Add "intercept" Defaults setting to allow interception of sub-commands.

This causes "intercept" to be set to true in command_info[] which
the sudo front-end will use to determine whether or not to intercept
attempts to run further commands, such as from a shell.  Also add
"log_children" which will use the same mechanism but only log (audit)
further commands.

doc/sudoers.man.in

@@ -1190,8 +1190,9 @@ Chroot_Spec ::= 'CHROOT=directory'
 
 Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
               'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
-              'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
-              'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')
+              'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'INTERCEPT:' |
+              'NOINTERCEPT:' | 'PASSWD:' | 'NOPASSWD:' | 'SETENV:' |
+              'NOSETENV:')
 .RE
 .fi
 .PP
@@ -1607,6 +1608,8 @@ The following tag values are supported:
 \fRNOLOG_OUTPUT\fR,
 \fRMAIL\fR,
 \fRNOMAIL\fR,
+\fRINTERCEPT\fR,
+\fRNOINTERCEPT\fR,
 \fRPASSWD\fR,
 \fRNOPASSWD\fR,
 \fRSETENV\fR,
@@ -1767,7 +1770,9 @@ and
 \fI/usr/bin/lprm\fR
 as
 \fBroot\fR
-on the machine rushmore without authenticating himself.
+on the machine
+\(lqrushmore\(rq
+without authenticating himself.
 If we only want
 \fBray\fR
 to be able to
@@ -1832,6 +1837,42 @@ the
 tag is implied for that command; this default may be overridden by use of the
 \fRNOSETENV\fR
 tag.
+.TP 2n
+\fIINTERCEPT\fR and \fINOINTERCEPT\fR
+.sp
+If
+\fBsudo\fR
+has been compiled with
+\fIintercept\fR
+support and the underlying operating system supports it, the
+\fRINTERCEPT\fR
+tag can be used to cause programs spawned by a command to be checked against
+\fIsudoers\fR
+and logged just like they would be if run through
+\fBsudo\fR
+directly.
+This is useful in conjunction with commands that allow shell escapes
+such as editors, shells and paginators.
+.sp
+In the following example, user
+\fBchuck\fR
+may run any command on the machine
+\(lqresearch\(rq
+in intercept mode.
+.nf
+.sp
+.RS 2n
+chuck	research = INTERCEPT: ALL
+.RE
+.fi
+.RS 2n
+.sp
+See the
+\fIPreventing shell escapes\fR
+section below for more details on how
+\fRINTERCEPT\fR
+works and whether or not it will work on your system.
+.RE
 .SS "Wildcards"
 \fBsudo\fR
 allows shell-style
@@ -2717,6 +2758,29 @@ by default.
 .sp
 This setting is only supported by version 1.8.29 or higher.
 .TP 18n
+log_children
+If set,
+\fBsudoers\fR
+will log when a command runs a child process.
+For example, if a shell is run by
+\fBsudo\fR,
+the individual commands run via the shell will be logged.
+This flag is
+\fIoff\fR
+by default.
+.sp
+The
+\fIlog_children\fR
+flag uses the same underlying mechanism as the
+\fIintercept\fR
+and
+\fInoexec\fR
+settings.
+See
+\fIPreventing shell escapes\fR
+for more information on what systems support this option and its limitations.
+This setting is only supported by version 1.9.8 or higher.
+.TP 18n
 log_denied
 If set,
 \fBsudoers\fR
@@ -2970,6 +3034,24 @@ by default.
 .sp
 This setting is only supported by version 1.8.18 or higher.
 .TP 18n
+intercept
+If set, all commands run via
+\fBsudo\fR
+will behave as if the
+\fRINTERCEPT\fR
+tag has been set, unless overridden by an
+\fRNOINTERCEPT\fR
+tag.
+See the description of
+\fIINTERCEPT and NOINTERCEPT\fR
+above as well as the
+\fIPreventing shell escapes\fR
+section at the end of this manual.
+This flag is
+\fIoff\fR
+.sp
+This setting is only supported by version 1.9.8 or higher.
