120 @@ dnl ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  dnl OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  dnl
  AC_PREREQ([2.69])
--AC_INIT([sudo], [1.9.13p3], [https://bugzilla.sudo.ws/], [sudo])
++AC_INIT([sudo], [1.9.14p2], [https://bugzilla.sudo.ws/], [sudo])
  AC_CONFIG_HEADERS([config.h pathnames.h])
  AC_CONFIG_SRCDIR([src/sudo.c])
  AC_CONFIG_AUX_DIR([scripts])
  dnl
  dnl Variables that get substituted in the Makefile and man pages
  dnl
--AC_SUBST([SHELL])
--AC_SUBST([LIBTOOL])
--AC_SUBST([CFLAGS])
--AC_SUBST([PROGS])
--AC_SUBST([CPPFLAGS])
--AC_SUBST([LDFLAGS])
--AC_SUBST([SUDO_LDFLAGS])
--AC_SUBST([SUDOERS_LDFLAGS])
--AC_SUBST([LIBUTIL_LDFLAGS])
--AC_SUBST([ZLIB_LDFLAGS])
--AC_SUBST([LT_LDFLAGS])
--AC_SUBST([LT_LDDEP])
--AC_SUBST([LT_LDEXPORTS])
--AC_SUBST([LT_STATIC])
--AC_SUBST([LT_DEP_LIBS])
--AC_SUBST([COMMON_OBJS])
--AC_SUBST([SUDOERS_LT_STATIC])
--AC_SUBST([SUDOERS_OBJS])
--AC_SUBST([SUDO_OBJS])
--AC_SUBST([LIBS])
--AC_SUBST([SUDO_LIBS])
--AC_SUBST([SUDOERS_LIBS])
--AC_SUBST([STATIC_SUDOERS])
--AC_SUBST([NET_LIBS])
--AC_SUBST([AFS_LIBS])
--AC_SUBST([REPLAY_LIBS])
--AC_SUBST([GETGROUPS_LIB])
--AC_SUBST([AUTH_OBJS])
--AC_SUBST([MANTYPE])
--AC_SUBST([MANDIRTYPE])
--AC_SUBST([MANCOMPRESS])
--AC_SUBST([MANCOMPRESSEXT])
--AC_SUBST([SHLIB_ENABLE])
--AC_SUBST([SHLIB_MODE])
--AC_SUBST([SUDOERS_MODE])
--AC_SUBST([SUDOERS_UID])
--AC_SUBST([SUDOERS_GID])
--AC_SUBST([DEVEL])
--AC_SUBST([EXAMPLES])
--AC_SUBST([BAMAN])
--AC_SUBST([LCMAN])
--AC_SUBST([PSMAN])
--AC_SUBST([SEMAN])
--AC_SUBST([AAMAN])
--AC_SUBST([devdir])
--AC_SUBST([mansectsu])
--AC_SUBST([mansectform])
--AC_SUBST([mansectmisc])
--AC_SUBST([INTERCEPTFILE])
--AC_SUBST([INTERCEPTDIR])
--AC_SUBST([intercept_file])
--AC_SUBST([NOEXECFILE])
--AC_SUBST([NOEXECDIR])
--AC_SUBST([noexec_file])
--AC_SUBST([sesh_file])
--AC_SUBST([INSTALL_BACKUP])
--AC_SUBST([INSTALL_INTERCEPT])
--AC_SUBST([INSTALL_NOEXEC])
--AC_SUBST([PRELOAD_MODULE])
--AC_SUBST([DONT_LEAK_PATH_INFO])
--AC_SUBST([BSDAUTH_USAGE])
--AC_SUBST([SELINUX_USAGE])
--AC_SUBST([LDAP])
--AC_SUBST([LOGINCAP_USAGE])
--AC_SUBST([ZLIB])
--AC_SUBST([ZLIB_SRC])
--AC_SUBST([LIBTOOL_DEPS])
--AC_SUBST([CONFIGURE_ARGS])
--AC_SUBST([LIBDL])
--AC_SUBST([LIBRT])
--AC_SUBST([LIBINTL])
--AC_SUBST([LIBCRYPTO])
--AC_SUBST([LIBMD])
--AC_SUBST([LIBTLS])
--AC_SUBST([LIBPTHREAD])
--AC_SUBST([SUDO_NLS])
--AC_SUBST([LOCALEDIR_SUFFIX])
--AC_SUBST([COMPAT_TEST_PROGS])
--AC_SUBST([SUDOERS_TEST_PROGS])
--AC_SUBST([CROSS_COMPILING])
--AC_SUBST([ASAN_LDFLAGS])
--AC_SUBST([ASAN_CFLAGS])
--AC_SUBST([PIE_LDFLAGS])
--AC_SUBST([PIE_CFLAGS])
--AC_SUBST([HARDENING_LDFLAGS])
--AC_SUBST([HARDENING_CFLAGS])
--AC_SUBST([INIT_SCRIPT])
--AC_SUBST([INIT_DIR])
--AC_SUBST([RC_LINK])
