From 32be23f693e5f9d1b112d4f3b9a597eaeb176ee6 Mon Sep 17 00:00:00 2001
From: Bdale Garbee <bdale@gag.com>
Date: Tue, 11 Jan 2011 10:18:15 -0700
Subject: [PATCH] patch from upstream to fix special case in password checking
 code when only the gid is changing, closes #609641

---
 check.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/check.c b/check.c
index afb6c22..badf3e4 100644
--- a/check.c
+++ b/check.c
@@ -119,7 +119,13 @@ check_user(validated, mode)
     if (ISSET(mode, MODE_INVALIDATE)) {
 	SET(validated, FLAG_CHECK_USER);
     } else {
-	if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt())
+	/*
+	 * Don't prompt for the root passwd or if the user is exempt.
+	 * If the user is not changing uid/gid, no need for a password.
+	 */
+	if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
+	    (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) ||
+	    user_is_exempt())
 	    return;
     }
 
-- 
2.30.2