Sync from SUSE:SLFO:Main sudo revision 2e0d34ac30e490d545a77a4287d63a75

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

50-wheel-auth-self.conf

@@ -0,0 +1,2 @@
+Defaults:%wheel !targetpw
+%wheel ALL = (root) ALL

51-wheel.rules

@@ -0,0 +1 @@
+polkit._suse_admin_groups.push("wheel");

README.SUSE

@@ -0,0 +1,7 @@
+In the default (ie unconfigured) configuration sudo asks for root password.
+This allows to use an ordinary user account for administration of a freshly
+installed system. When configuring sudo, please make sure to delete the two
+following lines:
+
+Defaults targetpw    # ask for the password of the target user i.e. root
+%users ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

README_313276.test

@@ -0,0 +1,19 @@
+To verify that sudo works with SSSD,
+there's has to be a working LDAP server where the sudoers file
+will be saved, local running SSSD and sudo configured to use
+the SSSD plugin.
+
+The sudoers file has to be stored in LDAP.
+A [sudo] service has to be configured in /etc/sssd/sssd.conf
+Sudo needs to be instructed to use SSSD, this is done in /etc/nsswitch.conf,
+by adding a line "sudoers: files sss"
+
+Related material:
+
+/usr/share/doc/packages/sudo/README.LDAP provides a guide how to
+make sudo work with LDAP.
+
+man sudoers.ldap(5) describes the LDAP-based sudoers file
+
+man sssd-ldap(5) describes the LDAP sudo options.
+

fate_313276_test.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+if [ $(id -u) -ne 0 ]; then
+	printf "Please run the test as root.\n"
+	exit 1
+fi
+
+if sudo -V | grep -q -- --with-sssd; then
+	printf "OK: Sudo has support for SSSD compiled in.\n"
+	exit 0
+fi
+
+printf "Error: SSSD support isn't compiled in.\n"
+exit 1

sudo-i.pamd

@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth     include        common-auth
+account  include        common-account
+password include        common-password
+session  optional       pam_keyinit.so force revoke
+session  include        common-session
+# session  optional       pam_xauth.so

sudo-sudoers.patch

@@ -0,0 +1,89 @@
+Index: sudo-1.9.15p2/plugins/sudoers/sudoers.in
+===================================================================
+--- sudo-1.9.15p2.orig/plugins/sudoers/sudoers.in
++++ sudo-1.9.15p2/plugins/sudoers/sudoers.in
+@@ -41,32 +41,23 @@
+ ##
+ ## Defaults specification
+ ##
+-## You may wish to keep some of the following environment variables
+-## when running commands via sudo.
+-##
+-## Locale settings
+-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
+-##
+-## Run X applications through sudo; HOME is used to find the
+-## .Xauthority file.  Note that other programs use HOME to find   
+-## configuration files and this may lead to privilege escalation!
+-# Defaults env_keep += "HOME"
+-##
+-## X11 resource path settings
+-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
+-##
+-## Desktop path settings
+-# Defaults env_keep += "QTDIR KDEDIR"
+-##
+-## Allow sudo-run commands to inherit the callers' ConsoleKit session
+-# Defaults env_keep += "XDG_SESSION_COOKIE"
+-##
+-## Uncomment to enable special input methods.  Care should be taken as
+-## this may allow users to subvert the command being run via sudo.
+-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+-##
+-## Uncomment to use a hard-coded PATH instead of the user's to find commands
+-# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
++## Prevent environment variables from influencing programs in an
++## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
++Defaults always_set_home
++Defaults env_reset
++## Change env_reset to !env_reset in previous line to keep all environment variables
++## Following list will no longer be necessary after this change
++Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
++## Comment out the preceding line and uncomment the following one if you need
++## to use special input methods. This may allow users to compromise the root
++## account if they are allowed to run commands without authentication.
++#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
++
++## Do not insult users when they enter an incorrect password.
++Defaults !insults
++
++## Use this PATH instead of the user's to find commands.
++Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
+ ##
+ ## Uncomment to restore the historic behavior where a command is run in
+ ## the user's own terminal.
+@@ -81,7 +72,6 @@
+ ## Set maxseq to a smaller number if you don't have unlimited disk space.
+ # Defaults log_output
+ # Defaults!/usr/bin/sudoreplay !log_output
+-# Defaults!/usr/local/bin/sudoreplay !log_output
+ # Defaults!REBOOT !log_output
+ # Defaults maxseq = 1000
+ ##
+@@ -95,6 +85,12 @@
+ ## slower by these options and also can clutter up the logs.
+ # Defaults!PKGMAN !intercept, !log_subcmds
+ 
++## In the default (unconfigured) configuration, sudo asks for the root password.
++## This allows use of an ordinary user account for administration of a freshly
++## installed system.
++Defaults targetpw   # ask for the password of the target user i.e. root
++ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
++
+ ##
+ ## Runas alias specification
+ ##
+@@ -110,13 +106,5 @@ root ALL=(ALL:ALL) ALL
+ ## Same thing without a password
+ # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
+ 
+-## Uncomment to allow members of group sudo to execute any command
+-# %sudo	ALL=(ALL:ALL) ALL
+-
+-## Uncomment to allow any user to run sudo if they know the password
+-## of the user they are running the command as (root by default).
+-# Defaults targetpw  # Ask for the password of the target user
+-# ALL ALL=(ALL:ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
+-
+ ## Read drop-in files from @sysconfdir@/sudoers.d
+ @includedir @sysconfdir@/sudoers.d

