Fix "sudo -l command" in the LDAP and SSS backends when the command

is not allowed.

diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 764def51b4cc37947c16835c11b3da0fdfb62c98..5130bcd69dc81b2f1f1a4af225441b5cb9b68cb8 100644 (file)
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -2568,8 +2568,9 @@ sudo_ldap_display_cmnd(struct sudo_nss *nss, struct passwd *pw)
        goto done;
     for (i = 0; i < lres->nentries; i++) {
        entry = lres->entries[i].entry;
-       if (sudo_ldap_check_command(ld, entry, NULL) &&
-           sudo_ldap_check_runas(ld, entry)) {
+       if (!sudo_ldap_check_runas(ld, entry))
+           continue;
+       if (sudo_ldap_check_command(ld, entry, NULL) == true) {
            found = true;
            goto done;
        }

diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index edd708460a4b48a6970afaa033796f0017283af7..14179fc5952564db77e3dec4439bfd2deac102ec 100644 (file)
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -1380,8 +1380,9 @@ sudo_sss_display_cmnd(struct sudo_nss *nss, struct passwd *pw)
 
     for (i = 0; i < sss_result->num_rules; i++) {
        rule = sss_result->rules + i;
-       if (sudo_sss_check_command(handle, rule, NULL) &&
-           sudo_sss_check_runas(handle, rule)) {
+       if (!sudo_sss_check_runas(handle, rule))
+           continue;
+       if (sudo_sss_check_command(handle, rule, NULL) == true) {
            found = true;
            goto done;
        }