Version in base suite: 20.4.1-2 Base version: cloud-init_20.4.1-2 Target version: cloud-init_20.4.1-2+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/cloud-init/cloud-init_20.4.1-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/c/cloud-init/cloud-init_20.4.1-2+deb11u1.dsc changelog | 8 + patches/0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch | 64 ++++++++++ patches/series | 1 3 files changed, 73 insertions(+)
diff -Nru cloud-init-20.4.1/debian/changelog cloud-init-20.4.1/debian/changelog
--- cloud-init-20.4.1/debian/changelog 2021-03-19 16:18:59.000000000 +0000
+++ cloud-init-20.4.1/debian/changelog 2021-08-13 00:47:26.000000000 +0000
@@ -1,3 +1,11 @@
+cloud-init (20.4.1-2+deb11u1) bullseye; urgency=high
+
+ * Team upload.
+ * cherry-pick upstream fix for duplicate includes in /etc/sudoers
+ (Closes: #991629)
+
+ -- Ross Vandegrift Thu, 12 Aug 2021 18:47:26 -0600
+
 cloud-init (20.4.1-2) unstable; urgency=high
 
  * Avoid logging generated passwords to world-readable log files.
diff -Nru cloud-init-20.4.1/debian/patches/0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch cloud-init-20.4.1/debian/patches/0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch
--- cloud-init-20.4.1/debian/patches/0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch 1970-01-01 00:00:00.000000000 +0000
+++ cloud-init-20.4.1/debian/patches/0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch 2021-08-13 00:47:26.000000000 +0000
@@ -0,0 +1,64 @@
+From: Jordi Massaguer Pla
+Date: Fri, 29 Jan 2021 15:43:56 +0100
+Subject: includedir in suoders can be prefixed by "arroba" (#783)
+
+Since version 1.9.1, @includedir can be used in the sudoers files
+instead of #includedir:
+
+https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_1
+
+Actually "@includedir" is the modern syntax, and "#includedir" the historic
+syntax. It has been considered that "#includedir" was too puzzling because
+it started with a "#" that otherwise denotes comments.
+
+This happens to be the default in SUSE Linux enterprise sudoer package,
+so cloudinit should take this into account.
+
+Otherwise, cloudinit was adding an extra #includedir, which was
+resulting on the files under /etc/sudoers.d being included twice, one by
+@includedir from the SUSE package, one by the @includedir from
+cloudinit. The consequence of this, was that if you were defining an
+Cmnd_Alias inside any of those files, this was being defined twice and
+creating an error when using sudo.
+---
+ cloudinit/distros/__init__.py | 2 +-
+ tests/unittests/test_distros/test_generic.py | 13 +++++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/cloudinit/distros/__init__.py b/cloudinit/distros/__init__.py
+index 1e11847..220bd11 100755
+--- a/cloudinit/distros/__init__.py
++++ b/cloudinit/distros/__init__.py
+@@ -673,7 +673,7 @@ class Distro(persistence.CloudInitPickleMixin, metaclass=abc.ABCMeta):
+ found_include = False
+ for line in sudoers_contents.splitlines():
+ line = line.strip()
+- include_match = re.search(r"^#includedir\s+(.*)$", line)
++ include_match = re.search(r"^[#|@]includedir\s+(.*)$", line)
+ if not include_match:
+ continue
+ included_dir = include_match.group(1).strip()
+diff --git a/tests/unittests/test_distros/test_generic.py b/tests/unittests/test_distros/test_generic.py
+index 4460748..336150b 100644
+--- a/tests/unittests/test_distros/test_generic.py
++++ b/tests/unittests/test_distros/test_generic.py
+@@ -119,6 +119,19 @@ class TestGenericDistro(helpers.FilesystemMockingTestCase):
+ self.assertIn("josh", contents)
+ self.assertEqual(2, contents.count("josh"))
+
++ def test_sudoers_ensure_only_one_includedir(self):
++ cls = distros.fetch("ubuntu")
++ d = cls("ubuntu", {}, None)
++ self.patchOS(self.tmp)
++ self.patchUtils(self.tmp)
++ for char in ['#', '@']:
++ util.write_file("/etc/sudoers", "{}includedir /b".format(char))
++ d.ensure_sudo_dir("/b")
++ contents = util.load_file("/etc/sudoers")
++ self.assertIn("includedir /b", contents)
++ self.assertTrue(os.path.isdir("/b"))
++ self.assertEqual(1, contents.count("includedir /b"))
++
+ def test_arch_package_mirror_info_unknown(self):
+ """for an unknown arch, we should get back that with arch 'default'."""
+ arch_mirrors = gapmi(package_mirrors, arch="unknown")
diff -Nru cloud-init-20.4.1/debian/patches/series cloud-init-20.4.1/debian/patches/series
--- cloud-init-20.4.1/debian/patches/series 2021-03-19 16:02:44.000000000 +0000
+++ 
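Review bot: The character class `[#|@]` in the new `re.search` pattern (the cloudinit/distros/__init__.py hunk carried by the added patch file) also accepts a literal `|`, because alternation has no meaning inside brackets, so a line beginning with `|includedir` would be treated as an existing include directive. sudo does not recognise that form, so in that case the method would presumably skip writing its own include line and the drop-ins under the sudoers directory would never be read. The line should read `include_match = re.search(r"^[#@]includedir\s+(.*)$", line)`, and the new test could add a negative case asserting that a `|includedir /b` line is not counted as an include. The enclosing method starts and ends outside the hunk, so how the match result is used afterwards is not visible here.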
cloud-init-20.4.1/debian/patches/series 2021-08-13 00:47:26.000000000 +0000
@@ -6,3 +6,4 @@
 0009-Drop-all-unused-extended-version-handling.patch
 0012-Fix-message-when-a-local-is-missing.patch
 dont_log_generated_passwords.patch
+0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch