In list (-l) or verify (-v) mode, if we have a match but authentication

is required, clear FLAG_NOPASSWD so that when listpw/verifypw is set to "all" and there are multiple sudoers sources a password will be required unless none of the entries in all sources require authentication. From Radovan Sroka of RedHat
2017-11-15 15:06:45 -07:00
parent 2cbdc26540
commit 88faa58735
3 changed files with 6 additions and 0 deletions
--- a/plugins/sudoers/parse.c
+++ b/plugins/sudoers/parse.c
@@ -202,6 +202,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
 	    SET(validated, FLAG_CHECK_USER);
 	else if (nopass == true)
 	    SET(validated, FLAG_NOPASSWD);
+	else
+	    CLR(validated, FLAG_NOPASSWD);
 	debug_return_int(validated);
    }