From 88faa58735e4035aaf7fae6f74d755e6b6843f86 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Wed, 15 Nov 2017 15:06:45 -0700
Subject: [PATCH] In list (-l) or verify (-v) mode, if we have a match but authentication is required, clear FLAG_NOPASSWD so that when listpw/verifypw is set to "all" and there are multiple sudoers sources a password will be required unless none of the entries in all sources require authentication. From Radovan Sroka of RedHat
---
 plugins/sudoers/ldap.c | 2 ++
 plugins/sudoers/parse.c | 2 ++
 plugins/sudoers/sssd.c | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 95661c5fc..c5c183604 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -3340,6 +3340,8 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
 case any:
 if (doauth == false)
 SET(ret, FLAG_NOPASSWD);
+ else
+ CLR(ret, FLAG_NOPASSWD);
 break;
 default:
 break;
diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c
index 749a3eb21..1f5149bb7 100644
--- a/plugins/sudoers/parse.c
+++ b/plugins/sudoers/parse.c
@@ -202,6 +202,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
 SET(validated, FLAG_CHECK_USER);
 else if (nopass == true)
 SET(validated, FLAG_NOPASSWD);
+ else
+ CLR(validated, FLAG_NOPASSWD);
 debug_return_int(validated);
 }
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 37c984c2a..09ca9feeb 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -1342,6 +1342,8 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
 case any:
 if (doauth == false)
 SET(ret, FLAG_NOPASSWD);
+ else
+ CLR(ret, FLAG_NOPASSWD);
 break;
 default:
 break;
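Review bot: The added `else CLR(ret, FLAG_NOPASSWD);` under `case any:` in sudo_ldap_lookup makes the final flag depend on the order of the sudoers sources, since `ret` arrives as a parameter and, per the commit description, carries the flag from one source to the next. A source that requires authentication now clears the flag, but a later source that does not can set it again, so with listpw/verifypw set to "all" the password check would still be skipped whenever the exempting source is consulted last; in "any" mode the reverse happens and a later source discards an earlier exemption. The same pattern is added in sudo_sss_lookup and sudo_file_lookup. I would keep "a source required authentication" in state that a later `SET` cannot undo, and at minimum add a comment here such as `/* last source consulted decides FLAG_NOPASSWD */`. The switch and the computation of `doauth` begin outside the hunk, so the order dependence is inferred from the visible lines.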
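Review bot: In sudo_file_lookup the added `else` runs only when neither earlier branch is taken, so on the `SET(validated, FLAG_CHECK_USER);` path a FLAG_NOPASSWD inherited from a previous source stays set. If FLAG_CHECK_USER takes precedence over FLAG_NOPASSWD in the caller this is harmless, but the hunk does not show that; a comment such as `/* FLAG_CHECK_USER overrides any inherited FLAG_NOPASSWD */`, or an explicit `CLR(validated, FLAG_NOPASSWD);` in that branch, would make the intent checkable. The condition of the first `if` lies outside the hunk.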