From 5b51b7f11a91172d5eb9b24a111347f8825f2b3e Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Mon, 29 Aug 2016 10:04:24 -0600
Subject: [PATCH] Fix "sudo -l command" in the LDAP and SSS backends when the command is not allowed.
---
 plugins/sudoers/ldap.c | 5 +++--
 plugins/sudoers/sssd.c | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 764def51b..5130bcd69 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -2568,8 +2568,9 @@ sudo_ldap_display_cmnd(struct sudo_nss *nss, struct passwd *pw)
 goto done;
 for (i = 0; i < lres->nentries; i++) {
 entry = lres->entries[i].entry;
- if (sudo_ldap_check_command(ld, entry, NULL) &&
- sudo_ldap_check_runas(ld, entry)) {
+ if (!sudo_ldap_check_runas(ld, entry))
+ continue;
+ if (sudo_ldap_check_command(ld, entry, NULL) == true) {
 found = true;
 goto done;
 }
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index edd708460..14179fc59 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -1380,8 +1380,9 @@ sudo_sss_display_cmnd(struct sudo_nss *nss, struct passwd *pw)
 for (i = 0; i < sss_result->num_rules; i++) {
 rule = sss_result->rules + i;
- if (sudo_sss_check_command(handle, rule, NULL) &&
- sudo_sss_check_runas(handle, rule)) {
+ if (!sudo_sss_check_runas(handle, rule))
+ continue;
+ if (sudo_sss_check_command(handle, rule, NULL) == true) {
 found = true;
 goto done;
 }
-- 
2.40.0
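Review bot: The `== true` test on sudo_ldap_check_command() in the ldap.c hunk has no comment explaining why a plain truthiness test is wrong here, so a later cleanup could revert it and make `sudo -l command` report a disallowed command as permitted again. The change implies the function can return a non-zero value that does not mean "allowed" (presumably a "no match" result), but its definition is outside the hunk, so confirm the return values before wording the comment. I would add a line above the test such as `/* check_command is not a plain boolean; only an explicit true means the command is allowed. */`. The same comment fits the sudo_sss_check_command() test in the sssd.c hunk. Both loops sit in functions that start and end outside their hunks.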