plugins/sudoers/lookup.c: fix NOTBEFORE to be able to deny

manner82 · manner82 · commit 85e3d50e5e75 · 2026-01-13T14:29:48.000+01:00
If someone specifies both a NOTBEFORE and a NOTAFTER rule, the NOTAFTER
rule always overrided the result of the NOTBEFORE. Let each of them be
able to deny.
diff --git a/plugins/sudoers/lookup.c b/plugins/sudoers/lookup.c
@@ -269,7 +269,7 @@ sudoers_lookup_check(struct sudo_nss *nss, struct sudoers_context *ctx,
 		if (cs->notbefore != UNSPEC) {
 		    date_match = now < cs->notbefore ? DENY : ALLOW;
 		}
-		if (cs->notafter != UNSPEC) {
+                if (date_match != DENY && cs->notafter != UNSPEC) {
 		    date_match = now > cs->notafter ? DENY : ALLOW;
 		}
 		if (date_match != DENY) {

Original file line number	Diff line number	Diff line change
`@@ -269,7 +269,7 @@ sudoers_lookup_check(struct sudo_nss nss, struct sudoers_context ctx,`
`269`	`269`	`if (cs->notbefore != UNSPEC) {`
`270`	`270`	`date_match = now < cs->notbefore ? DENY : ALLOW;`
`271`	`271`	`}`
`272`		`- if (cs->notafter != UNSPEC) {`
	`272`	`+ if (date_match != DENY && cs->notafter != UNSPEC) {`
`273`	`273`	`date_match = now > cs->notafter ? DENY : ALLOW;`
`274`	`274`	`}`
`275`	`275`	`if (date_match != DENY) {`