Initial bits of sudoers plugin; still needs work.

2010-03-14 19:58:47 -04:00
parent 3116e254b4
commit 9b0205846b
44 changed files with 1030 additions and 1395 deletions
--- a/plugins/sudoers/Makefile.in
+++ b/plugins/sudoers/Makefile.in
@@ -1,6 +1,5 @@
 #
-# Copyright (c) 1996, 1998-2005, 2007-2009
+# Copyright (c) 2010 Todd C. Miller <Todd.Miller@courtesan.com>
 #	Todd C. Miller <Todd.Miller@courtesan.com>
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -15,10 +14,6 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
 # Sponsored in part by the Defense Advanced Research Projects
 # Agency (DARPA) and Air Force Research Laboratory, Air Force
 # Materiel Command, USAF, under agreement number F39502-99-1-0512.
 #
 # @configure_input@
 #
@@ -27,34 +22,29 @@
 srcdir = @srcdir@
 devdir = @devdir@
 authdir = $(srcdir)/auth
-top_builddir = .
+top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 incdir = $(top_srcdir)/include
 compat = $(top_srcdir)/compat
 # Compiler & tools to use
 CC = @CC@
 FLEX = @FLEX@
 YACC = @YACC@
 NROFF = nroff -Tascii
 LIBTOOL = @LIBTOOL@
 AR=@AR@
 RANLIB=@RANLIB@
 # Our install program supports extra flags...
-INSTALL = $(SHELL) $(srcdir)/install-sh -c
+INSTALL = $(SHELL) $(top_srcdir)/install-sh -c
 # Libraries
-LIBS = @LIBS@
+LIBS =
 NET_LIBS = @NET_LIBS@
 SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ $(LIBS) $(NET_LIBS)
 # C preprocessor flags
-CPPFLAGS = -I. -I$(srcdir) @CPPFLAGS@
+CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(srcdir) @CPPFLAGS@
 # Usually -O and/or -g
 CFLAGS = @CFLAGS@
 # Flags to pass to the link stage
-LDFLAGS = -L. @LDFLAGS@
+LDFLAGS =
 SUDO_LDFLAGS = @SUDO_LDFLAGS@ $(LDFLAGS)
 # Where to install things...
 prefix = @prefix@
@@ -64,30 +54,11 @@ sbindir = @sbindir@
 sysconfdir = @sysconfdir@
 libexecdir = @libexecdir@
 datarootdir = @datarootdir@
-mandir = @mandir@
+plugindir = @PLUGINDIR@
 noexecfile = @NOEXECFILE@
 noexecdir = @NOEXECDIR@
 # Directory in which to install sudo.
 sudodir = $(bindir)
 # Directory in which to install visudo
 visudodir = $(sbindir)
 # Directory in which to install the sudoers file
 sudoersdir = $(sysconfdir)
 # Directory in which to install the man page
 mantype = @MANTYPE@
 mansectsu = @mansectsu@
 mansectform = @mansectform@
 mandirsu = $(mandir)/$(mantype)$(mansectsu)
 mandirform = $(mandir)/$(mantype)$(mansectform)
 # User and group ids the installed files should be "owned" by
 install_uid = 0
 install_gid = 0
 # User, group, and mode the sudoers file should be "owned" by (configure)
 sudoers_uid = @SUDOERS_UID@
 sudoers_gid = @SUDOERS_GID@
@@ -100,86 +71,38 @@ DEFS = @OSDEFS@ -D_PATH_SUDOERS=\"$(sudoersdir)/sudoers\" -DSUDOERS_UID=$(sudoer
 SHELL = /bin/sh
-PROGS = @PROGS@
+# XXX - configure will substitute in .o files not .lo files
 AUTH_OBJS = sudo_auth.lo @AUTH_OBJS@
-SRCS = aix.c alias.c alloc.c audit.c boottime.c bsm_audit.c check.c \
+COMMON_OBJS = alias.lo atobool.lo defaults.lo gram.lo \
-       closefrom.c def_data.c defaults.c env.c error.c fileops.c find_path.c \
+	      list.lo match.lo pwutil.lo timestr.lo toke.lo redblack.lo \
-       fnmatch.c getcwd.c getprogname.c getspwuid.c gettime.c glob.c \
+	      zero_bytes.lo @NONUNIX_GROUPS_IMPL@
       goodpath.c gram.c gram.y interfaces.c isblank.c lbuf.c ldap.c list.c \
       logging.c match.c mkstemp.c memrchr.c nanosleep.c parse.c pwutil.c \
       pty.c script.c set_perms.c sigaction.c snprintf.c strcasecmp.c \
       strerror.c strlcat.c strlcpy.c strsignal.c sudo.c sudo_noexec.c \
       sudo_edit.c sudo_nss.c term.c testsudoers.c tgetpass.c toke.c toke.l \
       tsgetgrpw.c utimes.c vasgroups.c visudo.c zero_bytes.c redblack.c \
       selinux.c sesh.c sudoreplay.c getdate.c getdate.y getline.c \
       timestr.c $(AUTH_SRCS)
-AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \
+# XXX - add @SUDOERS_OBJS@ in configure.in
-	    auth/kerb4.c auth/kerb5.c auth/pam.c auth/passwd.c auth/rfc1938.c \
+SUDOERS_OBJS = $(AUTH_OBJS) alloc.lo boottime.lo check.lo fmt_string.lo \
-	    auth/secureware.c auth/securid.c auth/securid5.c auth/sia.c \
+	       error.lo env.lo getspwuid.lo gettime.lo goodpath.lo fileops.lo \
-	    auth/sudo_auth.c
+	       find_path.lo interfaces.lo lbuf.lo logging.lo parse.lo \
 	       set_perms.lo sudoers.lo sudo_nss.lo @SUDOERS_OBJS@
-HDRS = alloc.h bsm_audit.h compat.h def_data.h defaults.h error.h ins_2001.h \
+LIBOBJDIR = $(top_srcdir)/@ac_config_libobj_dir@/
       ins_classic.h ins_csops.h ins_goons.h insults.h interfaces.h lbuf.h \
       list.h logging.h missing.h nonunix.h redblack.h parse.h sudo.h \
       sudo_nss.h gram.h auth/sudo_auth.h emul/charclass.h emul/fnmatch.h \
       emul/glob.h emul/timespec.h emul/utime.h
-AUTH_OBJS = sudo_auth.o @AUTH_OBJS@
+LTLIBOBJS = $(top_srcdir)/@ac_config_libobj_dir@/libmissing_pic.a
 COMMON_OBJS = alias.o alloc.o defaults.o error.o getline.o gram.o \
 	      list.o match.o pwutil.o timestr.o toke.o redblack.o \
 	      term.o zero_bytes.o @NONUNIX_GROUPS_IMPL@
 SUDO_OBJS = $(AUTH_OBJS) @SUDO_OBJS@ audit.o boottime.o check.o \
 	    env.o getspwuid.o gettime.o goodpath.o fileops.o find_path.o \
 	    interfaces.o lbuf.o logging.o parse.o set_perms.o sudo.o \
 	    sudo_edit.o sudo_nss.o tgetpass.o
 VISUDO_OBJS = visudo.o fileops.o gettime.o goodpath.o find_path.o
 REPLAY_OBJS = getdate.o sudoreplay.o
 TEST_OBJS = interfaces.o testsudoers.o tsgetgrpw.o
 LIB_OBJS = @LIBOBJS@
 VERSION = @PACKAGE_VERSION@
-DISTFILES = $(SRCS) $(HDRS) ChangeLog HISTORY INSTALL INSTALL.configure \
+SUDODEP = $(srcdir)/sudoers.h $(incdir)/compat.h \
-            LICENSE Makefile.in PORTING README README.LDAP TROUBLESHOOTING \
+	  $(srcdir)/defaults.h $(incdir)/error.h $(incdir)/list.h \
-	    UPGRADE WHATSNEW aclocal.m4 acsite.m4 aixcrypt.exp config.guess \
+	  $(srcdir)/logging.h $(incdir)/missing.h $(srcdir)/sudo_nss.h \
-	    config.h.in config.sub configure configure.in def_data.in \
+	  $(devdir)/def_data.h $(top_builddir)/pathnames.h $(top_builddir)/config.h
 	    indent.pro install-sh ltmain.sh mkdefaults mkinstalldirs \
 	    pathnames.h.in sample.pam sample.syslog.conf sample.sudoers \
 	    schema.ActiveDirectory schema.OpenLDAP schema.iPlanet sudo.cat \
 	    sudo.man.in sudo.pod sudo.psf sudo_usage.h.in sudoers sudoers.cat \
            sudoers.man.in sudoers.pod sudoers.ldap.cat sudoers.ldap.man.in \
 	    sudoers.ldap.pod sudoers2ldif sudoreplay.cat sudoreplay.man.in \
 	    sudoreplay.pod visudo.cat visudo.man.in visudo.pod auth/API \
 	    sudo.man.pl sudoers.man.pl 
 BINFILES= ChangeLog HISTORY LICENSE README TROUBLESHOOTING \
 	  UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \
 	  sudo sudo.cat sudo.man sudo.pod sudoers sudoers.cat sudoers.man \
 	  sudoers.pod sudoreplay.cat sudoreplay.man sudoreplay.pod \
 	  visudo visudo.cat visudo.man visudo.pod
 BINSPECIAL= INSTALL.binary Makefile.binary.in libtool
 SUDODEP = $(srcdir)/sudo.h $(srcdir)/alloc.h $(srcdir)/compat.h \
 	  $(srcdir)/defaults.h $(srcdir)/error.h $(srcdir)/list.h \
 	  $(srcdir)/logging.h $(srcdir)/missing.h $(srcdir)/sudo_nss.h \
 	  $(devdir)/def_data.h pathnames.h config.h
 AUTHDEP = $(SUDODEP) $(authdir)/sudo_auth.h
 INSDEP = $(srcdir)/ins_2001.h $(srcdir)/ins_classic.h $(srcdir)/ins_csops.h \
 	 $(srcdir)/ins_goons.h $(srcdir)/insults.h
-all: $(PROGS)
+all: sudoers.la
-.SUFFIXES: .o .c .h .l .y .man .cat .lo
+.SUFFIXES: .o .c .h .lo
 .c.o:
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $<
@@ -187,316 +110,133 @@ all: $(PROGS)
 .c.lo:
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $<
-.man.cat:
+sudoers.la: $(SUDOERS_OBJS) $(COMMON_OBJS) $(LTLIBOBJS)
-	@rm -f $@
+	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $(SUDOERS_OBJS) $(COMMON_OBJS) $(LTLIBOBJS) -module -avoid-version -rpath $(plugindir)
 	sed '1s/^/.if n .ll 78n/' $< | $(NROFF) -man > $@
-libsudo.a: $(LIB_OBJS) $(COMMON_OBJS)
+# Sudoers dependencies
-	$(AR) rv $@ $(LIB_OBJS) $(COMMON_OBJS)
+sudoers.lo: $(srcdir)/sudoers.c $(SUDODEP) $(srcdir)/interfaces.h
-	$(RANLIB) $@
+	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudoers.c
 alias.lo: $(srcdir)/alias.c $(SUDODEP) $(srcdir)/parse.h $(incdir)/list.h $(srcdir)/redblack.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/alias.c
 boottime.lo: $(srcdir)/boottime.c $(top_builddir)/config.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/boottime.c
 check.lo: $(srcdir)/check.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/check.c
 defaults.lo: $(srcdir)/defaults.c $(SUDODEP) $(srcdir)/def_data.c $(authdir)/sudo_auth.h $(devdir)/gram.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/defaults.c
 env.lo: $(srcdir)/env.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/env.c
 find_path.lo: $(srcdir)/find_path.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/find_path.c
 getdate.lo: $(srcdir)/getdate.c $(incdir)/compat.h $(top_builddir)/config.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getdate.c
 getspwuid.lo: $(srcdir)/getspwuid.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getspwuid.c
 gettime.lo: $(srcdir)/gettime.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/gettime.c
 goodpath.lo: $(srcdir)/goodpath.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/goodpath.c
 gram.lo: $(devdir)/gram.c $(SUDODEP) $(srcdir)/parse.h $(incdir)/list.h $(devdir)/gram.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(devdir)/gram.c
 interfaces.lo: $(srcdir)/interfaces.c $(SUDODEP) $(srcdir)/interfaces.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/interfaces.c
 ldap.lo: $(srcdir)/ldap.c $(SUDODEP) $(srcdir)/parse.h $(incdir)/list.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/ldap.c
 logging.lo: $(srcdir)/logging.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/logging.c
 match.lo: $(srcdir)/match.c $(SUDODEP) $(srcdir)/parse.h $(incdir)/list.h $(srcdir)/interfaces.h $(devdir)/gram.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/match.c
 parse.lo: $(srcdir)/parse.c $(SUDODEP) $(srcdir)/parse.h $(incdir)/list.h $(devdir)/gram.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/parse.c
 pwutil.lo: $(srcdir)/pwutil.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/pwutil.c
 redblack.lo: $(srcdir)/redblack.c $(SUDODEP) $(srcdir)/redblack.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/redblack.c
 set_perms.lo: $(srcdir)/set_perms.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/set_perms.c
 sudo_nss.lo: $(srcdir)/sudo_nss.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_nss.c
 timestr.lo: $(srcdir)/timestr.c $(incdir)/compat.h $(top_builddir)/config.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/timestr.c
 toke.lo: $(devdir)/toke.c $(SUDODEP) $(srcdir)/parse.h $(incdir)/list.h $(devdir)/gram.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(devdir)/toke.c
