From: Todd C. Miller
Date: Tue, 14 Nov 2017 20:58:35 +0000 (-0700)
Subject: If passwd_tries is less than 1, check_user() will always return
X-Git-Tag: SUDO_1_8_22^2~72
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a62cd4b4fe25eda6f99d73d7277a6db90a36337c;p=sudo

If passwd_tries is less than 1, check_user() will always return false (since the user didn't authenticate). The normal reason for this is an authentication error, but in this case no authentication was tried, so no warning message has been displayed to the user. If the user wasn't given a chance to authenticate, set inform_user to true when calling log_denial() from sudoers_policy_main(). An alternate approach would be for check_user() to return true in this case, but that seems more confusing.
---
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c index 9e2447977..10c1d6aa2 100644 --- a/plugins/sudoers/sudoers.c +++ b/plugins/sudoers/sudoers.c @@ -427,7 +427,8 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[], case false: /* Note: log_denial() calls audit for us. */ if (!ISSET(validated, VALIDATE_SUCCESS)) { - if (!log_denial(validated, false)) + /* Only display a denial message if no password was read. */ + if (!log_denial(validated, def_passwd_tries <= 0)) goto done; } goto bad;
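Review bot: the added comment in the sudoers_policy_main() hunk understates what the new condition means. `def_passwd_tries <= 0` does not mean "no password was read"; per the commit message it means no authentication was attempted at all, so the user never saw a prompt or an error. Suggest the comment state that directly, e.g. `/* Inform the user of the denial when passwd_tries < 1, since no authentication was attempted. */`, and note that the ordinary failed-authentication path keeps passing false so a user who did fail a prompt is not told twice.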