From 2cbdc26540bf118527eca825f5cf7de05b6f4a08 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Wed, 15 Nov 2017 12:27:39 -0700
Subject: [PATCH] When checking the results for "sudo -l" and "sudo -v", keep checking even after we get a match since the value of doauth may depend on evaluating all the results. From Radovan Sroka of RedHat.
---
 plugins/sudoers/ldap.c | 3 ++-
 plugins/sudoers/sssd.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 46309cba7..95661c5fc 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -3320,12 +3320,13 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
 (pwcheck == all && doauth != true)) {
 doauth = !!sudo_ldap_check_bool(ld, entry, "authenticate");
 }
+ if (matched == true)
+ continue;
 /* Only check the command when listing another user. */
 if (user_uid == 0 || list_pw == NULL || user_uid == list_pw->pw_uid || sudo_ldap_check_command(ld, entry, NULL) == true) {
 matched = true;
- break;
 }
 }
 if (matched == true || user_uid == 0) {
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 65b4d8759..37c984c2a 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -1321,12 +1321,13 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
 (pwcheck == all && doauth != true)) {
 doauth = !!sudo_sss_check_bool(handle, rule, "authenticate");
 }
+ if (matched == true)
+ continue;
 /* Only check the command when listing another user. */
 if (user_uid == 0 || list_pw == NULL || user_uid == list_pw->pw_uid || sudo_sss_check_command(handle, rule, NULL) == true) {
 matched = true;
- break;
 }
 }
 }
-- 
2.40.0
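Review bot: The added `if (matched == true) continue;` in sudo_ldap_lookup has no comment, so the reason the loop must keep running after a match lives only in the commit message. The `doauth` assignment just above it appears to feed the decision on whether `sudo -l` / `sudo -v` asks for a password, so a later cleanup that turns the `continue` back into an early `break` would quietly bring back the behaviour this commit fixes. I would put `/* Keep scanning after a match: doauth must reflect every entry, not only the first one that matched. */` directly above the new check. The same comment is needed on the identical hunk in sudo_sss_lookup (plugins/sudoers/sssd.c). Both loop bodies start outside their hunks, so the full condition guarding the `doauth` update is not visible here.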