Don't prompt for a password if the user is in the exempt group, is

root, or is running the command as themselves even if the -k option
was specified.  This makes "sudo -k command" consistent with the
behavior one would get if the user ran "sudo -k" immediately before
running the command.

--HG--
branch : 1.7

diff --git a/check.c b/check.c
index f1d2d8bd8386d89d0696fba08caf1e907fa1f84b..45acb2df8ad25034100184bc2ab16903ea14dff9 100644 (file)
--- a/check.c
+++ b/check.c
@@ -106,30 +106,25 @@ check_user(validated, mode)
     char *timestampfile = NULL;
     char *prompt;
     struct stat sb;
-    int status, need_pass = def_authenticate;
+    int status;
 
     /* Init authentication system regardless of whether we need a password. */
     auth_pw = get_authpw();
     sudo_auth_init(auth_pw);
 
-    if (need_pass) {
-       /* Always need a password when -k was specified with the command. */
-       if (ISSET(mode, MODE_INVALIDATE)) {
-           SET(validated, FLAG_CHECK_USER);
-       } else {
-           /*
-            * Don't prompt for the root passwd or if the user is exempt.
-            * If the user is not changing uid/gid, no need for a password.
-            */
-           if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
-               (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name)))
-               || user_is_exempt())
-               need_pass = FALSE;              
-       }
-    }
-    if (!need_pass)
+    /*
+     * Don't prompt for the root passwd or if the user is exempt.
+     * If the user is not changing uid/gid, no need for a password.
+     */
+    if (!def_authenticate || user_uid == 0 || (user_uid == runas_pw->pw_uid &&
+       (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name)))
+       || user_is_exempt())
        goto done;
 
+    /* Always need a password when -k was specified with the command. */
+    if (ISSET(mode, MODE_INVALIDATE))
+       SET(validated, FLAG_CHECK_USER);
+
     /* Stash the tty's ctime for tty ticket comparison. */
     if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
        tty_info.dev = sb.st_dev;

diff --git a/testsudoers.c b/testsudoers.c
index 139c7c7cddfebce7dba2eff284deecde60da70af..8008616e400c2b5e167c3b1c55e2873e9a305aef 100644 (file)
--- a/testsudoers.c
+++ b/testsudoers.c
@@ -126,7 +126,7 @@ main(argc, argv)
 
     dflag = 0;
     grfile = pwfile = runas_group = runas_user = NULL;
-    while ((ch = getopt(argc, argv, "dg:G:h:p:u:")) != -1) {
+    while ((ch = getopt(argc, argv, "dg:P:h:p:u:")) != -1) {
        switch (ch) {
            case 'd':
                dflag = 1;
@@ -134,12 +134,12 @@ main(argc, argv)
            case 'h':
                user_host = optarg;
                break;
-           case 'G':
-               grfile = optarg;
-               break;
            case 'g':
                runas_group = optarg;
                break;
+           case 'P':
+               grfile = optarg;
+               break;
            case 'p':
                pwfile = optarg;
                break;
@@ -567,6 +567,6 @@ dump_sudoers()
 void
 usage()
 {
-    (void) fprintf(stderr, "usage: %s [-d] [-G grfile] [-g group] [-h host] [-p pwfile] [-u user] <user> <command> [args]\n", getprogname());
+    (void) fprintf(stderr, "usage: %s [-d] [-g group] [-h host] [-P grfile] [-p pwfile] [-u user] <user> <command> [args]\n", getprogname());
     exit(1);
 }