+.TP 18n
 netgroup_tuple
 If set, netgroup lookups will be performed using the full netgroup
 tuple: host name, user name and domain (if one is set).
@@ -6145,7 +6227,7 @@ access control and logging.
 Common programs that permit shell escapes include shells (obviously),
 editors, paginators, mail and terminal programs.
 .PP
-There are two basic approaches to this problem:
+There are three basic approaches to this problem:
 .TP 10n
 restrict
 Avoid giving users access to commands that allow the user to run
@@ -6160,7 +6242,8 @@ Due to the large number of programs that
 offer shell escapes, restricting users to the set of programs that
 do not is often unworkable.
 .TP 10n
-noexec
+intercept
+.br
 Many systems that support shared libraries have the ability to
 override default library functions by pointing an environment
 variable (usually
@@ -6168,19 +6251,24 @@ variable (usually
 to an alternate shared library.
 On such systems,
 \fBsudo\fR's
-\fInoexec\fR
-functionality can be used to prevent a program run by
-\fBsudo\fR
-from executing any other programs.
+\fIintercept\fR
+functionality can be used to transparently intercept an attempt to
+run a new command, allow or deny it based on
+\fIsudoers\fR,
+and log the result.
+For example, this can be used to restrict the commands run from
+within a shell.
 Note, however, that this applies only to dynamically-linked
 executables.
 Statically-linked executables and executables
 running under binary emulation are not affected.
+Also, many shells support built-in commands that cannot be intercepted by
+\fBsudo\fR.
 .sp
 The
-\fInoexec\fR
-feature is known to work on SunOS, Solaris, *BSD,
-Linux, IRIX, Tru64 UNIX, macOS, HP-UX 11.x and AIX 5.3 and above.
+\fIintercept\fR
+feature is known to work on Solaris, *BSD, Linux, macOS, HP-UX 11.x
+and AIX 5.3 and above.
 It should be supported on most operating systems that support the
 \fRLD_PRELOAD\fR
 environment variable.
@@ -6189,6 +6277,46 @@ Check your operating system's manual pages for the dynamic linker
 \fRLD_PRELOAD\fR
 is supported.
 .sp
+To enable intercept mode on a per-command basis, use the
+\fRINTERCEPT\fR
+tag as documented in the User Specification section above.
+Here is that example again:
+.nf
+.sp
+.RS 10n
+chuck	research = INTERCEPT: ALL
+.RE
+.fi
+.RS 10n
+.sp
+This allows user
+\fBchuck\fR
+to run any command on the machine
+\(lqresearch\(rq
+in intercept mode.
+Any commands run via shell escapes will be validated and logged by
+\fBsudo\fR.
+If you are unsure whether or not your system is capable of supporting
+\fIintercept\fR,
+you can always just try it out and check whether or not external
+commands run via a shell are logged when
+\fIintercept\fR
+is enabled.
+.RE
+.TP 10n
+noexec
+\fBsudo\fR's
+\fInoexec\fR
+functionality can be used to prevent a program run by
+\fBsudo\fR
+from executing any other programs.
+On most systems, it uses the same mechanism as
+\fIintercept\fR
+(see above) and thus the same caveats apply.
+On Linux, a
+\fBseccomp\fR()
+filter is used to implement
+\fInoexec\fR.
 On Solaris 10 and higher,
 \fInoexec\fR
 uses Solaris privileges instead of the
@@ -6199,8 +6327,7 @@ To enable
 \fInoexec\fR
 for a command, use the
 \fRNOEXEC\fR
-tag as documented
-in the User Specification section above.
+tag as documented in the User Specification section above.
 Here is that example again:
 .nf
 .sp

doc/sudoers.mdoc.in

@@ -1143,8 +1143,9 @@ Chroot_Spec ::= 'CHROOT=directory'
 
 Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
               'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
-              'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
-              'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')
+              'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'INTERCEPT:' |
+              'NOINTERCEPT:' | 'PASSWD:' | 'NOPASSWD:' | 'SETENV:' |
+              'NOSETENV:')
 .Ed
 .Pp
 A
@@ -1527,6 +1528,8 @@ The following tag values are supported:
 .Li NOLOG_OUTPUT ,
 .Li MAIL ,
 .Li NOMAIL ,
+.Li INTERCEPT ,
+.Li NOINTERCEPT ,
 .Li PASSWD ,
 .Li NOPASSWD ,
 .Li SETENV ,
@@ -1673,7 +1676,9 @@ and
 .Pa /usr/bin/lprm
 as
 .Sy root
-on the machine rushmore without authenticating himself.
+on the machine
+.Dq rushmore
+without authenticating himself.
 If we only want
 .Sy ray
 to be able to
@@ -1733,6 +1738,36 @@ the
 tag is implied for that command; this default may be overridden by use of the
 .Li NOSETENV
 tag.
+.It Em INTERCEPT No and Em NOINTERCEPT
+.sp
+If
+.Nm sudo
+has been compiled with
+.Em intercept
+support and the underlying operating system supports it, the
+.Li INTERCEPT
+tag can be used to cause programs spawned by a command to be checked against
+.Em sudoers
+and logged just like they would be if run through
+.Nm sudo
+directly.
+This is useful in conjunction with commands that allow shell escapes
+such as editors, shells and paginators.
+.Pp
+In the following example, user
+.Sy chuck
+may run any command on the machine
+.Dq research
+in intercept mode.
+.Bd -literal
+chuck	research = INTERCEPT: ALL
+.Ed
+.Pp
+See the
+.Sx Preventing shell escapes
+section below for more details on how
+.Li INTERCEPT
+works and whether or not it will work on your system.
 .El
 .Ss Wildcards
 .Nm sudo
@@ -2563,6 +2598,28 @@ This flag is
 by default.
 .Pp
 This setting is only supported by version 1.8.29 or higher.
+.It log_children
+If set,
+.Nm
+will log when a command runs a child process.
+For example, if a shell is run by
+.Nm sudo ,
+the individual commands run via the shell will be logged.
+This flag is
+.Em off
+by default.
+.Pp
+The
+.Em log_children
+flag uses the same underlying mechanism as the
+.Em intercept
+and
+.Em noexec
+settings.
+See
+.Sx Preventing shell escapes
+for more information on what systems support this option and its limitations.
+This setting is only supported by version 1.9.8 or higher.
 .It log_denied
 If set,
 .Nm
@@ -2799,6 +2856,23 @@ This flag is
 by default.
 .Pp
 This setting is only supported by version 1.8.18 or higher.
+.It intercept
+If set, all commands run via
+.Nm sudo
+will behave as if the
+.Li INTERCEPT
+tag has been set, unless overridden by an
+.Li NOINTERCEPT
+tag.
+See the description of
+.Em INTERCEPT and NOINTERCEPT
+above as well as the
+.Sx Preventing shell escapes
+section at the end of this manual.
+This flag is
+.Em off
+.Pp
+This setting is only supported by version 1.9.8 or higher.
 .It netgroup_tuple
 If set, netgroup lookups will be performed using the full netgroup
 tuple: host name, user name and domain (if one is set).
@@ -5678,7 +5752,7 @@ access control and logging.
 Common programs that permit shell escapes include shells (obviously),
 editors, paginators, mail and terminal programs.
 .Pp
-There are two basic approaches to this problem:
+There are three basic approaches to this problem:
 .Bl -tag -width 8n
 .It restrict
 Avoid giving users access to commands that allow the user to run
@@ -5692,7 +5766,7 @@ running editors via
 Due to the large number of programs that
 offer shell escapes, restricting users to the set of programs that
 do not is often unworkable.
-.It noexec
+.It intercept
 Many systems that support shared libraries have the ability to
 override default library functions by pointing an environment
 variable (usually
@@ -5700,19 +5774,24 @@ variable (usually
 to an alternate shared library.
 On such systems,
 .Nm sudo Ns 's
-.Em noexec
-functionality can be used to prevent a program run by
-.Nm sudo
-from executing any other programs.
+.Em intercept
+functionality can be used to transparently intercept an attempt to
+run a new command, allow or deny it based on
+.Em sudoers ,
+and log the result.
+For example, this can be used to restrict the commands run from
+within a shell.
 Note, however, that this applies only to dynamically-linked
 executables.
 Statically-linked executables and executables
 running under binary emulation are not affected.
+Also, many shells support built-in commands that cannot be intercepted by
+.Nm sudo .
 .Pp
 The
-.Em noexec
-feature is known to work on SunOS, Solaris, *BSD,
-Linux, IRIX, Tru64 UNIX, macOS, HP-UX 11.x and AIX 5.3 and above.
+.Em intercept
+feature is known to work on Solaris, *BSD, Linux, macOS, HP-UX 11.x
+and AIX 5.3 and above.
 It should be supported on most operating systems that support the
 .Ev LD_PRELOAD
 environment variable.
@@ -5721,6 +5800,40 @@ Check your operating system's manual pages for the dynamic linker
 .Ev LD_PRELOAD
 is supported.
 .Pp
+To enable intercept mode on a per-command basis, use the
+.Li INTERCEPT
+tag as documented in the User Specification section above.
+Here is that example again:
+.Bd -literal
+chuck	research = INTERCEPT: ALL
+.Ed
+.Pp
+This allows user
+.Sy chuck
+to run any command on the machine
+.Dq research
+in intercept mode.
+Any commands run via shell escapes will be validated and logged by
+.Nm sudo .
+If you are unsure whether or not your system is capable of supporting
+.Em intercept ,
+you can always just try it out and check whether or not external
+commands run via a shell are logged when
+.Em intercept
+is enabled.
+.It noexec
+.Nm sudo Ns 's
+.Em noexec
+functionality can be used to prevent a program run by
+.Nm sudo
+from executing any other programs.
+On most systems, it uses the same mechanism as
+.Em intercept
+(see above) and thus the same caveats apply.
+On Linux, a
+.Fn seccomp
+filter is used to implement
+.Em noexec .
 On Solaris 10 and higher,
 .Em noexec
 uses Solaris privileges instead of the
@@ -5731,8 +5844,7 @@ To enable
 .Em noexec
 for a command, use the
 .Li NOEXEC
-tag as documented
-in the User Specification section above.
+tag as documented in the User Specification section above.
 Here is that example again:
 .Bd -literal
 aaron	shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