sudo.keyring

@@ -0,0 +1,79 @@
+pub   1024D/0x5A89DFA27EE470C4 2002-10-02
+uid                 [ unknown] Todd C. Miller <Todd.Miller@courtesan.com>
+sub   1024g/0x4ACA1697D017E72F 2002-10-02
+
+pub   4096R/0xA9F4C021CEA470FB 2017-12-03
+uid                 [ unknown] Todd C. Miller <Todd.Miller@sudo.ws>
+sub   4096R/0x8BBF1A6CF4565623 2017-12-03
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQGiBD2bdiURBACyoSsYq9t8jiLnhABRZcgDP2vaoJoGJD3eb9HNsv2+0IrcHaut
+s1QR1AY88AGTMnQTFWjH1vIXz/YCKnvgqklfbVCMehvkOUKvGv2eP7IkmWvVPIQb
+kayHCtChOKW86hqxZXyT8sbBJqHGHq7xBbg71uZ/CSaTY3ATencRX+UndwCg6ujz
+FFQhKoVwnPdYPkYA10kp2UsD/2Act3O9UJabaln5MLqLQrxo1Cqa3+ht4liAAOr3
+psMPcieyIULQ4yE19Jvb90s2sao88BUPVeDxBHV/nhcNQxlH4Boc+kWtU36XSxU3
+yrUhZDQIvrM4o1yCSgNSwUM88+qYm6ETAT0sZAiFT9biMjsT4Bw13KihyYtE2L36
+LdXOA/9MEH8zWRqUjQMt4X1yKTjwmIotAd9xetVNj+4lfTgmsnlZoex7T94Id0+B
+FDDSj4gpQ7GpFa0qOQgTyaUo5HgoPFw4F9TjebWiyey2SznIw4960KoAwfSTdSOG
+GoD96xuBsmQGCfdIFW43SJngXKiOpF/3VHoUxGYhTefOSGHAvLQqVG9kZCBDLiBN
+aWxsZXIgPFRvZGQuTWlsbGVyQGNvdXJ0ZXNhbi5jb20+iFkEExECABkFAj2bdiUE
+CwcDAgMVAgMDFgIBAh4BAheAAAoJEFqJ36J+5HDEQigAoLdD+y5EQzvogb6oybhC
+pBBmefqYAKDGlnXX7JNBJYBv/r5TBg4+zLOOL7kBDQQ9m3YnEAQAzhN0fOfOz3+z
+m0rHJ+hCW06ME9W1UWTgPdkh6izMO29j5tsq7MDOEoiBA8fGNV9+1nqXS3PWsYpP
+qnm+Yx/8zHPsepiOWe3UaJruBfFT8BlGSzN6p9aO1liQOnv57XouRab5tUFZPDM7
+ADHGAlruyvZjzywj/v6FWNoY6DLiqosAAwUEAKSap7csw/skFED0lF/lsllvmRa7
+4kd/lEYGPB62Cyau/4nucrnZrBNP7wSIdpCLzQxq6l/j/vP5aUV8qN2W6+DY1CZA
+rodtZKPUNGHCdop9ZcskEx6eOG2ivYpgn0z6scoXUJ4g5kCSshzPedG4DOLHFMtE
+hVDWxnHdtn0UFCntiEYEGBECAAYFAj2bdicACgkQWonfon7kcMTOeACgmCPD1Is5
