When checking the results for "sudo -l" and "sudo -v", keep checking

even after we get a match since the value of doauth may depend on
evaluating all the results.  From Radovan Sroka of RedHat.

diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 46309cba79a316665bd4020dad5571d1e3add425..95661c5fcdef992e7f268804428abbd237585cd6 100644 (file)
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -3320,12 +3320,13 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
                (pwcheck == all && doauth != true)) {
                doauth = !!sudo_ldap_check_bool(ld, entry, "authenticate");
            }
+           if (matched == true)
+               continue;
            /* Only check the command when listing another user. */
            if (user_uid == 0 || list_pw == NULL ||
                user_uid == list_pw->pw_uid ||
                sudo_ldap_check_command(ld, entry, NULL) == true) {
                matched = true;
-               break;
            }
        }
        if (matched == true || user_uid == 0) {

diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 65b4d87598622d8c15ad3b142428372a7d5290f8..37c984c2aa92618e43e1ef5a95bc0ef54bebdc88 100644 (file)
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -1321,12 +1321,13 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
                    (pwcheck == all && doauth != true)) {
                    doauth = !!sudo_sss_check_bool(handle, rule, "authenticate");
                }
+               if (matched == true)
+                   continue;
                /* Only check the command when listing another user. */
                if (user_uid == 0 || list_pw == NULL ||
                    user_uid == list_pw->pw_uid ||
                    sudo_sss_check_command(handle, rule, NULL) == true) {
                    matched = true;
-                   break;
                }
            }
        }