plugins/sudoers/cvtsudoers_json.c

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2013-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2013-2021 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -682,6 +682,11 @@ print_cmndspec_json(struct json_container *jsonc,
 	    value.u.boolean = tag.noexec;
 	    sudo_json_add_value_as_object(jsonc, "noexec", &value);
 	}
+	if (tag.intercept != UNSPEC) {
+	    value.type = JSON_BOOL;
+	    value.u.boolean = tag.intercept;
+	    sudo_json_add_value_as_object(jsonc, "intercept", &value);
+	}
 	if (tag.send_mail != UNSPEC) {
 	    value.type = JSON_BOOL;
 	    value.u.boolean = tag.send_mail;

plugins/sudoers/cvtsudoers_ldif.c

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2018 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2018-2021 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -386,6 +386,10 @@ print_cmndspec_ldif(FILE *fp, struct sudoers_parse_tree *parse_tree,
 	    print_attribute_ldif(fp, "sudoOption",
 		tag.noexec ? "noexec" : "!noexec");
 	}
+	if (tag.intercept != UNSPEC) {
+	    print_attribute_ldif(fp, "sudoOption",
+		tag.intercept ? "intercept" : "!intercept");
+	}
 	if (tag.send_mail != UNSPEC) {
 	    if (tag.send_mail) {
 		print_attribute_ldif(fp, "sudoOption", "mail_all_cmnds");

plugins/sudoers/def_data.c

@@ -577,6 +577,14 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"admin_flag", T_STR|T_BOOL|T_CHPATH,
 	N_("Path to the file that is created the first time sudo is run: %s"),
 	NULL,
+    }, {
+	"intercept", T_FLAG,
+	N_("Intercept further commands and apply sudoers restrictions to them"),
+	NULL,
+    }, {
+	"log_children", T_FLAG,
+	N_("Log any child processes run by the command"),
+	NULL,
     }, {
 	"log_exit_status", T_FLAG,
 	N_("Log the exit status of commands"),