 tsgetgrpw.lo: $(srcdir)/tsgetgrpw.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/tsgetgrpw.c
 vasgroups.lo: $(srcdir)/vasgroups.c $(srcdir)/nonunix.h $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/vasgroups.c
 error.lo: $(srcdir)/error.c $(incdir)/error.h $(incdir)/compat.h $(top_builddir)/config.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/error.c
-sudo: libsudo.a $(SUDO_OBJS)
+# Upper level sudo dependencies
-	$(CC) -o $@ $(SUDO_OBJS) $(SUDO_LDFLAGS) -lsudo $(SUDO_LIBS) @ZLIB@
+alloc.lo: $(top_srcdir)/src/alloc.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(top_srcdir)/src/alloc.c
 atobool.lo: $(top_srcdir)/src/atobool.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(top_srcdir)/src/atobool.c
 fileops.lo: $(top_srcdir)/src/fileops.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(top_srcdir)/src/fileops.c
 fmt_string.lo: $(top_srcdir)/src/fmt_string.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(top_srcdir)/src/fmt_string.c
 list.lo: $(top_srcdir)/src/list.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(top_srcdir)/src/list.c
 lbuf.lo: $(top_srcdir)/src/lbuf.c $(SUDODEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(top_srcdir)/src/lbuf.c
 zero_bytes.lo: $(top_srcdir)/src/zero_bytes.c $(incdir)/compat.h $(top_builddir)/config.h
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(top_srcdir)/src/zero_bytes.c
-visudo: libsudo.a $(VISUDO_OBJS)
+# Auth dependencies
-	$(CC) -o $@ $(VISUDO_OBJS) $(LDFLAGS) -lsudo $(LIBS) $(NET_LIBS)
+sudo_auth.lo: $(authdir)/sudo_auth.c $(AUTHDEP) $(INSDEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sudo_auth.c
 afs.lo: $(authdir)/afs.c $(AUTHDEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/afs.c
 aix_auth.lo: $(authdir)/aix_auth.c $(AUTHDEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/aix_auth.c
 bsdauth.lo: $(authdir)/bsdauth.c $(AUTHDEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/bsdauth.c
 dce.lo: $(authdir)/dce.c $(AUTHDEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/dce.c
 fwtk.lo: $(authdir)/fwtk.c $(AUTHDEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/fwtk.c
 kerb4.lo: $(authdir)/kerb4.c $(AUTHDEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/kerb4.c
 kerb5.lo: $(authdir)/kerb5.c $(AUTHDEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/kerb5.c
 pam.lo: $(authdir)/pam.c $(AUTHDEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/pam.c
 passwd.lo: $(authdir)/passwd.c $(AUTHDEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/passwd.c
 rfc1938.lo: $(authdir)/rfc1938.c $(AUTHDEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/rfc1938.c
 secureware.lo: $(authdir)/secureware.c $(AUTHDEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/secureware.c
 securid.lo: $(authdir)/securid.c $(AUTHDEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/securid.c
 securid5.lo: $(authdir)/securid5.c $(AUTHDEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/securid5.c
 sia.lo: $(authdir)/sia.c $(AUTHDEP)
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c
-sudoreplay: libsudo.a $(REPLAY_OBJS)
+install: install-dirs install-plugin
 	$(CC) -o $@ $(REPLAY_OBJS) $(LDFLAGS) -lsudo $(LIBS) @ZLIB@
 testsudoers: $(TEST_OBJS)
 	$(CC) -o $@ $(TEST_OBJS) $(LDFLAGS) -lsudo $(LIBS) $(NET_LIBS)
 sudo_noexec.lo: $(srcdir)/sudo_noexec.c
 	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c
 sudo_noexec.la: sudo_noexec.lo
 	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
 # Uncomment the following if you want "make distclean" to clean the parser
@DEV@GENERATED = gram.h gram.c toke.c def_data.c def_data.h getdate
 # Uncomment the lines before -@true if you intend to modify gram.y
 $(devdir)/gram.c $(devdir)/gram.h: $(srcdir)/gram.y
@DEV@	$(YACC) -d $(srcdir)/gram.y
@DEV@	mv -f y.tab.c gram.c
@DEV@	if cmp -s y.tab.h gram.h; then rm -f y.tab.h; else mv -f y.tab.h gram.h; fi
 	-@true
 # Uncomment the lines before -@true if you intend to modify toke.l
 $(devdir)/toke.c: $(srcdir)/toke.l
@DEV@	$(FLEX) $(srcdir)/toke.l
@DEV@	mv -f lex.yy.c toke.c
 	-@true
 # Uncomment the lines before -@true if you intend to modify getdate.y
 $(devdir)/getdate.c: $(srcdir)/getdate.y
@DEV@	echo "expect 10 shift/reduce conflicts"
@DEV@	$(YACC) $(srcdir)/getdate.y
@DEV@	mv -f y.tab.c getdate.c
 	-@true
 # Uncomment the following if you intend to modify def_data.in
@DEV@$(devdir)/def_data.h $(devdir)/def_data.c: $(srcdir)/def_data.in
@DEV@	perl $(srcdir)/mkdefaults -o def_data $(srcdir)/def_data.in
 # Dependencies (not counting auth functions)
 aix.o: $(srcdir)/aix.c
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/aix.c
 alias.o: $(srcdir)/alias.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/redblack.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/alias.c
 alloc.o: $(srcdir)/alloc.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/alloc.c
 audit.o: $(srcdir)/audit.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/audit.c
 boottime.o: $(srcdir)/boottime.c config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/boottime.c
 bsm_audit.o: $(srcdir)/bsm_audit.c $(SUDODEP) bsm_audit.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/bsm_audit.c
 check.o: $(srcdir)/check.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/check.c
 closefrom.o: $(srcdir)/closefrom.c config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/closefrom.c
 defaults.o: $(srcdir)/defaults.c $(SUDODEP) $(srcdir)/def_data.c $(authdir)/sudo_auth.h $(devdir)/gram.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/defaults.c
 env.o: $(srcdir)/env.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/env.c
 error.o: $(srcdir)/error.c $(srcdir)/compat.h $(srcdir)/error.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/error.c
 fileops.o: $(srcdir)/fileops.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/fileops.c
 find_path.o: $(srcdir)/find_path.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/find_path.c
 fnmatch.o: $(srcdir)/fnmatch.c $(srcdir)/emul/fnmatch.h $(srcdir)/compat.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/fnmatch.c
 getcwd.o: $(srcdir)/getcwd.c $(srcdir)/compat.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getcwd.c
 getdate.o: $(srcdir)/getdate.c $(srcdir)/compat.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getdate.c
 getline.o: $(srcdir)/getline.c config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getline.c
 getprogname.o: $(srcdir)/getprogname.c config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getprogname.c
 getspwuid.o: $(srcdir)/getspwuid.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getspwuid.c
 gettime.o: $(srcdir)/gettime.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/gettime.c
 glob.o: $(srcdir)/glob.c $(srcdir)/emul/glob.h $(srcdir)/compat.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/glob.c
 goodpath.o: $(srcdir)/goodpath.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/goodpath.c
 gram.o: $(devdir)/gram.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(devdir)/gram.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(devdir)/gram.c
 interfaces.o: $(srcdir)/interfaces.c $(SUDODEP) $(srcdir)/interfaces.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/interfaces.c
 isblank.o: $(srcdir)/isblank.c $(srcdir)/compat.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/isblank.c
 lbuf.o: $(srcdir)/lbuf.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/lbuf.c
 ldap.o: $(srcdir)/ldap.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/ldap.c
 list.o: $(srcdir)/list.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/list.c
 logging.o: $(srcdir)/logging.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/logging.c
 match.o: $(srcdir)/match.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/interfaces.h $(devdir)/gram.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/match.c
 memrchr.o: $(srcdir)/memrchr.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/memrchr.c
 mkstemp.o: $(srcdir)/mkstemp.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/mkstemp.c
 nanosleep.o: $(srcdir)/nanosleep.c $(srcdir)/compat.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/nanosleep.c
 parse.o: $(srcdir)/parse.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(devdir)/gram.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/parse.c
 pwutil.o: $(srcdir)/pwutil.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/pwutil.c
 pty.o: $(srcdir)/pty.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/pty.c
 redblack.o: $(srcdir)/redblack.c $(SUDODEP) $(srcdir)/redblack.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/redblack.c
 script.o: $(srcdir)/script.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/script.c
 set_perms.o: $(srcdir)/set_perms.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/set_perms.c
 sigaction.o: $(srcdir)/sigaction.c $(srcdir)/compat.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sigaction.c
 snprintf.o: $(srcdir)/snprintf.c $(srcdir)/compat.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/snprintf.c
 strcasecmp.o: $(srcdir)/strcasecmp.c $(srcdir)/compat.h  config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strcasecmp.c
 strerror.o: $(srcdir)/strerror.c $(srcdir)/compat.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strerror.c
 strlcat.o: $(srcdir)/strlcat.c $(srcdir)/compat.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strlcat.c
 strlcpy.o: $(srcdir)/strlcpy.c $(srcdir)/compat.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strlcpy.c
 strsignal.o: $(srcdir)/strsignal.c $(srcdir)/compat.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strsignal.c
 selinux.o: $(srcdir)/selinux.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/selinux.c
 sudo.o: $(srcdir)/sudo.c $(SUDODEP) sudo_usage.h $(srcdir)/interfaces.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo.c
 sudoreplay.o: $(srcdir)/sudoreplay.c $(srcdir)/alloc.h $(srcdir)/compat.h $(srcdir)/error.h $(srcdir)/missing.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudoreplay.c
 sudo_edit.o: $(srcdir)/sudo_edit.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_edit.c
 sudo_noexec.o: $(srcdir)/sudo_noexec.c $(srcdir)/compat.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c
 sudo_nss.o: $(srcdir)/sudo_nss.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_nss.c
 term.o: $(srcdir)/term.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/term.c
 testsudoers.o: $(srcdir)/testsudoers.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/interfaces.h $(devdir)/gram.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/testsudoers.c
 tgetpass.o: $(srcdir)/tgetpass.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/tgetpass.c
 timestr.o: $(srcdir)/timestr.c $(srcdir)/compat.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/timestr.c
