When determining whether or not "sudo -l" or "sudo -b" should prompt

for a password, take all sudoers sources into account.  In other
words, if both file and ldap sudoers sources are in use, "sudo -v"
will now require that all entries in both sources have NOPASSWD
(file) or !authenticate (ldap) set.
Todd C. Miller
2016-04-19 10:08:51 -06:00
parent b2d1c457ce
commit 6717c32022
5 changed files with 56 additions and 35 deletions


@@ -3178,22 +3178,17 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
if (matched == true || user_uid == 0) {
SET(ret, VALIDATE_SUCCESS);
CLR(ret, VALIDATE_FAILURE);
if (def_authenticate) {
switch (pwcheck) {
case always:
SET(ret, FLAG_CHECK_USER);
break;
case all:
case any:
if (doauth == false)
def_authenticate = false;
break;
case never:
def_authenticate = false;
break;
default:
break;
}
switch (pwcheck) {
case always:
SET(ret, FLAG_CHECK_USER);
break;
case all:
case any:
if (doauth == false)
SET(ret, FLAG_NOPASSWD);
break;
default:
break;
}
}
goto done;