update to 1.8.18p1

- fixes CVE-2016-7076

.gitignore

@@ -1,18 +1,6 @@
-sudo-1.7.2p6.tar.gz
-sudo-1.7.2p2-sudoers
-/sudo-1.7.4p4.tar.gz
-/sudo-1.7.2p2-sudoers
-/sudo-1.7.4p4-sudoers
-/sudo-1.7.4p5.tar.gz
-/sudo-1.8.1p2.tar.gz
-/sudo-1.8.3p1.tar.gz
-/sudo-1.8.5.tar.gz
-/sudo-1.8.6.tar.gz
-/sudo-1.8.6p3.tar.gz
-/sudo-1.8.6p7.tar.gz
-/sudo-1.8.8.tar.gz
-/sudo-1.8.8-sudoers
-/sudo-1.8.11.tar.gz
-/sudo-1.8.11p2.tar.gz
-/sudo-1.8.12.tar.gz
-/sudo-1.8.14b4.tar.gz
+/sudo-1.8.17p1.tar.gz
+/sudo-1.8.18b2.tar.gz
+/sudo-1.8.18rc2.tar.gz
+/sudo-1.8.18rc4.tar.gz
+/sudo-1.8.18.tar.gz
+/sudo-1.8.18p1.tar.gz

sources

@@ -1,2 +1 @@
-3d4f5c159a562c39c66c7f3aaef3c5b3  sudo-1.8.14b4.tar.gz
-775b863cdff3a2ee2a26c2d53b51aff5  sudo-1.8.8-sudoers
+28f5214d5bcb5af5710decb95184a0a6  sudo-1.8.18p1.tar.gz

sudo-1.7.2p1-envdebug.patch

@@ -1,12 +0,0 @@
-diff -up sudo-1.7.2p1/configure.in.envdebug sudo-1.7.2p1/configure.in
---- sudo-1.7.2p1/configure.in.envdebug	2009-10-30 12:18:09.000000000 +0100
-+++ sudo-1.7.2p1/configure.in	2009-10-30 12:19:01.000000000 +0100
-@@ -1214,7 +1214,7 @@ AC_ARG_ENABLE(env_debug,
- [AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])],
- [ case "$enableval" in
-     yes)	AC_MSG_RESULT(yes)
--		AC_DEFINE(ENV_DEBUG)
-+		AC_DEFINE(ENV_DEBUG, [], [Environment debugging.])
- 		;;
-     no)		AC_MSG_RESULT(no)
- 		;;

sudo-1.8.11p2-auditfix.patch

@@ -1,17 +0,0 @@
-diff -up sudo-1.8.11p2/plugins/sudoers/linux_audit.c.auditfix sudo-1.8.11p2/plugins/sudoers/linux_audit.c
---- sudo-1.8.11p2/plugins/sudoers/linux_audit.c.auditfix	2014-11-03 12:44:53.674230966 +0100
-+++ sudo-1.8.11p2/plugins/sudoers/linux_audit.c	2014-11-03 12:45:13.407021599 +0100
-@@ -57,10 +57,10 @@ linux_audit_open(void)
-     au_fd = audit_open();
-     if (au_fd == -1) {
- 	/* Kernel may not have audit support. */
--	if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) {
--	    sudo_warn(U_("unable to open audit system"));
-+	if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
- 	    au_fd = AUDIT_NOT_CONFIGURED;
--	}
-+	else
-+	    sudo_warn(U_("unable to open audit system"));
-     } else {
- 	(void)fcntl(au_fd, F_SETFD, FD_CLOEXEC);
-     }

