From: Todd C. Miller <Todd.Miller@courtesan.com>
Date: Mon, 7 Sep 2015 12:06:08 +0000 (-0600)
Subject: Avoid touching the time stamp directory for "sudo -k command"
X-Git-Tag: SUDO_1_8_15^2~67
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9dedc65a7f92f15c6f56f999514bf8979d53ba5f;p=sudo

Avoid touching the time stamp directory for "sudo -k command"
---

diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
index a540d030b..c37d4bb5f 100644
--- a/plugins/sudoers/check.c
+++ b/plugins/sudoers/check.c
@@ -87,23 +87,34 @@ getpass_resume(int signo, void *vclosure)
 static int
 check_user_interactive(int validated, int mode, struct passwd *auth_pw)
 {
-    struct sudo_conv_callback callback;
+    struct sudo_conv_callback cb, *callback = NULL;
     struct getpass_closure closure;
+    void *cookie = NULL;
     int status = TS_ERROR;
     int rval = -1;
     char *prompt;
     bool lectured;
     debug_decl(check_user_interactive, SUDOERS_DEBUG_AUTH)
 
-    /* Always need a password when -k was specified with the command. */
-    if (ISSET(mode, MODE_IGNORE_TICKET))
-	SET(validated, FLAG_CHECK_USER);
+    /* Open, lock and read time stamp file if we are using it. */
+    if (!ISSET(mode, MODE_IGNORE_TICKET)) {
+	/* Open time stamp file and check its status. */
+	cookie = timestamp_open(user_name, user_sid);
+	if (timestamp_lock(cookie, auth_pw))
+	    status = timestamp_status(cookie, auth_pw);
 
-    /* Open timestamp file and check its status. */
-    closure.auth_pw = auth_pw;
-    closure.cookie = timestamp_open(user_name, user_sid);
-    if (timestamp_lock(closure.cookie, auth_pw))
-	status = timestamp_status(closure.cookie, auth_pw);
+	/* Construct callback for getpass function. */
+	memset(&cb, 0, sizeof(cb));
+	cb.version = SUDO_CONV_CALLBACK_VERSION;
+	cb.closure = &closure;
+	cb.on_suspend = getpass_suspend;
+	cb.on_resume = getpass_resume;
+	callback = &cb;
+
+	/* Closure for getpass_{suspend,resume} */
+	closure.auth_pw = auth_pw;
+	closure.cookie = cookie;
+    }
 
     switch (status) {
     case TS_FATAL:
@@ -135,14 +146,7 @@ check_user_interactive(int validated, int mode, struct passwd *auth_pw)
 	if (prompt == NULL)
 	    goto done;
 
-	/* Construct callback for getpass function. */
-	memset(&callback, 0, sizeof(callback));
-	callback.version = SUDO_CONV_CALLBACK_VERSION;
-	callback.closure = &closure;
-	callback.on_suspend = getpass_suspend;
-	callback.on_resume = getpass_resume;
-
-	rval = verify_user(auth_pw, prompt, validated, &callback);
+	rval = verify_user(auth_pw, prompt, validated, callback);
 	if (rval == true && lectured)
 	    (void)set_lectured();	/* lecture error not fatal */
 	free(prompt);
@@ -150,16 +154,14 @@ check_user_interactive(int validated, int mode, struct passwd *auth_pw)
     }
 
     /*
-     * Only update timestamp if user was validated.
-     * Failure to update the timestamp is not a fatal error.
+     * Only update time stamp if user was validated.
+     * Failure to update the time stamp is not a fatal error.
      */
-    if (rval == true && ISSET(validated, VALIDATE_SUCCESS) &&
-	!ISSET(mode, MODE_IGNORE_TICKET) && status != TS_ERROR) {
-	(void)timestamp_update(closure.cookie, auth_pw);
-    }
+    if (rval == true && ISSET(validated, VALIDATE_SUCCESS) && status != TS_ERROR)
+	(void)timestamp_update(cookie, auth_pw);
 done:
-    if (closure.cookie != NULL)
-	timestamp_close(closure.cookie);
+    if (cookie != NULL)
+	timestamp_close(cookie);
     debug_return_int(rval);
 }