 toke.o: $(devdir)/toke.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(devdir)/gram.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(devdir)/toke.c
 tsgetgrpw.o: $(srcdir)/tsgetgrpw.c $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/tsgetgrpw.c
 utimes.o: $(srcdir)/utimes.c $(srcdir)/compat.h $(srcdir)/emul/utime.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/utimes.c
 vasgroups.o: $(srcdir)/vasgroups.c $(srcdir)/nonunix.h $(SUDODEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/vasgroups.c
 visudo.o: $(srcdir)/visudo.c $(SUDODEP) $(devdir)/gram.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/visudo.c
 zero_bytes.o: $(srcdir)/zero_bytes.c $(srcdir)/compat.h config.h
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/zero_bytes.c
 sudo_auth.o: $(authdir)/sudo_auth.c $(AUTHDEP) $(INSDEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sudo_auth.c
 afs.o: $(authdir)/afs.c $(AUTHDEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/afs.c
 aix_auth.o: $(authdir)/aix_auth.c $(AUTHDEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/aix_auth.c
 bsdauth.o: $(authdir)/bsdauth.c $(AUTHDEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/bsdauth.c
 dce.o: $(authdir)/dce.c $(AUTHDEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/dce.c
 fwtk.o: $(authdir)/fwtk.c $(AUTHDEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/fwtk.c
 kerb4.o: $(authdir)/kerb4.c $(AUTHDEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/kerb4.c
 kerb5.o: $(authdir)/kerb5.c $(AUTHDEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/kerb5.c
 pam.o: $(authdir)/pam.c $(AUTHDEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/pam.c
 passwd.o: $(authdir)/passwd.c $(AUTHDEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/passwd.c
 rfc1938.o: $(authdir)/rfc1938.c $(AUTHDEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/rfc1938.c
 secureware.o: $(authdir)/secureware.c $(AUTHDEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/secureware.c
 securid.o: $(authdir)/securid.c $(AUTHDEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/securid.c
 securid5.o: $(authdir)/securid5.c $(AUTHDEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/securid5.c
 sia.o: $(authdir)/sia.c $(AUTHDEP)
 	$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c
 sudo.man.in: $(srcdir)/sudo.pod
 	@rm -f $(srcdir)/$@
 	( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ )
 sudo.man: sudo.man.in
 	CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status
 sudo.cat: sudo.man
 visudo.man.in: $(srcdir)/visudo.pod
 	@rm -f $(srcdir)/$@
 	( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' visudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ )
 visudo.man: visudo.man.in
 	CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status
 visudo.cat: visudo.man
 sudoers.man.in: $(srcdir)/sudoers.pod
 	@rm -f $(srcdir)/$@
 	( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudoers.man.pl >> $@ )
 sudoers.man:: sudoers.man.in
 	CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status
 sudoers.cat: sudoers.man
 sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.pod
 	@rm -f $(srcdir)/$@
 	( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.ldap.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.ldap.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ )
 sudoers.ldap.man:: sudoers.ldap.man.in
 	CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status
 sudoers.ldap.cat: sudoers.ldap.man
 sudoreplay.man.in: $(srcdir)/sudoreplay.pod
 	@rm -f $(srcdir)/$@
 	( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoreplay.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoreplay.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ )
 sudoreplay.man:: sudoreplay.man.in
 	CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status
 sudoers.cat: sudoers.man
@DEV@HISTORY: history.pod
@DEV@	pod2text -l -i0 $> > $@
@DEV@
@DEV@LICENSE: license.pod
@DEV@	pod2text -l -i0 $> | sed '1,2d' > $@
 ChangeLog:
 	hg log --style=changelog -b default > $@
 install: install-dirs install-binaries @INSTALL_NOEXEC@ install-sudoers install-man
 install-dirs:
-	$(SHELL) $(srcdir)/mkinstalldirs $(DESTDIR)$(sudodir) \
+	$(SHELL) $(top_srcdir)/mkinstalldirs $(DESTDIR)$(plugindir)
 	    $(DESTDIR)$(visudodir) $(DESTDIR)$(sudoersdir) \
 	    $(DESTDIR)$(mandirsu) $(DESTDIR)$(mandirform) \
 	    $(DESTDIR)$(noexecdir)
-install-binaries: install-dirs $(PROGS)
+install-binaries:
 	$(INSTALL) -O $(install_uid) -G $(install_gid) -M 4111 -s sudo $(DESTDIR)$(sudodir)/sudo
 	rm -f $(DESTDIR)$(sudodir)/sudoedit
 	ln $(DESTDIR)$(sudodir)/sudo $(DESTDIR)$(sudodir)/sudoedit
 	if [ -f sudoreplay ]; then $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s sudoreplay $(DESTDIR)$(sudodir)/sudoreplay; fi
 	$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s visudo $(DESTDIR)$(visudodir)/visudo
 	if [ -f sesh ]; then $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s sesh $(DESTDIR)$(libexecdir)/sesh; fi
-install-noexec: install-dirs sudo_noexec.la
+install-man:
 	if [ -f .libs/$(noexecfile) ]; then $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0755 .libs/$(noexecfile) $(DESTDIR)$(noexecdir); fi
-install-sudoers: install-dirs
+install-plugin: install-dirs sudoers.la
-	test -f $(DESTDIR)$(sudoersdir)/sudoers || \
+	$(LIBTOOL) --mode=install $(INSTALL) sudoers.la $(plugindir)
 	    $(INSTALL) -O $(sudoers_uid) -G $(sudoers_gid) -M $(sudoers_mode) \
 		$(srcdir)/sudoers $(DESTDIR)$(sudoersdir)/sudoers
 install-man: install-dirs
 	$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudo.$(mantype) $(DESTDIR)$(mandirsu)/sudo.$(mansectsu)
 	@rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)
 	ln $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)
 	@REPLAY@$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoreplay.$(mantype) $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu)
 	$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu)
 	$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform)
 	@LDAP@$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform)
@MAN_POSTINSTALL@
 check:
 	@echo nothing to check
 clean:
-	-rm -f *.a *.o *.lo stamp-* $(PROGS) testsudoers core *.core core.*
+	-rm -f *.a *.o *.lo *.la stamp-* core *.core core.*
 mostlyclean: clean
 distclean: clean
-	-rm -rf Makefile pathnames.h config.h config.status config.cache \
+	-rm -rf Makefile sudoers.lo .libs
 		config.log libtool sudo_noexec.lo .libs $(GENERATED) \
 		sudo.man sudoers.man sudoers.ldap.man visudo.man sudo_usage.h \
 		Makefile.binary
 clobber: distclean
@@ -504,74 +244,3 @@ realclean: distclean
 	rm -f TAGS tags
 cleandir: realclean
 dist: ChangeLog
 	pax -w -x ustar -s '/^/sudo-$(VERSION)\//' -f ../sudo-$(VERSION).tar \
 		$(DISTFILES)
 	gzip -9f ../sudo-$(VERSION).tar
 	ls -l ../sudo-$(VERSION).tar.gz
 bindist: ChangeLog
 	( \
 	  ARCH=`uname -m|sed 's:/:_:g'`+`uname -sr|sed 's/ /_/g'` ; \
 	  mkdir tmp.$$ARCH ; \
 	  tdir=tmp.$$ARCH/sudo-$(VERSION) ; \
 	  mkdir $$tdir ; \
 	  for i in $(BINFILES) ; do \
 	    if [ -f $$i ]; then \
 	      cp $$i $$tdir ; \
 	    elif [ -f $(srcdir)/$$i ]; then \
 	      cp $(srcdir)/$$i $$tdir ; \
 	    else \
 	      echo cannot find $$i ; \
 	      exit 1 ; \
 	    fi ; \
 	  done ; \
 	  if [ -f sudo_noexec.la ]; then \
 	    cp libtool $$tdir ; \
 	    $(LIBTOOL) --mode=install $(INSTALL) sudo_noexec.la `pwd`/$$tdir ; \
 	    ln $$tdir/sudo_noexec.la $$tdir/sudo_noexec.lai ; \
 	    ln -s . $$tdir/.libs ; \
 	  fi ; \
 	  cp $(srcdir)/INSTALL.binary $$tdir/INSTALL ; \
 	  sh ./config.status --file=Makefile.binary && cp Makefile.binary $$tdir/Makefile ; \
 	  strip $$tdir/sudo ; \
 	  strip $$tdir/visudo ; \
 	  cd tmp.$$ARCH && tar Ocf ../sudo-$(VERSION)-$$ARCH.tar sudo-$(VERSION) && cd .. ; \
 	  gzip -f --best sudo-$(VERSION)-$$ARCH.tar ; \
 	  rm -rf tmp.$$ARCH ; \
 	)
 depot:
 	( \
 	  tdir=tmp.depot ; \
 	  mkdir $$tdir ; \
 	  for i in sudo visudo sudo.man visudo.man sudoers.man sudoers ChangeLog HISTORY LICENSE README TROUBLESHOOTING UPGRADE sample.syslog.conf sample.sudoers; do \
 	    if [ -f $$i ]; then \
 	      cp $$i $$tdir ; \
 	    elif [ -f $(srcdir)/$$i ]; then \
 	      cp $(srcdir)/$$i $$tdir ; \
 	    else \
 	      echo cannot find $$i ; \
 	      exit 1 ; \
 	    fi ; \
 	  done ; \
 	  if [ -f sudo_noexec.la ]; then \
 	    cp libtool $$tdir ; \
 	    $(LIBTOOL) --mode=install $(INSTALL) sudo_noexec.la `pwd`/$$tdir ; \
 	  fi ; \
 	  sed 's/@VERSION@/$(VERSION)/g' <$(srcdir)/sudo.psf >$$tdir/sudo.psf ; \
 	  printf '#!/sbin/sh\nrm -f /usr/local/bin/sudoedit\nln /usr/local/bin/sudo /usr/local/bin/sudoedit\n' > $$tdir/sudo-exec.postinstall ; \
 	  printf '#!/sbin/sh\nrm -f /usr/local/man/man1m/sudoedit.1m\nln /usr/local/man/man1m/sudo.1m /usr/local/man/man1m/sudoedit.1m\n' > $$tdir/sudo-man.postinstall ; \
 	  printf '#!/sbin/sh\nif [ ! -s /etc/sudoers ]; then\n\techo installing /usr/local/doc/sudo/sudoers as /etc/sudoers\n\techo use /usr/local/sbin/visudo to configure sudo\n\tcp /usr/local/doc/sudo/sudoers /etc/sudoers\n\tchmod 440 /etc/sudoers\n\tchown root:root /etc/sudoers\nfi\n' > $$tdir/sudo-config.postinstall ; \
 	  chmod 755 $$tdir/sudo-exec.postinstall $$tdir/sudo-man.postinstall $$tdir/sudo-config.postinstall ; \
 	  strip $$tdir/sudo ; \
 	  strip $$tdir/visudo ; \
 	  cd $$tdir ; \
 	  swpackage -x target_type=tape -d ../sudo-$(VERSION).depot -s sudo.psf ; \
 	  cd .. ; \
 	  gzip -f --best sudo-$(VERSION).depot; \
 	  rm -rf tmp.depot ; \
 	)
 .PHONY:	ChangeLog
--- a/plugins/sudoers/alias.c
+++ b/plugins/sudoers/alias.c
@@ -41,7 +41,7 @@
 # include <unistd.h>
 #endif /* HAVE_UNISTD_H */
-#include "sudo.h"
+#include "sudoers.h"
 #include "parse.h"
 #include "redblack.h"
 #include <gram.h>
--- a/plugins/sudoers/auth/afs.c
+++ b/plugins/sudoers/auth/afs.c
@@ -44,7 +44,7 @@
 #endif /* HAVE_UNISTD_H */
 #include <pwd.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "sudo_auth.h"
 #include <afs/stds.h>
--- a/plugins/sudoers/auth/aix_auth.c
+++ b/plugins/sudoers/auth/aix_auth.c
@@ -43,7 +43,7 @@
 #endif /* HAVE_UNISTD_H */
 #include <pwd.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "sudo_auth.h"
 /*
@@ -61,7 +61,7 @@ aixauth_verify(pw, prompt, auth)
    int reenter = 1;
    int rval = AUTH_FAILURE;
-    pass = tgetpass(prompt, def_passwd_timeout * 60, tgetpass_flags);
+    pass = auth_getpass(prompt, def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF);
    if (pass) {
 	/* XXX - should probably print message on failure. */
 	if (authenticate(pw->pw_name, pass, &reenter, &message) == 0)
--- a/plugins/sudoers/auth/bsdauth.c
+++ b/plugins/sudoers/auth/bsdauth.c
@@ -48,7 +48,7 @@
 #include <login_cap.h>
 #include <bsd_auth.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "sudo_auth.h"
 extern char *login_style;		/* from sudo.c */
@@ -114,9 +114,9 @@ bsdauth_verify(pw, prompt, auth)
     * S/Key.