sudo-1.8.14b3-ldapconfpatch.patch

@@ -1,55 +0,0 @@
-diff -up sudo-1.8.14b3/plugins/sudoers/ldap.c.ldapconfpatch sudo-1.8.14b3/plugins/sudoers/ldap.c
---- sudo-1.8.14b3/plugins/sudoers/ldap.c.ldapconfpatch	2015-07-07 18:51:11.000000000 +0200
-+++ sudo-1.8.14b3/plugins/sudoers/ldap.c	2015-07-09 11:03:25.686645581 +0200
-@@ -1922,6 +1922,33 @@ sudo_check_krb5_ccname(const char *ccnam
- }
- #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
- 
-+/*
-+ * Read a line of input, remove whole line comments and strip off leading
-+ * and trailing spaces.  Returns static storage that is reused.
-+ */
-+static char *
-+sudo_ldap_parseln(fp)
-+    FILE *fp;
-+{
-+    size_t len;
-+    char *cp = NULL;
-+    static char buf[LINE_MAX];
-+
-+    if (fgets(buf, sizeof(buf), fp) != NULL) {
-+	/* Remove comments */
-+	if (*buf == '#')
-+	    *buf = '\0';
-+
-+	/* Trim leading and trailing whitespace/newline */
-+	len = strlen(buf);
-+	while (len > 0 && isspace((unsigned char)buf[len - 1]))
-+	    buf[--len] = '\0';
-+	for (cp = buf; isblank(*cp); cp++)
-+	    continue;
-+    }
-+    return(cp);
-+}
-+
- static bool
- sudo_ldap_read_config(void)
- {
-@@ -1955,7 +1982,7 @@ sudo_ldap_read_config(void)
-     if ((fp = fopen(path_ldap_conf, "r")) == NULL)
- 	debug_return_bool(false);
- 
--    while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
-+    while ((line = sudo_ldap_parseln(fp)) != NULL) {
- 	if (*line == '\0')
- 	    continue;		/* skip empty line */
- 
-@@ -1975,7 +2002,7 @@ sudo_ldap_read_config(void)
- 	if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global))
- 	    sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn);
-     }
--    free(line);
-+
-     fclose(fp);
- 
-     if (!ldap_conf.host) {

sudo-1.8.14b4-docpassexpire.patch

@@ -1,38 +0,0 @@
-diff -up sudo-1.8.14b4/doc/sudoers.cat.docpassexpire sudo-1.8.14b4/doc/sudoers.cat
---- sudo-1.8.14b4/doc/sudoers.cat.docpassexpire	2015-06-09 00:47:07.000000000 +0200
-+++ sudo-1.8.14b4/doc/sudoers.cat	2015-07-14 13:11:11.116000185 +0200
-@@ -1328,8 +1328,8 @@ SSUUDDOOEERRSS OOPPTTIIOONN
-                        fractional component if minute granularity is
-                        insufficient, for example 2.5.  The default is 5.  Set
-                        this to 0 to always prompt for a password.  If set to a
--                       value less than 0 the user's time stamp will never
--                       expire.  This can be used to allow users to create or
-+                       value less than 0 the user's time stamp will not
-+                       expire until reboot.  This can be used to allow users to create or
-                        delete their own time stamps via ``sudo -v'' and ``sudo
-                        -k'' respectively.
- 
-diff -up sudo-1.8.14b4/doc/sudoers.man.in.docpassexpire sudo-1.8.14b4/doc/sudoers.man.in
---- sudo-1.8.14b4/doc/sudoers.man.in.docpassexpire	2015-07-14 13:11:11.116000185 +0200
-+++ sudo-1.8.14b4/doc/sudoers.man.in	2015-07-14 13:14:17.261222481 +0200
-@@ -2822,7 +2822,7 @@ Set this to
- to always prompt for a password.
- If set to a value less than
- \fR0\fR
--the user's time stamp will never expire.
-+the user's time stamp will not expire until reboot.
- This can be used to allow users to create or delete their own time stamps via
- \(Lq\fRsudo -v\fR\(Rq
- and
-diff -up sudo-1.8.14b4/doc/sudoers.mdoc.in.docpassexpire sudo-1.8.14b4/doc/sudoers.mdoc.in
---- sudo-1.8.14b4/doc/sudoers.mdoc.in.docpassexpire	2015-04-07 18:15:50.000000000 +0200
-+++ sudo-1.8.14b4/doc/sudoers.mdoc.in	2015-07-14 13:11:11.117000176 +0200
-@@ -2647,7 +2647,7 @@ Set this to
- to always prompt for a password.
- If set to a value less than
- .Li 0
--the user's time stamp will never expire.
-+the user's time stamp will not expire until reboot.
- This can be used to allow users to create or delete their own time stamps via
- .Dq Li sudo -v
- and

