From 2b7659f709dd5ca5fc8657e8047697924aebbf76 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 17 May 2012 10:20:14 -0400
Subject: [PATCH] Don't prompt for a password if the user is in the exempt group, is root, or is running the command as themselves even if the -k option was specified. This makes "sudo -k command" consistent with the behavior one would get if the user ran "sudo -k" immediately before running the command.

---
 plugins/sudoers/check.c | 28 +++++++++++-----------------
 1 file changed, 11 insertions(+), 17 deletions(-)

diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
index d66445ce0..0d6be0189 100644
--- a/plugins/sudoers/check.c
+++ b/plugins/sudoers/check.c
@@ -104,7 +104,6 @@ check_user(int validated, int mode)
     char *prompt;
     struct stat sb;
     int status, rval = true;
-    bool need_pass = def_authenticate;
     debug_decl(check_user, SUDO_DEBUG_AUTH)
 
     /*
@@ -117,24 +116,19 @@ check_user(int validated, int mode)
         goto done;
     }
 
-    if (need_pass) {
-        /* Always need a password when -k was specified with the command. */
-        if (ISSET(mode, MODE_IGNORE_TICKET)) {
-            SET(validated, FLAG_CHECK_USER);
-        } else {
-            /*
-             * Don't prompt for the root passwd or if the user is exempt.
-             * If the user is not changing uid/gid, no need for a password.
-             */
-            if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
-                (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name)))
-                || user_is_exempt())
-                need_pass = false;
-        }
-    }
-    if (!need_pass)
+    /*
+     * Don't prompt for the root passwd or if the user is exempt.
+     * If the user is not changing uid/gid, no need for a password.
+     */
+    if (!def_authenticate || user_uid == 0 || (user_uid == runas_pw->pw_uid &&
+        (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name)))
+        || user_is_exempt())
         goto done;
 
+    /* Always need a password when -k was specified with the command. */
+    if (ISSET(mode, MODE_IGNORE_TICKET))
+        SET(validated, FLAG_CHECK_USER);
+
     /* Stash the tty's ctime for tty ticket comparison. */
     if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
         tty_info.dev = sb.st_dev;
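Review bot: The new `if (!def_authenticate || user_uid == 0 || ... || user_is_exempt()) goto done;` folds four independent "skip authentication" reasons into one three-line boolean expression, which is the single most security-sensitive decision in check_user() and is now hard to audit line by line; the comment above it also still names only two of the four reasons (it omits `!def_authenticate` and the runas-group case). I would move the predicate into a small static helper with one early return per reason, so each bypass condition is a separate, individually reviewable line and a future change to one reason cannot silently widen another, and update the comment to list all four. The evaluation order below matches the hunk exactly, so behaviour is unchanged; `bool` is already in scope since the removed code declared `bool need_pass`. check_user() starts before and continues after this hunk.
```c
/*
 * Return true when no password is required for this command: authentication
 * is disabled, the invoking user is root, the command runs as the invoking
 * user without changing to a group they are not already in, or the user is
 * exempt.  Each reason is a separate early return so it can be audited alone.
 */
static bool
password_not_needed(void)
{
    if (!def_authenticate)
        return true;
    if (user_uid == 0)
        return true;
    if (user_uid == runas_pw->pw_uid &&
        (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name)))
        return true;
    if (user_is_exempt())
        return true;
    return false;
}

/* … in check_user(), unchanged: the early exit becomes … */
    if (password_not_needed())
        goto done;
```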