+KhRmc+7kY4ILfdUX5OUAn2mdSBk/pObAfpdPzasJT7QxIQFLmQINBFokaiQBEADM
+mTjkUBpTgLLiv85lz0UGmgVj39si2Gd3RC2/qz3UmHhS0qnL4x3LejZQOifaevT3
+wIgOjU+YtyHleW2lZp0a/ndtFgXHeVJTQ12Ej5NbOHBFECWkWyXj1Rv/vBopI7Ox
+ERjAjoUQLSu6nsksclYoO0pZywm+K17os1i5Qbi0djdYjHT5Asiqnef5g02a8DJz
+QCq37VM046gFRhnp/unJoi4iexpjH/HL4tlRO7/3pDwV6MFVWDhNcrlP6AnmSzYb
+Fv8Nt4MsbWU0oYa1TtRmuqxn5R/Lb9i4Uj793qZz3I/cDqv78kd3lRJ5TbjXR1D2
+alhGVP6+0KWOKd5rpDSwYNojwKdVI6faJUOjRRSHGmZiNYFWp5UXDQUeFXmzEFWa
+XgIXbmH0SqpVkKvwhH/sn0G3ryLXnPizjM3RSmoxSzpJNTHBFGPBLd9eJ724IvF5
+Qigo8IdpPTZUv7EHmK2va97nH+AK7HDAPWTsOpM49CZXy1xz9N8Be3I8ayUgMO6a
+VuAKpQFGEpuNGq+DCvyUOyVa5jeEf50wWHXBMPlVjdZK/46aNKmg9YyGDmZn1YIG
+eAc6mhW0yM/+vvz9Wof5+RHHOBbVmAI7e7Mm7gR6xLZ0zty9FdPtEvxPnzzPIBjS
+tPxvFr3j/9maW7iJNX1c/FTqXY+VAfUy7mpvrEZrGQARAQABtCRUb2RkIEMuIE1p
+bGxlciA8VG9kZC5NaWxsZXJAc3Vkby53cz6JAk4EEwEIADgWIQRZ0enMuis3ZwT9
+01up9MAhzqRw+wUCWiRqJAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRCp
+9MAhzqRw+5TmEACtyNWwMIfo/0okILNHryc61nA96XznSsQS9u5AaRN06l6dp+1i
+x7FrSlXvCq1Oq7kajsF8Nnq9y2r7Os9ZsZSwGF1JGTt/qBT8N+Y+pEIe7igTSxv3
+UJINuY2uQvR6y7GOmvMVHvLUAR48WXhS3w4UVlBfDx4UEuLFocurDsNgqYBEv3QY
+ORUNCVMZlJg6/d8X3KpAK+Og3V13L8NjqZ546sRZub42FjJhxNh1mKLU+Q1Y+9Jm
+B3EMBBOTY+OAnwQJiLcW3l1RdA8d2wTQ3+CnwywJrcUm3yKwMGgPxs8+ywol9B2G
+5DtXYO82Flzfzb8kHQ6JRKBFVa3dz2NZt82VIIovfEl90zvBaEJVlNH/XH5qsVLY
+LHB/NZUwxxz573HSMW4YCQgZZWaZ0byjb27KYd6S7Tj/DV5uQvVmGcRQ7sAcJoKV
+G3XVlm+n5XnCWXddySOtt3XZbByIAyC5iu8LuLjCauO0sUX0L4yKnc0e4bqCglIm
+JGZuuOL5tLYOL7Bd/RWj2uC+dpPaol6VAefGDUv8GqKa+Y28FRXKVvxcQwLYLm4D
+A6hYV9f/0RjjPT/8VDk/dfytydhpaDnNu1nieAa5lx3/BPYPiuLgWg4DXpfW4IIG
