From 547d02ddf34343a1d682744260bc32e3c3a2e924 Mon Sep 17 00:00:00 2001
From: Robert Manner
Date: Tue, 13 Jan 2026 14:29:04 +0100
Subject: [PATCH] plugins/sudoers/lookup.c: fix NOTBEFORE to be able to deny

If someone specifies both a NOTBEFORE and a NOTAFTER rule, the NOTAFTER rule always overrided the result of the NOTBEFORE. Let each of them be able to deny.
---
 plugins/sudoers/lookup.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/sudoers/lookup.c b/plugins/sudoers/lookup.c
index 031221fcec..9fda4bbe7d 100644
--- a/plugins/sudoers/lookup.c
+++ b/plugins/sudoers/lookup.c
@@ -126,7 +126,7 @@ sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct sudoers_context *ctx,
 if (cs->notbefore != UNSPEC) {
 date_match = now < cs->notbefore ? DENY : ALLOW;
 }
- if (cs->notafter != UNSPEC) {
+ if (date_match != DENY && cs->notafter != UNSPEC) {
 date_match = now > cs->notafter ? DENY : ALLOW;
 }
 /*
@@ -269,7 +269,7 @@ sudoers_lookup_check(struct sudo_nss *nss, struct sudoers_context *ctx,
 if (cs->notbefore != UNSPEC) {
 date_match = now < cs->notbefore ? DENY : ALLOW;
 }
- if (cs->notafter != UNSPEC) {
+ if (date_match != DENY && cs->notafter != UNSPEC) {
 date_match = now > cs->notafter ? DENY : ALLOW;
 }
 if (date_match != DENY) {
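Review bot: The corrected window test is still written out twice, in sudoers_lookup_pseudo and in sudoers_lookup_check, and in both places the new `date_match != DENY` guard reads whatever date_match held before the first `if`. The hunks do not show date_match being reset to UNSPEC for each Cmnd_Spec; if it is not, a DENY left over from an earlier entry would now keep a later entry that sets only NOTAFTER denied without its bound being evaluated. Computing the result in one small helper that starts from a local UNSPEC removes both the duplication and that dependence, and is behaviour-preserving if the reset already exists. Since the old code let a rule match before its NOTBEFORE whenever NOTAFTER was also set, a regression test with both bounds set and `now` earlier than NOTBEFORE would pin the fix. Both function bodies start and end outside the hunks.

```c
/*
 * Evaluate the NOTBEFORE/NOTAFTER window of one Cmnd_Spec.
 * Returns DENY if now falls outside either bound that is set,
 * ALLOW if at least one bound is set and none is violated,
 * UNSPEC if neither bound is set.
 */
static int
cmndspec_date_match(const struct cmndspec *cs, time_t now)
{
    int date_match = UNSPEC;

    if (cs->notbefore != UNSPEC)
        date_match = now < cs->notbefore ? DENY : ALLOW;
    if (date_match != DENY && cs->notafter != UNSPEC)
        date_match = now > cs->notafter ? DENY : ALLOW;
    return date_match;
}

/* … unchanged: surrounding Cmnd_Spec loop in sudoers_lookup_pseudo and sudoers_lookup_check … */
date_match = cmndspec_date_match(cs, now);
```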