In list (-l) or verify (-v) mode, if we have a match but authentication

is required, clear FLAG_NOPASSWD so that when listpw/verifypw is
set to "all" and there are multiple sudoers sources a password will
be required unless none of the entries in all sources require
authentication.  From Radovan Sroka of RedHat

diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 95661c5fcdef992e7f268804428abbd237585cd6..c5c1836044a47a920b01a7dfcee775f8aef0119a 100644 (file)
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -3340,6 +3340,8 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
                case any:
                    if (doauth == false)
                        SET(ret, FLAG_NOPASSWD);
+                   else
+                       CLR(ret, FLAG_NOPASSWD);
                    break;
                default:
                    break;

diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c
index 749a3eb21816256da9a1fedfc3d2c60478ef2bcd..1f5149bb739388a0096089647e95cce58dee4dd3 100644 (file)
--- a/plugins/sudoers/parse.c
+++ b/plugins/sudoers/parse.c
@@ -202,6 +202,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
            SET(validated, FLAG_CHECK_USER);
        else if (nopass == true)
            SET(validated, FLAG_NOPASSWD);
+       else
+           CLR(validated, FLAG_NOPASSWD);
        debug_return_int(validated);
     }
 

diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 37c984c2aa92618e43e1ef5a95bc0ef54bebdc88..09ca9feeb55221d3913b1951b66a5556fea80cd4 100644 (file)
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -1342,6 +1342,8 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
                case any:
                    if (doauth == false)
                        SET(ret, FLAG_NOPASSWD);
+                   else
+                       CLR(ret, FLAG_NOPASSWD);
                    break;
                default:
                    break;