sudo-1.8.8-clangbugs.patch

@@ -1,60 +0,0 @@
-diff -up sudo-1.8.8/plugins/sudoers/auth/pam.c.clangbugs sudo-1.8.8/plugins/sudoers/auth/pam.c
---- sudo-1.8.8/plugins/sudoers/auth/pam.c.clangbugs	2013-09-30 23:41:07.899529555 +0200
-+++ sudo-1.8.8/plugins/sudoers/auth/pam.c	2013-09-30 23:41:58.988707761 +0200
-@@ -246,6 +246,7 @@ sudo_pam_begin_session(struct passwd *pw
- 	    (void) pam_end(pamh, *pam_status | PAM_DATA_SILENT);
- 	    pamh = NULL;
- 	    status = AUTH_FAILURE;
-+	    goto done;
- 	}
-     }
- 
-diff -up sudo-1.8.8/plugins/sudoers/sssd.c.clangbugs sudo-1.8.8/plugins/sudoers/sssd.c
---- sudo-1.8.8/plugins/sudoers/sssd.c.clangbugs	2013-09-30 23:44:20.404200629 +0200
-+++ sudo-1.8.8/plugins/sudoers/sssd.c	2013-09-30 23:49:05.998194738 +0200
-@@ -310,11 +310,10 @@ static int sudo_sss_close(struct sudo_ns
-     debug_decl(sudo_sss_close, SUDO_DEBUG_SSSD);
- 
-     if (nss && nss->handle) {
--	handle = nss->handle;
--	dlclose(handle->ssslib);
-+	    handle = nss->handle;
-+	    dlclose(handle->ssslib);
-+	    efree(nss->handle);
-     }
--
--    efree(nss->handle);
-     debug_return_int(0);
- }
- 
-@@ -705,17 +704,21 @@ sudo_sss_result_get(struct sudo_nss *nss
- 	sudo_sss_result_filterp, _SUDO_SSS_FILTER_INCLUDE, NULL);
- 
-     if (f_sss_result != NULL) {
--	if (f_sss_result->num_rules > 0) {
--	    if (state != NULL) {
--		sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= HOSTMATCH");
--		*state |= _SUDO_SSS_STATE_HOSTMATCH;
-+	    if (f_sss_result->num_rules > 0) {
-+		    if (state != NULL) {
-+			    sudo_debug_printf(SUDO_DEBUG_DEBUG, "state |= HOSTMATCH");
-+			    *state |= _SUDO_SSS_STATE_HOSTMATCH;
-+		    }
- 	    }
--	}
--    }
- 
--    sudo_debug_printf(SUDO_DEBUG_DEBUG,
--	"u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
--	u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
-+	    sudo_debug_printf(SUDO_DEBUG_DEBUG,
-+	                      "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
-+	                      u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
-+    } else {
-+	    sudo_debug_printf(SUDO_DEBUG_DEBUG,
-+	                      "u_sss_result=(%p, %u) => f_sss_result=NULL",
-+	                      u_sss_result, u_sss_result->num_rules);
-+    }
- 
-     handle->fn_free_result(u_sss_result);
- 