     */
    if ((s = auth_challenge(as)) == NULL) {
-	pass = tgetpass(prompt, def_passwd_timeout * 60, tgetpass_flags);
+	pass = auth_getpass(prompt, def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF);
    } else {
-	pass = tgetpass(s, def_passwd_timeout * 60, tgetpass_flags);
+	pass = auth_getpass(prompt, def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF);
 	if (pass && *pass == '\0') {
 	    if ((prompt = strrchr(s, '\n')))
 		prompt++;
@@ -131,8 +131,8 @@ bsdauth_verify(pw, prompt, auth)
 	    while (isspace(prompt[len]) || prompt[len] == ':')
 		prompt[len--] = '\0';
 	    easprintf(&s, "%s [echo on]: ", prompt);
-	    pass = tgetpass(s, def_passwd_timeout * 60,
+	    pass = auth_getpass(prompt, def_passwd_timeout * 60,
-		tgetpass_flags | TGP_ECHO);
+		SUDO_CONV_PROMPT_ECHO_ON);
 	    free(s);
 	}
    }
--- a/plugins/sudoers/auth/dce.c
+++ b/plugins/sudoers/auth/dce.c
@@ -61,7 +61,7 @@
 #include <dce/sec_login.h>
 #include <dce/dce_error.h> /* required to call dce_error_inq_text routine */
-#include "sudo.h"
+#include "sudoers.h"
 #include "sudo_auth.h"
 static int check_dce_status __P((error_status_t, char *));
--- a/plugins/sudoers/auth/fwtk.c
+++ b/plugins/sudoers/auth/fwtk.c
@@ -46,7 +46,7 @@
 #include <auth.h>
 #include <firewall.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "sudo_auth.h"
 int
@@ -103,16 +103,17 @@ restart:
    /* Get the password/response from the user. */
    if (strncmp(resp, "challenge ", 10) == 0) {
 	(void) snprintf(buf, sizeof(buf), "%s\nResponse: ", &resp[10]);
-	pass = tgetpass(buf, def_passwd_timeout * 60, tgetpass_flags);
+	pass = auth_getpass(buf, def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF);
 	if (pass && *pass == '\0') {
-	    pass = tgetpass("Response [echo on]: ",
+	    pass = auth_getpass("Response [echo on]: ",
-		def_passwd_timeout * 60, tgetpass_flags | TGP_ECHO);
+		def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_ON);
 	}
    } else if (strncmp(resp, "chalnecho ", 10) == 0) {
-	pass = tgetpass(&resp[10], def_passwd_timeout * 60, tgetpass_flags);
+	pass = auth_getpass(&resp[10], def_passwd_timeout * 60,
 	    SUDO_CONV_PROMPT_ECHO_OFF);
    } else if (strncmp(resp, "password", 8) == 0) {
-	pass = tgetpass(prompt, def_passwd_timeout * 60,
+	pass = auth_getpass(prompt, def_passwd_timeout * 60,
-	    tgetpass_flags);
+	    SUDO_CONV_PROMPT_ECHO_OFF);
    } else if (strncmp(resp, "display ", 8) == 0) {
 	fprintf(stderr, "%s\n", &resp[8]);
 	strlcpy(buf, "response dummy", sizeof(buf));
--- a/plugins/sudoers/auth/kerb4.c
+++ b/plugins/sudoers/auth/kerb4.c
@@ -44,7 +44,7 @@
 #include <pwd.h>
 #include <krb.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "sudo_auth.h"
 int
--- a/plugins/sudoers/auth/kerb5.c
+++ b/plugins/sudoers/auth/kerb5.c
@@ -50,7 +50,7 @@
 #include <com_err.h>
 #endif
-#include "sudo.h"
+#include "sudoers.h"
 #include "sudo_auth.h"
 #ifdef HAVE_HEIMDAL
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -62,7 +62,7 @@
 # endif
 #endif
-#include "sudo.h"
+#include "sudoers.h"
 #include "sudo_auth.h"
 /* Only OpenPAM and Linux PAM use const qualifiers. */
@@ -257,17 +257,17 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
    PAM_CONST struct pam_message *pm;
    const char *prompt;
    char *pass;
-    int n, flags, std_prompt;
+    int n, type, std_prompt;
    if ((*response = malloc(num_msg * sizeof(struct pam_response))) == NULL)
 	return(PAM_SYSTEM_ERR);
    zero_bytes(*response, num_msg * sizeof(struct pam_response));
    for (pr = *response, pm = *msg, n = num_msg; n--; pr++, pm++) {
-	flags = tgetpass_flags;
+	type = SUDO_CONV_PROMPT_ECHO_OFF;
 	switch (pm->msg_style) {
 	    case PAM_PROMPT_ECHO_ON:
-		SET(flags, TGP_ECHO);
+		type = SUDO_CONV_PROMPT_ECHO_ON;
 	    case PAM_PROMPT_ECHO_OFF:
 		prompt = def_prompt;
@@ -289,7 +289,7 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
 		    prompt = pm->msg;
 #endif
 		/* Read the password unless interrupted. */
-		pass = tgetpass(prompt, def_passwd_timeout * 60, flags);
+		pass = auth_getpass(prompt, def_passwd_timeout * 60, type);
 		if (pass == NULL) {
 		    /* We got ^C instead of a password; abort quickly. */
 		    if (errno == EINTR)
--- a/plugins/sudoers/auth/passwd.c
+++ b/plugins/sudoers/auth/passwd.c
@@ -43,7 +43,7 @@
 #endif /* HAVE_UNISTD_H */
 #include <pwd.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "sudo_auth.h"
 #define DESLEN			13
--- a/plugins/sudoers/auth/rfc1938.c
+++ b/plugins/sudoers/auth/rfc1938.c
@@ -60,7 +60,7 @@
 # define rfc1938verify(a,b)		opieverify((a),(b))
 #endif
-#include "sudo.h"
+#include "sudoers.h"
 #include "sudo_auth.h"
 int
--- a/plugins/sudoers/auth/secureware.c
+++ b/plugins/sudoers/auth/secureware.c
@@ -50,7 +50,7 @@
 #endif /* __hpux */
 #include <prot.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "sudo_auth.h"
 int
--- a/plugins/sudoers/auth/securid.c
+++ b/plugins/sudoers/auth/securid.c
@@ -50,7 +50,7 @@
 #include <sdconf.h>
 #include <sdacmvls.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "sudo_auth.h"
 union config_record configure;
--- a/plugins/sudoers/auth/securid5.c
+++ b/plugins/sudoers/auth/securid5.c
@@ -52,7 +52,7 @@
 #include <acexport.h>
 #include <sdacmvls.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "sudo_auth.h"
 /*
@@ -160,8 +160,8 @@ securid_verify(pw, pass, auth)
    SDI_HANDLE *sd = (SDI_HANDLE *) auth->data;
    int rval;
-    pass = (char *) tgetpass("Enter your PASSCODE: ",
+    pass = auth_getpass("Enter your PASSCODE: ",
-	def_passwd_timeout * 60, tgetpass_flags);
+	def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF);
    /* Have ACE verify password */
    switch (SD_Check(*sd, pass, pw->pw_name)) {
@@ -192,11 +192,11 @@ securid_verify(pw, pass, auth)
                /* Sometimes (when current token close to expire?)
                   ACE challenges for the next token displayed
                   (entered without the PIN) */
-        	pass = (char *) tgetpass("\
+        	pass = auth_getpass("\
 !!! ATTENTION !!!\n\
 Wait for the token code to change, \n\
 then enter the new token code.\n", \
-		def_passwd_timeout * 60, tgetpass_flags);
+		def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF);
 		if (SD_Next(*sd, pass) == ACM_OK) {
 			rval = AUTH_SUCCESS;
--- a/plugins/sudoers/auth/sia.c
+++ b/plugins/sudoers/auth/sia.c
@@ -46,7 +46,7 @@
 #include <pwd.h>
 #include <siad.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "sudo_auth.h"
 static int sudo_collect	__P((int, int, uchar_t *, int, prompt_t *));
--- a/plugins/sudoers/auth/sudo_auth.c
+++ b/plugins/sudoers/auth/sudo_auth.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999-2005, 2008-2009 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999-2005, 2008-2010 Todd C. Miller <Todd.Miller@courtesan.com>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -48,10 +48,12 @@
 #include <time.h>
 #include <signal.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "sudo_auth.h"
 #include "insults.h"
 sudo_conv_t sudo_conv;
 sudo_auth auth_switch[] = {
 #ifdef AUTH_STANDALONE
    AUTH_STANDALONE
@@ -84,15 +86,12 @@ sudo_auth auth_switch[] = {
    AUTH_ENTRY(0, NULL, NULL, NULL, NULL, NULL)
 };
-void
+int
-verify_user(pw, prompt)
+verify_user(struct passwd *pw, char *prompt)
    struct passwd *pw;
    char *prompt;
 {
    int counter = def_passwd_tries + 1;
    int success = AUTH_FAILURE;
-    int status;
+    int flags, status, rval;
    int flags;
    char *p;
    sudo_auth *auth;
    sigaction_t sa, osa;
@@ -115,6 +114,7 @@ verify_user(pw, prompt)
 	    "There are no authentication methods compiled into sudo!",
 	    "If you want to turn off authentication, use the",
 	    "--disable-authentication configure option.");
 	return -1;
    }
    /* Set FLAG_ONEANDONLY if there is only one auth method. */
@@ -134,7 +134,7 @@ verify_user(pw, prompt)
 #ifdef HAVE_BSM_AUDIT
 		audit_failure(NewArgv, "authentication failure");
 #endif
-		exit(1);		/* assume error msg already printed */
+		return -1;		/* assume error msg already printed */
 	    }
 	    if (NEEDS_USER(auth))
@@ -156,7 +156,7 @@ verify_user(pw, prompt)
 #ifdef HAVE_BSM_AUDIT
 		    audit_failure(NewArgv, "authentication failure");
 #endif
-		    exit(1);		/* assume error msg already printed */
+		    return -1;		/* assume error msg already printed */
 		}
 		if (NEEDS_USER(auth))
@@ -168,8 +168,7 @@ verify_user(pw, prompt)
 #ifdef AUTH_STANDALONE
 	p = prompt;
 #else
-	p = (char *) tgetpass(prompt, def_passwd_timeout * 60,
+	p = auth_getpass(prompt, def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF);
 	    tgetpass_flags);
 #endif /* AUTH_STANDALONE */
 	/* Call authentication functions. */
@@ -189,11 +188,12 @@ verify_user(pw, prompt)
 		goto cleanup;
 	}
 #ifndef AUTH_STANDALONE
-	if (p)
+	if (repl.reply)
-	    zero_bytes(p, strlen(p));
+	    zero_bytes(p, strlen(repl.reply));
 #endif
-	if (!ISSET(tgetpass_flags, TGP_ASKPASS))
+	/* XXX - need way to know if askpass was used */
-	    pass_warn(stderr);
+	//if (!ISSET(tgetpass_flags, TGP_ASKPASS))
 	    pass_warn();
    }
 cleanup:
@@ -208,7 +208,7 @@ cleanup:
 #ifdef HAVE_BSM_AUDIT
 		audit_failure(NewArgv, "authentication failure");
 #endif
-		exit(1);		/* assume error msg already printed */
+		return -1;		/* assume error msg already printed */
 	    }
 	    if (NEEDS_USER(auth))
@@ -219,7 +219,8 @@ cleanup:
    switch (success) {
 	case AUTH_SUCCESS:
 	    (void) sigaction(SIGTSTP, &osa, NULL);
-	    return;
+	    rval = TRUE;
 	    break;
 	case AUTH_INTR:
 	case AUTH_FAILURE:
 	    if (counter != def_passwd_tries) {
@@ -227,43 +228,73 @@ cleanup:
 		    flags = 0;
 		else
 		    flags = NO_MAIL;
 #ifdef HAVE_BSM_AUDIT
 		audit_failure(NewArgv, "authentication failure");
 #endif
 		log_error(flags, "%d incorrect password attempt%s",
 		    def_passwd_tries - counter,
 		    (def_passwd_tries - counter == 1) ? "" : "s");
 	    }
 	    /* FALLTHROUGH */
 	case AUTH_FATAL:
 #ifdef HAVE_BSM_AUDIT
 	    audit_failure(NewArgv, "authentication failure");
 #endif
-	    exit(1);
+	    rval = FALSE;
 	    break;
 	case AUTH_FATAL:
 	default:
 #ifdef HAVE_BSM_AUDIT
 	    audit_failure(NewArgv, "authentication failure");
 #endif
 	    rval = -1;
 	    break;
    }
-    /* NOTREACHED */
+
    return rval;
 }
 void
-pass_warn(fp)
+pass_warn(void)
    FILE *fp;
 {
    struct sudo_conv_message msg;
    struct sudo_conv_reply repl;
    /* Call conversation function */
    memset(&msg, 0, sizeof(msg));
    msg.msg_type = SUDO_CONV_ERROR_MSG;
 #ifdef INSULT
    if (def_insults)
-	(void) fprintf(fp, "%s\n", INSULT);
+	msg.msg = INSULT;
    else
 #endif
-	(void) fprintf(fp, "%s\n", def_badpass_message);
+	msg.msg = def_badpass_message;
    memset(&repl, 0, sizeof(repl));
    sudo_conv(1, &msg, &repl);
 }
 char *
 auth_getpass(const char *prompt, int timeout, int type)
 {
    struct sudo_conv_message msg;
    struct sudo_conv_reply repl;
    /* Call conversation function */
    memset(&msg, 0, sizeof(msg));
    msg.msg_type = SUDO_CONV_PROMPT_ECHO_OFF;
    msg.timeout = def_passwd_timeout * 60;
    msg.msg = prompt;
    memset(&repl, 0, sizeof(repl));
    sudo_conv(1, &msg, &repl);
    /* XXX - check for ENOTTY? */
    return repl.reply;
 }
 #ifdef notyet
 void
-dump_auth_methods()
+dump_auth_methods(void)
 {
    sudo_auth *auth;
    /* XXX - conversation function */
    (void) fputs("Authentication methods:", stdout);
    for (auth = auth_switch; auth->name; auth++)
        (void) printf(" '%s'", auth->name);
    (void) putchar('\n');
 }
 #endif
--- a/plugins/sudoers/auth/sudo_auth.h
+++ b/plugins/sudoers/auth/sudo_auth.h
@@ -45,6 +45,12 @@ typedef struct sudo_auth {
 #define IS_CONFIGURED(x)	((x)->flags & FLAG_CONFIGURED)
 #define IS_ONEANDONLY(x)	((x)->flags & FLAG_ONEANDONLY)
 /* Like tgetpass() but uses conversation function */
 char *auth_getpass(const char *prompt, int timeout, int type);
 /* Pointer to conversation function to use with auth_getpass(). */
 extern sudo_conv_t sudo_conv;
 /* Prototypes for standalone methods */
 int fwtk_init __P((struct passwd *pw, char **prompt, sudo_auth *auth));
 int fwtk_verify __P((struct passwd *pw, char *prompt, sudo_auth *auth));
--- a/plugins/sudoers/check.c
+++ b/plugins/sudoers/check.c
@@ -56,7 +56,7 @@
 # include <compat/timespec.h>
 #endif
-#include "sudo.h"
+#include "sudoers.h"
 /* Status codes for timestamp_status() */
 #define TS_CURRENT		0
@@ -69,7 +69,7 @@
 #define TS_MAKE_DIRS		1
 #define TS_REMOVE		2
-static void  build_timestamp	__P((char **, char **));
+static int   build_timestamp	__P((char **, char **));
 static int   timestamp_status	__P((char *, char *, char *, int));
 static char *expand_prompt	__P((char *, char *, char *));
 static void  lecture		__P((int));
@@ -78,8 +78,9 @@ static void  update_timestamp	__P((char *, char *));
 /*
 * This function only returns if the user can successfully
 * verify who he/she is.
