sudo_auth_init: Fix setting FLAG_ONEANDONLY if only one auth method enabled

millert · millert · commit cc3d47b3b62b · 2026-03-29T14:11:21.000-06:00
The inner for loop did not skip over the first enabled auth method, so FLAG_ONEANDONLY was never set. Fix this by eliminating the inner loop entirely and just clear the variable if we find a second enabled auth method. Reported by Aaron Esau. Fixes GitHub issue #527.
diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c
@@ -1,7 +1,8 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 1999-2005, 2008-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 1999-2005, 2008-2020, 2022-2026
+ *	Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -94,7 +95,7 @@ int
 sudo_auth_init(const struct sudoers_context *ctx, struct passwd *pw,
     unsigned int mode)
 {
-    sudo_auth *auth;
+    sudo_auth *auth, *highlander = NULL;
     debug_decl(sudo_auth_init, SUDOERS_DEBUG_AUTH);
 
     if (auth_switch[0].name == NULL)
@@ -147,20 +148,18 @@ sudo_auth_init(const struct sudoers_context *ctx, struct passwd *pw,
     }
 
     /* Set FLAG_ONEANDONLY if there is only one auth method. */
-    for (auth = auth_switch; auth->name; auth++) {
-	/* Find first enabled auth method. */
+    for (auth = auth_switch; auth->name != NULL; auth++) {
 	if (!IS_DISABLED(auth)) {
-	    sudo_auth *first = auth;
-	    /* Check for others. */
-	    for (; auth->name; auth++) {
-		if (!IS_DISABLED(auth))
-		    break;
+	    /* There can be only one... */
+	    if (highlander != NULL) {
+		highlander = NULL;
+		break;
 	    }
-	    if (auth->name == NULL)
-		SET(first->flags, FLAG_ONEANDONLY);
-	    break;
+	    highlander = auth;
 	}
     }
+    if (highlander != NULL)
+	SET(highlander->flags, FLAG_ONEANDONLY);
 
     debug_return_int(AUTH_SUCCESS);
 }

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,8 @@`
`1`	`1`	`/*`
`2`	`2`	`* SPDX-License-Identifier: ISC`
`3`	`3`	`*`
`4`		`- * Copyright (c) 1999-2005, 2008-2020 Todd C. Miller <[email protected]>`
	`4`	`+ * Copyright (c) 1999-2005, 2008-2020, 2022-2026`
	`5`	`+ * Todd C. Miller <[email protected]>`
`5`	`6`	`*`
`6`	`7`	`* Permission to use, copy, modify, and distribute this software for any`
`7`	`8`	`* purpose with or without fee is hereby granted, provided that the above`
`@@ -94,7 +95,7 @@ int`
`94`	`95`	`sudo_auth_init(const struct sudoers_context ctx, struct passwd pw,`
`95`	`96`	`unsigned int mode)`
`96`	`97`	`{`
`97`		`- sudo_auth *auth;`
	`98`	`+ sudo_auth auth, highlander = NULL;`
`98`	`99`	`debug_decl(sudo_auth_init, SUDOERS_DEBUG_AUTH);`
`99`	`100`
`100`	`101`	`if (auth_switch[0].name == NULL)`
`@@ -147,20 +148,18 @@ sudo_auth_init(const struct sudoers_context ctx, struct passwd pw,`
`147`	`148`	`}`
`148`	`149`
`149`	`150`	`/* Set FLAG_ONEANDONLY if there is only one auth method. */`
`150`		`- for (auth = auth_switch; auth->name; auth++) {`
`151`		`- /* Find first enabled auth method. */`
	`151`	`+ for (auth = auth_switch; auth->name != NULL; auth++) {`
`152`	`152`	`if (!IS_DISABLED(auth)) {`
`153`		`- sudo_auth *first = auth;`
`154`		`- /* Check for others. */`
`155`		`- for (; auth->name; auth++) {`
`156`		`- if (!IS_DISABLED(auth))`
`157`		`- break;`
	`153`	`+ /* There can be only one... */`
	`154`	`+ if (highlander != NULL) {`
	`155`	`+ highlander = NULL;`
	`156`	`+ break;`
`158`	`157`	`}`
`159`		`- if (auth->name == NULL)`
`160`		`- SET(first->flags, FLAG_ONEANDONLY);`
`161`		`- break;`
	`158`	`+ highlander = auth;`
`162`	`159`	`}`
`163`	`160`	`}`
	`161`	`+ if (highlander != NULL)`
	`162`	`+ SET(highlander->flags, FLAG_ONEANDONLY);`
`164`	`163`
`165`	`164`	`debug_return_int(AUTH_SUCCESS);`
`166`	`165`	`}`