When determining whether or not "sudo -l" or "sudo -b" should prompt
authorTodd C. Miller <Todd.Miller@courtesan.com>
Tue, 19 Apr 2016 16:08:51 +0000 (10:08 -0600)
committerTodd C. Miller <Todd.Miller@courtesan.com>
Tue, 19 Apr 2016 16:08:51 +0000 (10:08 -0600)
for a password, take all sudoers sources into account.  In other
words, if both file and ldap sudoers sources are in use, "sudo -v"
will now require that all entries in both sources have NOPASSWD
(file) or !authenticate (ldap) in the entries.

plugins/sudoers/ldap.c
plugins/sudoers/parse.c
plugins/sudoers/sssd.c
plugins/sudoers/sudoers.c
plugins/sudoers/sudoers.h

index ffb5e7f25177aff826e3139d49c7b899eb898b18..97c2c756f60f3de5c921c8770d30ce414169161c 100644 (file)
@@ -3178,22 +3178,17 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
        if (matched == true || user_uid == 0) {
            SET(ret, VALIDATE_SUCCESS);
            CLR(ret, VALIDATE_FAILURE);
-           if (def_authenticate) {
-               switch (pwcheck) {
-                   case always:
-                       SET(ret, FLAG_CHECK_USER);
-                       break;
-                   case all:
-                   case any:
-                       if (doauth == false)
-                           def_authenticate = false;
-                       break;
-                   case never:
-                       def_authenticate = false;
-                       break;
-                   default:
-                       break;
-               }
+           switch (pwcheck) {
+               case always:
+                   SET(ret, FLAG_CHECK_USER);
+                   break;
+               case all:
+               case any:
+                   if (doauth == false)
+                       SET(ret, FLAG_NOPASSWD);
+                   break;
+               default:
+                   break;
            }
        }
        goto done;
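Review bot: Dropping the `if (def_authenticate)` gate means `case always:` now sets FLAG_CHECK_USER even when authentication is already disabled, while the file source in the parse.c hunk keeps its `pwcheck == always && def_authenticate` guard; the sources should agree, either by restoring the gate here (`if (def_authenticate && pwcheck == always)` ahead of the switch) or by dropping it in parse.c, whichever the consumer of FLAG_CHECK_USER expects — that consumer is not in the diff, so I cannot tell which is right. The same switch appears verbatim in the sssd.c hunk, so the point applies there too; a small shared helper taking pwcheck and doauth would keep the two copies from drifting. sudo_ldap_lookup continues outside the hunk.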
index 0ac4f808a8139a8ccfdf40c17c7f9b3f86bb08f5..18155e44c55732ca62d6bb11446ce5c22424c860 100644 (file)
@@ -197,8 +197,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
            SET(validated, VALIDATE_FAILURE);
        if (pwcheck == always && def_authenticate)
            SET(validated, FLAG_CHECK_USER);
-       else if (pwcheck == never || nopass == true)
-           def_authenticate = false;
+       else if (nopass == true)
+           SET(validated, FLAG_NOPASSWD);
        debug_return_int(validated);
     }
 
index a6b48b499087a106ea459b21734142204c407a6e..167bfa37ee1c23c1f592012e1096414ab3ff2955 100644 (file)
@@ -1146,22 +1146,17 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
        if (matched == true || user_uid == 0) {
            SET(ret, VALIDATE_SUCCESS);
            CLR(ret, VALIDATE_FAILURE);
-           if (def_authenticate) {
-               switch (pwcheck) {
-                   case always:
-                       SET(ret, FLAG_CHECK_USER);
-                       break;
-                   case all:
-                   case any:
-                       if (doauth == false)
-                           def_authenticate = false;
-                       break;
-                   case never:
-                       def_authenticate = false;
-                       break;
-                   default:
-                       break;
-               }
+           switch (pwcheck) {
+               case always:
+                   SET(ret, FLAG_CHECK_USER);
+                   break;
+               case all:
+               case any:
+                   if (doauth == false)
+                       SET(ret, FLAG_NOPASSWD);
+                   break;
+               default:
+                   break;
            }
        }
        goto done;
index 811a2cb9c00418655477f9098cdea7f0f0d66d16..767d5a06d2324ba3f3a8cd69c1ccea759e5b0936 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1993-1996, 1998-2015 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1993-1996, 1998-2016 Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -261,6 +261,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
     char *iolog_path = NULL;
     mode_t cmnd_umask = 0777;
     struct sudo_nss *nss;
+    bool nopass = false;
     int cmnd_status = -1, oldlocale, validated;
     int rval = -1;
     debug_decl(sudoers_policy_main, SUDOERS_DEBUG_PLUGIN)
@@ -343,6 +344,33 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
     TAILQ_FOREACH(nss, snl, entries) {
        validated = nss->lookup(nss, validated, pwflag);
 
+       /*
+        * The NOPASSWD tag needs special handling among all sources
+        * in -l or -v mode.
+        */
+       if (pwflag) {
+           enum def_tuple pwcheck =
+               (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
+           switch (pwcheck) {
+           case all:
+               if (!ISSET(validated, FLAG_NOPASSWD))
+                   nopass = false;
+               break;
+           case any:
+               if (ISSET(validated, FLAG_NOPASSWD))
+                   nopass = true;
+               break;
+           case never:
+               nopass = true;
+               break;
+           case always:
+               nopass = false;
+               break;
+           default:
+               break;
+           }
+       }
+
        if (ISSET(validated, VALIDATE_ERROR)) {
            /* The lookup function should have printed an error. */
            goto done;
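Review bot: In the `case all:` arm nopass can only ever be cleared, never set: it starts as `bool nopass = false` in the previous hunk and the only assignment under `all` is `nopass = false`, so with verifypw/listpw set to all the `if (pwflag && nopass)` check in the following hunk never disables authentication, even when every source reports FLAG_NOPASSWD. A second problem is that `validated` is threaded through every lookup (`validated = nss->lookup(nss, validated, pwflag)`), so a FLAG_NOPASSWD bit set by the first source is still present when the next source's result is inspected unless each lookup clears it on entry, which these hunks do not show; that would let `all` pass as soon as one source sets the bit. The rewrite below seeds nopass from the first source's result under `all` and clears the bit once each source has been accounted for; clearing is only safe if nothing after the loop reads FLAG_NOPASSWD, which I cannot see from here. sudoers_policy_main and the loop body continue outside the hunk.
```c
	    switch (pwcheck) {
	    case all:
		if (!ISSET(validated, FLAG_NOPASSWD))
		    nopass = false;
		else if (nss == TAILQ_FIRST(snl))
		    nopass = true;
		break;
	    /* … unchanged: any, never, always, default arms … */
	    }
	    /* Keep one source's NOPASSWD bit from leaking into the next lookup. */
	    CLR(validated, FLAG_NOPASSWD);
```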
@@ -356,6 +384,8 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
                break;
        }
     }
+    if (pwflag && nopass)
+       def_authenticate = false;
 
     /* Restore user's locale. */
     sudoers_setlocale(oldlocale, NULL);
index 7fda0505099942f275d2756ba6978c0ecf75d3ce..da2698c5333c523b0e5412fd7ba28b5f4b04f6cd 100644 (file)
@@ -123,6 +123,7 @@ struct sudo_user {
 #define FLAG_NON_INTERACTIVE   0x100
 #define FLAG_BAD_PASSWORD      0x200
 #define FLAG_AUTH_ERROR                0x400
+#define FLAG_NOPASSWD          0x800
 
 /*
  * find_path()/set_cmnd() return values