This means that lhost and shost in struct sudoers_parse_tree
are no longer const and that free_pa...

For example, MacOSX11.sdk instead of MacOSX11.3.sdk.

If present, the host name is copied into the struct sudoers_parse_tree.

In the future the parsed files will be merged before they are output.

This will be used to store multiple parse trees and merge them
into a single sudoers_parse_tree.

Only needed when building the seed corpus zip files.

This helps to avoid issues with mismatched headers and libraries.

This can happen when no changes were made. Also preserve the edited
temp file on error if we are...

Avoids a name clash with the set_perms() function.

Rename "is_writable" variable to "writable".

This is supported beginning with sudo 1.9.9 and plugin API 1.17.

We can assume that systems without strtoull() have 32-bit resource limits.

The special value "user" means preserve the invoking user's limit.
The value "default" means don'...

The default for rlimit_core is "0,0"
Resource limits are passed back to the front-end in command_...

This can be used in conjunction with the -c option to check that
the sudoers file ownership and p...

We only want to apply SELinux to confined users. This is a bit of
a hack as unconfined_r is spec...

This makes it possible to determine whether we really need to execute
the command via the sesh he...

The front-end uses this to decide whether or not to enable SELinux.
If selinux-rbac is true _or_ ...

The SELinux policy may not allow uid/gid changes which will break
the writability checks and caus...

The timegm() function is non-standard but widely available.
Provide an implementation for those s...

Also add missing Makefile targets for them.

Otherwise, the resulting time may be off by and hour, depending on
whether DST is currently activ...

Until arm64e on macOS is finalized, continue to build arm64 packages.

We originally used arm64 here but the correct ABI is arm64e.
The arm64 arch will be removed in a ...

Older versions of OpenSSL and wolfSSL lack BIO_new_fd().
Also explicitly include openssl/bio.h an...

Fedora does not appear to have an official wolfssl package.

Based on changes from Hayden Roche

This way there is no include file order issue with the
PROTOBUF_C_VERSION_NUMBER check.

While they are defined to the same value in OpenSSL one should not
rely on this.

With this change, sudo_sendlog can now round-trip sudo-style I/O
logs that use the newer log.json...

This was removed when Linux genentropy() was disabled.

Define MAP_FAILED where relevant if undefined

On systems such as HP-UX 10.20, MAP_FAILED is not
defined.

From Jeremy Huddleston Sequoia

Try to fill the write buffer and then send to the server instead
of sending records one at a time.

We may need to use RAND_bytes() in the getentropy() emulation.

This test needs to be done after AC_LANG_WERROR to avoid including
sys/sysctl.h on systems where ...

The glibc getentropy() emulation will fail on older kernels that
don't support getrandom().
Also ...

Apparently this code was never compiled anywhere.

We need to call iolog_flush_all() _before_ scheduling the commit point.
If we fail to schedule to...

Now that struct eventlog includes the exit parameters we can simplify
how eventlog_exit() is called.

It is now possible to pass a NULL run_time to eventlog_exit().

Also document that logs are flushed before sending a commit point
even when flushing is disabled.

The commit point message means we have written the data to disk so
we should not be buffering it ...

If the connecton is interrupted before sudo sends back a commit_point
message, resuming at [0, 0]...

Since "cd" is a shell built-in command it cannot be run directly
via sudo. The user either needs...

We already avoid installing it when --disable-shared-util is specified.

Fixes a problem where the exit value from mkpkg was 0 even on error.

For CSV output we double quotes strings that contain commas. For
each literal double quote chara...

We now do separate builds with LDAP/SSSD enabled, logsrv client/server
disabled, and static-sudoe...

This introduces a sudoers-specific version of LT_STATIC instead of
appending the --tag=disable-sh...

May be needed for Fedora rawhide and Ubuntu testing, among others.

Fixes check_noexec with ASAN on Fedora where libasan.so just includes
the actual library file.

We need to disable leak sanitizer during "make check" because it
uses ptrace which is not allowed...