From 1b78263838a566a447849745a65303d055e042789aa0ce59f2e9c6d8544fa893 Mon Sep 17 00:00:00 2001
From: Jason Sikes
Date: Tue, 23 Aug 2022 23:14:55 +0000
Subject: [PATCH] Accepting request 998277 from home:jsikes:branches:Base:System Updated. Enjoy!
OBS-URL: https://build.opensuse.org/request/show/998277
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=215
---
 sudo-1.9.10-update_sudouser_to_utf8.patch | 116 ++++++++++++++++++++++
 sudo-1.9.10.tar.gz | 3 -
 sudo-1.9.10.tar.gz.sig | Bin 566 -> 0 bytes
 sudo-1.9.11p3.tar.gz | 3 +
 sudo-1.9.11p3.tar.gz.sig | Bin 0 -> 566 bytes
 sudo-sudoers.patch | 15 +--
 sudo.changes | 81 +++++++++++++++
 sudo.spec | 7 +-
 8 files changed, 212 insertions(+), 13 deletions(-)
 create mode 100644 sudo-1.9.10-update_sudouser_to_utf8.patch
 delete mode 100644 sudo-1.9.10.tar.gz
 delete mode 100644 sudo-1.9.10.tar.gz.sig
 create mode 100644 sudo-1.9.11p3.tar.gz
 create mode 100644 sudo-1.9.11p3.tar.gz.sig
diff --git a/sudo-1.9.10-update_sudouser_to_utf8.patch b/sudo-1.9.10-update_sudouser_to_utf8.patch
new file mode 100644
index 0000000..8e51797
--- /dev/null
+++ b/sudo-1.9.10-update_sudouser_to_utf8.patch
@@ -0,0 +1,116 @@
+From 7f9ea23e7447b8e1308fc282cd13b6cf5d39d3c4 Mon Sep 17 00:00:00 2001
+From: William Brown
+Date: Mon, 25 Jul 2022 15:21:39 +1000
+Subject: [PATCH] Update sudoUser to be utf8 in ldap schemas
+
+In most unix-style LDAP servers, uid is a utf8 string defined by
+OID 1.3.6.1.4.1.1466.115.121.1.15. However, sudoUser was defined
+as an IA5 String (OID 1.3.6.1.4.1.1466.115.121.1.26) which meant
+that sudoUser could only represent a subset of possible values.
+
+In some cases when using sudoers.ldap, the uid from the machine
+which was utf8 was fed back into sudo which would then issue a
+search for sudoUsers. If this uid contained utf8 characters, the
+ldap server would refuse to match into sudoUsers because these
+were limited to IA5.
+
+This is a safe-forward upgrade as IA5 is a subset of UTF8 meaning
+that this change will not impact existing deployments and their
+rules.
+---
+ docs/schema.OpenLDAP | 14 +++++++-------
+ docs/schema.iPlanet | 6 +++---
+ docs/schema.olcSudo | 14 +++++++-------
+ 3 files changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/docs/schema.OpenLDAP b/docs/schema.OpenLDAP
+index e1d525f84..451c5250a 100644
+--- a/docs/schema.OpenLDAP
++++ b/docs/schema.OpenLDAP
+@@ -7,9 +7,9 @@
+ attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+- EQUALITY caseExactIA5Match
+- SUBSTR caseExactIA5SubstringsMatch
+- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
++ EQUALITY caseExactMatch
++ SUBSTR caseExactSubstringsMatch
++ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+@@ -39,14 +39,14 @@ attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+- EQUALITY caseExactIA5Match
+- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
++ EQUALITY caseExactMatch
++ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+- EQUALITY caseExactIA5Match
+- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
++ EQUALITY caseExactMatch
++ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+diff --git a/docs/schema.iPlanet b/docs/schema.iPlanet
+index e51286436..56ad02bc0 100644
+--- a/docs/schema.iPlanet
++++ b/docs/schema.iPlanet
+@@ -1,11 +1,11 @@
+ dn: cn=schema
+-attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
++attributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+-attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
+-attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'SUDO' )
++attributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
++attributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'SUDO' )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.8 NAME 'sudoNotBefore' DESC 'Start of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.9 NAME 'sudoNotAfter' DESC 'End of time interval for which the entry is valid' EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+ attributeTypes: ( 1.3.6.1.4.1.15953.9.1.10 NAME 'sudoOrder' DESC 'an integer to order the sudoRole entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+diff --git a/docs/schema.olcSudo b/docs/schema.olcSudo
+index 8748dfc2a..8948ca4ae 100644
+--- a/docs/schema.olcSudo
++++ b/docs/schema.olcSudo
+@@ -9,9 +9,9 @@ cn: sudoschema
+ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+- EQUALITY caseExactIA5Match
+- SUBSTR caseExactIA5SubstringsMatch
+- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
++ EQUALITY caseExactMatch
++ SUBSTR caseExactSubstringsMatch
++ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ #
+ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+@@ -41,14 +41,14 @@ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.5
+ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+- EQUALITY caseExactIA5Match
+- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
++ EQUALITY caseExactMatch
++ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ #
+ olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+-
EQUALITY caseExactIA5Match +- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) ++ EQUALITY caseExactMatch ++ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) + # + olcattributetypes: ( 1.3.6.1.4.1.15953.9.1.8 + NAME 'sudoNotBefore' diff --git a/sudo-1.9.10.tar.gz b/sudo-1.9.10.tar.gz deleted file mode 100644 index df3423a..0000000 --- a/sudo-1.9.10.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:44a1461098e7c7b8e6ac597499c24fb2e43748c0c139a8b4944e57d1349a64f4 -size 4516568 diff --git a/sudo-1.9.10.tar.gz.sig b/sudo-1.9.10.tar.gz.sig deleted file mode 100644 index 09462e323f6e24d9123712a8f686128a1cc4d0b1b6a04f4149d169441a85aeb6..0000000000000000000000000000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 566 zcmV-60?GY}0y6{v0SEvc79j*#(do>(D>r8Z{nJ~i^uQs`q;UHM0%9Qw82}0i5UKRQ zAk-GW$_7gAW_Jx8T`l*pBUj` z&H*&3i`_-^`(vbNyYz)TADZ9{V>oQP8`V4wfY;O z17}a|yqZXel)el4lrC(ij&!}yhBjvS&*&oRL?RO#Qu1PF*OQUxH5nuB82m4LC3FcD zKmHH-3A=@O3&O7!^yx-DF=f0`X+^tpFomP5bCLhQ1_DOCUfkmQj`uBk{sZ@-0z2$L z=tKDfw5@k%Ihhj2O<(d0_NaV_(Un4fVjnEEUn6xXsB?&-hyw!$qvO9q@#iB!LXrBa zX&SEhHVILj8cWY%<4UWx^__XT4lL4rgG{&kM+~*+u#s0nhdeYoDKFt{U|7@tAfX6< EMxs<2b^rhX diff --git a/sudo-1.9.11p3.tar.gz b/sudo-1.9.11p3.tar.gz new file mode 100644 index 0000000..db66a26 --- /dev/null +++ b/sudo-1.9.11p3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4687e7d2f56721708f59cca2e1352c056cb23de526c22725615a42bb094f1f70 +size 4826520 
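Review bot: The deprecated `sudoRunAs` attribute (`1.3.6.1.4.1.15953.9.1.4`) still uses `caseExactIA5Match` with the IA5 syntax in the docs/schema.iPlanet context lines, while `sudoRunAsUser` and `sudoRunAsGroup` are switched to `caseExactMatch`, so directories that still store RunAs targets in the old attribute keep the non-ASCII mismatch. The OpenLDAP and olcSudo definitions of that attribute are outside the visible hunks, so the same probably applies there; the patch description could add a line such as `sudoRunAs (deprecated) is intentionally left as IA5`, or the attribute could be converted too. Because `caseExactMatch` compares Directory Strings after Unicode string preparation, names that differ only in normalization form can match the same `sudoUser` value; existing ASCII-only rules are unaffected, but new non-ASCII values in sudoRole entries deserve review. The change only takes effect once the schema loaded on the LDAP server is replaced, and an existing `sudoUser` index likely has to be rebuilt afterwards (inferred; confirm for the server in use).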
diff --git a/sudo-1.9.11p3.tar.gz.sig b/sudo-1.9.11p3.tar.gz.sig new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..3cd371257ef6087cb55cc672f76db8f139cbd63f1cad6a26d578049a2e7d6567 GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j*#(do>(D>r8Z{nJ~i^uQs`q;UHM0%EbkF#rk)5UKRQ zA}G zk|>r5nJl$>!!X$Zt}fwFV7;!-cdC`S zn1mkB%PUDrA;Xu0QLY@HuPuk1&g6ZU7eF zyNR4LGBBoE<2r~n@-@Vz2lp1h`T^sI@s(o5=}%SnuN>P+lcN1GxWgs>I`+|75pcT- z)f|oI$6>d0nM1tW09A}E;VhPM48Y{ok*j + +- Update to 1.9.11p3: + * Changes in Sudo 1.9.11 + * Fixed a crash in the Python module with Python 3.9.10 on some systems. + Additionally, make check now passes for Python 3.9.10. + * Error messages sent via email now include more details, including the file + name and the line number and column of the error. Multiple errors are sent in + a single message. Previously, only the first error was included. + * Fixed logging of parse errors in JSON format. Previously, the JSON logger would + not write entries unless the command and runuser were set. These may not be + known at the time a parse error is encountered. + * Fixed a potential crash parsing sudoers lines larger than twice the value of + LINE_MAX on systems that lack the getdelim() function. + * The tests run by make check now unset the LANGUAGE environment variable. + Otherwise, localization strings will not match if LANGUAGE is set to a + non-English locale. Bug #1025. + * The “starttime” test now passed when run under Debian faketime. Bug #1026. + * The Kerberos authentication module now honors the custom password prompt if one + has been specified. + * The embedded copy of zlib has been updated to version 1.2.12. + * Updated the version of libtool used by sudo to version 2.4.7. + * Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE in the + header files (currently only GNU libc). This is required to allow the use of + 64-bit time values on some 32-bit systems. 
+ * Sudo’s intercept and log_subcmds options no longer force the command to run in
+ its own pseudo-terminal. It is now also possible to intercept the system(3) function.
+ * Fixed a bug in sudo_logsrvd when run in store-first relay mode where the commit
+ point messages sent by the server were incorrect if the command was suspended
+ or received a window size change event.
+ * Fixed a potential crash in sudo_logsrvd when the tls_dhparams configuration
+ setting was used.
+ * The intercept and log_subcmds functionality can now use ptrace(2) on Linux
+ systems that support seccomp(2) filtering. This has the advantage of working
+ for both static and dynamic binaries and can work with sudo’s SELinux RBAC mode.
+ The following architectures are currently supported: i386, x86_64, aarch64, arm,
+ mips (log_subcmds only), powerpc, riscv, and s390x. The default is to use
+ ptrace(2) where possible; the new intercept_type sudoers setting can be used
+ to explicitly set the type.
+ * New Georgian translation from translationproject.org.
+ * Fixed creating packages on CentOS Stream.
+ * Fixed a bug in the intercept and log_subcmds support where the execve(2)
+ wrapper was using the current environment instead of the passed environment
+ pointer. Bug #1030.
+ * Added AppArmor integration for Linux. A sudoers rule can now specify an
+ APPARMOR_PROFILE option to run a command confined by the named AppArmor profile.
+ * Fixed parsing of the server_log setting in sudo_logsrvd.conf. Non-paths were
+ being treated as paths and an actual path was treated as an error.
+
+ * Changes in Sudo 1.9.11p1:
+ * Correctly handle EAGAIN in the I/O read/right events. This fixes a hang seen on
+ some systems when piping a large amount of data through sudo, such as via rsync.
+ Bug #963.
+ * Changes to avoid implementation or unspecified behavior when bit shifting signed
+ values in the protobuf library.
+ * Fixed a compilation error on Linux/aarch64.
+ * Fixed the configure check for seccomp(2) support on Linux.
+ * Corrected the EBNF specification for tags in the sudoers manual page.
+ GitHub issue #153.
+
+ * Changes in Sudo 1.9.11p2:
+ * Fixed a compilation error on Linux/x86_64 with the x32 ABI.
+ * Fixed a regression introduced in 1.9.11p1 that caused a warning when logging to
+ sudo_logsrvd if the command returned no output.
+
+ * Changes in Sudo 1.9.11p3:
+ * Fixed “connection reset” errors on AIX when running shell scripts with the intercept
+ or log_subcmds sudoers options enabled. Bug #1034.
+ * Fixed very slow execution of shell scripts when the intercept or log_subcmds sudoers
+ options are set on systems that enable Nagle’s algorithm on the loopback device,
+ such as AIX. Bug #1034.
+
+ * Modified sudo-sudoers.patch
+
+- Added sudo-1.9.10-update_sudouser_to_utf8.patch
+ * [bsc#1197998]
+ * Enable sudouser LDAP schema to use UTF-8 encodings.
+ * Sourced from https://github.com/sudo-project/sudo/pull/163
+ * Credit to William Brown, william.brown@suse.com
+
 -------------------------------------------------------------------
 Mon Aug 8 09:17:43 UTC 2022 - Thorsten Kukuk
diff --git a/sudo.spec b/sudo.spec
index 1df5382..6ecc064 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -17,7 +17,7 @@
 Name: sudo
-Version: 1.9.10
+Version: 1.9.11p3
 Release: 0
 Summary: Execute some commands as root
 License: ISC
@@ -33,6 +33,7 @@ Source6: fate_313276_test.sh
 Source7: README_313276.test
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch0: sudo-sudoers.patch
+Patch1: sudo-1.9.10-update_sudouser_to_utf8.patch
 BuildRequires: audit-devel
 BuildRequires: cyrus-sasl-devel
 BuildRequires: groff
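Review bot: `Patch1: sudo-1.9.10-update_sudouser_to_utf8.patch` is declared in this hunk, but no sudo.spec hunk adds a matching `%patch1` (or `%patch -P 1`) line, and the diffstat's 7 changed lines are all accounted for by the Version, Patch1 and man-page lines. Unless %prep, which is outside the hunks, uses `%autosetup` or `%autopatch`, the patch is announced in sudo.changes but never applied, and the shipped docs/schema.* files stay IA5. A provenance comment above the tag in the style of the one on Patch0, for example `# PATCH-FIX-UPSTREAM: bsc#1197998 sudoUser LDAP schema as UTF-8`, would also record where the patch comes from.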
@@ -235,13 +236,13 @@ chmod 0440 %{_sysconfdir}/sudoers
 %{_tmpfilesdir}/sudo.conf
 %files plugin-python
-%{_mandir}/man8/sudo_plugin_python.8%{?ext_man}
+%{_mandir}/man5/sudo_plugin_python.5%{?ext_man}
 %{_libexecdir}/%{name}/%{name}/python_plugin.so
 %files devel
 %doc plugins/sample/sample_plugin.c
 %{_includedir}/sudo_plugin.h
-%{_mandir}/man8/sudo_plugin.8%{?ext_man}
+%{_mandir}/man5/sudo_plugin.5%{?ext_man}
 %attr(0644,root,root) %{_libexecdir}/%{name}/libsudo_util.so
 %{_libexecdir}/%{name}/sudo/*.la
 %{_libexecdir}/%{name}/*.la