From 28837b2af1d98c08f0cb75dd075fc290435775a1 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Wed, 30 Apr 2025 11:07:37 -0600
Subject: [PATCH] check_user: restrict the special case for running as the invoking user

The intent is to allow the user to run a command or edit a file as themself without entering a password. It should not apply to listing a command via "sudo -l command".
---
 plugins/sudoers/check.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
index 60f4ba70e..476777bb3 100644
--- a/plugins/sudoers/check.c
+++ b/plugins/sudoers/check.c
@@ -136,8 +136,8 @@ check_user(struct sudoers_context *ctx, unsigned int validated,
 ret = AUTH_SUCCESS;
 goto done;
 }
- if (ctx->user.uid == 0 || (ctx->user.uid == ctx->runas.pw->pw_uid &&
- (ctx->runas.gr == NULL ||
+ if (ctx->user.uid == 0 || (ISSET(mode, MODE_RUN|MODE_EDIT) &&
+ ctx->user.uid == ctx->runas.pw->pw_uid && (ctx->runas.gr == NULL ||
 user_in_group(ctx->user.pw, ctx->runas.gr->gr_name)))) {
 if (ctx->runas.role == NULL && ctx->runas.type == NULL &&
 ctx->runas.apparmor_profile == NULL &&
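Review bot: The reason this authentication bypass exists, and why it is now limited to MODE_RUN and MODE_EDIT, lives only in the commit message; the new `if` in check_user is a four-clause condition spanning three lines and the next reader will not know that excluding "sudo -l command" from it is deliberate. A short comment above the `if` would carry that intent into the code, e.g. `/* Running or editing as oneself (same uid, and in the runas group if one was given) needs no password; this must not apply to listing (-l) or other modes. */`. Note that `ctx->user.uid == 0` still short-circuits the bypass for every mode, which is presumably intended but worth stating in the same comment. The enclosing check_user function begins and ends outside this hunk, and `mode` is not visible in the truncated signature, so I assume it is the following parameter.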