From: Todd C. Miller
Date: Sat, 27 Sep 2014 02:55:19 +0000 (-0600)
Subject: If all authentication methods fail init/setup, fail with an error.
X-Git-Tag: SUDO_1_8_12^2~182
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d28c525ede05b4c5cc5f485d989ed32bd0c40195;p=sudo

If all authentication methods fail init/setup, fail with an error.
---
diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c
index adae8a76b..3e8062352 100644
--- a/plugins/sudoers/auth/sudo_auth.c
+++ b/plugins/sudoers/auth/sudo_auth.c
@@ -196,7 +196,6 @@ verify_user(struct passwd *pw, char *prompt, int validated)
 (void) sigaction(SIGTSTP, &sa, &osa);
 
 /* Make sure we have at least one auth method. */
- /* XXX - check FLAG_DISABLED too */
 if (auth_switch[0].name == NULL) {
 audit_failure(NewArgc, NewArgv, N_("no authentication methods"));
 log_warningx(SLOG_SEND_MAIL,
@@ -207,9 +206,14 @@ verify_user(struct passwd *pw, char *prompt, int validated)
 }
 
 while (--counter) {
+ int num_methods = 0;
+
 /* Do any per-method setup and unconfigure the method if needed */
 for (auth = auth_switch; auth->name; auth++) {
- if (auth->setup && !IS_DISABLED(auth)) {
+ if (IS_DISABLED(auth))
+ continue;
+ num_methods++;
+ if (auth->setup != NULL) {
 status = (auth->setup)(pw, &prompt, auth);
 if (status == AUTH_FAILURE)
 SET(auth->flags, FLAG_DISABLED);
@@ -217,6 +221,12 @@ verify_user(struct passwd *pw, char *prompt, int validated)
 goto done; /* assume error msg already printed */
 }
 }
+ if (num_methods == 0) {
+ audit_failure(NewArgc, NewArgv, N_("no authentication methods"));
+ log_warningx(SLOG_SEND_MAIL,
+ N_("Unable to initialize authentication methods."));
+ debug_return_int(-1);
+ }
 
 /* Get the password unless the auth function will do it for us */
 if (standalone) {
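Review bot: In the setup loop `num_methods++` runs before `(auth->setup)(pw, &prompt, auth)`, so a method that returns AUTH_FAILURE and is disabled in this same pass is still counted. If every method fails setup on the first pass, `num_methods` is non-zero and the later `num_methods == 0` check cannot fire until the next `while (--counter)` iteration, after the password step has already run; the outcome then depends on the verify code outside this hunk skipping disabled methods. Counting only the survivors makes the error immediate: drop the early increment and add `if (!IS_DISABLED(auth)) num_methods++;` after the setup block. The loop body continues past the end of this hunk.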
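Review bot: The new `num_methods == 0` branch exits with `debug_return_int(-1)` rather than through the `done:` label that the AUTH_FATAL path just above it uses. That label is outside the hunk, but if it restores the SIGTSTP disposition saved in `osa` or runs per-method cleanup, this path skips it; setting the error result and using `goto done` would keep one exit path. The audit record also reuses `N_("no authentication methods")` from the empty-table check at the top of verify_user, so the audit trail cannot tell "nothing configured" apart from "every method failed setup". A distinct string would help triage, for example `N_("all authentication methods failed setup")`, which is a suggested wording and not one taken from the project.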