Don't prompt for a password if the user is in the exempt group, is

root, or is running the command as themselves even if the -k option
was specified.  This makes "sudo -k command" consistent with the
behavior one would get if the user ran "sudo -k" immediately before
running the command.

plugins/sudoers/check.c

@@ -104,7 +104,6 @@ check_user(int validated, int mode)
     char *prompt;
     struct stat sb;
     int status, rval = true;
-    bool need_pass = def_authenticate;
     debug_decl(check_user, SUDO_DEBUG_AUTH)
 
     /*
@@ -117,24 +116,19 @@ check_user(int validated, int mode)
 	goto done;
     }
 
-    if (need_pass) {
-	/* Always need a password when -k was specified with the command. */
-	if (ISSET(mode, MODE_IGNORE_TICKET)) {
-	    SET(validated, FLAG_CHECK_USER);
-	} else {
     /*
      * Don't prompt for the root passwd or if the user is exempt.
      * If the user is not changing uid/gid, no need for a password.
      */
-	    if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
+    if (!def_authenticate || user_uid == 0 || (user_uid == runas_pw->pw_uid &&
 	(!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name)))
 	|| user_is_exempt())
-		need_pass = false;
-	}
-    }
-    if (!need_pass)
 	goto done;
 
+    /* Always need a password when -k was specified with the command. */
+    if (ISSET(mode, MODE_IGNORE_TICKET))
+	SET(validated, FLAG_CHECK_USER);
+
     /* Stash the tty's ctime for tty ticket comparison. */
     if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
 	tty_info.dev = sb.st_dev;