From dacb1e47f3bb4a1ab0a4c3f66a517fdf08d5d327 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Date: Fri, 9 Sep 2011 09:57:39 -0400
Subject: [PATCH] Honor NOPASSWD tag for denied commands too.

---
 plugins/sudoers/parse.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c
index 303d13500..8ce68584b 100644
--- a/plugins/sudoers/parse.c
+++ b/plugins/sudoers/parse.c
@@ -250,6 +250,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
     } else if (match == DENY) {
 	SET(validated, VALIDATE_NOT_OK);
 	CLR(validated, VALIDATE_OK);
+	if (tags != NULL && tags->nopasswd != UNSPEC)
+	    def_authenticate = !tags->nopasswd;
     }
     restore_perms();
     return validated;
-- 
2.40.0