From 1f37620953699fe71b09760fe01e33eb6ada771c Mon Sep 17 00:00:00 2001

From: "Todd C. Miller" <Todd.Miller@courtesan.com>

Date: Wed, 15 Nov 2017 12:27:39 -0700

Subject: [PATCH] When checking the results for "sudo -l" and "sudo -v", keep

 checking even after we get a match since the value of doauth may depend on

 evaluating all the results.  From Radovan Sroka of RedHat.

In list (-l) or verify (-v) mode, if we have a match but authentication

is required, clear FLAG_NOPASSWD so that when listpw/verifypw is

set to "all" and there are multiple sudoers sources a password will

be required unless none of the entries in all sources require

authentication.  From Radovan Sroka of RedHat

Avoid calling cmnd_matches() in list/verify mode if we already have

a match.

---

 plugins/sudoers/ldap.c  |  5 ++++-

 plugins/sudoers/parse.c | 10 +++++++---

 plugins/sudoers/sssd.c  |  5 ++++-

 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c

index 46309cba..c5c18360 100644

--- a/plugins/sudoers/ldap.c

+++ b/plugins/sudoers/ldap.c

@@ -3320,12 +3320,13 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)

 		(pwcheck == all && doauth != true)) {

 		doauth = !!sudo_ldap_check_bool(ld, entry, "authenticate");

 	    }

+	    if (matched == true)

+		continue;

 	    /* Only check the command when listing another user. */

 	    if (user_uid == 0 || list_pw == NULL ||

 		user_uid == list_pw->pw_uid ||

 		sudo_ldap_check_command(ld, entry, NULL) == true) {

 		matched = true;

-		break;

 	    }

 	}

 	if (matched == true || user_uid == 0) {

@@ -3339,6 +3340,8 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)

 		case any:

 		    if (doauth == false)

 			SET(ret, FLAG_NOPASSWD);

+		    else

+			CLR(ret, FLAG_NOPASSWD);

 		    break;

 		default:

 		    break;

diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c

index 749a3eb2..a12e88c5 100644

--- a/plugins/sudoers/parse.c

+++ b/plugins/sudoers/parse.c

@@ -182,14 +182,16 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)

 		if (hostlist_matches(sudo_user.pw, &priv->hostlist) != ALLOW)

 		    continue;

 		TAILQ_FOREACH(cs, &priv->cmndlist, entries) {

+		    if ((pwcheck == any && cs->tags.nopasswd == true) ||

+			(pwcheck == all && cs->tags.nopasswd != true))

+			nopass = cs->tags.nopasswd;

+		    if (match == ALLOW)

+			continue;

 		    /* Only check the command when listing another user. */

 		    if (user_uid == 0 || list_pw == NULL ||

 			user_uid == list_pw->pw_uid ||

 			cmnd_matches(cs->cmnd) == ALLOW)

 			    match = ALLOW;

-		    if ((pwcheck == any && cs->tags.nopasswd == true) ||

-			(pwcheck == all && cs->tags.nopasswd != true))

-			nopass = cs->tags.nopasswd;

 		}

 	    }

 	}

@@ -202,6 +204,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)

 	    SET(validated, FLAG_CHECK_USER);

 	else if (nopass == true)

 	    SET(validated, FLAG_NOPASSWD);

+	else

+	    CLR(validated, FLAG_NOPASSWD);

 	debug_return_int(validated);

     }

diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c

index 65b4d875..09ca9fee 100644

--- a/plugins/sudoers/sssd.c

+++ b/plugins/sudoers/sssd.c

@@ -1321,12 +1321,13 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)

 		    (pwcheck == all && doauth != true)) {

 		    doauth = !!sudo_sss_check_bool(handle, rule, "authenticate");

 		}

+		if (matched == true)

+		    continue;

 		/* Only check the command when listing another user. */

 		if (user_uid == 0 || list_pw == NULL ||

 		    user_uid == list_pw->pw_uid ||

 		    sudo_sss_check_command(handle, rule, NULL) == true) {

 		    matched = true;

-		    break;

 		}

 	    }

 	}

@@ -1341,6 +1342,8 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)

 		case any:

 		    if (doauth == false)

 			SET(ret, FLAG_NOPASSWD);

+		    else

+			CLR(ret, FLAG_NOPASSWD);

 		    break;

 		default:

 		    break;

-- 

2.14.3