--AC_SUBST([COMPAT_EXP])
--AC_SUBST([TMPFILES_D])
--AC_SUBST([exampledir])
--AC_SUBST([DIGEST])
--AC_SUBST([devsearch])
--AC_SUBST([SIGNAME])
--AC_SUBST([PYTHON_PLUGIN])
--AC_SUBST([PYTHON_PLUGIN_SRC])
--AC_SUBST([LOGSRV])
--AC_SUBST([LOGSRV_SRC])
--AC_SUBST([LOGSRVD_SRC])
--AC_SUBST([LOGSRVD_CONF])
--AC_SUBST([LIBLOGSRV])
--AC_SUBST([PPFILES])
--AC_SUBST([FUZZ_ENGINE])
--AC_SUBST([FUZZ_LD])
--AC_SUBST([INTERCEPT_EXP])
--
++AC_SUBST([PROGS], [sudo])dnl
++AC_SUBST([SUDO_LDFLAGS])dnl
++AC_SUBST([SUDOERS_LDFLAGS])dnl
++AC_SUBST([LIBUTIL_LDFLAGS])dnl
++AC_SUBST([ZLIB_LDFLAGS])dnl
++AC_SUBST([LT_LDFLAGS])dnl
++AC_SUBST([LT_LDDEP], ["\$(shlib_exp)"])dnl
++AC_SUBST([LT_LDEXPORTS], ["-export-symbols \$(shlib_exp)"])dnl
++AC_SUBST([LT_STATIC])dnl
++AC_SUBST([LT_DEP_LIBS])dnl
++AC_SUBST([COMMON_OBJS])dnl
++AC_SUBST([SUDOERS_LT_STATIC])dnl
++AC_SUBST([SUDOERS_OBJS])dnl
++AC_SUBST([SUDO_OBJS])dnl
++AC_SUBST([SUDO_LIBS])dnl
++AC_SUBST([SUDOERS_LIBS])dnl
++AC_SUBST([STATIC_SUDOERS])dnl
++AC_SUBST([NET_LIBS])dnl
++AC_SUBST([AFS_LIBS])dnl
++AC_SUBST([REPLAY_LIBS])dnl
++AC_SUBST([GETGROUPS_LIB])dnl
++AC_SUBST([AUTH_OBJS])dnl
++AC_SUBST([MANTYPE])dnl
++AC_SUBST([MANDIRTYPE])dnl
++AC_SUBST([MANCOMPRESS])dnl
++AC_SUBST([MANCOMPRESSEXT])dnl
++AC_SUBST([SHLIB_ENABLE])dnl
++AC_SUBST([SHLIB_MODE])dnl
++AC_SUBST([SUDOERS_MODE])dnl
++AC_SUBST([SUDOERS_UID])dnl
++AC_SUBST([SUDOERS_GID])dnl
++AC_SUBST([DEVEL])dnl
++AC_SUBST([EXAMPLES])dnl
++AC_SUBST([BAMAN], [0])dnl
++AC_SUBST([LCMAN], [0])dnl
++AC_SUBST([PSMAN], [0])dnl
++AC_SUBST([SEMAN], [0])dnl
++AC_SUBST([AAMAN], [0])dnl
++AC_SUBST([devdir], ['$(srcdir)'])dnl
++AC_SUBST([mansectsu])dnl
++AC_SUBST([mansectform])dnl
++AC_SUBST([mansectmisc])dnl
++AC_SUBST([INTERCEPTFILE])dnl
++AC_SUBST([INTERCEPTDIR])dnl
++AC_SUBST([intercept_file])dnl
++AC_SUBST([NOEXECFILE])dnl
++AC_SUBST([NOEXECDIR])dnl
++AC_SUBST([noexec_file])dnl
++AC_SUBST([sesh_file])dnl
++AC_SUBST([INSTALL_BACKUP])dnl
++AC_SUBST([INSTALL_INTERCEPT])dnl
++AC_SUBST([INSTALL_NOEXEC])dnl
++AC_SUBST([PRELOAD_MODULE], ['-module'])dnl
++AC_SUBST([DONT_LEAK_PATH_INFO])dnl
++AC_SUBST([BSDAUTH_USAGE])dnl
++AC_SUBST([SELINUX_USAGE])dnl
++AC_SUBST([LDAP], ['#'])dnl
++AC_SUBST([LOGINCAP_USAGE])dnl
++AC_SUBST([ZLIB])dnl
++AC_SUBST([ZLIB_SRC])dnl
++AC_SUBST([LIBTOOL_DEPS])dnl
++AC_SUBST([LIBDL])dnl
++AC_SUBST([LIBRT])dnl
++AC_SUBST([LIBINTL])dnl
++AC_SUBST([LIBCRYPTO])dnl
++AC_SUBST([LIBTLS])dnl
++AC_SUBST([LIBPTHREAD])dnl
++AC_SUBST([SUDO_NLS], [disabled])dnl
++AC_SUBST([LOCALEDIR_SUFFIX])dnl
++AC_SUBST([COMPAT_TEST_PROGS])dnl
++AC_SUBST([SUDOERS_TEST_PROGS])dnl
++AC_SUBST([CROSS_COMPILING])dnl
++AC_SUBST([ASAN_LDFLAGS])dnl
++AC_SUBST([ASAN_CFLAGS])dnl
++AC_SUBST([PIE_LDFLAGS])dnl
++AC_SUBST([PIE_CFLAGS])dnl
++AC_SUBST([HARDENING_LDFLAGS])dnl
++AC_SUBST([HARDENING_CFLAGS])dnl
++AC_SUBST([INIT_SCRIPT])dnl
++AC_SUBST([INIT_DIR])dnl
++AC_SUBST([RC_LINK])dnl
++AC_SUBST([COMPAT_EXP])dnl
++AC_SUBST([TMPFILES_D])dnl
++AC_SUBST([exampledir], ['$(docdir)/examples'])dnl
++AC_SUBST([adminconfdir], ['$(prefix)/etc'])dnl
++AC_SUBST([DIGEST])dnl
++AC_SUBST([devsearch])dnl
++AC_SUBST([SIGNAME])dnl
++AC_SUBST([PYTHON_PLUGIN], ['#'])dnl
++AC_SUBST([PYTHON_PLUGIN_SRC])dnl
++AC_SUBST([LOGSRV])dnl
++AC_SUBST([LOGSRV_SRC], ['lib/logsrv'])dnl
++AC_SUBST([LOGSRVD_SRC], ['logsrvd'])dnl
++AC_SUBST([LOGSRVD_CONF], ['sudo_logsrvd.conf'])dnl
++AC_SUBST([LIBLOGSRV], ['$(top_builddir)/lib/logsrv/liblogsrv.la $(top_builddir)/lib/protobuf-c/libprotobuf-c.la'])dnl
++AC_SUBST([PPFILES], ['$(srcdir)/etc/sudo.pp'])dnl
++AC_SUBST([FUZZ_ENGINE])dnl
++AC_SUBST([FUZZ_LD], ['$(CC)'])dnl
++AC_SUBST([INTERCEPT_EXP])dnl
++dnl
++dnl Config file paths
++dnl Either a single file or a colon-separated list of paths.
++dnl
++AC_SUBST([cvtsudoers_conf], ['$(sysconfdir)/cvtsudoers.conf'])dnl
++AC_SUBST([sudo_conf], ['$(sysconfdir)/sudo.conf'])dnl
++AC_SUBST([sudo_logsrvd_conf], ['$(sysconfdir)/sudo_logsrvd.conf'])dnl
++AC_SUBST([sudoers_path], ['$(sysconfdir)/sudoers'])dnl
  dnl
  dnl Variables that get substituted in docs (not overridden by environment)
  dnl
@@ -239,65 +239,23 @@ dnl
  dnl Initial values for Makefile variables listed above
  dnl May be overridden by environment variables..
  dnl
--INSTALL_BACKUP=
--INSTALL_INTERCEPT=
--INSTALL_NOEXEC=
--PRELOAD_MODULE=-module
--exampledir='$(docdir)/examples'
--devdir='$(srcdir)'
--PROGS="sudo"
  : ${MANDIRTYPE='man'}
  : ${SHLIB_MODE='0644'}
  : ${SUDOERS_MODE='0440'}
  : ${SUDOERS_UID='0'}
  : ${SUDOERS_GID='0'}
--DEVEL=
--LDAP="#"
--BAMAN=0
--LCMAN=0
--PSMAN=0
--SEMAN=0
--AAMAN=0
--LIBINTL=
--LIBCRYPTO=
--LIBMD=
--LIBTLS=
--ZLIB=
--ZLIB_SRC=
--AUTH_OBJS=
++dnl
++dnl Other variables
++dnl
++CONFIGURE_ARGS="$@"
  AUTH_REG=
  AUTH_EXCL=
  AUTH_EXCL_DEF=
  AUTH_DEF=passwd
--SUDO_NLS=disabled
--LOCALEDIR_SUFFIX=
--LT_LDEXPORTS="-export-symbols \$(shlib_exp)"
--LT_LDDEP="\$(shlib_exp)"
--OS_INIT=os_init_common
--INIT_SCRIPT=
--INIT_DIR=
--RC_LINK=
--COMPAT_EXP=
--SIGNAME=
--FUZZ_ENGINE=
--FUZZ_LD='$(CC)'
--INTERCEPT_EXP=
--dnl
--dnl Other variables
--dnl
--WEAK_ALIAS=no
  CHECKSHADOW=true
  shadow_funcs=
  shadow_libs=
--TMPFILES_D=
--CONFIGURE_ARGS="$@"
--PYTHON_PLUGIN=#
--LOGSRVD=
--LOGSRVD_SRC=logsrvd
--LOGSRV_SRC=lib/logsrv
--LOGSRVD_CONF='sudo_logsrvd.conf'

Ubuntusudo package

Merge ~danilogondolfo/ubuntu/+source/sudo:merge-lp2030914-mantic into ubuntu/+source/sudo:ubuntu/devel

Commit message

Description of the change

Unmerged commits

Preview Diff

Subscribers

Ubuntu
sudo package