rebase sudo patch to CentOS7.5

the CVE patch is not used, so delete it.

Story: 2003389
Task: 24492

Change-Id: I67b5612992c6cf3c2d67d067b484e98450188ff8
Signed-off-by: slin14 <shuicheng.lin@intel.com>
slin14 2018-08-14 23:44:18 +08:00 committed by chenyan
parent 3fd3486f27
commit 8406a10d58
5 changed files with 37 additions and 425 deletions


@ -1,7 +1,7 @@
From 39b08b2cc4eb6d47490593a599db95703b74b754 Mon Sep 17 00:00:00 2001 From 21db84dcb55f87c792a6d59cef0c68741a9d24b1 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com> From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:50:44 -0400 Date: Mon, 2 Oct 2017 16:50:44 -0400
Subject: [PATCH 1/3] WRS: 0001-Update-package-versioning-for-TIS-format.patch Subject: [PATCH 1/4] WRS: 0001-Update-package-versioning-for-TIS-format.patch
Conflicts: Conflicts:
SPECS/sudo.spec SPECS/sudo.spec
@ -10,18 +10,18 @@ Conflicts:
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index c3a1a52..7d1486b 100644 index c8d2f64..b6402bb 100644
--- a/SPECS/sudo.spec --- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec +++ b/SPECS/sudo.spec
@@ -1,7 +1,7 @@ @@ -1,7 +1,7 @@
Summary: Allows restricted root access for specified users Summary: Allows restricted root access for specified users
Name: sudo Name: sudo
Version: 1.8.19p2 Version: 1.8.19p2
-Release: 11%{?dist} -Release: 14%{?dist}
+Release: 11.el7_4%{?_tis_dist}.%{tis_patch_ver} +Release: 14.el7_5%{?_tis_dist}.%{tis_patch_ver}
License: ISC License: ISC
Group: Applications/System Group: Applications/System
URL: http://www.courtesan.com/sudo/ URL: http://www.courtesan.com/sudo/
-- --
1.9.1 2.7.4


@ -1,35 +1,35 @@
From abc3ec24a957002962bb4038946291b84bea3859 Mon Sep 17 00:00:00 2001 From 70046603b8d607445e2fbf5e7d934bcd43a77dc8 Mon Sep 17 00:00:00 2001
From: Scott Little <scott.little@windriver.com> From: Scott Little <scott.little@windriver.com>
Date: Mon, 2 Oct 2017 16:50:44 -0400 Date: Mon, 2 Oct 2017 16:50:44 -0400
Subject: [PATCH 2/3] WRS: 0002-spec-include-TiS-changes.patch Subject: [PATCH 2/4] WRS: 0002-spec-include-TiS-changes.patch
--- ---
SPECS/sudo.spec | 17 +++++++++++++++-- SPECS/sudo.spec | 15 +++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-) 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index 7d1486b..d731ba9 100644 index b6402bb..acbcb26 100644
--- a/SPECS/sudo.spec --- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec +++ b/SPECS/sudo.spec
@@ -64,6 +64,8 @@ Patch17: sudo-1.8.19p2-get_process_ttyname.patch @@ -78,6 +78,8 @@ Patch24: sudo-1.8.19p2-sssd-double-free.patch
# 1459152 - CVE-2017-1000368: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367) # 1560657 - sudo blocks in poll() for /dev/ptmx with iolog enabled
Patch18: sudo-1.8.19p2-CVE-2017-1000368.patch Patch25: sudo-1.8.19p2-iolog-zombie.patch
+# WRS patches +# WRS patches
+ +
%description %description
Sudo (superuser do) allows a system administrator to give certain Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all) commands users (or groups of users) the ability to run some (or all) commands
@@ -106,6 +108,8 @@ plugins that use %{name}. @@ -127,6 +129,8 @@ plugins that use %{name}.
%patch17 -p1 -b .get_process_ttyname %patch24 -p1 -b .double-free
%patch18 -p1 -b .CVE-2017-1000368 %patch25 -p1 -b .iolog-zombie
+# WRS patches +# WRS patches
+ +
%build %build
autoreconf -I m4 -fv --install autoreconf -I m4 -fv --install
@@ -132,7 +136,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHL @@ -153,7 +157,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHL
--with-ignore-dot \ --with-ignore-dot \
--with-tty-tickets \ --with-tty-tickets \
--with-ldap \ --with-ldap \
@ -38,7 +38,7 @@ index 7d1486b..d731ba9 100644
--with-selinux \ --with-selinux \
--with-passprompt="[sudo] password for %p: " \ --with-passprompt="[sudo] password for %p: " \
--with-linux-audit \ --with-linux-audit \
@@ -158,6 +162,12 @@ install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers @@ -179,6 +183,12 @@ install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
install -p -c -m 0640 %{SOURCE3} $RPM_BUILD_ROOT/etc/sudo.conf install -p -c -m 0640 %{SOURCE3} $RPM_BUILD_ROOT/etc/sudo.conf
install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo-ldap.conf install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo-ldap.conf
@ -51,7 +51,7 @@ index 7d1486b..d731ba9 100644
# Remove execute permission on this script so we don't pull in perl deps # Remove execute permission on this script so we don't pull in perl deps
chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif
@@ -226,7 +236,8 @@ rm -rf $RPM_BUILD_ROOT @@ -247,7 +257,8 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/visudo.8* %{_mandir}/man8/visudo.8*
%dir %{_docdir}/sudo-%{version} %dir %{_docdir}/sudo-%{version}
%{_docdir}/sudo-%{version}/* %{_docdir}/sudo-%{version}/*
@ -62,5 +62,5 @@ index 7d1486b..d731ba9 100644
# Make sure permissions are ok even if we're updating # Make sure permissions are ok even if we're updating
%post %post
-- --
1.9.1 2.7.4


@ -1,8 +1,18 @@
From b531e69617e54bd767ff58d1794e48b8150d74b9 Mon Sep 17 00:00:00 2001
From: slin14 <shuicheng.lin@intel.com>
Date: Tue, 14 Aug 2018 22:10:32 +0800
Subject: [PATCH 4/4] remove-make-check
Signed-off-by: slin14 <shuicheng.lin@intel.com>
---
SPECS/sudo.spec | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index 4a34dba..fcb2e05 100644 index 8c3f395..17531f7 100644
--- a/SPECS/sudo.spec --- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec +++ b/SPECS/sudo.spec
@@ -145,7 +145,8 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHL @@ -166,7 +166,8 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHL
# --without-kerb4 # --without-kerb4
make -j"%(nproc)" make -j"%(nproc)"
@ -12,3 +22,6 @@ index 4a34dba..fcb2e05 100644
%install %install
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
--
2.7.4
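Review bot: The patch header added at the top of this section carries only `Subject: [PATCH 4/4] remove-make-check` and a sign-off, with no explanation of why the test run is dropped. The changed lines after `make -j"%(nproc)"` in `%build` are not visible in this view, so the reason cannot be read from the change either. sudo is installed setuid root, and this rebase moves to a newer base release that brings additional patches, which is when the bundled regression tests are most useful as a build gate. I would add a line to the patch description such as `make check is disabled because <reason>; re-enable when <condition>`. If the tests fail only because of the build environment, fixing that is preferable to skipping them.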


@ -1 +1 @@
mirror:Source/sudo-1.8.19p2-11.el7_4.src.rpm mirror:Source/sudo-1.8.19p2-14.el7_5.src.rpm


@ -1,401 +0,0 @@
sudo: CVE-2015-5602
the patch is based on:
https://www.sudo.ws/repos/sudo/rev/9636fd256325
https://www.sudo.ws/repos/sudo/rev/c2e36a80a279
Rewritten sudoedit_checkdir support that checks all the dirs in the
path and refuses to follow symlinks in writable directories.
This is a better fix for CVE-2015-5602.
Adapted from a diff by Ben Hutchings. Bug #707
Signed-off-by: Li Wang <li.wang@windriver.com>
---
plugins/sudoers/policy.c | 5
src/sudo.c | 10 +
src/sudo.h | 3
src/sudo_edit.c | 289 +++++++++++++++++++++++++++++++++++++++++++++--
4 files changed, 296 insertions(+), 11 deletions(-)
--- a/src/sudo_edit.c
+++ b/src/sudo_edit.c
@@ -79,6 +79,267 @@ switch_user(uid_t euid, gid_t egid, int
debug_return;
}
+static bool
+group_matches(gid_t target, gid_t gid, int ngroups, GETGROUPS_T *groups)
+{
+ int i;
+ debug_decl(group_matches, SUDO_DEBUG_EDIT)
+
+ if (target == gid) {
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "user gid %u matches directory gid %u", (unsigned int)gid,
+ (unsigned int)target);
+ debug_return_bool(true);
+ }
+ for (i = 0; i < ngroups; i++) {
+ if (target == groups[i]) {
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "user gid %u matches directory gid %u", (unsigned int)gid,
+ (unsigned int)target);
+ debug_return_bool(true);
+ }
+ }
+ debug_return_bool(false);
+}
+
+#ifdef O_NOFOLLOW
+static int
+sudo_edit_openat_nofollow(int dfd, char *path, int oflags, mode_t mode)
+{
+ debug_decl(sudo_edit_open_nofollow, SUDO_DEBUG_EDIT)
+
+ debug_return_int(openat(dfd, path, oflags|O_NOFOLLOW, mode));
+}
+#else
+/*
+ * Returns true if fd and path don't match or path is a symlink.
+ * Used on older systems without O_NOFOLLOW.
+ */
+static bool
+sudo_edit_is_symlink(int fd, char *path)
+{
+ struct stat sb1, sb2;
+ debug_decl(sudo_edit_is_symlink, SUDO_DEBUG_EDIT)
+
+ /*
+ * Treat [fl]stat() failure like there was a symlink.
+ */
+ if (fstat(fd, &sb1) == -1 || lstat(path, &sb2) == -1)
+ debug_return_bool(true);
+
+ /*
+ * Make sure we did not open a link and that what we opened
+ * matches what is currently on the file system.
+ */
+ if (S_ISLNK(sb2.st_mode) ||
+ sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino) {
+ debug_return_bool(true);
+ }
+
+ debug_return_bool(false);
+}
+
+static int
+sudo_edit_openat_nofollow(char *path, int oflags, mode_t mode)
+{
+ struct stat sb1, sb2;
+ int fd;
+ debug_decl(sudo_edit_openat_nofollow, SUDO_DEBUG_EDIT)
+
+ fd = openat(dfd, path, oflags, mode);
+ if (fd == -1)
+ debug_return_int(-1);
+
+ if (sudo_edit_is_symlink(fd, path)) {
+ close(fd);
+ fd = -1;
+ errno = ELOOP;
+ }
+
+ debug_return_int(fd);
+}
+#endif /* O_NOFOLLOW */
+
+/*
+ * Returns true if the directory described by sb is writable
+ * by the user. We treat directories with the sticky bit as
+ * unwritable unless they are owned by the user.
+ */
+static bool
+dir_is_writable(struct stat *sb, uid_t uid, gid_t gid, int ngroups,
+ GETGROUPS_T *groups)
+{
+ debug_decl(dir_is_writable, SUDO_DEBUG_EDIT)
+
+ /* If the user owns the dir we always consider it writable. */
+ if (sb->st_uid == uid) {
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "user uid %u matches directory uid %u", (unsigned int)uid,
+ (unsigned int)sb->st_uid);
+ debug_return_bool(true);
+ }
+
+ /* Other writable? */
+ if (ISSET(sb->st_mode, S_IWOTH)) {
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "directory is writable by other");
+ debug_return_bool(true);
+ }
+
+ /* Group writable? */
+ if (ISSET(sb->st_mode, S_IWGRP)) {
+ if (group_matches(sb->st_gid, gid, ngroups, groups)) {
+ sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+ "directory is writable by one of the user's groups");
+ debug_return_bool(true);
+ }
+ }
+
+ debug_return_bool(false);
+}
+
+/*
+ * Directory open flags for use with openat(2) and fstat(2).
+ * Use O_PATH and O_DIRECTORY where possible.
+ */
+#if defined(O_PATH) && defined(O_DIRECTORY)
+# define DIR_OPEN_FLAGS (O_PATH|O_DIRECTORY)
+#elif defined(O_PATH) && !defined(O_DIRECTORY)
+# define DIR_OPEN_FLAGS O_PATH
+#elif !defined(O_PATH) && defined(O_DIRECTORY)
+# define DIR_OPEN_FLAGS (O_RDONLY|O_DIRECTORY)
+#else
+# define DIR_OPEN_FLAGS (O_RDONLY|O_NONBLOCK)
+#endif
+
+static int
+sudo_edit_open_nonwritable(char *path, int oflags, mode_t mode)
+{
+ int dfd, fd, dflags = DIR_OPEN_FLAGS;
+#if defined(__linux__) && defined(O_PATH)
+ char *opath = path;
+#endif
+ bool is_writable;
+ struct stat sb;
+ debug_decl(sudo_edit_open_nonwritable, SUDO_DEBUG_EDIT)
+
+#if defined(__linux__) && defined(O_PATH)
+restart:
+#endif
+ if (path[0] == '/') {
+ dfd = open("/", dflags);
+ path++;
+ } else {
+ dfd = open(".", dflags);
+ if (path[0] == '.' && path[1] == '/')
+ path += 2;
+ }
+ if (dfd == -1)
+ debug_return_int(-1);
+
+ for (;;) {
+ char *slash;
+ int subdfd;
+
+ /*
+ * Look up one component at a time, avoiding symbolic links in
+ * writable directories.
+ */
+ if (fstat(dfd, &sb) == -1) {
+ close(dfd);
+#if defined(__linux__) && defined(O_PATH)
+ /* Linux prior to 3.6 can't fstat an O_PATH fd */
+ if (ISSET(dflags, O_PATH)) {
+ CLR(dflags, O_PATH);
+ path = opath;
+ goto restart;
+ }
+#endif
+ debug_return_int(-1);
+ }
+#ifndef O_DIRECTORY
+ if (!S_ISDIR(sb.st_mode)) {
+ close(dfd);
+ errno = ENOTDIR;
+ debug_return_int(-1);
+ }
+#endif
+ is_writable = dir_is_writable(&sb, user_details.uid, user_details.gid,
+ user_details.ngroups, user_details.groups);
+
+ while (path[0] == '/')
+ path++;
+ slash = strchr(path, '/');
+ if (slash == NULL)
+ break;
+ *slash = '\0';
+ if (is_writable)
+ subdfd = sudo_edit_openat_nofollow(dfd, path, dflags, 0);
+ else
+ subdfd = openat(dfd, path, dflags, 0);
+ *slash = '/'; /* restore path */
+ close(dfd);
+ if (subdfd == -1)
+ debug_return_int(-1);
+ path = slash + 1;
+ dfd = subdfd;
+ }
+
+ if (is_writable) {
+ close(dfd);
+ errno = EISDIR;
+ debug_return_int(-1);
+ }
+
+ fd = openat(dfd, path, oflags, mode);
+ close(dfd);
+ debug_return_int(fd);
+}
+
+#ifdef O_NOFOLLOW
+static int
+sudo_edit_open(char *path, int oflags, mode_t mode, int sflags)
+{
+ int fd;
+ debug_decl(sudo_edit_open, SUDO_DEBUG_EDIT)
+
+ if (!ISSET(sflags, CD_SUDOEDIT_FOLLOW))
+ oflags |= O_NOFOLLOW;
+ if (ISSET(sflags, CD_SUDOEDIT_CHECKDIR) && user_details.uid != 0)
+ fd = sudo_edit_open_nonwritable(path, oflags|O_NONBLOCK, mode);
+ else
+ fd = open(path, oflags|O_NONBLOCK, mode);
+ if (fd != -1 && !ISSET(oflags, O_NONBLOCK))
+ (void) fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
+ debug_return_int(fd);
+}
+#else
+static int
+sudo_edit_open(char *path, int oflags, mode_t mode, int sflags)
+{
+ struct stat sb1, sb2;
+ int fd;
+ debug_decl(sudo_edit_open, SUDO_DEBUG_EDIT)
+
+ if (ISSET(sflags, CD_SUDOEDIT_CHECKDIR) && user_details.uid != 0)
+ fd = sudo_edit_open_nonwritable(path, oflags|O_NONBLOCK, mode);
+ else
+ fd = open(path, oflags|O_NONBLOCK, mode);
+ if (fd == -1)
+ debug_return_int(-1);
+ if (!ISSET(oflags, O_NONBLOCK))
+ (void) fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
+
+ if (!ISSET(sflags, CD_SUDOEDIT_FOLLOW) && sudo_edit_is_symlink(fd, path)) {
+ close(fd);
+ fd = -1;
+ errno = ELOOP;
+ }
+
+ debug_return_int(fd);
+}
+#endif /* O_NOFOLLOW */
+
/*
* Wrapper to allow users to edit privileged files with their own uid.
*/
@@ -97,8 +358,8 @@ sudo_edit(struct command_details *comman
struct tempfile {
char *tfile;
char *ofile;
- struct timeval omtim;
off_t osize;
+ struct timeval omtim;
} *tf = NULL;
debug_decl(sudo_edit, SUDO_DEBUG_EDIT)
@@ -153,7 +414,8 @@ sudo_edit(struct command_details *comman
rc = -1;
switch_user(command_details->euid, command_details->egid,
command_details->ngroups, command_details->groups);
- if ((ofd = open(files[i], O_RDONLY, 0644)) != -1 || errno == ENOENT) {
+ ofd = sudo_edit_open(files[i], O_RDONLY, 0644, command_details->flags);
+ if (ofd != -1 || errno == ENOENT) {
if (ofd == -1) {
zero_bytes(&sb, sizeof(sb)); /* new file */
rc = 0;
@@ -163,11 +425,17 @@ sudo_edit(struct command_details *comman
}
switch_user(ROOT_UID, user_details.egid,
user_details.ngroups, user_details.groups);
- if (rc || (ofd != -1 && !S_ISREG(sb.st_mode))) {
- if (rc)
- warning("%s", files[i]);
+ if (ofd != -1 && !S_ISREG(sb.st_mode)) {
+ warningx(_("%s: not a regular file"), files[i]);
+ close(ofd);
+ continue;
+ }
+ if (rc == -1) {
+ /* open() or fstat() error. */
+ if (ofd == -1 && errno == ELOOP)
+ warningx(_("%s: is a symbolic link"), files[i]);
else
- warningx(_("%s: not a regular file"), files[i]);
+ warning("%s", files[i]);
if (ofd != -1)
close(ofd);
continue;
@@ -258,9 +526,9 @@ sudo_edit(struct command_details *comman
rc = -1;
if (seteuid(user_details.uid) != 0)
fatal("seteuid(%d)", (int)user_details.uid);
- if ((tfd = open(tf[i].tfile, O_RDONLY, 0644)) != -1) {
+ tfd = sudo_edit_open(tf[i].tfile, O_RDONLY, 0644, 0);
+ if (tfd != -1)
rc = fstat(tfd, &sb);
- }
if (seteuid(ROOT_UID) != 0)
fatal("seteuid(ROOT_UID)");
if (rc || !S_ISREG(sb.st_mode)) {
@@ -289,8 +557,9 @@ sudo_edit(struct command_details *comman
}
switch_user(command_details->euid, command_details->egid,
command_details->ngroups, command_details->groups);
- ofd = open(tf[i].ofile, O_WRONLY|O_TRUNC|O_CREAT, 0644);
- switch_user(ROOT_UID, user_details.egid,
+ ofd = sudo_edit_open(tf[i].ofile, O_WRONLY|O_TRUNC|O_CREAT, 0644,
+ command_details->flags);
+ switch_user(ROOT_UID, user_details.egid,
user_details.ngroups, user_details.groups);
if (ofd == -1) {
warning(_("unable to write to %s"), tf[i].ofile);
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -383,8 +383,11 @@ sudoers_policy_exec_setup(char *argv[],
easprintf(&command_info[info_len++], "maxseq=%u", def_maxseq);
}
}
- if (ISSET(sudo_mode, MODE_EDIT))
+ if (ISSET(sudo_mode, MODE_EDIT)) {
command_info[info_len++] = estrdup("sudoedit=true");
+ command_info[info_len++] = estrdup("sudoedit_checkdir=true");
+ command_info[info_len++] = estrdup("sudoedit_follow=true");
+ }
if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
/* Set cwd to run user's homedir. */
command_info[info_len++] = fmt_string("cwd", runas_pw->pw_dir);
--- a/src/sudo.c
+++ b/src/sudo.c
@@ -727,6 +727,16 @@ command_info_to_details(char * const inf
SET(details->flags, CD_SUDOEDIT);
break;
}
+ if (strncmp("sudoedit_checkdir=", info[i], sizeof("sudoedit_checkdir=") - 1) == 0) {
+ if (atobool(info[i] + sizeof("sudoedit_checkdir=") - 1) == true)
+ SET(details->flags, CD_SUDOEDIT_CHECKDIR);
+ break;
+ }
+ if (strncmp("sudoedit_follow=", info[i], sizeof("sudoedit_follow=") - 1) == 0) {
+ if (atobool(info[i] + sizeof("sudoedit_follow=") - 1) == true)
+ SET(details->flags, CD_SUDOEDIT_FOLLOW);
+ break;
+ }
break;
case 't':
if (strncmp("timeout=", info[i], sizeof("timeout=") - 1) == 0) {
--- a/src/sudo.h
+++ b/src/sudo.h
@@ -129,6 +129,9 @@ struct user_details {
#define CD_USE_PTY 0x1000
#define CD_SET_UTMP 0x2000
#define CD_EXEC_BG 0x4000
+#define CD_SUDOEDIT_COPY 0x08000
+#define CD_SUDOEDIT_FOLLOW 0x10000
+#define CD_SUDOEDIT_CHECKDIR 0x20000
struct command_details {
uid_t uid;