In list (-l) or verify (-v) mode, if we have a match but authentication

is required, clear FLAG_NOPASSWD so that when listpw/verifypw is
set to "all" and there are multiple sudoers sources, a password will
be required unless none of the entries in all sources require
authentication.  From Radovan Sroka of Red Hat.
Todd C. Miller
2017-11-15 15:06:45 -07:00
parent 2cbdc26540
commit 88faa58735
3 changed files with 6 additions and 0 deletions


@@ -3340,6 +3340,8 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
case any: case any:
if (doauth == false) if (doauth == false)
SET(ret, FLAG_NOPASSWD); SET(ret, FLAG_NOPASSWD);
else
CLR(ret, FLAG_NOPASSWD);
break; break;
default: default:
break; break;
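Review bot: The new `else` under `case any:` makes the final FLAG_NOPASSWD state depend on the order of the sudoers sources, because whichever source matches last either sets or clears the bit in `ret`. If an earlier source required authentication and a later one reaches `SET(ret, FLAG_NOPASSWD)`, the requirement recorded by the clear is lost, which does not match the description's "unless none of the entries in all sources require authentication"; this is inferred from `ret` being both a parameter and the result, since the caller's loop over sources is not on this page. The same pattern is in the sudo_file_lookup and sudo_sss_lookup hunks. A single bit cannot remember that an earlier source demanded a password, so a full fix needs a separate sticky marker that the `doauth == false` branch checks before setting the flag; at minimum add `/* last matching source decides FLAG_NOPASSWD */` here and a regression test that runs the sources in both orders.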


@@ -202,6 +202,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
SET(validated, FLAG_CHECK_USER); SET(validated, FLAG_CHECK_USER);
else if (nopass == true) else if (nopass == true)
SET(validated, FLAG_NOPASSWD); SET(validated, FLAG_NOPASSWD);
else
CLR(validated, FLAG_NOPASSWD);
debug_return_int(validated); debug_return_int(validated);
} }
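Review bot: The added `else CLR(validated, FLAG_NOPASSWD);` at the end of the if/else chain needs a comment, because clearing a flag that this branch never set only makes sense once the reader knows `validated` arrives carrying bits from a previously consulted source. I would put `/* An earlier sudoers source may have set FLAG_NOPASSWD; this one requires authentication. */` directly above the `else`. The chain starts above the hunk, so it is worth confirming that the branch which sets FLAG_CHECK_USER does not also need the clear.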


@@ -1342,6 +1342,8 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
case any: case any:
if (doauth == false) if (doauth == false)
SET(ret, FLAG_NOPASSWD); SET(ret, FLAG_NOPASSWD);
else
CLR(ret, FLAG_NOPASSWD);
break; break;
default: default:
break; break;
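Review bot: The clear sits under `case any:`, while the commit description only talks about listpw/verifypw set to "all". If a `case all:` label falls through from just above the hunk then this is the intended branch, but for "any" the effect is that a later source requiring authentication revokes an exemption an earlier source granted, which is stricter than "any" suggests. That errs on the side of prompting for a password, so it is the safer direction, but it should be deliberate: either guard the `CLR` so it runs only for the "all" setting, or document it with `/* also applies to "any": a later source that requires auth wins */`. The sudo_ldap_lookup hunk has the same shape.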