sudo-1.8.8-sssdfixes.patch

@@ -1,119 +0,0 @@
-diff -up sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes sudo-1.8.8/plugins/sudoers/sssd.c
---- sudo-1.8.8/plugins/sudoers/sssd.c.sssdfixes	2013-09-30 23:18:49.641913457 +0200
-+++ sudo-1.8.8/plugins/sudoers/sssd.c	2013-09-30 23:25:54.819376696 +0200
-@@ -534,30 +534,31 @@ sudo_sss_check_runas_group(struct sudo_s
-  * Walk through search results and return true if we have a runas match,
-  * else false.  RunAs info is optional.
-  */
--static int
-+static bool
- sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
- {
--    int ret;
-+    bool ret;
-     debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);
- 
-     if (rule == NULL)
--	 debug_return_int(false);
-+	 debug_return_bool(false);
- 
-     ret = sudo_sss_check_runas_user(handle, rule) != false &&
- 	 sudo_sss_check_runas_group(handle, rule) != false;
- 
--    debug_return_int(ret);
-+    debug_return_bool(ret);
- }
- 
--static int
-+static bool
- sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
- {
-     char **val_array, *val;
--    int ret = false, i;
-+    bool ret = false;
-+    int i;
-     debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD);
- 
-     if (rule == NULL)
--	debug_return_int(ret);
-+	debug_return_bool(ret);
- 
-     /* get the values from the rule */
-     switch (handle->fn_get_values(rule, "sudoHost", &val_array))
-@@ -566,10 +567,10 @@ sudo_sss_check_host(struct sudo_sss_hand
- 	break;
-     case ENOENT:
- 	sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
--	debug_return_int(false);
-+	debug_return_bool(false);
-     default:
- 	sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
--	debug_return_int(ret);
-+	debug_return_bool(ret);
-     }
- 
-     /* walk through values */
-@@ -589,7 +590,52 @@ sudo_sss_check_host(struct sudo_sss_hand
- 
-     handle->fn_free_values(val_array);
- 
--    debug_return_int(ret);
-+    debug_return_bool(ret);
-+}
-+
-+/*
-+ * Look for netgroup specifcations in the sudoUser attribute and
-+ * if found, filter according to netgroup membership.
-+ *  returns:
-+ *   true -> netgroup spec found && negroup member
-+ *  false -> netgroup spec found && not a meber of netgroup
-+ *   true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
-+ */
-+bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
-+{
-+	bool ret = false, netgroup_spec_found = false;
-+	char **val_array, *val;
-+	int i;
-+	debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
-+
-+	if (!handle || !rule)
-+		debug_return_bool(ret);
-+
-+	switch (handle->fn_get_values(rule, "sudoUser", &val_array)) {
-+		case 0:
-+			break;
-+		case ENOENT:
-+			sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
-+			debug_return_bool(ret);
-+		default:
-+			sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
-+			debug_return_bool(ret);
-+	}
-+
-+	for (i = 0; val_array[i] != NULL && !ret; ++i) {
-+		val = val_array[i];
-+		if (*val == '+') {
-+			netgroup_spec_found = true;
-+		}
-+		sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
-+		if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
-+			ret = true;
-+			sudo_debug_printf(SUDO_DEBUG_DIAG,
-+			                  "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
-+		}
-+	}
-+	handle->fn_free_values(val_array);
-+	debug_return_bool(netgroup_spec_found ? ret : true);
- }
- 
- static int
-@@ -599,7 +645,8 @@ sudo_sss_result_filterp(struct sudo_sss_
-     (void)unused;
-     debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
- 
--    if (sudo_sss_check_host(handle, rule))
-+    if (sudo_sss_check_host(handle, rule) &&
-+        sudo_sss_filter_user_netgroup(handle, rule))
- 	debug_return_int(1);
-     else
- 	debug_return_int(0);

