When listing another user, only apply NOPASSWD for "ALL" or "list"

millert · millert · commit e2a2982153a3 · 2025-08-29T18:22:50.000-06:00
For "sudo -U otheruser -l", we only want to apply the NOPASSWD tag
if the matching command in sudoers is "ALL" or "list".  Those are
the only commands in sudoers that permit the use of the -U option.
Thanks to Marc Schoolderman of the sudo-rs project for reporting this.
diff --git a/plugins/sudoers/lookup.c b/plugins/sudoers/lookup.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2004-2005, 2007-2024 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2004-2005, 2007-2025 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -128,14 +128,6 @@ sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct sudoers_context *ctx,
 		    int date_match = UNSPEC;
 		    int runas_match = UNSPEC;
 
-		    if (pwcheck == any) {
-			if (cs->tags.nopasswd == true || priv_nopass == true)
-			    nopass = true;
-		    } else if (pwcheck == all) {
-			if (cs->tags.nopasswd != true && priv_nopass != true)
-			    nopass = false;
-		    }
-
 		    if (cs->notbefore != UNSPEC) {
 			date_match = now < cs->notbefore ? DENY : ALLOW;
 		    }
@@ -184,6 +176,22 @@ sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct sudoers_context *ctx,
 			    break;
 			}
 		    }
+
+		    /*
+		     * Apply the NOPASSWD tag if the entry matched.
+		     * This is relevant for "sudo -U otheruser -l".
+		     */
+		    if (cmnd_match == ALLOW && runas_match == ALLOW &&
+			    date_match != DENY) {
+			if (pwcheck == any) {
+			    if (cs->tags.nopasswd == true || priv_nopass == true)
+				nopass = true;
+			} else if (pwcheck == all) {
+			    if (cs->tags.nopasswd != true && priv_nopass != true)
+				nopass = false;
+			}
+		    }
+
 		    if (callback != NULL) {
 			callback(nss->parse_tree, us, user_match, priv,
 			    host_match, cs, date_match, runas_match,
diff --git a/plugins/sudoers/regress/testsudoers/test31.out.ok b/plugins/sudoers/regress/testsudoers/test31.out.ok
@@ -74,6 +74,44 @@ ALL = NOPASSWD: list, !list
 
 Command denied
 
+'sudo -U root -l' with a matching ALL=ALL rule and non-matching NOPASSWD
+Parses OK
+
+Entries for user admin:
+
+ALL = PASSWD: ALL
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+ALL = NOPASSWD: /bin/ls
+	host  allowed
+	runas allowed
+	cmnd  unmatched
+
+Password required
+
+Command allowed
+
+'sudo -U root -l' with a matching list rule and non-matching NOPASSWD
+Parses OK
+
+Entries for user admin:
+
+ALL = PASSWD: list
+	host  allowed
+	runas allowed
+	cmnd  allowed
+
+ALL = NOPASSWD: /bin/ls
+	host  allowed
+	runas allowed
+	cmnd  unmatched
+
+Password required
+
+Command allowed
+
 'sudo -l command' with a matching command
 Parses OK
 
diff --git a/plugins/sudoers/regress/testsudoers/test31.sh b/plugins/sudoers/regress/testsudoers/test31.sh
@@ -44,6 +44,20 @@ $TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin <<'EOF'
 admin ALL = NOPASSWD: list, !list
 EOF
 
+echo ""
+echo "'sudo -U root -l' with a matching ALL=ALL rule and non-matching NOPASSWD"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin <<'EOF'
+admin ALL = PASSWD: ALL
+admin ALL = NOPASSWD: /bin/ls
+EOF
+
+echo ""
+echo "'sudo -U root -l' with a matching list rule and non-matching NOPASSWD"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin <<'EOF'
+admin ALL = PASSWD: list
+admin ALL = NOPASSWD: /bin/ls
+EOF
+
 echo ""
 echo "'sudo -l command' with a matching command"
 $TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin /bin/ls <<'EOF'