+IMaEULDOfN7xOELfbTnIru89aWc+kqdzfrMPhLwxClHg2JWrjuE+BPzMXrkCDQRa
+JGokARAAxGZu+BKBt8rY8lF/7wQBfrqx2nlUTvdMlmUELT3e8Gw/z7+qArjYn+Xm
+7TTh490KMaATKFnDol0vfvlMXre4hyCC1/+B2qjEKiUCvVhwmKQFNV3pmbugTlbd
+EnHuf5sbzU32HWb2x2L4jMcrN97CQq6qx65S05uo7TS7DM7xPUCrGZKeXvlQVmJv
+0gH3symIy2ZQoLtTYyMoaDfifKLHbQfR2WSxPy7cb6mjX1jMOD8dGGazLDGohCDp
+Lhs4MbFTjwh1PBhFETBbAh5/ElNefpfT25w7RkPaMLiXmxTSQu/uugldjAsz5uQ8
+D39TueoeFymBOUH76dM1VewNzHxZTp0GpnOfvhtleKg/870tNhLphf811g1HxeNM
++W9oU5kY/dcFo71SHwuVzMSGU3QOuJmLso3epFsMfs5mDML8UT+gXZgI2gfu0VPj
+a4ashJ6Pd+OUpH7awFNLa7CoGILpBTIN1xxUCyzk1DNkscWYCgMUobdSEi/W59iC
+PlrDW5tPCfIzTA06F6WhjFKoYaM9oqBM113J9j+t4FK7gkrao9ksF6eKaohNEiGJ
+WRFJUwHf1jiHWafwZTAm1ZE9yuUksBbWrcEYdoak4CRcc1BaZWNd4PKn9IFoFSjb
+e8WAGoRLcv0sNujmN+UiQ+LesIUw3QA0YWXsN9sijUxroC/ClZMAEQEAAYkCNgQY
+AQgAIBYhBFnR6cy6KzdnBP3TW6n0wCHOpHD7BQJaJGokAhsMAAoJEKn0wCHOpHD7
+ok0QAJSNCcZAUTmQRlhncToRg6lLqwgIDx/GLYq6F/WDYn6Me2QalyUskpFX12qm
+JBlaMFHAus7bhbtyQBcEmPW9MY+HhItvRYXpKMbgEdxnMvD5uY+zDHiScRECH8gt
+Zy8Uld0HiCy2aWgwt3LtVRuLu/wt5KsLq1s9zpEHQ0P9AHnz+EWFArCHCC8FatWE
+47zZLDLOuMSLeS7HBSheloyTwezfdzbKnyD3JVwoTID0LP2Wo5FspqwYkIN93zRy
+TrlC6lmPR+TMzMsAeAh2kHpoV03z6isTO59jIqj1Nrai8fhd4DyfnRBBjkoXJTPe
+TM+MFa1gdU2B8VJfoqG7Ti780Tg83Z4/H9EEdD/pHzI8ay6xX5ABJhDnPHTPz3fK
+PaxwrfOJGyCvAr8qbCVql1Dp8b3sTAlWbG/Cqz7q3NhF298o4A1EDu5IADWKOhek
+djF/dutRHMCbvJKA0q4XiZu9YVYv7yysRPTicwvN9W5z7a5oIJLCXXtetNtoFZFo
+UDDZjmaCA6pcbFX9FZ96b9jLNa/BKvtlCTsosJHxf9XNiSx5dW9wHuojr60wvLxV
+K/N2anvjEfYuVxlfcKjOHpJuOX7xAcOAVAWnNvY/vSZCvAo2azMB5NOxu2Iz3pyq
+ARpClI6b14giASYMfWkb2Bfx2Sc44SHXcm5MxiTt51tB8i+d
+=bkRz
+-----END PGP PUBLIC KEY BLOCK-----

sudo.pamd

@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth     include        common-auth
+account  include        common-account
+password include        common-password
+session  optional       pam_keyinit.so revoke
+session  include        common-session-nonlogin
+# session  optional       pam_xauth.so

sudo.spec

@@ -0,0 +1,341 @@
+#
+# spec file for package sudo
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%if %{defined _distconfdir} && 0%{?suse_version} >= 1600
+%define confdir %{_distconfdir}
+%define confmode 0444
+%else
+%define confdir %{_sysconfdir}
+%define confmode 0440
+%endif
+
+Name:           sudo
+Version:        1.9.15p5
+Release:        0
+Summary:        Execute some commands as root
+License:        ISC
+Group:          System/Base
+URL:            https://www.sudo.ws/
+Source0:        https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
+Source1:        https://www.sudo.ws/dist/%{name}-%{version}.tar.gz.sig
+Source2:        %{name}.keyring
+Source3:        sudo.pamd
+Source4:        sudo-i.pamd
+Source5:        README.SUSE
+Source6:        fate_313276_test.sh
+Source7:        README_313276.test
+Source8:        50-wheel-auth-self.conf
+Source9:        51-wheel.rules
+Source10:       system-group-sudo.conf
+# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
+Patch0:         sudo-sudoers.patch
+BuildRequires:  audit-devel
+BuildRequires:  cyrus-sasl-devel
+BuildRequires:  groff
+BuildRequires:  libopenssl-devel
+BuildRequires:  libselinux-devel
+BuildRequires:  openldap2-devel
+BuildRequires:  pam-devel
+BuildRequires:  python3-devel
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  sysuser-tools
+BuildRequires:  zlib-devel
+Requires(pre):  coreutils
+Requires(pre):  permissions
+Recommends:     sudo-plugin-python
+
+%description
+Sudo is a command that allows users to execute some commands as root.
+%if %{defined _distconfdir}
+Sudo reads either %{_sysconfdir}/sudoers or %{_distconfdir}/sudoers
+(in that order, whichever one it finds first), to determine what users have
+%else
+The %{_sysconfdir}/sudoers file specifies which users have
+%endif
+access to sudo and which commands they can run. Sudo logs all its
+activities to syslogd, so the system administrator can keep an eye on
+things. Sudo asks for the password to initialize a check period of a
+given time N (where N is defined at installation and is set to 5
+minutes by default). Administrators can edit the sudoers file with 'visudo'.
+
+%package plugin-python
+Summary:        Plugin API for python
+Group:          System/Base
+Requires:       %{name} = %{version}
+
+%description plugin-python
+This package contains the sudo plugin which allows to write sudo plugins
+in python. The API closely follows the C sudo plugin API described by
+sudo_plugin(5).
+
+%package devel
+Summary:        Header files needed for sudo plugin development
+Group:          Development/Libraries/C and C++
+Requires:       %{name} = %{version}
+
+%description devel
+These header files are needed for building of sudo plugins.
+
+%package test
+Summary:        Tests for the package
+Group:          Development/Tools/Other
+Requires:       %{name} = %{version}
+
+%description test
+Tests for fate#313276
+
+%package policy-wheel-auth-self
+Summary:        Users in the wheel group can authenticate as admin
+Group:          System/Base
+Requires:       %{name} = %{version}
+Requires:       group(wheel)
+
+%description policy-wheel-auth-self
+Sudo authentication policy that allows users in the wheel group to
+authenticate as root with their own password
+
+%package policy-sudo-auth-self
+Summary:        Users in the sudo group can authenticate as admin
+Group:          System/Base
+Requires:       %{name} = %{version}
+Requires:       group(sudo)
