From bcc0eeb57518b3549e22f21c84532c46341a740a Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Wed, 15 Nov 2017 15:09:25 -0700
Subject: [PATCH] Avoid calling cmnd_matches() in list/verify mode if we already have a match.
---
 plugins/sudoers/parse.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c
index 1f5149bb7..a12e88c5a 100644
--- a/plugins/sudoers/parse.c
+++ b/plugins/sudoers/parse.c
@@ -182,14 +182,16 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
 if (hostlist_matches(sudo_user.pw, &priv->hostlist) != ALLOW) continue;
 TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
+ if ((pwcheck == any && cs->tags.nopasswd == true) ||
+ (pwcheck == all && cs->tags.nopasswd != true))
+ nopass = cs->tags.nopasswd;
+ if (match == ALLOW)
+ continue;
 /* Only check the command when listing another user. */
 if (user_uid == 0 || list_pw == NULL || user_uid == list_pw->pw_uid || cmnd_matches(cs->cmnd) == ALLOW) match = ALLOW;
- if ((pwcheck == any && cs->tags.nopasswd == true) ||
- (pwcheck == all && cs->tags.nopasswd != true))
- nopass = cs->tags.nopasswd;
 }
 }
 }
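Review bot: The added `if (match == ALLOW) continue;` is only safe because the NOPASSWD tag check was moved above it, and nothing in the hunk documents that ordering constraint. Every entry in `priv->cmndlist` must still reach the `pwcheck` test after a match. If a later edit hoists the `continue` to the top of the loop or turns it into `break`, entries after the first match would skip the `pwcheck == all` branch, which looks like it could leave `nopass` set even though one of them requires a password. I would add a comment above the tag check, for example `/* Evaluate the NOPASSWD tag for every entry, even after a match; only cmnd_matches() may be skipped. */`. The loop's enclosing function starts and ends outside this hunk, so how `nopass` is initialised and consumed should be confirmed there.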