In sudo_ldap_lookup(), always do the initial sudoers check as the

invoking user.  If we are listing another user's privs we will
do a separate lookup using list_pw later.

--HG--
branch : 1.7

diff --git a/ldap.c b/ldap.c
index 580285cb3a81ea6000f771756df3a587e5ab372d..8adb435682da6547c60eb53a08abc76389ca680d 100644 (file)
--- a/ldap.c
+++ b/ldap.c
@@ -2120,7 +2120,6 @@ sudo_ldap_lookup(nss, ret, pwflag)
     LDAP *ld;
     LDAPMessage *entry;
     int i, rc, setenv_implied, matched = UNSPEC;
-    struct passwd *pw = list_pw ? list_pw : sudo_user.pw;
     struct ldap_result *lres = NULL;
 
     if (handle == NULL || handle->ld == NULL)
@@ -2128,7 +2127,7 @@ sudo_ldap_lookup(nss, ret, pwflag)
     ld = handle->ld;
 
     /* Fetch list of sudoRole entries that match user and host. */
-    lres = sudo_ldap_result_get(nss, pw);
+    lres = sudo_ldap_result_get(nss, sudo_user.pw);
 
     /*
      * The following queries are only determine whether or not a