 * XXX - check return values
 */
-void
+int
 check_user(validated, mode)
    int validated;
    int mode;
@@ -87,25 +88,30 @@ check_user(validated, mode)
    char *timestampdir = NULL;
    char *timestampfile = NULL;
    char *prompt;
-    int status;
+    int status, rval = TRUE;
    /* Always prompt for a password when -k was specified with the command. */
    if (ISSET(mode, MODE_INVALIDATE)) {
 	SET(validated, FLAG_CHECK_USER);
    } else {
 	if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt())
-	    return;
+	    return TRUE;
    }
-    build_timestamp(&timestampdir, &timestampfile);
+    if (build_timestamp(&timestampdir, &timestampfile) == -1)
 	return -1;
    status = timestamp_status(timestampdir, timestampfile, user_name,
 	TS_MAKE_DIRS);
    if (status != TS_CURRENT || ISSET(validated, FLAG_CHECK_USER)) {
 	/* Bail out if we are non-interactive and a password is required */
-	if (ISSET(mode, MODE_NONINTERACTIVE))
+	if (ISSET(mode, MODE_NONINTERACTIVE)) {
-	    errorx(1, "sorry, a password is required to run %s", getprogname());
+	    warningx("sorry, a password is required to run %s", getprogname());
 	    return -1;
 	}
 #if 0 /* XXX - checks need to be done in main driver */
 	/* If user specified -A, make sure we have an askpass helper. */
 	if (ISSET(tgetpass_flags, TGP_ASKPASS)) {
 	    if (user_askpass == NULL)
@@ -124,19 +130,22 @@ check_user(validated, mode)
 	}
 	if (!ISSET(tgetpass_flags, TGP_ASKPASS))
 #endif
 	    lecture(status);
 	/* Expand any escapes in the prompt. */
 	prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt,
 	    user_name, user_shost);
-	verify_user(auth_pw, prompt);
+	rval = verify_user(auth_pw, prompt);
    }
    /* Only update timestamp if user was validated. */
    if (ISSET(validated, VALIDATE_OK) && !ISSET(mode, MODE_INVALIDATE) && status != TS_ERROR)
 	update_timestamp(timestampdir, timestampfile);
    efree(timestampdir);
    efree(timestampfile);
    return rval;
 }
 /*
@@ -258,7 +267,7 @@ expand_prompt(old_prompt, user, host)
    }
    if (subst) {
-	new_prompt = (char *) emalloc(++len);
+	new_prompt = emalloc(++len);
 	endp = new_prompt + len;
 	for (p = old_prompt, np = new_prompt; *p; p++) {
 	    if (p[0] =='%') {
@@ -341,7 +350,7 @@ user_is_exempt()
 /*
 * Fills in timestampdir as well as timestampfile if using tty tickets.
 */
-static void
+static int
 build_timestamp(timestampdir, timestampfile)
    char **timestampdir;
    char **timestampfile;
@@ -351,8 +360,10 @@ build_timestamp(timestampdir, timestampfile)
    dirparent = def_timestampdir;
    len = easprintf(timestampdir, "%s/%s", dirparent, user_name);
-    if (len >= PATH_MAX)
+    if (len >= PATH_MAX) {
 	log_error(0, "timestamp path too long: %s", *timestampdir);
 	return -1;
    }
    /*
     * Timestamp file may be a file in the directory or NUL to use
@@ -370,15 +381,21 @@ build_timestamp(timestampdir, timestampfile)
 		p, runas_pw->pw_name);
 	else
 	    len = easprintf(timestampfile, "%s/%s/%s", dirparent, user_name, p);
-	if (len >= PATH_MAX)
+	if (len >= PATH_MAX) {
 	    log_error(0, "timestamp path too long: %s", *timestampfile);
 	    return -1;
 	}
    } else if (def_targetpw) {
 	len = easprintf(timestampfile, "%s/%s/%s", dirparent, user_name,
 	    runas_pw->pw_name);
-	if (len >= PATH_MAX)
+	if (len >= PATH_MAX) {
 	    log_error(0, "timestamp path too long: %s", *timestampfile);
 	    return -1;
 	}
    } else
 	*timestampfile = NULL;
    return len;
 }
 /*
@@ -578,7 +595,9 @@ remove_timestamp(remove)
    char *timestampdir, *timestampfile, *path;
    int status;
-    build_timestamp(&timestampdir, &timestampfile);
+    if (build_timestamp(&timestampdir, &timestampfile) == -1)
 	return;
    status = timestamp_status(timestampdir, timestampfile, user_name,
 	TS_REMOVE);
    if (status == TS_OLD || status == TS_CURRENT) {
--- a/plugins/sudoers/defaults.c
+++ b/plugins/sudoers/defaults.c
@@ -45,7 +45,7 @@
 #include <pwd.h>
 #include <ctype.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "parse.h"
 #include <gram.h>
--- a/plugins/sudoers/env.c
+++ b/plugins/sudoers/env.c
@@ -47,7 +47,7 @@
 #include <errno.h>
 #include <pwd.h>
-#include "sudo.h"
+#include "sudoers.h"
 /*
 * Flags used in rebuild_env()
@@ -209,6 +209,31 @@ static const char *initial_keepenv_table[] = {
    NULL
 };
 /*
 * Initialize env based on envp.
 */
 int
 env_init(char * const envp[])
 {
    char * const *ep;
    size_t len;
    int rval = -1;
    for (ep = envp; *ep != NULL; ep++)
 	continue;
    len = (size_t)(ep - envp);
    env.env_size = len + 1 + 128;
    env.envp = emalloc2(env.env_size, sizeof(char *));
 #ifdef ENV_DEBUG
    memset(env.envp, 0, env.env_size * sizeof(char *));
 #endif
    memcpy(env.envp, envp, len * sizeof(char *));
    env.envp[len] = '\0';
    rval = 0;
    return rval;
 }
 /*
 * Similar to setenv(3) but operates on sudo's private copy of the environment
 * (not environ) and it always overwrites.  The dupcheck param determines
@@ -250,8 +275,10 @@ setenv(var, val, overwrite)
    const char *cp;
    size_t esize;
-    if (!var || *var == '\0')
+    if (!var || *var == '\0') {
-	return(EINVAL);
+	errno = EINVAL;
 	return -1;
    }
    /*
     * POSIX says a var name with '=' is an error but BSD
@@ -302,7 +329,7 @@ setenv(var, val, overwrite)
 #endif
    }
    sudo_putenv(estring, TRUE, overwrite);
-    return(0);
+    return 0;
 }
 /*
@@ -325,7 +352,7 @@ unsetenv(var)
 #ifdef UNSETENV_VOID
 	return;
 #else
-	return(-1);
+	return -1;
 #endif
    }
@@ -365,7 +392,7 @@ unsetenv(var)
 	}
    }
 #ifndef UNSETENV_VOID
-    return(0);
+    return 0;
 #endif
 }
@@ -383,7 +410,7 @@ putenv(string)
 {
    if (strchr(string, '=') == NULL) {
 	errno = EINVAL;
-	return(-1);
+	return -1;
    }
    /* Sync env.envp with environ as needed. */
    if (env.envp != environ) {
@@ -412,7 +439,7 @@ putenv(string)
 #endif
    }
    sudo_putenv((char *)string, TRUE, TRUE);
-    return(0);
+    return 0;
 }
 /*
@@ -490,7 +517,7 @@ matches_env_delete(var)
 	    break;
 	}
    }
-    return(match);
+    return match;
 }
 /*
@@ -520,7 +547,7 @@ matches_env_check(var)
 	    break;
 	}
    }
-    return(keepit);
+    return keepit;
 }
 /*
@@ -549,7 +576,7 @@ matches_env_keep(var)
 	    break;
 	}
    }
-    return(keepit);
+    return keepit;
 }
 /*
@@ -760,8 +787,9 @@ rebuild_env(sudo_mode, noexec)
 	easprintf(&cp, "%s %s", user_cmnd, user_args);
 	sudo_setenv("SUDO_COMMAND", cp, TRUE);
 	efree(cp);
-    } else
+    } else {
 	sudo_setenv("SUDO_COMMAND", user_cmnd, TRUE);
    }
    /* Add the SUDO_USER, SUDO_UID, SUDO_GID environment variables. */
    sudo_setenv("SUDO_USER", user_name, TRUE);
--- a/plugins/sudoers/error.c
+++ b/plugins/sudoers/error.c
@@ -0,0 +1,93 @@
 /*
 * Copyright (c) 2004-2005 Todd C. Miller <Todd.Miller@courtesan.com>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 #include <errno.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <setjmp.h>
 #include <config.h>
 #include <compat.h>
 #include "error.h"
 static void _warning(int, const char *, va_list);
       void cleanup(int);
 sigjmp_buf error_jmp;
 void
 error(int eval, const char *fmt, ...)
 {
 	va_list ap;
 	va_start(ap, fmt);
 	_warning(1, fmt, ap);
 	va_end(ap);
 	cleanup(0);
 	if (error_jmp)
 	    siglongjmp(error_jmp, 1);
 	else
 	    exit(eval);
 }
 void
 errorx(int eval, const char *fmt, ...)
 {
 	va_list ap;
 	va_start(ap, fmt);
 	_warning(0, fmt, ap);
 	va_end(ap);
 	cleanup(0);
 	if (error_jmp)
 	    siglongjmp(error_jmp, 1);
 	else
 	    exit(eval);
 }
 void
 warning(const char *fmt, ...)
 {
 	va_list ap;
 	va_start(ap, fmt);
 	_warning(1, fmt, ap);
 	va_end(ap);
 }
 void
 warningx(const char *fmt, ...)
