From 8e021c39fa72b22eddc2a2c77b1073e282904754 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 5 Sep 2017 09:30:19 -0600
Subject: [PATCH] Fix a logic error in 96651906de42 which prevented sudo from using the PAM-supplied prompt. Bug #799
---
 plugins/sudoers/auth/pam.c | 42 +++++++++++++++++++++++-------------------
 1 file changed, 23 insertions(+), 19 deletions(-)
diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index dbf18bf11..939f2c29a 100644
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -435,28 +435,32 @@ use_pam_prompt(const char *pam_prompt)
 size_t user_len;
 debug_decl(use_pam_prompt, SUDOERS_DEBUG_AUTH)
 
- if (!def_passprompt_override) {
- /* If sudo prompt matches "^Password: ?$", use PAM prompt. */
- if (PROMPT_IS_PASSWORD(def_prompt))
- debug_return_bool(true);
+ /* Always use sudo prompt if passprompt_override is set. */
+ if (def_passprompt_override)
+ debug_return_bool(false);
 
- /* If PAM prompt matches "^Password: ?$", use sudo prompt. */
- if (PAM_PROMPT_IS_PASSWORD(pam_prompt))
- debug_return_bool(false);
+ /* If sudo prompt matches "^Password: ?$", use PAM prompt. */
+ if (PROMPT_IS_PASSWORD(def_prompt))
+ debug_return_bool(true);
 
- /*
- * Some PAM modules use "^username's Password: ?$" instead of
- * "^Password: ?" so check for that too.
- */
- user_len = strlen(user_name);
- if (strncmp(pam_prompt, user_name, user_len) == 0) {
- const char *cp = pam_prompt + user_len;
- if (strncmp(cp, "'s Password:", 12) == 0 &&
- (cp[12] == '\0' || (cp[12] == ' ' && cp[13] == '\0')))
- debug_return_bool(false);
- }
+ /* If PAM prompt matches "^Password: ?$", use sudo prompt. */
+ if (PAM_PROMPT_IS_PASSWORD(pam_prompt))
+ debug_return_bool(false);
+
+ /*
+ * Some PAM modules use "^username's Password: ?$" instead of
+ * "^Password: ?" so check for that too.
+ */
+ user_len = strlen(user_name);
+ if (strncmp(pam_prompt, user_name, user_len) == 0) {
+ const char *cp = pam_prompt + user_len;
+ if (strncmp(cp, "'s Password:", 12) == 0 &&
+ (cp[12] == '\0' || (cp[12] == ' ' && cp[13] == '\0')))
+ debug_return_bool(false);
 }
- debug_return_bool(false);
+
+ /* Otherwise, use the PAM prompt. */
+ debug_return_bool(true);
 }
 
 /*
-- 
2.40.0
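Review bot: The new final `debug_return_bool(true)` makes the PAM-supplied text the default for every prompt that is not one of the two exact, case-sensitive English "Password:" forms, so what the user sees at a credential request now hinges on string matches against module output. The fall-through comment should say so, for example `/* Any other PAM prompt (e.g. a localized one) is shown as supplied; set passprompt_override to force the sudoers prompt. */`. In the username check, `strncmp(cp, "'s Password:", 12)` and the `cp[12]`/`cp[13]` indexes repeat the literal's length by hand; a named constant built from `sizeof("'s Password:") - 1` would keep them in step. `pam_prompt` reaches `strncmp` with no NULL test in the visible lines; the function's start and its caller are outside the hunk, so it is worth confirming the caller never passes NULL.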