From 1f37620953699fe71b09760fe01e33eb6ada771c Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Wed, 15 Nov 2017 12:27:39 -0700
Subject: [PATCH] When checking the results for "sudo -l" and "sudo -v", keep checking even after we get a match since the value of doauth may depend on evaluating all the results. From Radovan Sroka of RedHat. In list (-l) or verify (-v) mode, if we have a match but authentication is required, clear FLAG_NOPASSWD so that when listpw/verifypw is set to "all" and there are multiple sudoers sources a password will be required unless none of the entries in all sources require authentication. From Radovan Sroka of RedHat Avoid calling cmnd_matches() in list/verify mode if we already have a match.
---
 plugins/sudoers/ldap.c | 5 ++++-
 plugins/sudoers/parse.c | 10 +++++++---
 plugins/sudoers/sssd.c | 5 ++++-
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 46309cba..c5c18360 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -3320,12 +3320,13 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
 (pwcheck == all && doauth != true)) {
 doauth = !!sudo_ldap_check_bool(ld, entry, "authenticate");
 }
+ if (matched == true)
+ continue;
 /* Only check the command when listing another user. */
 if (user_uid == 0 || list_pw == NULL || user_uid == list_pw->pw_uid || sudo_ldap_check_command(ld, entry, NULL) == true) {
 matched = true;
- break;
 }
 }
 if (matched == true || user_uid == 0) {
@@ -3339,6 +3340,8 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
 case any:
 if (doauth == false)
 SET(ret, FLAG_NOPASSWD);
+ else
+ CLR(ret, FLAG_NOPASSWD);
 break;
 default:
 break;
diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c
index 749a3eb2..a12e88c5 100644
--- a/plugins/sudoers/parse.c
+++ b/plugins/sudoers/parse.c
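Review bot: The new `if (matched == true) continue;` turns a loop that used to stop at the first matching entry into one that visits every entry, and nothing in the hunk says why, so the next reader is likely to put the `break` back as an optimisation; add a why-comment above it, e.g. `/* Keep scanning after a match: doauth must reflect every entry, not just the first hit. */`. The placement itself looks right: the doauth update above still runs for each entry while sudo_ldap_check_command() is skipped once matched is set, which is what the commit message asks for. sudo_ldap_lookup begins and ends outside this hunk.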
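Review bot: The new `else CLR(ret, FLAG_NOPASSWD);` sits in the `case any:` arm, and `ret` is the flag word handed in from the sources consulted before this one (the `int ret` parameter in the hunk header), so under an "any" policy a later source whose entries all require authentication cancels a NOPASSWD that an earlier source granted, making the answer depend on source order rather than on whether one password-free entry exists anywhere; the commit message motivates the clear only for the "all" policy. Only `case any:` is visible; if `case all:` falls through into this arm (its label would sit just above the hunk), giving "all" its own arm that clears and leaving "any" set-only keeps both policies honest, as sketched below. If "any" is deliberately evaluated per source, a one-line comment saying so would prevent the question being reopened. sudo_ldap_lookup begins and ends outside this hunk.
```c
	/* … unchanged: earlier arms of switch (pwcheck) … */
	case all:
	    /* "all": a single entry that needs a password means a password. */
	    if (doauth == false)
		SET(ret, FLAG_NOPASSWD);
	    else
		CLR(ret, FLAG_NOPASSWD);
	    break;
	case any:
	    /* "any": one password-free entry, from any source, is enough. */
	    if (doauth == false)
		SET(ret, FLAG_NOPASSWD);
	    break;
	default:
	    break;
```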
@@ -182,14 +182,16 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
 if (hostlist_matches(sudo_user.pw, &priv->hostlist) != ALLOW)
 continue;
 TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
+ if ((pwcheck == any && cs->tags.nopasswd == true) ||
+ (pwcheck == all && cs->tags.nopasswd != true))
+ nopass = cs->tags.nopasswd;
+ if (match == ALLOW)
+ continue;
 /* Only check the command when listing another user. */
 if (user_uid == 0 || list_pw == NULL || user_uid == list_pw->pw_uid || cmnd_matches(cs->cmnd) == ALLOW)
 match = ALLOW;
- if ((pwcheck == any && cs->tags.nopasswd == true) ||
- (pwcheck == all && cs->tags.nopasswd != true))
- nopass = cs->tags.nopasswd;
 }
 }
 }
@@ -202,6 +204,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
 SET(validated, FLAG_CHECK_USER);
 else if (nopass == true)
 SET(validated, FLAG_NOPASSWD);
+ else
+ CLR(validated, FLAG_NOPASSWD);
 debug_return_int(validated);
 }
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 65b4d875..09ca9fee 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -1321,12 +1321,13 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
 (pwcheck == all && doauth != true)) {
 doauth = !!sudo_sss_check_bool(handle, rule, "authenticate");
 }
+ if (matched == true)
+ continue;
 /* Only check the command when listing another user. */
 if (user_uid == 0 || list_pw == NULL || user_uid == list_pw->pw_uid || sudo_sss_check_command(handle, rule, NULL) == true) {
 matched = true;
- break;
 }
 }
 }
@@ -1341,6 +1342,8 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
 case any:
 if (doauth == false)
 SET(ret, FLAG_NOPASSWD);
+ else
+ CLR(ret, FLAG_NOPASSWD);
 break;
 default:
 break;
--
2.14.3
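Review bot: The relocated tag check now runs for every command spec, including those after the first ALLOW that the new `if (match == ALLOW) continue;` skips, and that ordering is the whole point of the change, so it deserves a comment of its own rather than living only in the commit message; something like `/* Record every entry's NOPASSWD tag before the match short-cut: with "all", one password-requiring entry must win even after we already matched. */` above the tag check. Worth stating in that comment too: for the "any" policy `nopass` is only ever assigned when the tag is true, so it keeps its initial value when no entry in this source is NOPASSWD. sudo_file_lookup begins before this hunk and continues past it.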
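Review bot: The new `else CLR(validated, FLAG_NOPASSWD);` fires whenever `nopass` is not true, and for an "any" policy the tag check in the previous hunk only assigns `nopass` when a tag is true, so a source whose matching entries merely lack NOPASSWD leaves `nopass` at its initial value and clears a FLAG_NOPASSWD that an earlier source placed in `validated` (the value arrives through the `int validated` parameter shown in the hunk header). That makes "any" depend on source order instead of on whether any entry across sources is password-free, while the commit message justifies the clear only for "all". Consider restricting it to that policy: `else if (pwcheck == all)` followed by `CLR(validated, FLAG_NOPASSWD);`. Whether the `always` branch just above the hunk also needs the clear cannot be judged from here, since only its `SET(validated, FLAG_CHECK_USER);` line is visible; sudo_file_lookup starts before this hunk.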
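Review bot: The new `else CLR(ret, FLAG_NOPASSWD);` in the SSSD backend lives under `case any:`, yet `ret` carries the flags accumulated from the sources consulted earlier (the `int ret` parameter in the hunk header), so under an "any" policy an SSSD rule set that requires authentication throughout cancels a NOPASSWD granted by a preceding source, although one password-free entry anywhere should suffice for "any". If `case all:` falls through into this arm (the label is outside the hunk), give "all" its own arm that sets or clears and leave "any" set-only, `if (doauth == false) SET(ret, FLAG_NOPASSWD);` with no else, so that the LDAP and SSSD backends keep identical policy semantics. sudo_sss_lookup begins and ends outside this hunk.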