 {
 	va_list ap;
 	va_start(ap, fmt);
 	_warning(0, fmt, ap);
 	va_end(ap);
 }
 static void
 _warning(int use_errno, const char *fmt, va_list ap)
 {
 	int serrno = errno;
 	fputs(getprogname(), stderr);
 	if (fmt != NULL) {
 		fputs(": ", stderr);
 		vfprintf(stderr, fmt, ap);
 	}
 	if (use_errno) {
 	    fputs(": ", stderr);
 	    fputs(strerror(serrno), stderr);
 	}
 	putc('\n', stderr);
 }
--- a/plugins/sudoers/find_path.c
+++ b/plugins/sudoers/find_path.c
@@ -43,7 +43,7 @@
 # include <unistd.h>
 #endif /* HAVE_UNISTD_H */
-#include "sudo.h"
+#include "sudoers.h"
 /*
 * This function finds the full pathname for a command and
--- a/plugins/sudoers/getspwuid.c
+++ b/plugins/sudoers/getspwuid.c
@@ -68,7 +68,7 @@
 # include <auth.h>
 #endif /* HAVE_GETAUTHUID */
-#include "sudo.h"
+#include "sudoers.h"
 /*
 * Exported for auth/secureware.c
@@ -85,19 +85,18 @@ char *
 sudo_getepw(pw)
    const struct passwd *pw;
 {
-    char *epw;
+    char *epw = NULL;
    /* If there is a function to check for shadow enabled, use it... */
 #ifdef HAVE_ISCOMSEC
    if (!iscomsec())
-	return(estrdup(pw->pw_passwd));
+	goto done;
 #endif /* HAVE_ISCOMSEC */
 #ifdef HAVE_ISSECURE
    if (!issecure())
-	return(estrdup(pw->pw_passwd));
+	goto done;
 #endif /* HAVE_ISSECURE */
    epw = NULL;
 #ifdef HAVE_GETPRPWNAM
    {
 	struct pr_passwd *spw;
@@ -106,10 +105,8 @@ sudo_getepw(pw)
 # ifdef __alpha
 	    crypt_type = spw->ufld.fd_oldcrypt;
 # endif /* __alpha */
-	    epw = estrdup(spw->ufld.fd_encrypt);
+	    epw = spw->ufld.fd_encrypt;
 	}
 	if (epw)
 	    return(epw);
    }
 #endif /* HAVE_GETPRPWNAM */
 #ifdef HAVE_GETSPNAM
@@ -117,9 +114,7 @@ sudo_getepw(pw)
 	struct spwd *spw;
 	if ((spw = getspnam(pw->pw_name)) && spw->sp_pwdp)
-	    epw = estrdup(spw->sp_pwdp);
+	    epw = spw->sp_pwdp;
 	if (epw)
 	    return(epw);
    }
 #endif /* HAVE_GETSPNAM */
 #ifdef HAVE_GETSPWUID
@@ -127,9 +122,7 @@ sudo_getepw(pw)
 	struct s_passwd *spw;
 	if ((spw = getspwuid(pw->pw_uid)) && spw->pw_passwd)
-	    epw = estrdup(spw->pw_passwd);
+	    epw = spw->pw_passwd;
 	if (epw)
 	    return(epw);
    }
 #endif /* HAVE_GETSPWUID */
 #ifdef HAVE_GETPWANAM
@@ -137,9 +130,7 @@ sudo_getepw(pw)
 	struct passwd_adjunct *spw;
 	if ((spw = getpwanam(pw->pw_name)) && spw->pwa_passwd)
-	    epw = estrdup(spw->pwa_passwd);
+	    epw = spw->pwa_passwd;
 	if (epw)
 	    return(epw);
    }
 #endif /* HAVE_GETPWANAM */
 #ifdef HAVE_GETAUTHUID
@@ -147,14 +138,15 @@ sudo_getepw(pw)
 	AUTHORIZATION *spw;
 	if ((spw = getauthuid(pw->pw_uid)) && spw->a_password)
-	    epw = estrdup(spw->a_password);
+	    epw = spw->a_password;
 	if (epw)
 	    return(epw);
    }
 #endif /* HAVE_GETAUTHUID */
-    /* Fall back on normal password. */
+#if defined(HAVE_ISCOMSEC) || defined(HAVE_ISSECURE)
-    return(estrdup(pw->pw_passwd));
+done:
 #endif
    /* If no shadow password, fall back on regular password. */
    return estrdup(epw ? epw : pw->pw_passwd);
 }
 void
--- a/plugins/sudoers/goodpath.c
+++ b/plugins/sudoers/goodpath.c
@@ -36,7 +36,7 @@
 #endif /* HAVE_UNISTD_H */
 #include <errno.h>
-#include "sudo.h"
+#include "sudoers.h"
 /*
 * Verify that path is a normal file and executable by root.
--- a/plugins/sudoers/gram.c
+++ b/plugins/sudoers/gram.c
@@ -1,11 +1,3 @@
 #ifndef lint
 /*static char yysccsid[] = "from: @(#)yaccpar	1.9 (Berkeley) 02/21/93";*/
 static char yyrcsid[]
 #if __GNUC__ >= 2
  __attribute__ ((unused))
 #endif /* __GNUC__ >= 2 */
  = "$OpenBSD: skeleton.c,v 1.29 2008/07/08 15:06:50 otto Exp $";
 #endif
 #include <stdlib.h>
 #include <string.h>
 #define YYBYACC 1
@@ -17,7 +9,7 @@ static char yyrcsid[]
 #define yyerrok (yyerrflag=0)
 #define YYRECOVERING() (yyerrflag!=0)
 #define YYPREFIX "yy"
-#line 2 "gram.y"
+#line 2 "./gram.y"
 /*
 * Copyright (c) 1996, 1998-2005, 2007-2009
 *	Todd C. Miller <Todd.Miller@courtesan.com>
@@ -69,7 +61,7 @@ static char yyrcsid[]
 #endif /* YYBISON && HAVE_ALLOCA_H && !__GNUC__ */
 #include <limits.h>
-#include "sudo.h"
+#include "sudoers.h" /* XXX */
 #include "parse.h"
 /*
@@ -118,6 +110,7 @@ yyerror(s)
 	errorfile = estrdup(sudoers);
    }
    if (verbose && s != NULL) {
 	/* XXX - conversation function when called via plugin */
 #ifndef TRACELEXER
 	(void) fprintf(stderr, ">>> %s: %s near line %d <<<\n", sudoers, s,
 	    sudolineno ? sudolineno - 1 : 0);
@@ -127,7 +120,7 @@ yyerror(s)
    }
    parse_error = TRUE;
 }
-#line 117 "gram.y"
+#line 114 "./gram.y"
 #ifndef YYSTYPE_DEFINED
 #define YYSTYPE_DEFINED
 typedef union {
@@ -143,7 +136,7 @@ typedef union {
    int tok;
 } YYSTYPE;
 #endif /* YYSTYPE_DEFINED */
-#line 151 "y.tab.c"
+#line 140 "y.tab.c"
 #define COMMAND 257
 #define ALIAS 258
 #define DEFVAR 259
@@ -625,7 +618,7 @@ short *yyss;
 short *yysslim;
 YYSTYPE *yyvs;
 int yystacksize;
-#line 600 "gram.y"
+#line 597 "./gram.y"
 static struct defaults *
 new_default(var, val, op)
    char *var;
@@ -816,7 +809,7 @@ init_parser(path, quiet)
    sudolineno = 1;
    verbose = !quiet;
 }
-#line 772 "y.tab.c"
+#line 761 "y.tab.c"
 /* allocate initial stack or double stack size, up to YYMAXDEPTH */
 #if defined(__cplusplus) || defined(__STDC__)
 static int yygrowstack(void)
@@ -1022,127 +1015,127 @@ yyreduce:
    switch (yyn)
    {
 case 1:
-#line 190 "gram.y"
+#line 187 "./gram.y"
 { ; }
 break;
 case 5:
-#line 198 "gram.y"
+#line 195 "./gram.y"
 {
 			    ;
 			}
 break;
 case 6:
-#line 201 "gram.y"
+#line 198 "./gram.y"
 {
 			    yyerrok;
 			}
 break;
 case 7:
-#line 204 "gram.y"
+#line 201 "./gram.y"
 {
 			    add_userspec(yyvsp[-1].member, yyvsp[0].privilege);
 			}
 break;
 case 8:
-#line 207 "gram.y"
+#line 204 "./gram.y"
 {
 			    ;
 			}
 break;
 case 9:
-#line 210 "gram.y"
+#line 207 "./gram.y"
 {
 			    ;
 			}
 break;
 case 10:
-#line 213 "gram.y"
+#line 210 "./gram.y"
 {
 			    ;
 			}
 break;
 case 11:
-#line 216 "gram.y"
+#line 213 "./gram.y"
 {
 			    ;
 			}
 break;
 case 12:
-#line 219 "gram.y"
+#line 216 "./gram.y"
 {
 			    add_defaults(DEFAULTS, NULL, yyvsp[0].defaults);
 			}
 break;
 case 13:
-#line 222 "gram.y"
+#line 219 "./gram.y"
 {
 			    add_defaults(DEFAULTS_USER, yyvsp[-1].member, yyvsp[0].defaults);
 			}
 break;
 case 14:
-#line 225 "gram.y"
+#line 222 "./gram.y"
 {
 			    add_defaults(DEFAULTS_RUNAS, yyvsp[-1].member, yyvsp[0].defaults);
 			}
 break;
 case 15:
-#line 228 "gram.y"
+#line 225 "./gram.y"
 {
 			    add_defaults(DEFAULTS_HOST, yyvsp[-1].member, yyvsp[0].defaults);
 			}
 break;
 case 16:
-#line 231 "gram.y"
+#line 228 "./gram.y"
 {
 			    add_defaults(DEFAULTS_CMND, yyvsp[-1].member, yyvsp[0].defaults);
 			}
 break;
 case 18:
-#line 237 "gram.y"
+#line 234 "./gram.y"
 {
 			    list_append(yyvsp[-2].defaults, yyvsp[0].defaults);
 			    yyval.defaults = yyvsp[-2].defaults;
 			}
 break;
 case 19:
-#line 243 "gram.y"
+#line 240 "./gram.y"
 {
 			    yyval.defaults = new_default(yyvsp[0].string, NULL, TRUE);
 			}
 break;
 case 20:
-#line 246 "gram.y"
+#line 243 "./gram.y"
 {
 			    yyval.defaults = new_default(yyvsp[0].string, NULL, FALSE);
 			}
 break;
 case 21:
-#line 249 "gram.y"
+#line 246 "./gram.y"
 {
 			    yyval.defaults = new_default(yyvsp[-2].string, yyvsp[0].string, TRUE);
 			}
 break;
 case 22:
-#line 252 "gram.y"
+#line 249 "./gram.y"
 {
 			    yyval.defaults = new_default(yyvsp[-2].string, yyvsp[0].string, '+');
 			}
 break;
 case 23:
-#line 255 "gram.y"
+#line 252 "./gram.y"
 {
 			    yyval.defaults = new_default(yyvsp[-2].string, yyvsp[0].string, '-');
 			}
 break;
 case 25:
-#line 261 "gram.y"
+#line 258 "./gram.y"
 {
 			    list_append(yyvsp[-2].privilege, yyvsp[0].privilege);
 			    yyval.privilege = yyvsp[-2].privilege;
 			}
 break;
 case 26:
-#line 267 "gram.y"
+#line 264 "./gram.y"
 {
 			    struct privilege *p = emalloc(sizeof(*p));
 			    list2tq(&p->hostlist, yyvsp[-2].member);
@@ -1153,51 +1146,51 @@ case 26:
 			}
 break;
 case 27:
-#line 277 "gram.y"
+#line 274 "./gram.y"
 {
 			    yyval.member = yyvsp[0].member;
 			    yyval.member->negated = FALSE;
 			}
 break;
 case 28:
-#line 281 "gram.y"
+#line 278 "./gram.y"
 {
 			    yyval.member = yyvsp[0].member;
 			    yyval.member->negated = TRUE;
 			}
 break;
 case 29:
-#line 287 "gram.y"
+#line 284 "./gram.y"
 {
 			    yyval.member = new_member(yyvsp[0].string, ALIAS);
 			}
 break;
 case 30:
-#line 290 "gram.y"
+#line 287 "./gram.y"
 {
 			    yyval.member = new_member(NULL, ALL);
 			}
 break;
 case 31:
-#line 293 "gram.y"
+#line 290 "./gram.y"
 {
 			    yyval.member = new_member(yyvsp[0].string, NETGROUP);
 			}
 break;
 case 32:
-#line 296 "gram.y"
+#line 293 "./gram.y"
 {
 			    yyval.member = new_member(yyvsp[0].string, NTWKADDR);
 			}
 break;
 case 33:
-#line 299 "gram.y"
+#line 296 "./gram.y"
 {
 			    yyval.member = new_member(yyvsp[0].string, WORD);
 			}
 break;
 case 35:
-#line 305 "gram.y"
+#line 302 "./gram.y"
 {
 			    list_append(yyvsp[-2].cmndspec, yyvsp[0].cmndspec);
 #ifdef HAVE_SELINUX
@@ -1228,7 +1221,7 @@ case 35:
 			}
 break;
 case 36:
-#line 335 "gram.y"
+#line 332 "./gram.y"
 {
 			    struct cmndspec *cs = emalloc(sizeof(*cs));
 			    if (yyvsp[-3].runas != NULL) {
@@ -1255,80 +1248,80 @@ case 36:
 			}
 break;
 case 37:
-#line 361 "gram.y"
+#line 358 "./gram.y"
 {
 			    yyval.member = yyvsp[0].member;
 			    yyval.member->negated = FALSE;
 			}
 break;
 case 38:
-#line 365 "gram.y"
+#line 362 "./gram.y"
 {
 			    yyval.member = yyvsp[0].member;
