Add sudoers option to perform authentication even in non-interative mode.

If noninteractive_auth is set, authentication methods that do not
require input from the user's terminal may proceed.  It is off by
default, which restores the pre-1.9.9 behavior of "sudo -n".

docs/sudoers.man.in

@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "January 27, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "February 1, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -3251,6 +3251,23 @@ This flag is
 \fIoff\fR
 by default.
 .TP 18n
+noninteractive_auth
+If set, authentication will be attempted even in non-interactive mode
+(when
+\fBsudo\fR's
+\fB\-n\fR
+option is specified).
+This allows authentication methods that don't require user interaction
+to succeed.
+Authentication methods that require input from the user's terminal
+will still fail.
+If disabled, authentication will not be attempted in non-interactive mode.
+This flag is
+\fIoff\fR
+by default.
+.sp
+This setting is only supported by version 1.9.10 or higher.
+.TP 18n
 pam_acct_mgmt
 On systems that use PAM for authentication,
 \fBsudo\fR

docs/sudoers.mdoc.in

@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd January 27, 2022
+.Dd February 1, 2022
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -3063,6 +3063,22 @@ section at the end of this manual.
 This flag is
 .Em off
 by default.
+.It noninteractive_auth
+If set, authentication will be attempted even in non-interactive mode
+(when
+.Nm sudo Ns 's
+.Fl n
+option is specified).
+This allows authentication methods that don't require user interaction
+to succeed.
+Authentication methods that require input from the user's terminal
+will still fail.
+If disabled, authentication will not be attempted in non-interactive mode.
+This flag is
+.Em off
+by default.
+.Pp
+This setting is only supported by version 1.9.10 or higher.
 .It pam_acct_mgmt
 On systems that use PAM for authentication,
 .Nm sudo

plugins/sudoers/check.c

@@ -125,6 +125,12 @@ check_user_interactive(int validated, int mode, struct getpass_closure *closure)
 	FALLTHROUGH;
 
     default:
+	if (ISSET(mode, MODE_NONINTERACTIVE) && !def_noninteractive_auth) {
+	    validated |= FLAG_NO_USER_INPUT;
+	    log_auth_failure(validated, 0);
+	    goto done;
+	}
+
 	/* XXX - should not lecture if askpass helper is being used. */
 	lectured = display_lecture(closure->tstat);
 

plugins/sudoers/def_data.c

@@ -645,6 +645,10 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"rlimit_stack", T_RLIMIT|T_BOOL,
 	N_("The maximum size to which the process's stack may grow (in bytes): %s"),
 	NULL,
+    }, {
+	"noninteractive_auth", T_FLAG,
+	N_("Attempt authentication even when in non-interactive mode"),
+	NULL,
     }, {
 	"log_passwords", T_FLAG,
 	N_("Store plaintext passwords in I/O log input"),

plugins/sudoers/def_data.h

@@ -300,9 +300,11 @@
 #define def_rlimit_rss          (sudo_defs_table[I_RLIMIT_RSS].sd_un.str)
 #define I_RLIMIT_STACK          149
 #define def_rlimit_stack        (sudo_defs_table[I_RLIMIT_STACK].sd_un.str)
-#define I_LOG_PASSWORDS         150
+#define I_NONINTERACTIVE_AUTH   150
+#define def_noninteractive_auth (sudo_defs_table[I_NONINTERACTIVE_AUTH].sd_un.flag)
+#define I_LOG_PASSWORDS         151
 #define def_log_passwords       (sudo_defs_table[I_LOG_PASSWORDS].sd_un.flag)
-#define I_PASSPROMPT_REGEX      151
+#define I_PASSPROMPT_REGEX      152
 #define def_passprompt_regex    (sudo_defs_table[I_PASSPROMPT_REGEX].sd_un.list)
 
 enum def_tuple {

plugins/sudoers/def_data.in

@@ -466,6 +466,9 @@ rlimit_rss
 rlimit_stack
 	T_RLIMIT|T_BOOL
 	"The maximum size to which the process's stack may grow (in bytes): %s"
+noninteractive_auth
+	T_FLAG
+	"Attempt authentication even when in non-interactive mode"
 log_passwords
 	T_FLAG
 	"Store plaintext passwords in I/O log input"

plugins/sudoers/defaults.c

@@ -591,6 +591,7 @@ init_defaults(void)
     def_log_denied = true;
     def_log_format = sudo;
     def_runas_allow_unknown_id = false;
+    def_noninteractive_auth = false;
 
     /* Syslog options need special care since they both strings and ints */
 #if (LOGGING & SLOG_SYSLOG)