Bug 901

Summary: sudo -v does not honor NOPASSWD anymore
Product: Sudo Reporter: spidermario
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal CC: oleksandr
Priority: low    
Version: 1.8.28   
Hardware: PC   
OS: Linux   
Attachments: Fix for bug #901

Description spidermario 2019-10-15 02:03:02 MDT 
Hi,

I just upgraded from sudo 1.8.27 to 1.8.28.

If the sudoers file contains this line:

  %root ALL=(ALL) NOPASSWD: ALL

With 1.8.27, it had the result of skipping the password prompt for “sudo -v”. With 1.8.28, it doesn’t anymore (“sudo -v” asks for the password).

Is the change intended?

Thanks.
Comment 1 Oleksandr Natalenko 2019-10-15 04:16:17 MDT 
Confirming this behaviour on Arch Linux after 1.8.28 upgrade.

As a possible temporary workaround, setting "Defaults verifypw=any" option brings back things to normal.

I have the same question though whether the change was intended. The man page says:

===
       By default, if the NOPASSWD tag is applied to any of a user's entries for the current host, the user will be able to run “sudo -l”
       without a password.  Additionally, a user may only run “sudo -v” without a password if all of the user's entries for the current host
       have the NOPASSWD tag.  This behavior may be overridden via the verifypw and listpw options.
===

Since there's only one user entry in my configuration, I'd say it contradicts to what the man page says, and thus the behaviour change is erroneous.
Comment 2 Todd C. Miller 2019-10-15 07:20:39 MDT 
This is fallout from the fix to Bug #869.
Comment 3 Todd C. Miller 2019-10-15 07:22:38 MDT 
Created attachment 529 [details]
Fix for bug #901
Comment 4 Todd C. Miller 2019-10-15 07:36:41 MDT 
Now committed as https://www.sudo.ws/repos/sudo/rev/aac35bcd8584
Comment 5 Todd C. Miller 2019-10-16 08:30:25 MDT 
Fixed in 1.8.28p1, out now.