Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:sudo
User: [email protected]
Usertags: pu

Hi,

I am hereby submitting sudo 1.9.16p2-3+deb13u1 for pre-approval for 
trixie-updates and the next point release.

[ Reason ]
#1124399 makes sudo segfault on some i386 hosts such as AMD Geode
#1126085 makes sudo fail on some DSA systems due to : in sudoers.d file 
names

[ Impact ]
AMD Geode users will still be unable to use sudo on amd64
DSA will have to change their file names

[ Tests ]
A small Autopkgtest suite. Both fixes are in unstable and testing.

The complete testsuite was pulled from unstable. The testsuite we 
released in trixie didn't work too well in the unshare backend of 
autopkgtest.

[ Risks ]
Not sure. It's sudo.

[ Checklist ]
  [X ] *all* changes are documented in the d/changelog
  [X ] I reviewed all changes and I approve them
  [X ] attach debdiff against the package in (old)stable
  [X ] the issue is verified as fixed in unstable

[ Changes ]
An upstream patch was included to address #1126085
A patch submitted by Marcos Del Sol Vives fixes the Geode problem by 
turning off an unneeded hardening on i386. That patch is already in 
bookworm and it has passed a TC discussion
The testsuite was updated from unstable. This is the majority of the 
attached debdiff.
diff -Nru sudo-1.9.16p2/debian/changelog sudo-1.9.16p2/debian/changelog
--- sudo-1.9.16p2/debian/changelog      2025-06-30 07:55:33.000000000 +0200
+++ sudo-1.9.16p2/debian/changelog      2026-02-11 20:22:01.000000000 +0100
@@ -1,3 +1,14 @@
+sudo (1.9.16p2-3+deb13u1) trixie; urgency=medium
+
+  [ Marc Haber ]
+  * add upstream patch: Do not perform path expansion
+    Thanks to Adam D. Barratt" <[email protected]> (Closes: #1126085)
+  * Enable Intel CET on amd64 only.
+    Thanks to Marcos Del Sol Vives (Closes: #1124339)
+  * Pull more robust test suite from unstable
+
+ -- Marc Haber <[email protected]>  Wed, 11 Feb 2026 20:22:01 
+0100
+
 sudo (1.9.16p2-3) unstable; urgency=high
 
   * backport upstream patch for CVE-2025-32463
diff -Nru 
sudo-1.9.16p2/debian/patches/0008-open_sudoers-Do-not-perform-path-expansion-on-files-.patch
 
sudo-1.9.16p2/debian/patches/0008-open_sudoers-Do-not-perform-path-expansion-on-files-.patch
--- 
sudo-1.9.16p2/debian/patches/0008-open_sudoers-Do-not-perform-path-expansion-on-files-.patch
        1970-01-01 01:00:00.000000000 +0100
+++ 
sudo-1.9.16p2/debian/patches/0008-open_sudoers-Do-not-perform-path-expansion-on-files-.patch
        2026-02-11 20:22:01.000000000 +0100
@@ -0,0 +1,34 @@
+From: "Todd C. Miller" <[email protected]>
+Date: Sat, 24 Jan 2026 11:30:06 -0700
+Subject: open_sudoers: Do not perform path expansion on files in an
+ includedir
+
+A file in an includedir containing one or more colons (':') in the
+name we was being expanded as a colon-separated path instead of
+being opened as-is.  This fixes a regression introduced in
+sudo 1.9.14.  Bug #1085
+---
+ plugins/sudoers/sudoers.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
+index 0f75c96..fecd279 100644
+--- a/plugins/sudoers/sudoers.c
++++ b/plugins/sudoers/sudoers.c
+@@ -1286,7 +1286,15 @@ open_sudoers(const char *path, char **outfile, bool 
doedit, bool *keepopen)
+     int error, fd;
+     debug_decl(open_sudoers, SUDOERS_DEBUG_PLUGIN);
+ 
+-    fd = sudo_open_conf_path(path, fname, sizeof(fname), open_file);
++    if (outfile == NULL) {
++      /* Single file, do not treat as a path. */
++      fd = open_file(path, O_RDONLY|O_NONBLOCK);
++        if (fd != -1)
++            (void)fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
++    } else {
++      /* Could be a colon-separated path of file names. */
++      fd = sudo_open_conf_path(path, fname, sizeof(fname), open_file);
++    }
+     if (sudoers_ctx.parser_conf.ignore_perms) {
+       /* Skip sudoers security checks when ignore_perms is set. */
+       if (fd == -1 || fstat(fd, &sb) == -1)
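Review bot: In the new `outfile == NULL` branch nothing writes `fname`, whereas the `else` branch still lets `sudo_open_conf_path()` fill it in. open_sudoers continues past the end of this hunk, so this is inferred rather than visible, but if the later error paths name the file via `fname` they would read an unset buffer for includedir files. Copying the name in the single-file branch, e.g. `(void)strlcpy(fname, path, sizeof(fname));`, would keep those diagnostics accurate. Separately, the result of `fcntl(fd, F_GETFL, 0)` is used unchecked, so on failure `-1 & ~O_NONBLOCK` is handed to `F_SETFL`; fetching the flags into a local and skipping the set when it is -1 avoids that.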
diff -Nru sudo-1.9.16p2/debian/patches/amd64-ibt.diff 
sudo-1.9.16p2/debian/patches/amd64-ibt.diff
--- sudo-1.9.16p2/debian/patches/amd64-ibt.diff 1970-01-01 01:00:00.000000000 
+0100
+++ sudo-1.9.16p2/debian/patches/amd64-ibt.diff 2026-02-11 20:22:01.000000000 
+0100
@@ -0,0 +1,28 @@
+From: Marcos Del Sol Vives <[email protected]>
+Date: Tue, 2 Sep 2025 00:00:35 +0200
+Subject: Enable Intel CET on amd64 only
+
+---
+ m4/hardening.m4 | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/m4/hardening.m4 b/m4/hardening.m4
+index f7d2a8c..cc7ee01 100644
+--- a/m4/hardening.m4
++++ b/m4/hardening.m4
+@@ -105,6 +105,7 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [
+               ])
+           fi
+ 
++          if test "$host_cpu" = "x86_64"; then
+           # Check for control-flow transfer instrumentation (Intel CET).
+           AX_CHECK_COMPILE_FLAG([-fcf-protection], [
+               AX_CHECK_LINK_FLAG([-fcf-protection], [
+@@ -112,6 +113,7 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [
+                   AX_APPEND_FLAG([-Wc,-fcf-protection], [HARDENING_LDFLAGS])
+               ])
+           ])
++          fi
+       fi
+ 
+       # Linker-specific hardening flags.
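Review bot: The patch header carries only a Subject line, so nothing in the tree records why `-fcf-protection` is now limited to `"$host_cpu" = "x86_64"`, even though this drops a hardening flag for every i386 build and not only for the affected hosts. A short description plus a bug reference in the header would help later reviewers; the request text cites #1124399 while debian/changelog closes #1124339, so the number should be confirmed first. A comment above the new test, such as `# sudo built with -fcf-protection segfaults on some i386 hosts (e.g. AMD Geode); enable on x86_64 only`, would document the trade-off in place. The wrapped block is also not re-indented under the new `if`, which makes the nesting hard to read.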
diff -Nru sudo-1.9.16p2/debian/patches/series 
sudo-1.9.16p2/debian/patches/series
--- sudo-1.9.16p2/debian/patches/series 2025-06-30 07:55:33.000000000 +0200
+++ sudo-1.9.16p2/debian/patches/series 2026-02-11 20:22:01.000000000 +0100
@@ -5,3 +5,5 @@
 X11R6.patch
 0007-upstream-patch-for-CVE-2025-32463.patch
 0008-upstream-patch-for-CVE-2025-32462.patch
+0008-open_sudoers-Do-not-perform-path-expansion-on-files-.patch
+amd64-ibt.diff
diff -Nru sudo-1.9.16p2/debian/tests/01-getroot 
sudo-1.9.16p2/debian/tests/01-getroot
--- sudo-1.9.16p2/debian/tests/01-getroot       2025-06-30 07:55:33.000000000 
+0200
+++ sudo-1.9.16p2/debian/tests/01-getroot       2026-02-11 20:22:01.000000000 
+0100
@@ -9,7 +9,7 @@
 # Note: we do need the 'xfoo' syntax here, since POSIX special-cases
 # the $passwd value '!' as negation.
 if [ "x$passwd" = "x*" ] || [ "x$passwd1" = "x!" ]; then
-  echo "root:rootpassword"  | chpasswd
+  echo "root:riegh@oh4ahR"  | chpasswd
 fi
 
 TESTNR="01"
@@ -19,7 +19,7 @@
 PATH="/bin:/usr/bin:/sbin:/usr/sbin"
 ACCTA="test${TESTNR}a"
 ACCTB="test${TESTNR}b"
-PASSWD="test${TESTNR}23456"
+PASSWD="test${TESTNR}Terah9ien7e"
 HOMEDIRA="/home/${ACCTA}"
 HOMEDIRB="/home/${ACCTB}"
 LDIFDIR="${DIR}/ldif"
diff -Nru sudo-1.9.16p2/debian/tests/02-1003969-audit-no-resolve 
sudo-1.9.16p2/debian/tests/02-1003969-audit-no-resolve
--- sudo-1.9.16p2/debian/tests/02-1003969-audit-no-resolve      2025-06-30 
07:55:33.000000000 +0200
+++ sudo-1.9.16p2/debian/tests/02-1003969-audit-no-resolve      2026-02-11 
20:22:01.000000000 +0100
@@ -7,21 +7,29 @@
 COMMONDIR="${BASEDIR}/common"
 DIR="${BASEDIR}/${TESTNR}"
 PATH="/bin:/usr/bin:/sbin:/usr/sbin"
-ACCTA="test${TESTNR}a"
-ACCTB="test${TESTNR}b"
-PASSWD="test${TESTNR}23456"
 HOMEDIRA="/root"
-LDIFDIR="${DIR}/ldif"
 
 trap '
   printf "\ntrap handler\n"
-  mv /etc/resolv.conf.disabled /etc/resolv.conf || true
-  mv /etc/hosts.disabled /etc/hosts || true
+  if [ -e /etc/resolv.conf.disabled ]; then
+    cp /etc/resolv.conf.disabled /etc/resolv.conf || true
+    rm -f /etc/resolv.conf.disabled || true
+  fi
+  if [ -e /etc/hosts.disabled ]; then
+    cp /etc/hosts.disabled /etc/hosts || true
+    rm -f /etc/hosts.disabled || true
+  fi
 ' 0 INT QUIT ABRT PIPE TERM
 
 printf "========= test %s\.1: sudo to nobody\n" "${TESTNR}"
-mv /etc/resolv.conf /etc/resolv.conf.disabled
-mv /etc/hosts /etc/hosts.disabled
+if [ -e /etc/resolv.conf ]; then
+  cp /etc/resolv.conf /etc/resolv.conf.disabled
+  : >/etc/resolv.conf
+fi
+if [ -e /etc/hosts ]; then
+  cp /etc/hosts /etc/hosts.disabled
+  : >/etc/hosts
+fi
 RET=0
 printf "trying sudo to nobody\n"
 cd "${HOMEDIRA}"
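Review bot: In the trap handler the backup is deleted even when the restore failed: `cp /etc/resolv.conf.disabled /etc/resolv.conf || true` is followed unconditionally by `rm -f /etc/resolv.conf.disabled`, and the /etc/hosts pair does the same, so a failed copy leaves the testbed with a truncated file and no backup. Chaining the two, `cp /etc/hosts.disabled /etc/hosts && rm -f /etc/hosts.disabled || true`, keeps the backup around when the copy did not succeed. A one-line comment on why the files are copied and truncated rather than moved would also help, since the reason is not visible in the hunk.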
@@ -35,7 +43,7 @@
   printf >&2 "stderr:\n"
   cat >&2 ${HOMEDIRA}/stderr
   printf >&2 "exit code %s\n" "${RET}"
-  printf >&2 "exit 1\n" "${RET}"
+  printf >&2 "exit 1\n"
   exit 1
 fi
 
diff -Nru sudo-1.9.16p2/debian/tests/03/10_dsa::util::sudo[dfsg-team-role] 
sudo-1.9.16p2/debian/tests/03/10_dsa::util::sudo[dfsg-team-role]
--- sudo-1.9.16p2/debian/tests/03/10_dsa::util::sudo[dfsg-team-role]    
1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.9.16p2/debian/tests/03/10_dsa::util::sudo[dfsg-team-role]    
2026-02-11 20:22:01.000000000 +0100
@@ -0,0 +1 @@
+root    ALL=(ALL:ALL) 
/usr/bin/----marker----/this-is-the-sudoersd-10_dsa\:\:util\:\:sudo[dfsg-team-role]-file
diff -Nru sudo-1.9.16p2/debian/tests/03/root sudo-1.9.16p2/debian/tests/03/root
--- sudo-1.9.16p2/debian/tests/03/root  1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.9.16p2/debian/tests/03/root  2026-02-11 20:22:01.000000000 +0100
@@ -0,0 +1 @@
+root    ALL=(ALL:ALL) /usr/bin/----marker----/this-is-the-sudoersd-root-file
diff -Nru 
sudo-1.9.16p2/debian/tests/03/sudoersd/10_dsa::util::sudo[dfsg-team-role] 
sudo-1.9.16p2/debian/tests/03/sudoersd/10_dsa::util::sudo[dfsg-team-role]
--- sudo-1.9.16p2/debian/tests/03/sudoersd/10_dsa::util::sudo[dfsg-team-role]   
1970-01-01 01:00:00.000000000 +0100
+++ sudo-1.9.16p2/debian/tests/03/sudoersd/10_dsa::util::sudo[dfsg-team-role]   
2026-02-11 20:22:01.000000000 +0100
@@ -0,0 +1 @@
+root    ALL=(ALL:ALL) 
/usr/bin/----marker----/this-is-the-sudoersd-10_dsa\:\:util\:\:sudo[dfsg-team-role]-file
diff -Nru sudo-1.9.16p2/debian/tests/03/sudoersd/root 
sudo-1.9.16p2/debian/tests/03/sudoersd/root
--- sudo-1.9.16p2/debian/tests/03/sudoersd/root 1970-01-01 01:00:00.000000000 
+0100
+++ sudo-1.9.16p2/debian/tests/03/sudoersd/root 2026-02-11 20:22:01.000000000 
+0100
@@ -0,0 +1 @@
+root    ALL=(ALL:ALL) /usr/bin/----marker----/this-is-the-sudoersd-root-file
diff -Nru sudo-1.9.16p2/debian/tests/03-1126085-sudoersd 
sudo-1.9.16p2/debian/tests/03-1126085-sudoersd
--- sudo-1.9.16p2/debian/tests/03-1126085-sudoersd      1970-01-01 
01:00:00.000000000 +0100
+++ sudo-1.9.16p2/debian/tests/03-1126085-sudoersd      2026-02-11 
20:22:01.000000000 +0100
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+set -e
+
+TESTNR="03"
+BASEDIR="$(pwd)/debian/tests"
+COMMONDIR="${BASEDIR}/common"
+DIR="${BASEDIR}/${TESTNR}"
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+FILES="$(find $DIR/sudoersd/ -type f)"
+echo $FILES
+DSTFILES="$(echo $FILES | sed "s|${DIR}/sudoersd|/etc/sudoers.d|g")"
+echo $DSTFILES
+
+trap '
+  true
+' 0 INT QUIT ABRT PIPE TERM
+
+printf "copy files to sudoers ... "
+cp $FILES /etc/sudoers.d/
+printf "collect sudo -l output ... "
+OUTPUT="$(sudo -l | grep -- ----marker----)"
+EXPECTED="    (ALL : ALL) 
/usr/bin/----marker----/this-is-the-sudoersd-10_dsa\:\:util\:\:sudo[dfsg-team-role]-file
+    (ALL : ALL) /usr/bin/----marker----/this-is-the-sudoersd-root-file"
+if [ "$OUTPUT" != "$EXPECTED" ]; then
+    printf "sudo -l output not as expected, Test failed\n"
+    exit 1
+fi
+
+printf "test series sucessful, exit 0\n"
+exit 0
+
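Review bot: The test copies `root ALL=(ALL:ALL)` rules into /etc/sudoers.d and never removes them: the trap body is just `true`, and `DSTFILES` is computed and echoed but not used. A cleanup in the trap, e.g. `for f in "$DIR"/sudoersd/*; do rm -f -- "/etc/sudoers.d/${f##*/}"; done`, would leave the testbed's sudo policy as it was found. The unquoted `$FILES` in `cp $FILES /etc/sudoers.d/` is also fragile, because the fixture name contains `[dfsg-team-role]`, which the shell treats as a bracket pattern during expansion; `find "$DIR/sudoersd/" -type f -exec cp -- {} /etc/sudoers.d/ \;` avoids both word splitting and globbing.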
diff -Nru sudo-1.9.16p2/debian/tests/04/ldif/ldap.conf 
sudo-1.9.16p2/debian/tests/04/ldif/ldap.conf
--- sudo-1.9.16p2/debian/tests/04/ldif/ldap.conf        2025-06-30 
07:55:33.000000000 +0200
+++ sudo-1.9.16p2/debian/tests/04/ldif/ldap.conf        2026-02-11 
20:22:01.000000000 +0100
@@ -1,5 +1,5 @@
 BASE    dc=example,dc=com
-URI     ldaps://[::1]:636/
+URI     ldaps://[::1]:1636/
 TLS_CACERT     /etc/ldap/server_cert.pem
 TLS_REQCERT allow
 SASL_NOCANON    on
diff -Nru sudo-1.9.16p2/debian/tests/04/ldif/slapd.conf 
sudo-1.9.16p2/debian/tests/04/ldif/slapd.conf
--- sudo-1.9.16p2/debian/tests/04/ldif/slapd.conf       1970-01-01 
01:00:00.000000000 +0100
+++ sudo-1.9.16p2/debian/tests/04/ldif/slapd.conf       2026-02-11 
20:22:01.000000000 +0100
@@ -0,0 +1,22 @@
+# OpenLDAP 2.4 (bullseye) only
+modulepath /usr/lib/ldap
+moduleload back_mdb
+include /etc/ldap/schema/core.schema
+include /etc/ldap/schema/cosine.schema
+include /etc/ldap/schema/nis.schema
+include /etc/ldap/schema/inetorgperson.schema
+
+database mdb
+maxsize 1073741824
+directory /var/lib/ldap
+
+# Suffix and root DN must come in this order
+suffix "dc=example,dc=com"
+rootdn "cn=admin,dc=example,dc=com"
+rootpw ldappw
+
+# TLS optional
+TLSCertificateFile /etc/ldap/server_cert.pem
+TLSCertificateKeyFile /etc/ldap/server_key.pem
+TLSCACertificateFile /etc/ldap/server_cert.pem
+
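Review bot: The header comment `# OpenLDAP 2.4 (bullseye) only` no longer matches how the file is used, because 04-getroot-sssd in this same debdiff copies it to /etc/ldap unconditionally and starts slapd with `-f /etc/ldap/slapd.conf`. Something like `# Used by debian/tests/04-getroot-sssd for all OpenLDAP versions (originally needed for 2.4 on bullseye)` would be accurate. `rootpw ldappw` is a cleartext credential that is tolerable only in a throwaway test directory, and a comment such as `# test-only cleartext password, never reuse outside the autopkgtest testbed` would keep it from being copied as a template.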
diff -Nru sudo-1.9.16p2/debian/tests/04/ldif/sssd.conf 
sudo-1.9.16p2/debian/tests/04/ldif/sssd.conf
--- sudo-1.9.16p2/debian/tests/04/ldif/sssd.conf        2025-06-30 
07:55:33.000000000 +0200
+++ sudo-1.9.16p2/debian/tests/04/ldif/sssd.conf        2026-02-11 
20:22:01.000000000 +0100
@@ -7,7 +7,7 @@
 id_provider = ldap
 auth_provider = ldap
 
-ldap_uri = ldaps://[::1]:636/
+ldap_uri = ldaps://[::1]:1636/
 ldap_search_base = dc=example,dc=com
 
 ldap_tls_cacert = /etc/ldap/server_cert.pem
diff -Nru sudo-1.9.16p2/debian/tests/04/ldif/sss-ous.ldif 
sudo-1.9.16p2/debian/tests/04/ldif/sss-ous.ldif
--- sudo-1.9.16p2/debian/tests/04/ldif/sss-ous.ldif     2025-06-30 
07:55:33.000000000 +0200
+++ sudo-1.9.16p2/debian/tests/04/ldif/sss-ous.ldif     2026-02-11 
20:22:01.000000000 +0100
@@ -1,3 +1,10 @@
+dn: dc=example,dc=com
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: Example Organization
+dc: example
+
 dn: ou=users,dc=example,dc=com
 objectClass: top
 objectClass: organizationalUnit
diff -Nru sudo-1.9.16p2/debian/tests/04/ldif/tls.ldif 
sudo-1.9.16p2/debian/tests/04/ldif/tls.ldif
--- sudo-1.9.16p2/debian/tests/04/ldif/tls.ldif 2025-06-30 07:55:33.000000000 
+0200
+++ sudo-1.9.16p2/debian/tests/04/ldif/tls.ldif 2026-02-11 20:22:01.000000000 
+0100
@@ -1,10 +1,32 @@
 dn: cn=config
 changetype: modify
+delete: olcTLSCACertificateFile
+-
+
+dn: cn=config
+changetype: modify
+delete: olcTLSCertificateFile
+-
+
+dn: cn=config
+changetype: modify
+delete: olcTLSCertificateKeyFile
+-
+
+dn: cn=config
+changetype: modify
 add: olcTLSCACertificateFile
 olcTLSCACertificateFile: /etc/ldap/server_cert.pem
 -
+
+dn: cn=config
+changetype: modify
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/server_cert.pem
+-
+
+dn: cn=config
+changetype: modify
 add: olcTLSCertificateKeyFile
 olcTLSCertificateKeyFile: /etc/ldap/server_key.pem
 -
-add: olcTLSCertificateFile
-olcTLSCertificateFile: /etc/ldap/server_cert.pem
diff -Nru sudo-1.9.16p2/debian/tests/04-getroot-sssd 
sudo-1.9.16p2/debian/tests/04-getroot-sssd
--- sudo-1.9.16p2/debian/tests/04-getroot-sssd  2025-06-30 07:55:33.000000000 
+0200
+++ sudo-1.9.16p2/debian/tests/04-getroot-sssd  2026-02-11 20:22:01.000000000 
+0100
@@ -17,58 +17,89 @@
 HOMEDIRB="/home/${ACCTB}"
 LDIFDIR="${DIR}/ldif"
 SSSDCONF="/etc/sssd/sssd.conf"
+RUNDIR="/run/slapd"
+VARRUNDIR="/var/run/slapd"
 
 trap '
   kill $(pidof slapd) 2>/dev/null || true
   kill $(pidof sssd) 2>/dev/null || true
+  kill $(pidof socat) 2>/dev/null || true
+  rm -f /dev/log || true
 ' 0 INT QUIT ABRT PIPE TERM
 
 # openssl req -x509 -days 365 -nodes -newkey rsa:4096 -keyout server_key.pem 
-out server_cert.pem --subj "/C=DE/CN=emptysid86.zugschlus.de"
 
+printf "make and chown dirs ... "
+mkdir -p "${RUNDIR}" "${VARRUNDIR}"
+chown openldap "${VARRUNDIR}"
 < ${LDIFDIR}/debconf debconf-set-selections
+
 printf "clean up ldap database ... "
 rm -rf /var/lib/ldap/*.mdb
+
 printf "move configuration in place ... "
 mkdir -p /etc/ldap /etc/sssd
 cp ${LDIFDIR}/server_*.pem /etc/ldap/
 cp ${LDIFDIR}/ldap.conf /etc/ldap/
 chown openldap:openldap /etc/ldap/server_*.pem
 chmod 600 /etc/ldap/server_key.pem
+# slapd.conf is only needed for OpenLDAP 2.4 on bullseye
+# but since it's already there now, use it for OpenLDAP 2.5+ as well
+# this is a testsuite. If you want /etc/ldap/slapd.d to be used (again),
+# please submit a patch that will also work on bullseye.
+cp ${LDIFDIR}/slapd.conf /etc/ldap/
 cp ${LDIFDIR}/sssd.conf /etc/sssd
 chown root:root /etc/sssd/sssd.conf
 chmod 600 /etc/sssd/sssd.conf
 cp ${LDIFDIR}/slapd-default /etc/default/slapd
 echo "slapd: [::1]" >> /etc/hosts.allow
+
 printf "reconfigure slapd ... "
 DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -pcritical slapd 2>/dev/null
 kill $(pidof slapd) 2>/dev/null || true
 sleep 1
+
+if ! [ -S /dev/log ]; then
+  echo "starting fake syslog socket on /dev/log"
+
+  # remove stale file if present
+  [ -e /dev/log ] && rm -f /dev/log
+
+  socat -u UNIX-RECV:/dev/log,mode=666 STDOUT >/dev/null 2>/dev/null &
+fi
+
 printf "start slapd ... "
-slapd -h "ldaps:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
+slapd -f /etc/ldap/slapd.conf -h "ldaps://:1636/ ldapi:///" -g openldap -u 
openldap
+
+printf "check slapd running .... "
+pgrep -a slapd
 # ldapsearch -x -LLL -s base -b "" namingContexts should work here
-printf "set LDAP passwords"
-ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/tls.ldif 2>/dev/null
-ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw.ldif 2>/dev/null
-ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/adminpw-example-com.ldif 
2>/dev/null
-printf "add users and groups OUs ..."
-ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f 
${LDIFDIR}/sss-ous.ldif 2>/dev/null
-printf "add users ..."
+
+printf "add users and groups OUs ...\n"
+ldapadd -x -c -D "cn=admin,dc=example,dc=com" -w ldappw -f 
${LDIFDIR}/sss-ous.ldif 2>/dev/null || true
 
 printf "sssd.conf ...\n"
 cp ${LDIFDIR}/sssd.conf "${SSSDCONF}"
 
-printf "sudoers file ...\n"A
+printf "sudoers file ...\n"
 mkdir -p /etc/sudoers.d/
-mv ${LDIFDIR}/ldapsudoers /etc/sudoers.d/
+cp ${LDIFDIR}/ldapsudoers /etc/sudoers.d/
 chown root:root "${SSSDCONF}" /etc/sudoers.d/ /etc/sudoers.d/*
 chmod 755 /etc/sudoers.d/
 chmod 600 "${SSSDCONF}" /etc/sudoers.d/*
+
+printf "start sssd ..."
 kill $(pidof sssd) 2>/dev/null || true
 sleep 1
 sssd --logger=files -D
 
+printf "check sssd running .... "
+pgrep -a sssd
+
+printf "add users ..."
 for user in testuser1 testuser2; do
   ldapadd -x -D "cn=admin,dc=example,dc=com" -w ldappw -f 
${LDIFDIR}/${user}.ldif 2>/dev/null
+  getent passwd ${user}
   mkdir -p /home/${user}
   chown ${user}:nogroup /home/${user}
 done
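Review bot: The trap now runs `rm -f /dev/log` and `kill $(pidof socat)` on every exit, but the fake socket and the socat process are only created when `! [ -S /dev/log ]`; on a testbed that already has a syslog socket the handler would delete the real one, and it kills any socat on the system rather than the one this script started. Recording the PID with `SOCAT_PID=$!` right after the socat line and guarding the cleanup with `[ -z "${SOCAT_PID:-}" ] || { kill "$SOCAT_PID" 2>/dev/null; rm -f /dev/log; }` limits it to what the test created. In addition, `ldapadd -x -c ... 2>/dev/null || true` hides every failure of the OU import, so a broken directory only shows up later as a confusing sssd or sudo failure; keeping stderr, or at least logging the exit status, would make that diagnosable. The script continues outside this hunk.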
diff -Nru sudo-1.9.16p2/debian/tests/control sudo-1.9.16p2/debian/tests/control
--- sudo-1.9.16p2/debian/tests/control  2025-06-30 07:55:33.000000000 +0200
+++ sudo-1.9.16p2/debian/tests/control  2026-02-11 20:22:01.000000000 +0100
@@ -1,16 +1,11 @@
 Tests: 01-getroot
-Depends: sudo, adduser
+Depends: adduser, sudo, cracklib-runtime
 Restrictions: needs-root
 
 Tests: 02-1003969-audit-no-resolve
 Depends: sudo
 Restrictions: needs-root
 
-Tests: 03-getroot-ldap
-Depends: sudo-ldap, adduser, slapd, ldap-utils, cron
-Restrictions: needs-root
-
 Tests: 04-getroot-sssd
-Depends: sudo, adduser, slapd, ldap-utils, sssd-common, sssd-ldap, cron
+Depends: adduser, cron, ldap-utils, procps, slapd, sssd-common, sssd-ldap, 
sudo, socat, libnss-sss, libpam-sss
 Restrictions: needs-root
-
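Review bot: The new script debian/tests/03-1126085-sudoersd is not registered in this file: after the hunk it declares only 01-getroot, 02-1003969-audit-no-resolve and 04-getroot-sssd, so autopkgtest would not run the regression test for the includedir fix that this upload is about. Adding a stanza with `Tests: 03-1126085-sudoersd`, `Depends: sudo` and `Restrictions: needs-root` (the script writes to /etc/sudoers.d) would cover it.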
