From 5a641108826ef21774022c2e148814539b473d8f Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 11 Jan 2011 10:33:39 -0500
Subject: [PATCH] If the user is running sudo as himself but as a different group we need to prompt for a password.
--HG-- branch : 1.7
---
 check.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/check.c b/check.c
index b324c06bd..e2f237b69 100644
--- a/check.c
+++ b/check.c
@@ -120,7 +120,13 @@ check_user(validated, mode)
 if (ISSET(mode, MODE_INVALIDATE)) {
 SET(validated, FLAG_CHECK_USER);
 } else {
- if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt())
+ /*
+ * Don't prompt for the root passwd or if the user is exempt.
+ * If the user is not changing uid/gid, no need for a password.
+ */
+ if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
+ (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) ||
+ user_is_exempt())
 return;
 }
--
2.40.0
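Review bot: The new comment above the early `return` in check_user() does not match the condition it documents, and this condition decides who skips authentication. "Don't prompt for the root passwd" reads as if it concerns the target account, while `user_uid == 0` tests the invoking user. "not changing uid/gid" hides that the gid case is really a membership test through `user_in_group(sudo_user.pw, runas_gr->gr_name)`. I would list the three bypass cases explicitly, for example `/* No password if: invoking user is root; same uid and either no runas group or one the user already belongs to; user is exempt. */`. The helper is not visible here, so whether `user_in_group()` also matches the user's primary gid, and how it treats a group name that no longer resolves, should be confirmed and noted next to the call. check_user() begins and ends outside this hunk, so any later use of `runas_gr` was not reviewed.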