From c82ff02bc3080d3b7edc3653ffaa8df9c5504d46 Mon Sep 17 00:00:00 2001
From: Max Bowsher
Date: Wed, 28 Dec 2022 12:48:57 +0000
Subject: [PATCH 1/2] Fix HelpOperation on sudo-protected paths
Fixes #18566
---
 vault/acl.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/vault/acl.go b/vault/acl.go
index 7aeb102bdab8..3a3f99a4c6ae 100644
--- a/vault/acl.go
+++ b/vault/acl.go
@@ -719,7 +719,9 @@ func (c *Core) performPolicyChecks(ctx context.Context, acl *ACL, te *logical.To
 if !ret.ACLResults.Allowed {
 return ret
 }
- if !ret.RootPrivs && opts.RootPrivsRequired {
+ // Since HelpOperation was fast-pathed inside AllowOperation, RootPrivs will not have been populated in this
+ // case, so we need to special-case that here as well, or we'll block HelpOperation on all sudo-protected paths.
+ if !ret.RootPrivs && opts.RootPrivsRequired && req.Operation != logical.HelpOperation {
 return ret
 }
 }
From 0040b08bbf754740cb521f1be88aad9a66751d64 Mon Sep 17 00:00:00 2001
From: Max Bowsher
Date: Thu, 29 Dec 2022 10:21:01 +0000
Subject: [PATCH 2/2] Add changelog
---
 changelog/18568.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/18568.txt
diff --git a/changelog/18568.txt b/changelog/18568.txt
new file mode 100644
index 000000000000..a1fbabf2545a
--- /dev/null
+++ b/changelog/18568.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Fix spurious `permission denied` for all HelpOperations on sudo-protected paths
+```
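Review bot: The new condition exempts HelpOperation from the sudo check by comparing `req.Operation` here, while the reason it is needed — the fast path inside AllowOperation that, per the new comment, leaves `RootPrivs` unset — lives in another function, so if that fast path is ever tightened this line will silently keep waiving the sudo requirement for help requests on sudo-protected paths. Having the fast path in AllowOperation populate `ret.RootPrivs` (or a dedicated "help fast-pathed" flag) and keeping this check uniform would tie the two together; at minimum the fast path should carry a comment pointing at this exemption, e.g. `// performPolicyChecks relies on this: it skips the RootPrivsRequired check for HelpOperation.` The diffstat shows only acl.go changed, so nothing pins the behaviour; a test that issues a HelpOperation against a sudo-protected path with a non-sudo token and expects success, alongside a non-help operation on the same path that is still denied, would guard both directions. performPolicyChecks starts and ends outside the hunk, and I cannot see whether `ret.RootPrivs` is consulted again later in the function, so confirm nothing downstream assumes it has been populated for help requests.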