false (since the user didn't authenticate). The normal reason for
this is an authentication error but in this case no authentication
was tried so no warning message has been displayed to the user. If
the user wasn't given a chance to authenticate, set inform_user to
true when calling log_denial() from sudoers_policy_main().
An alternate approach would be for check_user() to return true
in this case but seems more confusing.
case false:
/* Note: log_denial() calls audit for us. */
if (!ISSET(validated, VALIDATE_SUCCESS)) {
- if (!log_denial(validated, false))
+ /* Only display a denial message if no password was read. */
+ if (!log_denial(validated, def_passwd_tries <= 0))
goto done;
}
goto bad;
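Review bot: The new comment on the + line says the message is shown only "if no password was read", but the expression tests the configured value def_passwd_tries <= 0, not whether a prompt actually took place. Please make that link explicit at the call site, either by wording the comment in terms of the setting (zero or negative tries means the user was never prompted) or by naming the argument, for example `const bool inform_user = def_passwd_tries <= 0;` followed by `log_denial(validated, inform_user)`. That would also make the purpose of the second argument readable here without going back to the commit message, which is the only place inform_user is named.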