
Commit 28837b2

committed
check_user: restrict the special case for running as the invoking user
The intent is to allow the user to run a command or edit a file as themself without entering a password. It should not apply to listing a command via "sudo -l command".
1 parent 9c98d0f commit 28837b2


1 file changed

+2
-2
lines changed


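--- a/plugins/sudoers/check.c
+++ b/plugins/sudoers/check.c
@@ -136,8 +136,8 @@ check_user(struct sudoers_context *ctx, unsigned int validated,
 ret = AUTH_SUCCESS;
 goto done;
 }
-if (ctx->user.uid == 0 || (ctx->user.uid == ctx->runas.pw->pw_uid &&
-(ctx->runas.gr == NULL ||
+if (ctx->user.uid == 0 || (ISSET(mode, MODE_RUN|MODE_EDIT) &&
+ctx->user.uid == ctx->runas.pw->pw_uid && (ctx->runas.gr == NULL ||
 user_in_group(ctx->user.pw, ctx->runas.gr->gr_name)))) {
 if (ctx->runas.role == NULL && ctx->runas.type == NULL &&
 ctx->runas.apparmor_profile == NULL &&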
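Review bot: The new `ISSET(mode, MODE_RUN|MODE_EDIT)` guard in the self-runas condition has no comment saying why the password exemption is limited to those modes, and in a path that skips authentication that reason should sit next to the test. I would add above the `if`: `/* Skip the password only when running or editing as oneself; "sudo -l command" must still authenticate. */`. The guard sits inside the parenthesised second operand, so the `ctx->user.uid == 0` operand still skips authentication in every mode; that is presumably intended for root, but it is worth stating in the same comment so a later reader does not assume the mode check covers both cases. check_user begins and ends outside this hunk, so any existing comment above the condition and the declaration of `mode` are not visible here.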