sudo-1.8.8-strictuidgid.patch

@@ -1,53 +0,0 @@
-diff -up sudo-1.8.8/plugins/sudoers/match.c.strictuidgid sudo-1.8.8/plugins/sudoers/match.c
---- sudo-1.8.8/plugins/sudoers/match.c.strictuidgid	2013-09-30 23:30:12.359263967 +0200
-+++ sudo-1.8.8/plugins/sudoers/match.c	2013-09-30 23:31:04.335443002 +0200
-@@ -777,14 +777,16 @@ hostname_matches(char *shost, char *lhos
- bool
- userpw_matches(char *sudoers_user, char *user, struct passwd *pw)
- {
--    debug_decl(userpw_matches, SUDO_DEBUG_MATCH)
--
--    if (pw != NULL && *sudoers_user == '#') {
--	uid_t uid = (uid_t) atoi(sudoers_user + 1);
--	if (uid == pw->pw_uid)
--	    debug_return_bool(true);
--    }
--    debug_return_bool(strcmp(sudoers_user, user) == 0);
-+	debug_decl(userpw_matches, SUDO_DEBUG_MATCH)
-+	if (pw != NULL && *sudoers_user == '#') {
-+		char *end = NULL;
-+		uid_t uid = (uid_t) strtol(sudoers_user + 1, &end, 10);
-+		if (end != NULL && (sudoers_user[1] != '\0' && *end == '\0')) {
-+			if (uid == pw->pw_uid)
-+				debug_return_bool(true);
-+		}
-+	}
-+	debug_return_bool(strcmp(sudoers_user, user) == 0);
- }
- 
- /*
-@@ -794,14 +796,16 @@ userpw_matches(char *sudoers_user, char
- bool
- group_matches(char *sudoers_group, struct group *gr)
- {
--    debug_decl(group_matches, SUDO_DEBUG_MATCH)
--
--    if (*sudoers_group == '#') {
--	gid_t gid = (gid_t) atoi(sudoers_group + 1);
--	if (gid == gr->gr_gid)
--	    debug_return_bool(true);
--    }
--    debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0);
-+	debug_decl(group_matches, SUDO_DEBUG_MATCH)
-+	if (*sudoers_group == '#') {
-+		char *end = NULL;
-+		gid_t gid = (gid_t) strtol(sudoers_group + 1, &end, 10);
-+		if (end != NULL && (sudoers_group[1] != '\0' && *end == '\0')) {
-+			if (gid == gr->gr_gid)
-+				debug_return_bool(true);
-+		}
-+	}
-+	debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0);
- }
- 
- /*

sudo.spec

@@ -1,12 +1,12 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.8.14b4
-Release: 2%{?dist}
+Version: 1.8.18p1
+Release: 1%{?dist}
 License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
 Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
-Source1: sudo-1.8.8-sudoers
+Source1: sudoers
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: /etc/pam.d/system-auth
 Requires: /usr/bin/vi
@@ -26,11 +26,6 @@ BuildRequires: zlib-devel
 
 # don't strip
 Patch1: sudo-1.6.7p5-strip.patch
-# Patch to read ldap.conf more closely to nss_ldap
-Patch2: sudo-1.8.14b3-ldapconfpatch.patch
-# Patch makes changes in documentation bz:1162070
-Patch3: sudo-1.8.14b4-docpassexpire.patch
-
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
@@ -56,8 +51,6 @@ plugins that use %{name}.
 %setup -q
 
 %patch1 -p1 -b .strip
-%patch2 -p1 -b .ldapconfpatch
-%patch3 -p1 -b .docpassexpire
 
 %build
 # Remove bundled copy of zlib
@@ -77,6 +70,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
         --sbindir=%{_sbindir} \
         --libdir=%{_libdir} \
         --docdir=%{_pkgdocdir} \
+        --disable-root-mailer \
         --with-logging=syslog \
         --with-logfac=authpriv \
         --with-pam \
@@ -100,6 +94,7 @@ make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` s
 
 chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* 
 install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
+install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
 install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
 install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
 
@@ -155,6 +150,7 @@ rm -rf $RPM_BUILD_ROOT
 %config(noreplace) /etc/pam.d/sudo-i
 %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
 %dir /var/db/sudo
+%dir /var/db/sudo/lectured
 %attr(4111,root,root) %{_bindir}/sudo
 %{_bindir}/sudoedit
 %attr(0111,root,root) %{_bindir}/sudoreplay
@@ -193,6 +189,37 @@ rm -rf $RPM_BUILD_ROOT
 %{_libexecdir}/sudo/libsudo_util.so
 