+
+%description policy-sudo-auth-self
+Sudo authentication policy that allows users in the sudo group to
+authenticate as root with their own password
+
+%package -n system-group-sudo
+Summary:        System group 'sudo'
+Group:          System/Fhs
+%{sysusers_requires}
+
+%description -n system-group-sudo
+This package provides the system group 'sudo'.
+
+%prep
+%autosetup -p1
+
+%build
+%sysusers_generate_pre %{SOURCE10} sudo system-group-sudo.conf
+%ifarch s390 s390x %{sparc}
+F_PIE=-fPIE
+%else
+F_PIE=-fpie
+%endif
+export CFLAGS="%{optflags} -Wall $F_PIE -DLDAP_DEPRECATED"
+export LDFLAGS="-pie"
+%configure \
+    --libexecdir=%{_libexecdir}/sudo \
+    --docdir=%{_docdir}/%{name} \
+    --with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \
+    --enable-tmpfiles.d=%{_tmpfilesdir} \
+%if %{defined _distconfdir}
+    --prefix=/usr \
+    --sysconfdir=%{_distconfdir} \
+    --enable-adminconf=%{_sysconfdir} \
+%endif
+    --with-pam \
+    --with-pam-login \
+    --with-ldap \
+    --with-selinux \
+    --with-linux-audit \
+    --with-logfac=auth \
+    --with-all-insults \
+    --with-ignore-dot \
+    --with-tty-tickets \
+    --enable-shell-sets-home \
+    --enable-warnings \
+    --enable-python \
+    --enable-openssl \
+    --with-sendmail=%{_sbindir}/sendmail \
+    --with-sudoers-mode=0440 \
+    --with-env-editor \
+    --without-secure-path \
+    --with-passprompt="[sudo] password for %%p: " \
+    --with-rundir=%{_localstatedir}/lib/sudo \
+    --with-sssd
+%if 0%{?sle_version} < 150000
+# the SLES12 way
+%make_build
+%else
+# -B required to make every build give the same result - maybe from bad build deps in Makefiles?
+%make_build -B
+%endif
+
+%install
+%make_install install_uid=`id -u` install_gid=`id -g`
+%if 0%{?suse_version} <= 1500
+sed -i '/^session/s/common-session-nonlogin/common-session/g' %{SOURCE3}
+%endif
+%if %{defined _distconfdir}
+install -d -m 755 %{buildroot}%{_pam_vendordir}
+install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/sudo
+install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/sudo-i
+%else
+install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
+install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pam.d/sudo
+install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/sudo-i
+%endif
+rm -f %{buildroot}%{_bindir}/sudoedit
+ln -sf %{_bindir}/sudo %{buildroot}%{_bindir}/sudoedit
+install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema
+install -m 644 %{SOURCE5} %{buildroot}%{_docdir}/%{name}/
+rm -f %{buildroot}%{_docdir}/%{name}/sample.pam
+rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf
+rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP
+rm -f %{buildroot}%{confdir}/sudoers.dist
+
+%if %{defined _distconfdir}
+# Move /etc to /usr/etc/
+mkdir -p %{buildroot}%{_distconfdir}/sudoers.d %{buildroot}%{_sysconfdir}/sudoers.d
+chmod 644 %{buildroot}%{_distconfdir}/sudoers
+echo "@includedir /etc/sudoers.d" >> %{buildroot}%{_distconfdir}/sudoers
+%endif
+
+install -D -m 644 %{SOURCE8} %{buildroot}%{confdir}/sudoers.d/50-wheel-auth-self
+install -D -m 644 %{SOURCE9} %{buildroot}/usr/share/polkit-1/rules.d/51-wheel.rules
+
+sed -e 's/wheel/sudo/g' < %{SOURCE8} > %{buildroot}%{confdir}/sudoers.d/50-sudo-auth-self
+sed -e 's/wheel/sudo/g' < %{SOURCE9} > %{buildroot}/usr/share/polkit-1/rules.d/51-sudo.rules
+
+install -D -m 644 %{SOURCE10} %{buildroot}%{_sysusersdir}/system-group-sudo.conf
+
+%find_lang %{name}
+%find_lang sudoers
+cat sudoers.lang >> %{name}.lang
+# tests
+install -d -m 755 %{buildroot}%{_localstatedir}/lib/tests/sudo
+install -m 755 %{SOURCE6} %{buildroot}%{_localstatedir}/lib/tests/sudo
+install -m 755 %{SOURCE7} %{buildroot}%{_localstatedir}/lib/tests/sudo
+
+install -d %{buildroot}%{_licensedir}/%{name}
+rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE.md
+
+%if %{defined _distconfdir}
+%pre
+# move outdated pam.d/*.rpmsave files away
+for i in sudo sudo-i ; do
+    test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i}.rpmsave.old ||:
+done
+
+%posttrans
+# Migration to /usr/etc.
+for i in  sudo sudo-i ; do
+  test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||:
+done
+test -f %{_sysconfdir}/sudoers.rpmsave && mv -v %{_sysconfdir}/sudoers.rpmsave %{_sysconfdir}/sudoers ||:
+%endif
+
+%post
+[ -e  %{_sysconfdir}/sudoers ] && chmod 0440 %{_sysconfdir}/sudoers
+%if 0%{?suse_version} <= 1130
+%run_permissions
+%else
+%set_permissions %{_bindir}/sudo
+%endif
+%tmpfiles_create %{_tmpfilesdir}/sudo.conf
+
+%verifyscript
+%verify_permissions -e %{_bindir}/sudo
+
+%pre -n system-group-sudo -f sudo.pre
+
+%files -f %{name}.lang
+%license LICENSE.md
+%doc %{_docdir}/%{name}
+%{_mandir}/man1/cvtsudoers.1%{?ext_man}
+%{_mandir}/man5/sudoers.5%{?ext_man}
+%{_mandir}/man5/sudo.conf.5%{?ext_man}
+%{_mandir}/man5/sudoers.ldap.5%{?ext_man}
+%{_mandir}/man5/sudoers_timestamp.5%{?ext_man}
+%{_mandir}/man8/sudo.8%{?ext_man}
+%{_mandir}/man8/sudoedit.8%{?ext_man}
+%{_mandir}/man8/sudoreplay.8%{?ext_man}
+%{_mandir}/man8/visudo.8%{?ext_man}
+%{_mandir}/man5/sudo_logsrv.proto.5%{?ext_man}
+%{_mandir}/man5/sudo_logsrvd.conf.5%{?ext_man}
+%{_mandir}/man8/sudo_logsrvd.8%{?ext_man}
+%{_mandir}/man8/sudo_sendlog.8%{?ext_man}
+
+%{!?_distconfdir:%config(noreplace)} %attr(%confmode,root,root) %{confdir}/sudoers
+%attr(0750,root,root) %dir %{confdir}/sudoers.d
+%{?_distconfdir:%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d}
+%attr(0644,root,root) %config(noreplace) %{confdir}/sudo.conf
+%attr(0644,root,root) %config(noreplace) %{confdir}/sudo_logsrvd.conf
+
+%if %{defined _distconfdir}
+%{_pam_vendordir}/sudo
+%{_pam_vendordir}/sudo-i
+%else
+%config(noreplace) %{_sysconfdir}/pam.d/sudo
+%config(noreplace) %{_sysconfdir}/pam.d/sudo-i
+%endif
+%attr(4755,root,root) %{_bindir}/sudo
+%{_bindir}/sudoedit
+%{_bindir}/sudoreplay
+%{_bindir}/cvtsudoers
+%{_sbindir}/visudo
+%{_sbindir}/sudo_logsrvd
+%{_sbindir}/sudo_sendlog
+%dir %{_libexecdir}/%{name}
+%{_libexecdir}/%{name}/sesh
+%{_libexecdir}/%{name}/sudo_noexec.so
+%dir %{_libexecdir}/%{name}/%{name}
+%{_libexecdir}/%{name}/%{name}/sudoers.so
+%{_libexecdir}/%{name}/%{name}/group_file.so
+%{_libexecdir}/%{name}/%{name}/system_group.so
+%{_libexecdir}/%{name}/%{name}/audit_json.so
+%{_libexecdir}/%{name}/%{name}/sudo_intercept.so
+%{_libexecdir}/%{name}/libsudo_util.so.*
+%attr(0711,root,root) %dir %ghost %{_localstatedir}/lib/%{name}
+%attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/%{name}/ts
+%dir %{_tmpfilesdir}
+%{_tmpfilesdir}/sudo.conf
+
+%files plugin-python
+%{_mandir}/man5/sudo_plugin_python.5%{?ext_man}
+%{_libexecdir}/%{name}/%{name}/python_plugin.so
+
+%files devel
+%doc plugins/sample/sample_plugin.c
+%{_includedir}/sudo_plugin.h
+%{_mandir}/man5/sudo_plugin.5%{?ext_man}
+%attr(0644,root,root) %{_libexecdir}/%{name}/libsudo_util.so
+%{_libexecdir}/%{name}/sudo/*.la
+%{_libexecdir}/%{name}/*.la
+
+%files test
+%{_localstatedir}/lib/tests
+
+%files policy-wheel-auth-self
+%{confdir}/sudoers.d/50-wheel-auth-self
+%dir /usr/share/polkit-1
+%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
+/usr/share/polkit-1/rules.d/51-wheel.rules
+
+%files policy-sudo-auth-self
+%{confdir}/sudoers.d/50-sudo-auth-self
+%dir /usr/share/polkit-1
+%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
+/usr/share/polkit-1/rules.d/51-sudo.rules
+
+%files -n system-group-sudo
+%defattr(-,root,root)
+%{_sysusersdir}/system-group-sudo.conf
+
+%changelog

system-group-sudo.conf

@@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME]
+g sudo -