From: Todd C. Miller Date: Wed, 23 May 2012 19:37:24 +0000 (-0400) Subject: Don't prompt for a password if the user is in the exempt group, is X-Git-Tag: SUDO_1_7_10~85 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=26f39852b2f90d7dadd1cf8ae4887eaf31d95dee;p=sudo Don't prompt for a password if the user is in the exempt group, is root, or is running the command as themselves even if the -k option was specified. This makes "sudo -k command" consistent with the behavior one would get if the user ran "sudo -k" immediately before running the command. --HG-- branch : 1.7
---
diff --git a/check.c b/check.c
index f1d2d8bd8..45acb2df8 100644
--- a/check.c
+++ b/check.c
@@ -106,30 +106,25 @@ check_user(validated, mode)
 char *timestampfile = NULL;
 char *prompt;
 struct stat sb;
- int status, need_pass = def_authenticate;
+ int status;
 /* Init authentication system regardless of whether we need a password. */
 auth_pw = get_authpw();
 sudo_auth_init(auth_pw);
- if (need_pass) {
- /* Always need a password when -k was specified with the command. */
- if (ISSET(mode, MODE_INVALIDATE)) {
- SET(validated, FLAG_CHECK_USER);
- } else {
- /*
- * Don't prompt for the root passwd or if the user is exempt.
- * If the user is not changing uid/gid, no need for a password.
- */
- if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
- (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name)))
- || user_is_exempt())
- need_pass = FALSE;
- }
- }
- if (!need_pass)
+ /*
+ * Don't prompt for the root passwd or if the user is exempt.
+ * If the user is not changing uid/gid, no need for a password.
+ */
+ if (!def_authenticate || user_uid == 0 || (user_uid == runas_pw->pw_uid &&
+ (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name)))
+ || user_is_exempt())
 goto done;
+ /* Always need a password when -k was specified with the command. */
+ if (ISSET(mode, MODE_INVALIDATE))
+ SET(validated, FLAG_CHECK_USER);
+
 /* Stash the tty's ctime for tty ticket comparison. */
 if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
 tty_info.dev = sb.st_dev;
diff --git a/testsudoers.c b/testsudoers.c
index 139c7c7cd..8008616e4 100644
--- a/testsudoers.c
+++ b/testsudoers.c
@@ -126,7 +126,7 @@ main(argc, argv)
 dflag = 0;
 grfile = pwfile = runas_group = runas_user = NULL;
- while ((ch = getopt(argc, argv, "dg:G:h:p:u:")) != -1) {
+ while ((ch = getopt(argc, argv, "dg:P:h:p:u:")) != -1) {
 switch (ch) {
 case 'd':
 dflag = 1;
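Review bot: In the check.c hunk (check_user), the retained comment `/* Always need a password when -k was specified with the command. */` no longer matches the code. The `ISSET(mode, MODE_INVALIDATE)` test now sits after the `goto done`, so it is reached only when `def_authenticate` is set and the user is not root, not exempt, and not running the command as themselves. Because this is the authentication decision path, the comment should state the real rule, for example `/* Non-exempt users always need a password when -k was specified with the command. */`. The body of check_user continues outside the hunk, so how `FLAG_CHECK_USER` is consumed later cannot be confirmed from here. No user-facing documentation of -k is touched in this diff, so it may need the same correction.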
@@ -134,12 +134,12 @@ main(argc, argv)
 case 'h':
 user_host = optarg;
 break;
- case 'G':
- grfile = optarg;
- break;
 case 'g':
 runas_group = optarg;
 break;
+ case 'P':
+ grfile = optarg;
+ break;
 case 'p':
 pwfile = optarg;
 break;
@@ -567,6 +567,6 @@ dump_sudoers()
 void
 usage()
 {
- (void) fprintf(stderr, "usage: %s [-d] [-G grfile] [-g group] [-h host] [-p pwfile] [-u user] [args]\n", getprogname());
+ (void) fprintf(stderr, "usage: %s [-d] [-g group] [-h host] [-P grfile] [-p pwfile] [-u user] [args]\n", getprogname());
 exit(1);
 }