--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:sudo
User: [email protected]
Usertags: pu
Hi,
I am hereby submitting sudo 1.9.16p2-3+deb13u1 for pre-approval for
trixie-updates and the next point release.
[ Reason ]
#1124399 makes sudo segfault on some i386 hosts such as AMD Geode
#1126085 makes sudo fail on some DSA systems due to : in sudoers.d file
names
[ Impact ]
AMD Geode users will still be unable to use sudo on amd64
DSA will have to change their file names
[ Tests ]
A small Autopkgtest suite. Both fixes are in unstable and testing.
The complete testsuite was pulled from unstable. The testsuite we
released in trixie didn't work too well in the unshare backend of
autopkgtest.
[ Risks ]
Not sure. It's sudo.
[ Checklist ]
[X ] *all* changes are documented in the d/changelog
[X ] I reviewed all changes and I approve them
[X ] attach debdiff against the package in (old)stable
[X ] the issue is verified as fixed in unstable
[ Changes ]
An upstream patch was included to address #1126085
A patch submitted by Marcos Del Sol Vives fixes the Geode problem by
turning off an unneeded hardening on i386. That patch is already in
bookworm and it has passed a TC discussion
The testsuite was updated from unstable. This is the majority of the
attached debdiff.
diff -Nru sudo-1.9.16p2/debian/changelog sudo-1.9.16p2/debian/changelog
--- sudo-1.9.16p2/debian/changelog 2025-06-30 07:55:33.000000000 +0200
+++ sudo-1.9.16p2/debian/changelog 2026-02-11 20:22:01.000000000 +0100
@@ -1,3 +1,14 @@
+sudo (1.9.16p2-3+deb13u1) trixie; urgency=medium
+
+ [ Marc Haber ]
+ * add upstream patch: Do not perform path expansion
+ Thanks to Adam D. Barratt" <[email protected]> (Closes: #1126085)
+ * Enable Intel CET on amd64 only.
+ Thanks to Marcos Del Sol Vives (Closes: #1124339)
+ * Pull more robust test suite from unstable
+
+ -- Marc Haber <[email protected]> Wed, 11 Feb 2026 20:22:01
+0100
+
sudo (1.9.16p2-3) unstable; urgency=high
* backport upstream patch for CVE-2025-32463
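Review bot: The bug number in the Intel CET entry, "Closes: #1124339", does not match #1124399 as given in the [ Reason ] section of this request; one of the two is a typo, and if it is this one the upload could close an unrelated bug. The Thanks line of the first entry also has an unbalanced double quote after "Adam D. Barratt".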
diff -Nru
sudo-1.9.16p2/debian/patches/0008-open_sudoers-Do-not-perform-path-expansion-on-files-.patch
sudo-1.9.16p2/debian/patches/0008-open_sudoers-Do-not-perform-path-expansion-on-files-.patch
---
sudo-1.9.16p2/debian/patches/0008-open_sudoers-Do-not-perform-path-expansion-on-files-.patch
1970-01-01 01:00:00.000000000 +0100
+++
sudo-1.9.16p2/debian/patches/0008-open_sudoers-Do-not-perform-path-expansion-on-files-.patch
2026-02-11 20:22:01.000000000 +0100
@@ -0,0 +1,34 @@
+From: "Todd C. Miller" <[email protected]>
+Date: Sat, 24 Jan 2026 11:30:06 -0700
+Subject: open_sudoers: Do not perform path expansion on files in an
+ includedir
+
+A file in an includedir containing one or more colons (':') in the
+name we was being expanded as a colon-separated path instead of
+being opened as-is. This fixes a regression introduced in
+sudo 1.9.14. Bug #1085
+---
+ plugins/sudoers/sudoers.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index 0f75c96..fecd279 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -1286,7 +1286,15 @@ open_sudoers(const char *path, char **outfile, bool
doedit, bool *keepopen)
+ int error, fd;
+ debug_decl(open_sudoers, SUDOERS_DEBUG_PLUGIN);
+
+- fd = sudo_open_conf_path(path, fname, sizeof(fname), open_file);
++ if (outfile == NULL) {
++ /* Single file, do not treat as a path. */
++ fd = open_file(path, O_RDONLY|O_NONBLOCK);
++ if (fd != -1)
++ (void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
++ } else {
++ /* Could be a colon-separated path of file names. */
++ fd = sudo_open_conf_path(path, fname, sizeof(fname), open_file);
++ }
+ if (sudoers_ctx.parser_conf.ignore_perms) {
+ /* Skip sudoers security checks when ignore_perms is set. */
+ if (fd == -1 || fstat(fd, &sb) == -1)
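Review bot: In the new single-file branch the result of fcntl(fd, F_GETFL, 0) is used unchecked, so a failure (-1) would be masked with ~O_NONBLOCK and handed straight to F_SETFL, and the F_SETFL result is discarded with (void). Read the flags into a variable and call F_SETFL only when that value is not -1. The branch also relies on outfile == NULL meaning "file from an includedir", which only the commit message states; a comment on open_sudoers() saying that callers pass a NULL outfile for includedir entries would keep that contract from being broken later.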
diff -Nru sudo-1.9.16p2/debian/patches/amd64-ibt.diff
sudo-1.9.16p2/debian/patches/amd64-ibt.diff
--- sudo-1.9.16p2/debian/patches/amd64-ibt.diff 1970-01-01 01:00:00.000000000
+0100
+++ sudo-1.9.16p2/debian/patches/amd64-ibt.diff 2026-02-11 20:22:01.000000000
+0100
@@ -0,0 +1,28 @@
+From: Marcos Del Sol Vives <[email protected]>
+Date: Tue, 2 Sep 2025 00:00:35 +0200
+Subject: Enable Intel CET on amd64 only
+
+---
+ m4/hardening.m4 | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/m4/hardening.m4 b/m4/hardening.m4
+index f7d2a8c..cc7ee01 100644
+--- a/m4/hardening.m4
++++ b/m4/hardening.m4
+@@ -105,6 +105,7 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [
+ ])
+ fi
+
++ if test "$host_cpu" = "x86_64"; then
+ # Check for control-flow transfer instrumentation (Intel CET).
+ AX_CHECK_COMPILE_FLAG([-fcf-protection], [
+ AX_CHECK_LINK_FLAG([-fcf-protection], [
+@@ -112,6 +113,7 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [
+ AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
+ ])
+ ])
++ fi
+ fi
+
+ # Linker-specific hardening flags.
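Review bot: The patch header carries only a Subject and the new test on host_cpu has no comment, so neither the patch nor hardening.m4 says why -fcf-protection is limited to x86_64. Add a short description (the i386 segfault named in the [ Reason ] section, with its bug number) and a one-line comment above the 'if test "$host_cpu" = "x86_64"; then' line. The lines enclosed by the new if/fi are also left at their old indentation.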
diff -Nru sudo-1.9.16p2/debian/patches/series
sudo-1.9.16p2/debian/patches/series
--- sudo-1.9.16p2/debian/patches/series 2025-06-30 07:55:33.000000000 +0200
+++ sudo-1.9.16p2/debian/patches/series 2026-02-11 20:22:01.000000000 +0100
@@ -5,3 +5,5 @@
X11R6.patch
0007-upstream-patch-for-CVE-2025-32463.patch
0008-upstream-patch-for-CVE-2025-32462.patch
+0008-open_sudoers-Do-not-perform-path-expansion-on-files-.patch
+amd64-ibt.diff
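Review bot: The new patch reuses the 0008- prefix already taken by 0008-upstream-patch-for-CVE-2025-32462.patch, and amd64-ibt.diff has no number at all. Renumbering the new entry to 0009- would keep the prefixes unique and the series order readable.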
diff -Nru sudo-1.9.16p2/debian/tests/01-getroot
sudo-1.9.16p2/debian/tests/01-getroot
--- sudo-1.9.16p2/debian/tests/01-getroot 2025-06-30 07:55:33.000000000
+0200
+++ sudo-1.9.16p2/debian/tests/01-getroot 2026-02-11 20:22:01.000000000
+0100
@@ -9,7 +9,7 @@
# Note: we do need the 'xfoo' syntax here, since POSIX special-cases
# the $passwd value '!' as negation.
if [ "x$passwd" = "x*" ] || [ "x$passwd1" = "x!" ]; then
- echo "root:rootpassword" | chpasswd
+ echo "root:riegh@oh4ahR" | chpasswd
fi
TESTNR="01"
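Review bot: The replacement root password on the chpasswd line is a hard-coded literal with no comment on why the old one was not good enough; debian/tests/control gains cracklib-runtime for this test, so if the point is to pass a password quality check, say so next to that line. Separately, the context line above tests "x$passwd1" in its second comparison while the first uses "x$passwd"; if passwd1 is not set elsewhere in the script that looks like a typo, and the "!" case never matches.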
@@ -19,7 +19,7 @@
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
ACCTA="test${TESTNR}a"
ACCTB="test${TESTNR}b"
-PASSWD="test${TESTNR}23456"
+PASSWD="test${TESTNR}Terah9ien7e"
HOMEDIRA="/home/${ACCTA}"
HOMEDIRB="/home/${ACCTB}"
LDIFDIR="${DIR}/ldif"
diff -Nru sudo-1.9.16p2/debian/tests/02-1003969-audit-no-resolve
sudo-1.9.16p2/debian/tests/02-1003969-audit-no-resolve
--- sudo-1.9.16p2/debian/tests/02-1003969-audit-no-resolve 2025-06-30
07:55:33.000000000 +0200
+++ sudo-1.9.16p2/debian/tests/02-1003969-audit-no-resolve 2026-02-11
20:22:01.000000000 +0100
@@ -7,21 +7,29 @@
COMMONDIR="${BASEDIR}/common"
DIR="${BASEDIR}/${TESTNR}"
PATH="/bin:/usr/bin:/sbin:/usr/sbin"
-ACCTA="test${TESTNR}a"
-ACCTB="test${TESTNR}b"
-PASSWD="test${TESTNR}23456"
HOMEDIRA="/root"
-LDIFDIR="${DIR}/ldif"
trap '
printf "\ntrap handler\n"
- mv /etc/resolv.conf.disabled /etc/resolv.conf || true
- mv /etc/hosts.disabled /etc/hosts || true
+ if [ -e /etc/resolv.conf.disabled ]; then
+ cp /etc/resolv.conf.disabled /etc/resolv.conf || true
+ rm -f /etc/resolv.conf.disabled || true
+ fi
+ if [ -e /etc/hosts.disabled ]; then
+ cp /etc/hosts.disabled /etc/hosts || true
+ rm -f /etc/hosts.disabled || true
+ fi
' 0 INT QUIT ABRT PIPE TERM
printf "========= test %s\.1: sudo to nobody\n" "${TESTNR}"
-mv /etc/resolv.conf /etc/resolv.conf.disabled
-mv /etc/hosts /etc/hosts.disabled
+if [ -e /etc/resolv.conf ]; then
+ cp /etc/resolv.conf /etc/resolv.conf.disabled
+ : >/etc/resolv.conf
+fi
+if [ -e /etc/hosts ]; then
+ cp /etc/hosts /etc/hosts.disabled
+ : >/etc/hosts
+fi
RET=0
printf "trying sudo to nobody\n"
cd "${HOMEDIRA}"
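Review bot: In the trap handler the backup is removed even when the restore fails: 'cp /etc/resolv.conf.disabled /etc/resolv.conf || true' is followed unconditionally by 'rm -f /etc/resolv.conf.disabled', and the same holds for /etc/hosts. Chain them as cp ... && rm -f ... so the .disabled copy survives a failed cp. A comment on why mv was replaced by cp plus truncation with ': >' would also help the next reader.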
@@ -35,7 +43,7 @@
printf >&2 "stderr:\n"
cat >&2 ${HOMEDIRA}/stderr
printf >&2 "exit code %s\n" "${RET}"
- printf >&2 "exit 1\n" "${RET}"
+ printf >&2 "exit 1\n"
exit 1
fi
diff -Nru sudo-1.9.16p2/debian/tests/03/10_dsa::util::sudo[dfsg-team-role]
sudo-1.9.16p2/debian/tests/03/10_dsa::util::sudo[dfsg-team-role]
--- sudo-1.9.16p2/debian/tests/03/10_dsa::util::sudo[dfsg-team-role]
1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.9.16p2/debian/tests/03/10_dsa::util::sudo[dfsg-team-role]
2026-02-11 20:22:01.000000000 +0100
@@ -0,0 +1 @@
+root ALL=(ALL:ALL)
/usr/bin/----marker----/this-is-the-sudoersd-10_dsa\:\:util\:\:sudo[dfsg-team-role]-file
diff -Nru sudo-1.9.16p2/debian/tests/03/root sudo-1.9.16p2/debian/tests/03/root
--- sudo-1.9.16p2/debian/tests/03/root 1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.9.16p2/debian/tests/03/root 2026-02-11 20:22:01.000000000 +0100
@@ -0,0 +1 @@
+root ALL=(ALL:ALL) /usr/bin/----marker----/this-is-the-sudoersd-root-file
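Review bot: tests/03/root and tests/03/10_dsa::util::sudo[dfsg-team-role] have the same content as the files of the same name added under tests/03/sudoersd/, and 03-1126085-sudoersd only reads from $DIR/sudoersd/. Unless something else uses the top-level copies, drop them.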
diff -Nru
sudo-1.9.16p2/debian/tests/03/sudoersd/10_dsa::util::sudo[dfsg-team-role]
sudo-1.9.16p2/debian/tests/03/sudoersd/10_dsa::util::sudo[dfsg-team-role]
--- sudo-1.9.16p2/debian/tests/03/sudoersd/10_dsa::util::sudo[dfsg-team-role]
1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.9.16p2/debian/tests/03/sudoersd/10_dsa::util::sudo[dfsg-team-role]
2026-02-11 20:22:01.000000000 +0100
@@ -0,0 +1 @@
+root ALL=(ALL:ALL)
/usr/bin/----marker----/this-is-the-sudoersd-10_dsa\:\:util\:\:sudo[dfsg-team-role]-file
diff -Nru sudo-1.9.16p2/debian/tests/03/sudoersd/root
sudo-1.9.16p2/debian/tests/03/sudoersd/root
--- sudo-1.9.16p2/debian/tests/03/sudoersd/root 1970-01-01 01:00:00.000000000
+0100
+++ sudo-1.9.16p2/debian/tests/03/sudoersd/root 2026-02-11 20:22:01.000000000
+0100
@@ -0,0 +1 @@
+root ALL=(ALL:ALL) /usr/bin/----marker----/this-is-the-sudoersd-root-file
diff -Nru sudo-1.9.16p2/debian/tests/03-1126085-sudoersd
sudo-1.9.16p2/debian/tests/03-1126085-sudoersd
--- sudo-1.9.16p2/debian/tests/03-1126085-sudoersd 1970-01-01
01:00:00.000000000 +0100
+++ sudo-1.9.16p2/debian/tests/03-1126085-sudoersd 2026-02-11
20:22:01.000000000 +0100
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+set -e
+
+TESTNR="03"
+BASEDIR="$(pwd)/debian/tests"
+COMMONDIR="${BASEDIR}/common"
+DIR="${BASEDIR}/${TESTNR}"
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+FILES="$(find $DIR/sudoersd/ -type f)"
+echo $FILES
+DSTFILES="$(echo $FILES | sed "s|${DIR}/sudoersd|/etc/sudoers.d|g")"
+echo $DSTFILES
+
+trap '
+ true
+' 0 INT QUIT ABRT PIPE TERM
+
+printf "copy files to sudoers ... "
+cp $FILES /etc/sudoers.d/
+printf "collect sudo -l output ... "
+OUTPUT="$(sudo -l | grep -- ----marker----)"
+EXPECTED=" (ALL : ALL)
/usr/bin/----marker----/this-is-the-sudoersd-10_dsa\:\:util\:\:sudo[dfsg-team-role]-file
+ (ALL : ALL) /usr/bin/----marker----/this-is-the-sudoersd-root-file"
+if [ "$OUTPUT" != "$EXPECTED" ]; then
+ printf "sudo -l output not as expected, Test failed\n"
+ exit 1
+fi
+
+printf "test series sucessful, exit 0\n"
+exit 0
+
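Review bot: The trap body is just 'true' and DSTFILES is computed but never used, so the files copied into /etc/sudoers.d/ stay there after the test; use the trap to remove the copied files. $FILES and $DSTFILES are also expanded unquoted although one file name contains [dfsg-team-role], which the shell treats as a glob bracket expression, and under set -e a non-matching grep in the OUTPUT assignment ends the script before the "Test failed" message is printed.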
diff -Nru sudo-1.9.16p2/debian/tests/04/ldif/ldap.conf
sudo-1.9.16p2/debian/tests/04/ldif/ldap.conf
--- sudo-1.9.16p2/debian/tests/04/ldif/ldap.conf 2025-06-30
07:55:33.000000000 +0200
+++ sudo-1.9.16p2/debian/tests/04/ldif/ldap.conf 2026-02-11
20:22:01.000000000 +0100
@@ -1,5 +1,5 @@
BASE dc=example,dc=com
-URI ldaps://[::1]:636/
+URI ldaps://[::1]:1636/
TLS_CACERT /etc/ldap/server_cert.pem
TLS_REQCERT allow
SASL_NOCANON on
diff -Nru sudo-1.9.16p2/debian/tests/04/ldif/slapd.conf
sudo-1.9.16p2/debian/tests/04/ldif/slapd.conf
--- sudo-1.9.16p2/debian/tests/04/ldif/slapd.conf 1970-01-01
01:00:00.000000000 +0100
+++ sudo-1.9.16p2/debian/tests/04/ldif/slapd.conf 2026-02-11
20:22:01.000000000 +0100
@@ -0,0 +1,22 @@
+# OpenLDAP 2.4 (bullseye) only
+modulepath /usr/lib/ldap
+moduleload back_mdb
+include /etc/ldap/schema/core.schema
+include /etc/ldap/schema/cosine.schema
+include /etc/ldap/schema/nis.schema
+include /etc/ldap/schema/inetorgperson.schema
+
+database mdb
+maxsize 1073741824
+directory /var/lib/ldap
+
+# Suffix and root DN must come in this order
+suffix "dc=example,dc=com"
+rootdn "cn=admin,dc=example,dc=com"
+rootpw ldappw
+
+# TLS optional
+TLSCertificateFile /etc/ldap/server_cert.pem
+TLSCertificateKeyFile /etc/ldap/server_key.pem
+TLSCACertificateFile /etc/ldap/server_cert.pem
+
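Review bot: The first line says "OpenLDAP 2.4 (bullseye) only", but 04-getroot-sssd copies this file unconditionally and always starts slapd with -f /etc/ldap/slapd.conf; reword the comment to match. The "TLS optional" comment above the three TLS directives is also misleading, since ldap.conf and sssd.conf in this test only use ldaps:// URIs.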
diff -Nru sudo-1.9.16p2/debian/tests/04/ldif/sssd.conf
sudo-1.9.16p2/debian/tests/04/ldif/sssd.conf
--- sudo-1.9.16p2/debian/tests/04/ldif/sssd.conf 2025-06-30
07:55:33.000000000 +0200
+++ sudo-1.9.16p2/debian/tests/04/ldif/sssd.conf 2026-02-11
20:22:01.000000000 +0100
@@ -7,7 +7,7 @@
id_provider = ldap
auth_provider = ldap
-ldap_uri = ldaps://[::1]:636/
+ldap_uri = ldaps://[::1]:1636/
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/ldap/server_cert.pem
diff -Nru sudo-1.9.16p2/debian/tests/04/ldif/sss-ous.ldif
sudo-1.9.16p2/debian/tests/04/ldif/sss-ous.ldif
--- sudo-1.9.16p2/debian/tests/04/ldif/sss-ous.ldif 2025-06-30
07:55:33.000000000 +0200
+++ sudo-1.9.16p2/debian/tests/04/ldif/sss-ous.ldif 2026-02-11
20:22:01.000000000 +0100
@@ -1,3 +1,10 @@
+dn: dc=example,dc=com
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: Example Organization
+dc: example
+
dn: ou=users,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
diff -Nru sudo-1.9.16p2/debian/tests/04/ldif/tls.ldif
sudo-1.9.16p2/debian/tests/04/ldif/tls.ldif
--- sudo-1.9.16p2/debian/tests/04/ldif/tls.ldif 2025-06-30 07:55:33.000000000
+0200
+++ sudo-1.9.16p2/debian/tests/04/ldif/tls.ldif 2026-02-11 20:22:01.000000000
+0100
@@ -1,10 +1,32 @@
dn: cn=config
changetype: modify
+delete: olcTLSCACertificateFile
+-
+
+dn: cn=config
+changetype: modify
+delete: olcTLSCertificateFile
+-
+
+dn: cn=config
+changetype: modify
+delete: olcTLSCertificateKeyFile
+-
+
+dn: cn=config
+changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/server_cert.pem
-
+
+dn: cn=config
+changetype: modify
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/server_cert.pem
+-
+
+dn: cn=config
+changetype: modify
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/server_key.pem
-
-add: olcTLSCertificateFile
-olcTLSCertificateFile: /etc/ldap/server_cert.pem
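Review bot: This file is rewritten here, but the only visible use of it, 'ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/tls.ldif', is removed from 04-getroot-sssd in the same debdiff, and the TLS settings now come from slapd.conf. If nothing else applies tls.ldif, delete it rather than maintain it.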
diff -Nru sudo-1.9.16p2/debian/tests/04-getroot-sssd
sudo-1.9.16p2/debian/tests/04-getroot-sssd
--- sudo-1.9.16p2/debian/tests/04-getroot-sssd 2025-06-30 07:55:33.000000000
+0200
+++ sudo-1.9.16p2/debian/tests/04-getroot-sssd 2026-02-11 20:22:01.000000000
+0100
@@ -17,58 +17,89 @@
HOMEDIRB="/home/${ACCTB}"
LDIFDIR="${DIR}/ldif"
SSSDCONF="/etc/sssd/sssd.conf"
+RUNDIR="/run/slapd"
+VARRUNDIR="/var/run/slapd"
trap '
kill $(pidof slapd) 2>/dev/null || true
kill $(pidof sssd) 2>/dev/null || true
+ kill $(pidof socat) 2>/dev/null || true
+ rm -f /dev/log || true
' 0 INT QUIT ABRT PIPE TERM
# openssl req -x509 -days 365 -nodes -newkey rsa:4096 -keyout server_key.pem
-out server_cert.pem --subj "/C=DE/CN=emptysid86.zugschlus.de"
+printf "make and chown dirs ... "
+mkdir -p "${RUNDIR}" "${VARRUNDIR}"
+chown openldap "${VARRUNDIR}"
< ${LDIFDIR}/debconf debconf-set-selections
+
printf "clean up ldap database ... "
rm -rf /var/lib/ldap/*.mdb
+
printf "move configuration in place ... "
mkdir -p /etc/ldap /etc/sssd
cp ${LDIFDIR}/server_*.pem /etc/ldap/
cp ${LDIFDIR}/ldap.conf /etc/ldap/
chown openldap:openldap /etc/ldap/server_*.pem
chmod 600 /etc/ldap/server_key.pem
+# slapd.conf is only needed for OpenLDAP 2.4 on bullseye
+# but since it's already there now, use it for OpenLDAP 2.5+ as well
+# this is a testsuite. If you want /etc/ldap/slapd.d to be used (again),
+# please submit a patch that will also work on bullseye.
+cp ${LDIFDIR}/slapd.conf /etc/ldap/
cp ${LDIFDIR}/sssd.conf /etc/sssd
chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
cp ${LDIFDIR}/slapd-default /etc/default/slapd
echo "slapd: [::1]" >> /etc/hosts.allow
+
printf "reconfigure slapd ... "
DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null
kill $(pidof slapd) 2>/dev/null || true
sleep 1
+
+if ! [ -S /dev/log ]; then
+ echo "starting fake syslog socket on /dev/log"
+
+ # remove stale file if present
+ [ -e /dev/log ] && rm -f /dev/log
+
+ socat -u UNIX-RECV:/dev/log,mode=666 STDOUT >/dev/null 2>/dev/null &
+fi
+
printf "start slapd ... "
-slapd -h "ldaps:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
+slapd -f /etc/ldap/slapd.conf -h "ldaps://:1636/ ldapi:///" -g openldap -u
openldap
+
+printf "check slapd running .... "
+pgrep -a slapd
# ldapsearch -x -LLL -s base -b "" namingContexts should work here
-printf "set LDAP passwords"
-ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/tls.ldif 2>/dev/null
-ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw.ldif 2>/dev/null
-ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw-example-com.ldif
2>/dev/null
-printf "add users and groups OUs ..."
-ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f
${LDIFDIR}/sss-ous.ldif 2>/dev/null
-printf "add users ..."
+
+printf "add users and groups OUs ...\n"
+ldapadd -x -c -D "cn=admin,dc=example,dc=com" -w ldappw -f
${LDIFDIR}/sss-ous.ldif 2>/dev/null || true
printf "sssd.conf ...\n"
cp ${LDIFDIR}/sssd.conf "${SSSDCONF}"
-printf "sudoers file ...\n"A
+printf "sudoers file ...\n"
mkdir -p /etc/sudoers.d/
-mv ${LDIFDIR}/ldapsudoers /etc/sudoers.d/
+cp ${LDIFDIR}/ldapsudoers /etc/sudoers.d/
chown root:root "${SSSDCONF}" /etc/sudoers.d/ /etc/sudoers.d/*
chmod 755 /etc/sudoers.d/
chmod 600 "${SSSDCONF}" /etc/sudoers.d/*
+
+printf "start sssd ..."
kill $(pidof sssd) 2>/dev/null || true
sleep 1
sssd --logger=files -D
+printf "check sssd running .... "
+pgrep -a sssd
+
+printf "add users ..."
for user in testuser1 testuser2; do
ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f
${LDIFDIR}/${user}.ldif 2>/dev/null
+ getent passwd ${user}
mkdir -p /home/${user}
chown ${user}:nogroup /home/${user}
done
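Review bot: The trap now runs 'rm -f /dev/log' unconditionally, while the socat listener is only started when /dev/log is not already a socket; on a system with a real syslog socket the test would delete it on exit. Record whether the script created the socket and remove it only in that case. The same applies to 'kill $(pidof socat)', which hits every socat process rather than the one started here; keep $! from the background job instead. The ldapadd for sss-ous.ldif also gained '|| true' on top of 2>/dev/null, so a failed import is neither reported nor fatal.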
diff -Nru sudo-1.9.16p2/debian/tests/control sudo-1.9.16p2/debian/tests/control
--- sudo-1.9.16p2/debian/tests/control 2025-06-30 07:55:33.000000000 +0200
+++ sudo-1.9.16p2/debian/tests/control 2026-02-11 20:22:01.000000000 +0100
@@ -1,16 +1,11 @@
Tests: 01-getroot
-Depends: sudo, adduser
+Depends: adduser, sudo, cracklib-runtime
Restrictions: needs-root
Tests: 02-1003969-audit-no-resolve
Depends: sudo
Restrictions: needs-root
-Tests: 03-getroot-ldap
-Depends: sudo-ldap, adduser, slapd, ldap-utils, cron
-Restrictions: needs-root
-
Tests: 04-getroot-sssd
-Depends: sudo, adduser, slapd, ldap-utils, sssd-common, sssd-ldap, cron
+Depends: adduser, cron, ldap-utils, procps, slapd, sssd-common, sssd-ldap,
sudo, socat, libnss-sss, libpam-sss
Restrictions: needs-root
-
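Review bot: The stanza for 03-getroot-ldap is removed but none is added for the new 03-1126085-sudoersd script, so the regression test for #1126085 is never run by autopkgtest. Add a stanza for it, for example "Tests: 03-1126085-sudoersd", "Depends: sudo", "Restrictions: needs-root".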
--- End Message ---