 			    yyval.member->negated = TRUE;
 			}
 break;
 case 39:
-#line 371 "gram.y"
+#line 368 "./gram.y"
 {
 			    yyval.string = yyvsp[0].string;
 			}
 break;
 case 40:
-#line 376 "gram.y"
+#line 373 "./gram.y"
 {
 			    yyval.string = yyvsp[0].string;
 			}
 break;
 case 41:
-#line 381 "gram.y"
+#line 378 "./gram.y"
 {
 			    yyval.seinfo.role = NULL;
 			    yyval.seinfo.type = NULL;
 			}
 break;
 case 42:
-#line 385 "gram.y"
+#line 382 "./gram.y"
 {
 			    yyval.seinfo.role = yyvsp[0].string;
 			    yyval.seinfo.type = NULL;
 			}
 break;
 case 43:
-#line 389 "gram.y"
+#line 386 "./gram.y"
 {
 			    yyval.seinfo.type = yyvsp[0].string;
 			    yyval.seinfo.role = NULL;
 			}
 break;
 case 44:
-#line 393 "gram.y"
+#line 390 "./gram.y"
 {
 			    yyval.seinfo.role = yyvsp[-1].string;
 			    yyval.seinfo.type = yyvsp[0].string;
 			}
 break;
 case 45:
-#line 397 "gram.y"
+#line 394 "./gram.y"
 {
 			    yyval.seinfo.type = yyvsp[-1].string;
 			    yyval.seinfo.role = yyvsp[0].string;
 			}
 break;
 case 46:
-#line 403 "gram.y"
+#line 400 "./gram.y"
 {
 			    yyval.runas = NULL;
 			}
 break;
 case 47:
-#line 406 "gram.y"
+#line 403 "./gram.y"
 {
 			    yyval.runas = yyvsp[-1].runas;
 			}
 break;
 case 48:
-#line 411 "gram.y"
+#line 408 "./gram.y"
 {
 			    yyval.runas = emalloc(sizeof(struct runascontainer));
 			    yyval.runas->runasusers = yyvsp[0].member;
@@ -1336,7 +1329,7 @@ case 48:
 			}
 break;
 case 49:
-#line 416 "gram.y"
+#line 413 "./gram.y"
 {
 			    yyval.runas = emalloc(sizeof(struct runascontainer));
 			    yyval.runas->runasusers = yyvsp[-2].member;
@@ -1344,7 +1337,7 @@ case 49:
 			}
 break;
 case 50:
-#line 421 "gram.y"
+#line 418 "./gram.y"
 {
 			    yyval.runas = emalloc(sizeof(struct runascontainer));
 			    yyval.runas->runasusers = NULL;
@@ -1352,73 +1345,73 @@ case 50:
 			}
 break;
 case 51:
-#line 428 "gram.y"
+#line 425 "./gram.y"
 {
 			    yyval.tag.nopasswd = yyval.tag.noexec = yyval.tag.setenv = yyval.tag.transcript = UNSPEC;
 			}
 break;
 case 52:
-#line 431 "gram.y"
+#line 428 "./gram.y"
 {
 			    yyval.tag.nopasswd = TRUE;
 			}
 break;
 case 53:
-#line 434 "gram.y"
+#line 431 "./gram.y"
 {
 			    yyval.tag.nopasswd = FALSE;
 			}
 break;
 case 54:
-#line 437 "gram.y"
+#line 434 "./gram.y"
 {
 			    yyval.tag.noexec = TRUE;
 			}
 break;
 case 55:
-#line 440 "gram.y"
+#line 437 "./gram.y"
 {
 			    yyval.tag.noexec = FALSE;
 			}
 break;
 case 56:
-#line 443 "gram.y"
+#line 440 "./gram.y"
 {
 			    yyval.tag.setenv = TRUE;
 			}
 break;
 case 57:
-#line 446 "gram.y"
+#line 443 "./gram.y"
 {
 			    yyval.tag.setenv = FALSE;
 			}
 break;
 case 58:
-#line 449 "gram.y"
+#line 446 "./gram.y"
 {
 			    yyval.tag.transcript = TRUE;
 			}
 break;
 case 59:
-#line 452 "gram.y"
+#line 449 "./gram.y"
 {
 			    yyval.tag.transcript = FALSE;
 			}
 break;
 case 60:
-#line 457 "gram.y"
+#line 454 "./gram.y"
 {
 			    yyval.member = new_member(NULL, ALL);
 			}
 break;
 case 61:
-#line 460 "gram.y"
+#line 457 "./gram.y"
 {
 			    yyval.member = new_member(yyvsp[0].string, ALIAS);
 			}
 break;
 case 62:
-#line 463 "gram.y"
+#line 460 "./gram.y"
 {
 			    struct sudo_command *c = emalloc(sizeof(*c));
 			    c->cmnd = yyvsp[0].command.cmnd;
@@ -1427,7 +1420,7 @@ case 62:
 			}
 break;
 case 65:
-#line 475 "gram.y"
+#line 472 "./gram.y"
 {
 			    char *s;
 			    if ((s = alias_add(yyvsp[-2].string, HOSTALIAS, yyvsp[0].member)) != NULL) {
@@ -1437,14 +1430,14 @@ case 65:
 			}
 break;
 case 67:
-#line 485 "gram.y"
+#line 482 "./gram.y"
 {
 			    list_append(yyvsp[-2].member, yyvsp[0].member);
 			    yyval.member = yyvsp[-2].member;
 			}
 break;
 case 70:
-#line 495 "gram.y"
+#line 492 "./gram.y"
 {
 			    char *s;
 			    if ((s = alias_add(yyvsp[-2].string, CMNDALIAS, yyvsp[0].member)) != NULL) {
@@ -1454,14 +1447,14 @@ case 70:
 			}
 break;
 case 72:
-#line 505 "gram.y"
+#line 502 "./gram.y"
 {
 			    list_append(yyvsp[-2].member, yyvsp[0].member);
 			    yyval.member = yyvsp[-2].member;
 			}
 break;
 case 75:
-#line 515 "gram.y"
+#line 512 "./gram.y"
 {
 			    char *s;
 			    if ((s = alias_add(yyvsp[-2].string, RUNASALIAS, yyvsp[0].member)) != NULL) {
@@ -1471,7 +1464,7 @@ case 75:
 			}
 break;
 case 78:
-#line 528 "gram.y"
+#line 525 "./gram.y"
 {
 			    char *s;
 			    if ((s = alias_add(yyvsp[-2].string, USERALIAS, yyvsp[0].member)) != NULL) {
@@ -1481,96 +1474,96 @@ case 78:
 			}
 break;
 case 80:
-#line 538 "gram.y"
+#line 535 "./gram.y"
 {
 			    list_append(yyvsp[-2].member, yyvsp[0].member);
 			    yyval.member = yyvsp[-2].member;
 			}
 break;
 case 81:
-#line 544 "gram.y"
+#line 541 "./gram.y"
 {
 			    yyval.member = yyvsp[0].member;
 			    yyval.member->negated = FALSE;
 			}
 break;
 case 82:
-#line 548 "gram.y"
+#line 545 "./gram.y"
 {
 			    yyval.member = yyvsp[0].member;
 			    yyval.member->negated = TRUE;
 			}
 break;
 case 83:
-#line 554 "gram.y"
+#line 551 "./gram.y"
 {
 			    yyval.member = new_member(yyvsp[0].string, ALIAS);
 			}
 break;
 case 84:
-#line 557 "gram.y"
+#line 554 "./gram.y"
 {
 			    yyval.member = new_member(NULL, ALL);
 			}
 break;
 case 85:
-#line 560 "gram.y"
+#line 557 "./gram.y"
 {
 			    yyval.member = new_member(yyvsp[0].string, NETGROUP);
 			}
 break;
 case 86:
-#line 563 "gram.y"
+#line 560 "./gram.y"
 {
 			    yyval.member = new_member(yyvsp[0].string, USERGROUP);
 			}
 break;
 case 87:
-#line 566 "gram.y"
+#line 563 "./gram.y"
 {
 			    yyval.member = new_member(yyvsp[0].string, WORD);
 			}
 break;
 case 89:
-#line 572 "gram.y"
+#line 569 "./gram.y"
 {
 			    list_append(yyvsp[-2].member, yyvsp[0].member);
 			    yyval.member = yyvsp[-2].member;
 			}
 break;
 case 90:
-#line 578 "gram.y"
+#line 575 "./gram.y"
 {
 			    yyval.member = yyvsp[0].member;
 			    yyval.member->negated = FALSE;
 			}
 break;
 case 91:
-#line 582 "gram.y"
+#line 579 "./gram.y"
 {
 			    yyval.member = yyvsp[0].member;
 			    yyval.member->negated = TRUE;
 			}
 break;
 case 92:
-#line 588 "gram.y"
+#line 585 "./gram.y"
 {
 			    yyval.member = new_member(yyvsp[0].string, ALIAS);
 			}
 break;
 case 93:
-#line 591 "gram.y"
+#line 588 "./gram.y"
 {
 			    yyval.member = new_member(NULL, ALL);
 			}
 break;
 case 94:
-#line 594 "gram.y"
+#line 591 "./gram.y"
 {
 			    yyval.member = new_member(yyvsp[0].string, WORD);
 			}
 break;
-#line 1526 "y.tab.c"
+#line 1515 "y.tab.c"
    }
    yyssp -= yym;
    yystate = *yyssp;
--- a/plugins/sudoers/gram.y
+++ b/plugins/sudoers/gram.y
@@ -50,7 +50,7 @@
 #endif /* YYBISON && HAVE_ALLOCA_H && !__GNUC__ */
 #include <limits.h>
-#include "sudo.h"
+#include "sudoers.h" /* XXX */
 #include "parse.h"
 /*
@@ -99,6 +99,7 @@ yyerror(s)
 	errorfile = estrdup(sudoers);
    }
    if (verbose && s != NULL) {
 	/* XXX - conversation function when called via plugin */
 #ifndef TRACELEXER
 	(void) fprintf(stderr, ">>> %s: %s near line %d <<<\n", sudoers, s,
 	    sudolineno ? sudolineno - 1 : 0);
--- a/plugins/sudoers/interfaces.c
+++ b/plugins/sudoers/interfaces.c
@@ -81,7 +81,7 @@ struct rtentry;
 # include <ifaddrs.h>
 #endif
-#include "sudo.h"
+#include "sudoers.h"
 #include "interfaces.h"
 /* Minix apparently lacks IFF_LOOPBACK */
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -77,7 +77,7 @@
 # endif
 #endif
-#include "sudo.h"
+#include "sudoers.h"
 #include "parse.h"
 #include "lbuf.h"
--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
@@ -55,11 +55,11 @@
 #include <errno.h>
 #include <fcntl.h>
-#include "sudo.h"
+#include "sudoers.h"
 static void do_syslog		__P((int, char *));
 static void do_logfile		__P((char *));
-static void send_mail		__P((char *));
+static void send_mail		__P((const char *fmt, ...));
 static int should_mail		__P((int));
 static void mysyslog		__P((int, const char *, ...));
 static char *new_logline	__P((const char *, int));
@@ -184,15 +184,9 @@ do_logfile(msg)
    fp = fopen(def_logfile, "a");
    (void) umask(oldmask);
    if (fp == NULL) {
-	easprintf(&full_line, "Can't open log file: %s: %s",
+	send_mail("Can't open log file: %s: %s", def_logfile, strerror(errno));
 	    def_logfile, strerror(errno));
 	send_mail(full_line);
 	efree(full_line);
    } else if (!lock_file(fileno(fp), SUDO_LOCK)) {
-	easprintf(&full_line, "Can't lock log file: %s: %s",
+	send_mail("Can't lock log file: %s: %s", def_logfile, strerror(errno));
 	    def_logfile, strerror(errno));
 	send_mail(full_line);
 	efree(full_line);
    } else {
 	time_t now;
@@ -369,13 +363,14 @@ log_error(flags, fmt, va_alist)
    va_start(ap);
 #endif
    /* Become root if we are not already to avoid user interference */
    set_perms(PERM_ROOT|PERM_NOEXIT);
    /* Expand printf-style format + args. */
    evasprintf(&message, fmt, ap);
    va_end(ap);
    /* Become root if we are not already to avoid user interference */
    /* XXX - could longjmp back with wrong uid */
    set_perms(PERM_ROOT|PERM_NOEXIT);
    if (ISSET(flags, MSG_ONLY))
 	logline = message;
    else
@@ -409,10 +404,14 @@ log_error(flags, fmt, va_alist)
    efree(logline);
 #if 0 /* XXX - longjmp instead */
    if (!ISSET(flags, NO_EXIT)) {
 	cleanup(0);
 	exit(1);
    }
 #endif
    set_perms(PERM_USER);
 }
 #define MAX_MAILFLAGS	63
@@ -421,14 +420,14 @@ log_error(flags, fmt, va_alist)
 * Send a message to MAILTO user
 */
 static void
-send_mail(line)
+send_mail(const char *fmt, ...)