 %changelog
+* Tue Nov 08 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.18p1-1
+- update to 1.8.18p1
+- fixes CVE-2016-7076
+
+* Wed Sep 21 2016 Radovan Sroka <rsroka@redhat.com> 1.8.18-1
+- update to 1.8.18
+- dropped sudo-1.8.14p1-ldapconfpatch.patch
+  upstreamed --> https://www.sudo.ws/pipermail/sudo-workers/2016-September/001006.html
+- added --disable-root-mailer as configure option
+  Resolves: rhbz#1324091
+
+* Mon Jul 11 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.17p1-1
+- update to 1.8.17p1
+- install the /var/db/sudo/lectured
+
+* Wed Jun  1 2016 Daniel Kopecek <dkopecek@redhat.com> 1.8.15-2
+- removed INPUTRC from env_keep to prevent a possible info leak
+  Resolves: rhbz#1340701
+
+* Thu Nov  5 2015 Daniel Kopecek <dkopecek@redhat.com> 1.8.15-1
+- update to 1.8.15
+- fixes CVE-2015-5602
+
+* Mon Jul 27 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p3-1
+- update to 1.8.14p3
+
+* Mon Jul 20 2015 Radovan Sroka <rsroka@redhat.com> 1.8.14p1-1
+- update to 1.8.14p1-1
+- rebase sudo-1.8.14b3-ldapconfpatch.patch -> sudo-1.8.14p1-ldapconfpatch.patch
+- rebase sudo-1.8.14b4-docpassexpire.patch -> sudo-1.8.14p1-docpassexpire.patch
+
 * Tue Jul 14 2015 Radovan Sroka <rsroka@redhat.com> 1.8.12-2
 - add patch3 sudo.1.8.14b4-passexpire.patch that makes change in documentation about timestamp_time
 - Resolves: rhbz#1162070

sudoers

@@ -0,0 +1,96 @@
+## Sudoers allows particular users to run various commands as
+## the root user, without needing the root password.
+##
+## Examples are provided at the bottom of the file for collections
+## of related commands, which can then be delegated out to particular
+## users or groups.
+## 
+## This file must be edited with the 'visudo' command.
+
+## Host Aliases
+## Groups of machines. You may prefer to use hostnames (perhaps using 
+## wildcards for entire domains) or IP addresses instead.
+# Host_Alias     FILESERVERS = fs1, fs2
+# Host_Alias     MAILSERVERS = smtp, smtp2
+
+## User Aliases
+## These aren't often necessary, as you can use regular groups
+## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname 
+## rather than USERALIAS
+# User_Alias ADMINS = jsmith, mikem
+
+
+## Command Aliases
+## These are groups of related commands...
+
+## Networking
+# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+
+## Installation and management of software
+# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
+
+## Services
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
+
+## Updating the locate database
+# Cmnd_Alias LOCATE = /usr/bin/updatedb
+
+## Storage
+# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
+
+## Delegating permissions
+# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp 
+
+## Processes
+# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
+
+## Drivers
+# Cmnd_Alias DRIVERS = /sbin/modprobe
+
+# Defaults specification
+
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults   !visiblepw
+
+Defaults    env_reset
+Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
+Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+
+Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+## Next comes the main part: which users can run what software on 
+## which machines (the sudoers file can be shared between multiple
+## systems).
+## Syntax:
+##
+## 	user	MACHINE=COMMANDS
+##
+## The COMMANDS section may have other options added to it.
+##
+## Allow root to run any commands anywhere 
+root	ALL=(ALL) 	ALL
+
+## Allows members of the 'sys' group to run networking, software, 
+## service management apps and more.
+# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
+
+## Allows people in group wheel to run all commands
+%wheel	ALL=(ALL)	ALL
+
+## Same thing without a password
+# %wheel	ALL=(ALL)	NOPASSWD: ALL
+
+## Allows members of the users group to mount and unmount the 
+## cdrom as root
+# %users  ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
+
+## Allows members of the users group to shutdown this system
+# %users  localhost=/sbin/shutdown -h now
+
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir /etc/sudoers.d