[sudo-users] listpw/verifypw issues with sssd and ldap

Todd C. Miller Todd.Miller at courtesan.com
Sun Apr 17 06:26:49 MDT 2016


On Sun, 10 Apr 2016 10:13:57 -0700, Michael Fischer wrote:

> How do we address this?  Is it a simple fix?  Can you clarify the
> documentation in the interim?

Here's the fix that I plan to include in sudo 1.8.17.

 - todd

diff -r 2adcf1b17f83 plugins/sudoers/ldap.c
--- a/plugins/sudoers/ldap.c	Tue Mar 22 16:31:47 2016 -0600
+++ b/plugins/sudoers/ldap.c	Sun Apr 17 06:25:01 2016 -0600
@@ -3178,10 +3178,7 @@
 		    case all:
 		    case any:
 			if (doauth == false)
-			    def_authenticate = false;
-			break;
-		    case never:
-			def_authenticate = false;
+			    SET(ret, FLAG_NOPASSWD);
 			break;
 		    default:
 			break;
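Review bot: With the `never` arm removed, a `pwcheck` of `never` now reaches `default: break;` and leaves `ret` untouched, which is only correct because the caller resolves `never` on its own; a comment at the switch would keep a future reader from re-adding it, e.g. `/* never is resolved by sudoers_policy_main() via nopass; only NOPASSWD is reported here */`. The identical switch in the sssd.c hunk and the `else if (nopass == true)` branch in the parse.c hunk should carry the same note, since all three now depend on that central handling. Whether `doauth` already reflects the all-versus-any aggregation across a source's matching entries is decided above this hunk, outside the view, so the shared `case all:`/`case any:` arm can only be judged together with that loop. The enclosing lookup function starts and ends outside the hunk.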
diff -r 2adcf1b17f83 plugins/sudoers/parse.c
--- a/plugins/sudoers/parse.c	Tue Mar 22 16:31:47 2016 -0600
+++ b/plugins/sudoers/parse.c	Sun Apr 17 06:25:01 2016 -0600
@@ -197,8 +197,8 @@
 	    SET(validated, VALIDATE_FAILURE);
 	if (pwcheck == always && def_authenticate)
 	    SET(validated, FLAG_CHECK_USER);
-	else if (pwcheck == never || nopass == true)
-	    def_authenticate = false;
+	else if (nopass == true)
+	    SET(validated, FLAG_NOPASSWD);
 	debug_return_int(validated);
     }
 
diff -r 2adcf1b17f83 plugins/sudoers/sssd.c
--- a/plugins/sudoers/sssd.c	Tue Mar 22 16:31:47 2016 -0600
+++ b/plugins/sudoers/sssd.c	Sun Apr 17 06:25:01 2016 -0600
@@ -1154,10 +1154,7 @@
 		    case all:
 		    case any:
 			if (doauth == false)
-			    def_authenticate = false;
-			break;
-		    case never:
-			def_authenticate = false;
+			    SET(ret, FLAG_NOPASSWD);
 			break;
 		    default:
 			break;
diff -r 2adcf1b17f83 plugins/sudoers/sudoers.c
--- a/plugins/sudoers/sudoers.c	Tue Mar 22 16:31:47 2016 -0600
+++ b/plugins/sudoers/sudoers.c	Sun Apr 17 06:25:01 2016 -0600
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1993-1996, 1998-2015 Todd C. Miller <Todd.Miller at courtesan.com>
+ * Copyright (c) 1993-1996, 1998-2016 Todd C. Miller <Todd.Miller at courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -261,6 +261,7 @@
     char *iolog_path = NULL;
     mode_t cmnd_umask = 0777;
     struct sudo_nss *nss;
+    bool nopass = false;
     int cmnd_status = -1, oldlocale, validated;
     int rval = -1;
     debug_decl(sudoers_policy_main, SUDOERS_DEBUG_PLUGIN)
@@ -343,6 +344,33 @@
     TAILQ_FOREACH(nss, snl, entries) {
 	validated = nss->lookup(nss, validated, pwflag);
 
+	/*
+	 * The NOPASSWD tag needs special handling among all sources
+	 * in -l or -v mode.
+	 */
+	if (pwflag) {
+	    enum def_tuple pwcheck =
+		(pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
+	    switch (pwcheck) {
+	    case all:
+		if (!ISSET(validated, FLAG_NOPASSWD))
+		    nopass = false;
+		break;
+	    case any:
+		if (ISSET(validated, FLAG_NOPASSWD))
+		    nopass = true;
+		break;
+	    case never:
+		nopass = true;
+		break;
+	    case always:
+		nopass = false;
+		break;
+	    default:
+		break;
+	    }
+	}
+
 	if (ISSET(validated, VALIDATE_ERROR)) {
 	    /* The lookup function should have printed an error. */
 	    goto done;
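Review bot: Under `case all:` nopass can never become true: it is declared `bool nopass = false;` in the hunk above and this arm only ever assigns false, so with the listpw/verifypw tuple at `all` the NOPASSWD tag would never suppress the prompt even when every source reports FLAG_NOPASSWD. A tri-state fixes it: declare `int nopass = -1;`, add `else if (nopass == -1) nopass = true;` after the existing `nopass = false;` in this arm so the first source decides and any later source lacking the flag overrides it, and tighten the post-loop check in the hunk below to `if (pwflag && nopass == true)` so an unresolved -1 does not disable authentication. Whether FLAG_NOPASSWD set by one source survives in `validated` into the next source's return depends on the lookup functions, which are outside this hunk; if it does, the `all` arm should test the flag on that source's result rather than the accumulated value. sudoers_policy_main continues outside the hunk.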
@@ -356,6 +384,8 @@
 		break;
 	}
     }
+    if (pwflag && nopass)
+	def_authenticate = false;
 
     /* Restore user's locale. */
     sudoers_setlocale(oldlocale, NULL);
diff -r 2adcf1b17f83 plugins/sudoers/sudoers.h
--- a/plugins/sudoers/sudoers.h	Tue Mar 22 16:31:47 2016 -0600
+++ b/plugins/sudoers/sudoers.h	Sun Apr 17 06:25:01 2016 -0600
@@ -123,6 +123,7 @@
 #define FLAG_NON_INTERACTIVE	0x100
 #define FLAG_BAD_PASSWORD	0x200
 #define FLAG_AUTH_ERROR		0x400
+#define FLAG_NOPASSWD		0x800
 
 /*
  * find_path()/set_cmnd() return values

