From a26c783beafffa3eb79aa3e0df29af05f2f7c0a7 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Fri, 6 Jul 2007 19:51:03 +0000
Subject: [PATCH] Make pwcheck local to the pwflag block. Use pwcheck even if user didn't match since Defaults options may still apply.
---
 parse.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)
diff --git a/parse.c b/parse.c
index 3f0d22c64..49e33e0b9 100644
--- a/parse.c
+++ b/parse.c
@@ -99,20 +99,12 @@ sudoers_lookup(pwflag)
 int pwflag;
 {
 int validated, matched, host_matched, runas_matched, cmnd_matched;
- enum def_tupple pwcheck = 0;
 struct cmndspec *cs;
 struct cmndtag *tags = NULL;
 struct member *runas;
 struct privilege *priv;
 struct userspec *us;
- /*
- * We use pwflag to tell us when a password should be required
- * for pseudo-commands. XXX - pass in pwcheck, not pwflag
- */
- if (pwflag)
- pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
-
 /* Assume the worst. */
 validated = VALIDATE_NOT_OK | FLAG_NO_HOST | FLAG_NO_USER;
 if (pwflag && list_pw == NULL)
@@ -125,6 +117,9 @@ sudoers_lookup(pwflag)
 */
 if (pwflag) {
 int nopass = UNSPEC;
+ enum def_tupple pwcheck;
+
+ pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
 CLR(validated, FLAG_NO_USER);
 CLR(validated, FLAG_NO_HOST);
@@ -151,11 +146,11 @@ sudoers_lookup(pwflag)
 /* User has an entry for this host. */
 CLR(validated, VALIDATE_NOT_OK);
 SET(validated, VALIDATE_OK);
- if (pwcheck == always && def_authenticate)
- SET(validated, FLAG_CHECK_USER);
- else if (pwcheck == never || nopass == TRUE)
- def_authenticate = FALSE;
 }
+ if (pwcheck == always && def_authenticate)
+ SET(validated, FLAG_CHECK_USER);
+ else if (pwcheck == never || nopass == TRUE)
+ def_authenticate = FALSE;
 return(validated);
 }
-- 
2.40.0
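Review bot: The comment that explained pwflag was deleted together with the old assignment, and nothing replaces it inside the `if (pwflag)` block of the second hunk, so the `-1` special case and the table lookup are now unexplained. Above the new assignment I would add `/* pwflag is -1 (never ask) or the sudo_defs_table index of the password-check tuple for this pseudo-command. */`. The lookup `sudo_defs_table[pwflag]` also accepts every non-zero value other than -1 as an index; that is unchanged from the old code, but since the callers are outside this hunk it is worth confirming that no other value can reach it. The block continues past the end of the hunk.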
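Review bot: With the check moved below the closing brace in the third hunk, `def_authenticate = FALSE` can now be reached when no entry matched and `validated` may still carry VALIDATE_NOT_OK, so the authentication default is cleared on the failure path as well. The commit message says this is intended, but the code does not, and it is only safe if every caller refuses on VALIDATE_NOT_OK before it consults def_authenticate; those callers are not visible here. I would state that above the moved lines, e.g. `/* Applies even when no entry matched; callers must still reject VALIDATE_NOT_OK. */`. The `nopass == TRUE` arm presumably can only become true after a match, since nopass starts as UNSPEC in the second hunk, so that half of the condition likely behaves as before.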