From 5a59ce159e0c17fb35474c9c516d97703b338027 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 7 Jul 2022 20:11:44 -0600
Subject: [PATCH] Fix a NOPASSWD issue with a non-existent command when fdexec=always
In command_matches_all(), if the command is fully-qualified and open_cmnd() return false, only treat it as an error if we are able to stat(2) the command. For "sudo ALL" a non-existent command is not an error.
Reference: https://github.com/sudo-project/sudo/commit/5a59ce159e0c17fb35474c9c516d97703b338027
Conflict: match_command.c
---
 plugins/sudoers/match_command.c | 4 +++++--
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/plugins/sudoers/match_command.c b/plugins/sudoers/match_command.c
index 6d8b3a6..e020e81 100644
--- a/plugins/sudoers/match_command.c
+++ b/plugins/sudoers/match_command.c
@@ -353,11 +353,15 @@ command_matches_all(const char *runchroot,
 if (user_cmnd[0] == '/') {
 /* Open the file for fdexec or for digest matching. */
- if (!open_cmnd(user_cmnd, runchroot, digests, &fd))
- goto bad;
+ bool open_error = !open_cmnd(user_cmnd, runchroot, digests, &fd);
 #ifndef SUDOERS_NAME_MATCH
- if (!do_stat(fd, user_cmnd, runchroot, intercepted, NULL))
- goto bad;
+ /* A non-existent file is not an error for "sudo ALL". */
+ if (do_stat(fd, user_cmnd, runchroot, intercepted, NULL)) {
+ if (open_error) {
+ /* File exists but we couldn't open it above? */
+ goto bad;
+ }
+ }
 #endif
 }
--
2.33.0
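Review bot: The new `bool open_error` is only read inside `#ifndef SUDOERS_NAME_MATCH`, so a SUDOERS_NAME_MATCH build gets an unused-variable warning and, more importantly, silently loses the `goto bad` that the removed lines took whenever open_cmnd() failed — in that configuration a command that exists but cannot be opened now matches ALL unconditionally. Since the commit's stated intent is to tolerate only a command that cannot be stat(2)'d, the name-match build should keep the old failure path, for example by moving the declaration under the `#ifndef` and adding an `#else` branch that restores `if (!open_cmnd(user_cmnd, runchroot, digests, &fd)) goto bad;`. The comment would also benefit from saying what `fd` holds after a failed open_cmnd() (presumably -1, which do_stat() would then handle by path), since do_stat() is now called with a possibly invalid descriptor and that cannot be confirmed from the hunk. command_matches_all() begins and ends outside the hunk.
```c
#ifndef SUDOERS_NAME_MATCH
	bool open_error = !open_cmnd(user_cmnd, runchroot, digests, &fd);
	/* … unchanged: do_stat() check, goto bad only when open_error … */
#else
	/* No stat(2) in this build, so an open failure stays fatal as before. */
	if (!open_cmnd(user_cmnd, runchroot, digests, &fd))
	    goto bad;
#endif
```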