    char *line;
 {
    FILE *mail;
    char *p;
    int fd, pfd[2], status;
    pid_t pid, rv;
    sigaction_t sa;
    va_list ap;
 #ifndef NO_ROOT_MAILER
    static char *root_envp[] = {
 	"HOME=/",
@@ -589,8 +588,14 @@ send_mail(line)
 	} else
 	    (void) fputc(*p, mail);
    }
-    (void) fprintf(mail, "\n\n%s : %s : %s : %s\n\n", user_host,
+
-	get_timestr(time(NULL), def_log_year), user_name, line);
+    (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host,
 	get_timestr(time(NULL), def_log_year), user_name);
    va_start(ap, fmt);
    (void) vfprintf(mail, fmt, ap);
    va_end(ap);
    fputs("\n\n", mail);
    fclose(mail);
    do {
 #ifdef HAVE_WAITPID
@@ -667,9 +672,11 @@ new_logline(message, serrno)
 	}
 	len += sizeof(LL_ENV_STR) + 2 + evlen;
    }
-    len += sizeof(LL_CMND_STR) - 1 + strlen(user_cmnd);
+    if (user_cmnd != NULL) {
-    if (user_args != NULL)
+	len += sizeof(LL_CMND_STR) - 1 + strlen(user_cmnd);
-	len += strlen(user_args) + 1;
+	if (user_args != NULL)
 	    len += strlen(user_args) + 1;
    }
    /*
     * Allocate and build up the line.
@@ -720,16 +727,18 @@ new_logline(message, serrno)
 	    goto toobig;
 	efree(evstr);
    }
-    if (strlcat(line, LL_CMND_STR, len) >= len ||
+    if (user_cmnd != NULL) {
-	strlcat(line, user_cmnd, len) >= len)
+	if (strlcat(line, LL_CMND_STR, len) >= len ||
-	goto toobig;
+	    strlcat(line, user_cmnd, len) >= len)
    if (user_args != NULL) {
 	if (strlcat(line, " ", len) >= len ||
 	    strlcat(line, user_args, len) >= len)
 	    goto toobig;
 	if (user_args != NULL) {
 	    if (strlcat(line, " ", len) >= len ||
 		strlcat(line, user_args, len) >= len)
 		goto toobig;
 	}
    }
-    return (line);
+    return line;
 toobig:
    errorx(1, "internal error: insufficient space for log line");
 }
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -78,7 +78,7 @@
 # endif
 #endif
-#include "sudo.h"
+#include "sudoers.h"
 #include "interfaces.h"
 #include "parse.h"
 #include <gram.h>
--- a/plugins/sudoers/mon_systrace.c
+++ b/plugins/sudoers/mon_systrace.c
@@ -41,7 +41,7 @@
 # endif
 #endif
-#include "sudo.h"
+#include "sudoers.h"
 #include "mon_systrace.h"
 /*
--- a/plugins/sudoers/parse.c
+++ b/plugins/sudoers/parse.c
@@ -43,7 +43,7 @@
 #include <pwd.h>
 #include <grp.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "parse.h"
 #include "lbuf.h"
 #include <gram.h>
--- a/plugins/sudoers/pwutil.c
+++ b/plugins/sudoers/pwutil.c
@@ -49,7 +49,7 @@
 #include <pwd.h>
 #include <grp.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "redblack.h"
 /*
--- a/plugins/sudoers/redblack.c
+++ b/plugins/sudoers/redblack.c
@@ -54,7 +54,7 @@
 # endif
 #endif /* STDC_HEADERS */
-#include "sudo.h"
+#include "sudoers.h"
 #include "redblack.h"
 static void rbrepair		__P((struct rbtree *, struct rbnode *));
--- a/plugins/sudoers/set_perms.c
+++ b/plugins/sudoers/set_perms.c
@@ -49,7 +49,7 @@
 # include <login_cap.h>
 #endif
-#include "sudo.h"
+#include "sudoers.h"
 #ifdef __TANDEM
 # define ROOT_UID	65535
--- a/plugins/sudoers/sudo_nss.c
+++ b/plugins/sudoers/sudo_nss.c
@@ -41,7 +41,7 @@
 #include <grp.h>
 #include <ctype.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "lbuf.h"
 extern struct sudo_nss sudo_nss_file;
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -19,19 +19,20 @@
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
 */
-#ifndef _SUDO_SUDO_H
+#ifndef _SUDO_SUDOERS_H
-#define _SUDO_SUDO_H
+#define _SUDO_SUDOERS_H
 #include <pathnames.h>
 #include <limits.h>
 #include "compat.h"
 #include "alloc.h"
 #include "defaults.h"
-#include "error.h"
+#include "error.h" /* XXX */
 #include "alloc.h" /* XXX */
 #include "list.h"
 #include "logging.h"
 #include "missing.h"
 #include "sudo_nss.h"
 #include "sudo_plugin.h"
 #ifdef HAVE_MBR_CHECK_MEMBERSHIP
 # include <membership.h>
@@ -45,6 +46,7 @@ struct sudo_user {
    struct passwd *_runas_pw;
    struct group *_runas_gr;
    struct stat *cmnd_stat;
    char *name;
    char *path;
    char *shell;
    char *tty;
@@ -61,13 +63,15 @@ struct sudo_user {
    char *display;
    char *askpass;
    int   ngroups;
    uid_t uid;
    uid_t gid;
    GETGROUPS_T *groups;
    struct list_member *env_vars;
 #ifdef HAVE_SELINUX
    char *role;
    char *type;
 #endif
-    char  cwd[PATH_MAX];
+    char *cwd;
    char  sessid[7];
 #ifdef HAVE_MBR_CHECK_MEMBERSHIP
    uuid_t uuid;
@@ -98,9 +102,9 @@ struct sudo_user {
 /*
 * find_path()/load_cmnd() return values
 */
-#define FOUND                    1
+#define FOUND                   0
-#define NOT_FOUND                0
+#define NOT_FOUND               1
-#define NOT_FOUND_DOT		-1
+#define NOT_FOUND_DOT		2
 /*
 * Various modes sudo can be in (based on arguments) in hex
@@ -143,11 +147,11 @@ struct sudo_user {
 /*
 * Shortcuts for sudo_user contents.
 */
-#define user_name		(sudo_user.pw->pw_name)
+#define user_name		(sudo_user.name)
 #define user_uid		(sudo_user.uid)
 #define user_gid		(sudo_user.gid)
 #define user_passwd		(sudo_user.pw->pw_passwd)
 #define user_uid		(sudo_user.pw->pw_uid)
 #define user_uuid		(sudo_user.uuid)
 #define user_gid		(sudo_user.pw->pw_gid)
 #define user_dir		(sudo_user.pw->pw_dir)
 #define user_shell		(sudo_user.shell)
 #define user_ngroups		(sudo_user.ngroups)
@@ -188,12 +192,14 @@ struct sudo_user {
 #define SUDO_TLOCK	2		/* test & lock a file (non-blocking) */
 #define SUDO_UNLOCK	4		/* unlock a file */
 #if 0 /* XXX */
 /*
 * Flags for tgetpass()
 */
 #define TGP_ECHO	0x01		/* leave echo on when reading passwd */
 #define TGP_STDIN	0x02		/* read from stdin, not /dev/tty */
 #define TGP_ASKPASS	0x04		/* read from askpass helper program */
 #endif
 struct lbuf;
 struct passwd;
@@ -204,11 +210,10 @@ struct passwd;
 #define YY_DECL int yylex __P((void))
 char *sudo_goodpath	__P((const char *, struct stat *));
 char *tgetpass		__P((const char *, int, int));
 int find_path		__P((char *, char **, struct stat *, char *));
 int tty_present		__P((void));
-void check_user		__P((int, int));
+int check_user		__P((int, int));
-void verify_user	__P((struct passwd *, char *));
+int verify_user		__P((struct passwd *, char *));
 #ifdef HAVE_LDAP
 int sudo_ldap_open	__P((struct sudo_nss *));
 int sudo_ldap_close	__P((struct sudo_nss *));
@@ -235,7 +240,7 @@ int check_secureware	__P((char *));
 void sia_attempt_auth	__P((void));
 void pam_attempt_auth	__P((void));
 int yyparse		__P((void));
-void pass_warn		__P((FILE *));
+void pass_warn		__P((void));
 void dump_defaults	__P((void));
 void dump_auth_methods	__P((void));
 void init_envtables	__P((void));
@@ -288,12 +293,15 @@ time_t get_boottime __P((void));
 int user_in_group __P((struct passwd *, const char *));
 YY_DECL;
 /* atobool.c */
 int atobool(const char *str);
 /* Only provide extern declarations outside of sudo.c. */
 #ifndef _SUDO_MAIN
 extern struct sudo_user sudo_user;
 extern struct passwd *auth_pw, *list_pw;
-extern int tgetpass_flags;
+extern int tgetpass_flags; /* XXX */
 extern int long_list;
 extern uid_t timestamp_uid;
 #endif
@@ -301,4 +309,4 @@ extern uid_t timestamp_uid;
 extern int errno;
 #endif
-#endif /* _SUDO_SUDO_H */
+#endif /* _SUDO_SUDOERS_H */
--- a/plugins/sudoers/testsudoers.c
+++ b/plugins/sudoers/testsudoers.c
@@ -61,7 +61,7 @@
 #include <arpa/inet.h>
 #include <netdb.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "interfaces.h"
 #include "parse.h"
 #include <gram.h>
--- a/plugins/sudoers/toke.c
+++ b/plugins/sudoers/toke.c
@@ -1412,7 +1412,7 @@ char *yytext;
 # endif
 #endif
 #include <ctype.h>
-#include "sudo.h"
+#include "sudoers.h"
 #include "parse.h"
 #include <gram.h>
--- a/plugins/sudoers/tsgetgrpw.c
+++ b/plugins/sudoers/tsgetgrpw.c
@@ -47,7 +47,7 @@
 #include <pwd.h>
 #include <grp.h>
-#include "sudo.h"
+#include "sudoers.h"
 #ifndef LINE_MAX
 # define LINE_MAX 2048
--- a/plugins/sudoers/vasgroups.c
+++ b/plugins/sudoers/vasgroups.c
@@ -44,7 +44,7 @@
 #include "logging.h"
 #include "nonunix.h"
 #include "parse.h"
-#include "sudo.h"
+#include "sudoers.h"
 /* Pseudo-boolean types */
--- a/plugins/sudoers/visudo.c
+++ b/plugins/sudoers/visudo.c
@@ -80,7 +80,7 @@
 # include <compat/timespec.h>
 #endif
-#include "sudo.h"
+#include "sudoers.h"
 #include "interfaces.h"
 #include "parse.h"
 #include "redblack.h"