From: Todd C. Miller
Date: Sat, 8 Dec 2018 15:10:04 +0000 (-0700)
Subject: In sudo_pam_approval(), for the exempt case, only overwrite pam
X-Git-Tag: SUDO_1_8_27^2~17
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5242773489abf058e49e886fc7ed3e2026256574;p=sudo
In sudo_pam_approval(), for the exempt case, only overwrite pam status when the passwd is expired or needs to be updated.
---
diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index b7d916cd8..872189142 100644
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -225,8 +225,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
 break;
 case PAM_NEW_AUTHTOK_REQD:
 /* Ignore if user is exempt from password restrictions. */
- if (exempt)
+ if (exempt) {
+ rc = *pam_status;
 break;
+ }
 /* New password required, try to change it. */
 log_warningx(0, N_("Account or password is "
 "expired, reset your password and try again"));
@@ -241,8 +243,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
 break;
 case PAM_AUTHTOK_EXPIRED:
 /* Ignore if user is exempt from password restrictions. */
- if (exempt)
+ if (exempt) {
+ rc = *pam_status;
 break;
+ }
 /* Password expired, cannot be updated by user. */
 log_warningx(0,
 N_("Password expired, contact your system administrator"));
@@ -269,8 +273,7 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
 status = AUTH_FATAL;
 break;
 }
- /* Ignore errors if user is exempt from password restrictions. */
- *pam_status = exempt ? PAM_SUCCESS : rc;
+ *pam_status = rc;
 debug_return_int(status);
 }
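Review bot: The comment above the exempt branch in the PAM_NEW_AUTHTOK_REQD case still says only "Ignore if user is exempt from password restrictions", but the branch now also rewrites rc, and the reason is visible only at the `*pam_status = rc;` store at the end of the function. I would reword it to `/* Exempt from password restrictions: keep the earlier PAM status so the store after the switch does not record the expiry code. */`. The identical branch in the PAM_AUTHTOK_EXPIRED case in the second hunk needs the same wording. The switch starts and ends outside both hunks, so this reading assumes *pam_status still holds the result of the earlier PAM step when the function is entered.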
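Review bot: With the old comment removed, the store `*pam_status = rc;` in the last hunk no longer says which failures an exempt user may skip, and that is the security-relevant contract of this function. A short comment at the store, such as `/* Only the password-expiry cases above are skipped for exempt users; every other pam_acct_mgmt() result is recorded. */`, would help keep a later edit from widening the exemption again. The earlier cases of the switch are outside this hunk, so it cannot be confirmed from here that each of them also sets status to a failure value. A regression test for an exempt user with a non-expiry account error would pin that down.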