diff --git a/plugins/sudoers/sudo_nss.c b/plugins/sudoers/sudo_nss.c
index 5a1b3e124..ceccc7b32 100644
--- a/plugins/sudoers/sudo_nss.c
+++ b/plugins/sudoers/sudo_nss.c
@@ -99,6 +99,10 @@ sudo_read_nss(void)
 		/* NOTFOUND affects the most recent entry */
 		tq_last(&snl)->ret_if_notfound = true;
 		got_match = false;
+	    } else if (strcasecmp(cp, "[SUCCESS=return]") == 0 && got_match) {
+		/* SUCCESS affects the most recent entry */
+		tq_last(&snl)->ret_if_found = true;
+		got_match = false;
 	    } else
 		got_match = false;
 	}
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 6998797de..fc2a51c68 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -393,7 +393,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 	validated = nss->lookup(nss, validated, pwflag);
 
 	if (ISSET(validated, VALIDATE_OK)) {
-	    /* Handle "= auth" in netsvc.conf */
+	    /* Handle [SUCCESS=return] */
 	    if (nss->ret_if_found)
 		break;
 	} else {