From: Todd C. Miller
Date: Tue, 19 Apr 2016 16:08:51 +0000 (-0600)
Subject: When determining whether or not "sudo -l" or "sudo -b" should prompt
X-Git-Tag: SUDO_1_8_17^2~134
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6717c32022153bcc0aa9afa87aa96e208a6a86c5;p=sudo

When determining whether or not "sudo -l" or "sudo -b" should prompt for a password, take all sudoers sources into account. In other words, if both file and ldap sudoers sources are in use, "sudo -v" will now require that all entries in both sources be have NOPASSWD (file) or !authenticate (ldap) in the entries.
---

diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index ffb5e7f25..97c2c756f 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -3178,22 +3178,17 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
     if (matched == true || user_uid == 0) {
         SET(ret, VALIDATE_SUCCESS);
         CLR(ret, VALIDATE_FAILURE);
-        if (def_authenticate) {
-            switch (pwcheck) {
-            case always:
-                SET(ret, FLAG_CHECK_USER);
-                break;
-            case all:
-            case any:
-                if (doauth == false)
-                    def_authenticate = false;
-                break;
-            case never:
-                def_authenticate = false;
-                break;
-            default:
-                break;
-            }
+        switch (pwcheck) {
+        case always:
+            SET(ret, FLAG_CHECK_USER);
+            break;
+        case all:
+        case any:
+            if (doauth == false)
+                SET(ret, FLAG_NOPASSWD);
+            break;
+        default:
+            break;
         }
     }
     goto done;
diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c
index 0ac4f808a..18155e44c 100644
--- a/plugins/sudoers/parse.c
+++ b/plugins/sudoers/parse.c
@@ -197,8 +197,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
             SET(validated, VALIDATE_FAILURE);
         if (pwcheck == always && def_authenticate)
             SET(validated, FLAG_CHECK_USER);
-        else if (pwcheck == never || nopass == true)
-            def_authenticate = false;
+        else if (nopass == true)
+            SET(validated, FLAG_NOPASSWD);
         debug_return_int(validated);
     }
 
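Review bot: In the new `switch` the `always` arm sets FLAG_CHECK_USER unconditionally, whereas the removed code only did so inside `if (def_authenticate)` and sudo_file_lookup in parse.c (next hunk) still guards it with `pwcheck == always && def_authenticate`; sudo_sss_lookup in sssd.c carries the same change as this hunk. Whether the caller's handling of FLAG_CHECK_USER differs when `authenticate` is disabled in Defaults is not visible here, but the three sources should at least agree: either `case always: if (def_authenticate) SET(ret, FLAG_CHECK_USER); break;` here and in sssd.c, or drop the `def_authenticate` test in parse.c. The switch is now duplicated verbatim between ldap.c and sssd.c and could be one static inline helper taking `pwcheck`, `doauth` and `ret`. sudo_ldap_lookup continues on both sides of the hunk.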
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index a6b48b499..167bfa37e 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -1146,22 +1146,17 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
     if (matched == true || user_uid == 0) {
         SET(ret, VALIDATE_SUCCESS);
         CLR(ret, VALIDATE_FAILURE);
-        if (def_authenticate) {
-            switch (pwcheck) {
-            case always:
-                SET(ret, FLAG_CHECK_USER);
-                break;
-            case all:
-            case any:
-                if (doauth == false)
-                    def_authenticate = false;
-                break;
-            case never:
-                def_authenticate = false;
-                break;
-            default:
-                break;
-            }
+        switch (pwcheck) {
+        case always:
+            SET(ret, FLAG_CHECK_USER);
+            break;
+        case all:
+        case any:
+            if (doauth == false)
+                SET(ret, FLAG_NOPASSWD);
+            break;
+        default:
+            break;
         }
     }
     goto done;
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 811a2cb9c..767d5a06d 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1993-1996, 1998-2015 Todd C. Miller
+ * Copyright (c) 1993-1996, 1998-2016 Todd C. Miller
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -261,6 +261,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
     char *iolog_path = NULL;
     mode_t cmnd_umask = 0777;
     struct sudo_nss *nss;
+    bool nopass = false;
     int cmnd_status = -1, oldlocale, validated;
     int rval = -1;
     debug_decl(sudoers_policy_main, SUDOERS_DEBUG_PLUGIN)
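Review bot: With `bool nopass = false;` added here and the `case all:` arm of the new switch in the `@@ -343,6 +344,33` hunk only ever assigning `nopass = false`, the `all` setting can never clear `def_authenticate`, so under `all` the NOPASSWD/!authenticate tags are ignored and the user is always prompted; `any`, `never` and `always` behave as intended because each assigns `true` somewhere. For `all` the value must start true and be cleared by any source whose lookup did not set FLAG_NOPASSWD, which also argues for computing `pwcheck` once before the loop, since it does not depend on `nss`. FLAG_NOPASSWD is ORed into `validated`, which is threaded from one lookup to the next, so if `all` is meant to judge each source on its own entries the bit presumably has to be cleared before each lookup; that part is inferred from the loop shape rather than shown. Both hunks sit inside sudoers_policy_main, which extends beyond them.
```c
    struct sudo_nss *nss;
    enum def_tuple pwcheck = never;
    bool nopass = false;
    /* … unchanged: remaining declarations and setup … */

    /* pwcheck does not depend on the source, so compute it once;
     * under "all", nopass starts true and any source lacking NOPASSWD clears it. */
    if (pwflag) {
        pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
        nopass = (pwcheck == all);
    }
    TAILQ_FOREACH(nss, snl, entries) {
        CLR(validated, FLAG_NOPASSWD);   /* judge each source by its own entries */
        validated = nss->lookup(nss, validated, pwflag);

        if (pwflag) {
            switch (pwcheck) {
            case all:
                if (!ISSET(validated, FLAG_NOPASSWD))
                    nopass = false;
                break;
            /* … unchanged: any, never, always, default arms … */
            }
        }
        /* … unchanged: VALIDATE_ERROR / VALIDATE_SUCCESS handling … */
```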
@@ -343,6 +344,33 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
     TAILQ_FOREACH(nss, snl, entries) {
         validated = nss->lookup(nss, validated, pwflag);
 
+        /*
+         * The NOPASSWD tag needs special handling among all sources
+         * in -l or -v mode.
+         */
+        if (pwflag) {
+            enum def_tuple pwcheck =
+                (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
+            switch (pwcheck) {
+            case all:
+                if (!ISSET(validated, FLAG_NOPASSWD))
+                    nopass = false;
+                break;
+            case any:
+                if (ISSET(validated, FLAG_NOPASSWD))
+                    nopass = true;
+                break;
+            case never:
+                nopass = true;
+                break;
+            case always:
+                nopass = false;
+                break;
+            default:
+                break;
+            }
+        }
+
         if (ISSET(validated, VALIDATE_ERROR)) {
             /* The lookup function should have printed an error. */
             goto done;
@@ -356,6 +384,8 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
             break;
         }
     }
+    if (pwflag && nopass)
+        def_authenticate = false;
 
     /* Restore user's locale. */
     sudoers_setlocale(oldlocale, NULL);
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
index 7fda05050..da2698c53 100644
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -123,6 +123,7 @@ struct sudo_user {
 #define FLAG_NON_INTERACTIVE 0x100
 #define FLAG_BAD_PASSWORD 0x200
 #define FLAG_AUTH_ERROR 0x400
+#define FLAG_NOPASSWD 0x800
 
 /*
  * find_path()/set_cmnd() return values
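Review bot: FLAG_NOPASSWD is added to sudoers.h without a comment, and unlike its neighbours its meaning is not obvious from the name, because it is a per-lookup result that sudoers_policy_main combines across sources rather than a final decision. Suggest `#define FLAG_NOPASSWD 0x800 /* lookup matched entries tagged NOPASSWD (file) or !authenticate (ldap/sssd); combined across sources under pwflag */`, which is how parse.c, ldap.c and sssd.c set it and how the `@@ -343` hunk reads it. Since the bit lives in `validated` and is never cleared between lookups in this diff, the comment should also say whether it is meant to be cumulative or per-source, once that is decided.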