plugins/sudoers/lookup.c: fix NOTBEFORE to be able to deny

manner82 · millert · commit 140331b5689f · 2026-01-13T08:40:41.000-07:00
If someone specifies both a NOTBEFORE and a NOTAFTER rule, the NOTAFTER
rule always overrided the result of the NOTBEFORE. Let each of them be
able to deny.
diff --git a/plugins/sudoers/lookup.c b/plugins/sudoers/lookup.c
@@ -126,7 +126,7 @@ sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct sudoers_context *ctx,
 		    if (cs->notbefore != UNSPEC) {
 			date_match = now < cs->notbefore ? DENY : ALLOW;
 		    }
-		    if (cs->notafter != UNSPEC) {
+		    if (date_match != DENY && cs->notafter != UNSPEC) {
 			date_match = now > cs->notafter ? DENY : ALLOW;
 		    }
 		    /*
@@ -269,7 +269,7 @@ sudoers_lookup_check(struct sudo_nss *nss, struct sudoers_context *ctx,
 		if (cs->notbefore != UNSPEC) {
 		    date_match = now < cs->notbefore ? DENY : ALLOW;
 		}
-		if (cs->notafter != UNSPEC) {
+		if (date_match != DENY && cs->notafter != UNSPEC) {
 		    date_match = now > cs->notafter ? DENY : ALLOW;
 		}
 		if (date_match != DENY) {

Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@ sudoers_lookup_pseudo(struct sudo_nss_list snl, struct sudoers_context ctx,`
`126`	`126`	`if (cs->notbefore != UNSPEC) {`
`127`	`127`	`date_match = now < cs->notbefore ? DENY : ALLOW;`
`128`	`128`	`}`
`129`		`- if (cs->notafter != UNSPEC) {`
	`129`	`+ if (date_match != DENY && cs->notafter != UNSPEC) {`
`130`	`130`	`date_match = now > cs->notafter ? DENY : ALLOW;`
`131`	`131`	`}`
`132`	`132`	`/*`
`@@ -269,7 +269,7 @@ sudoers_lookup_check(struct sudo_nss nss, struct sudoers_context ctx,`
`269`	`269`	`if (cs->notbefore != UNSPEC) {`
`270`	`270`	`date_match = now < cs->notbefore ? DENY : ALLOW;`
`271`	`271`	`}`
`272`		`- if (cs->notafter != UNSPEC) {`
	`272`	`+ if (date_match != DENY && cs->notafter != UNSPEC) {`
`273`	`273`	`date_match = now > cs->notafter ? DENY : ALLOW;`
`274`	`274`	`}`
`275`	`275`	`if (date_match != DENY) {`