sudoers error recovery can be configured via an "error_recovery" setting.

This setting is an argument to the sudoers plugin, similar to how
sudoers_file, sudoers_mode, sudoers_uid, etc. are implemented.
The default value is true.

doc/sudoers.man.in

@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "July 5, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "August 17, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -98,6 +98,25 @@ Plugin sudoers_policy sudoers.so sudoers_mode=0400
 .PP
 The following plugin arguments are supported:
 .TP 10n
+error_recovery=bool
+The
+\fIerror_recovery\fR
+argument can be used to control whether
+\fBsudoers\fR
+should attempt to recover from parse errors in the
+\fIsudoers\fR
+file.
+If set to
+\fItrue\fR
+(the default),
+\fBsudoers\fR
+will try to recover from a parse error by discarding the portion
+of the line that contains the error until the end of the line.
+A value of
+\fIfalse\fR
+will disable error recovery.
+Prior to version 1.9.3, no error recovery was performed.
+.TP 10n
 ldap_conf=pathname
 The
 \fIldap_conf\fR

doc/sudoers.mdoc.in

@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd July 5, 2020
+.Dd August 17, 2020
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -91,6 +91,24 @@ Plugin sudoers_policy sudoers.so sudoers_mode=0400
 .Pp
 The following plugin arguments are supported:
 .Bl -tag -width 8n
+.It error_recovery=bool
+The
+.Em error_recovery
+argument can be used to control whether
+.Nm
+should attempt to recover from parse errors in the
+.Em sudoers
+file.
+If set to
+.Em true
+(the default),
+.Nm
+will try to recover from a parse error by discarding the portion
+of the line that contains the error until the end of the line.
+A value of
+.Em false
+will disable error recovery.
+Prior to version 1.9.3, no error recovery was performed.
 .It ldap_conf=pathname
 The
 .Em ldap_conf

plugins/sudoers/file.c

@@ -109,7 +109,7 @@ sudo_file_parse(struct sudo_nss *nss)
 	    log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR,
 		N_("parse error in %s"), errorfile);
 	}
-	if (error) {
+	if (error || !sudoers_recovery) {
 	    /* unrecoverable error */
 	    debug_return_ptr(NULL);
 	}

plugins/sudoers/policy.c

@@ -49,6 +49,7 @@ struct sudoers_exec_args {
 
 static unsigned int sudo_version;
 static const char *interfaces_string;
+bool sudoers_recovery = true;
 sudo_conv_t sudo_conv;
 sudo_printf_t sudo_printf;
 const char *path_ldap_conf = _PATH_LDAP_CONF;
@@ -97,10 +98,14 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 #define MATCHES(s, v)	\
     (strncmp((s), (v), sizeof(v) - 1) == 0)
 
+#define INVALID(v) do {	\
+    sudo_warn(U_("invalid %.*s set by sudo front-end"), \
+	(int)(sizeof(v) - 2), (v)); \
+} while (0)
+
 #define CHECK(s, v) do {	\
     if ((s)[sizeof(v) - 1] == '\0') { \
-	sudo_warn(U_("invalid %.*s set by sudo front-end"), \
-	    (int)(sizeof(v) - 2), v); \
+	INVALID(v); \
 	goto bad; \
     } \
 } while (0)
@@ -108,6 +113,15 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
     /* Parse sudo.conf plugin args. */
     if (info->plugin_args != NULL) {
 	for (cur = info->plugin_args; *cur != NULL; cur++) {
+	    if (MATCHES(*cur, "error_recovery=")) {
+		int val = sudo_strtobool(*cur + sizeof("error_recovery=") - 1);
+		if (val == -1) {
+		    INVALID("error_recovery=");	/* Not a fatal error. */
+		} else {
+		    sudoers_recovery = val;
+		}
+		continue;
+	    }
 	    if (MATCHES(*cur, "sudoers_file=")) {
 		CHECK(*cur, "sudoers_file=");
 		sudoers_file = *cur + sizeof("sudoers_file=") - 1;
@@ -485,6 +499,8 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 	sudo_debug_printf(SUDO_DEBUG_INFO, "user_info: %s", *cur);
 
 #undef MATCHES
+#undef INVALID
+#undef CHECK
     debug_return_int(flags);
 
 oom:

plugins/sudoers/sudoers.h

@@ -298,6 +298,7 @@ extern char *errorfile;
 extern int errorlineno;
 extern bool parse_error;
 extern bool sudoers_warnings;
+extern bool sudoers_recovery;
 extern bool sudoers_strict;
 
 /* toke.l */