plugins/sudoers/def_data.h

@@ -266,7 +266,11 @@
 #define def_selinux             (sudo_defs_table[I_SELINUX].sd_un.flag)
 #define I_ADMIN_FLAG            132
 #define def_admin_flag          (sudo_defs_table[I_ADMIN_FLAG].sd_un.str)
-#define I_LOG_EXIT_STATUS       133
+#define I_INTERCEPT             133
+#define def_intercept           (sudo_defs_table[I_INTERCEPT].sd_un.flag)
+#define I_LOG_CHILDREN          134
+#define def_log_children        (sudo_defs_table[I_LOG_CHILDREN].sd_un.flag)
+#define I_LOG_EXIT_STATUS       135
 #define def_log_exit_status     (sudo_defs_table[I_LOG_EXIT_STATUS].sd_un.flag)
 
 enum def_tuple {

plugins/sudoers/def_data.in

@@ -415,6 +415,12 @@ selinux
 admin_flag
 	T_STR|T_BOOL|T_CHPATH
 	"Path to the file that is created the first time sudo is run: %s"
+intercept
+	T_FLAG
+	"Intercept further commands and apply sudoers restrictions to them"
+log_children
+	T_FLAG
+	"Log any child processes run by the command"
 log_exit_status
 	T_FLAG
 	"Log the exit status of commands"

plugins/sudoers/fmtsudoers.c

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2004-2005, 2007-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2004-2005, 2007-2021 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -152,6 +152,8 @@ sudoers_defaults_to_tags(const char *var, const char *val, int op,
 	    tags->log_output = op == true;
 	} else if (strcmp(var, "noexec") == 0) {
 	    tags->noexec = op == true;
+	} else if (strcmp(var, "intercept") == 0) {
+	    tags->intercept = op == true;
 	} else if (strcmp(var, "setenv") == 0) {
 	    tags->setenv = op == true;
 	} else if (strcmp(var, "mail_all_cmnds") == 0 ||
@@ -251,6 +253,8 @@ sudoers_format_cmndspec(struct sudo_lbuf *lbuf,
     }
     if (TAG_CHANGED(prev_cs, cs, tags, setenv))
 	sudo_lbuf_append(lbuf, tags.setenv ? "SETENV: " : "NOSETENV: ");
+    if (TAG_CHANGED(prev_cs, cs, tags, intercept))
+	sudo_lbuf_append(lbuf, tags.intercept ? "INTERCEPT: " : "NOINTERCEPT: ");
     if (TAG_CHANGED(prev_cs, cs, tags, noexec))
 	sudo_lbuf_append(lbuf, tags.noexec ? "NOEXEC: " : "EXEC: ");
     if (TAG_CHANGED(prev_cs, cs, tags, nopasswd))

plugins/sudoers/gram.h

@@ -1,4 +1,4 @@
-/* A Bison parser, made by GNU Bison 3.7.5.  */
+/* A Bison parser, made by GNU Bison 3.7.6.  */
 
 /* Bison interface for Yacc-like parsers in C
 
@@ -16,7 +16,7 @@
    GNU General Public License for more details.
 
    You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.  */
+   along with this program.  If not, see <https://www.gnu.org/licenses/>.  */
 
 /* As a special exception, you may create a larger work that contains
    part or all of the Bison parser skeleton and distribute that work
@@ -83,27 +83,29 @@ extern int sudoersdebug;
     NOMAIL = 284,                  /* NOMAIL  */
     FOLLOWLNK = 285,               /* FOLLOWLNK  */
     NOFOLLOWLNK = 286,             /* NOFOLLOWLNK  */
-    ALL = 287,                     /* ALL  */
-    HOSTALIAS = 288,               /* HOSTALIAS  */
-    CMNDALIAS = 289,               /* CMNDALIAS  */
-    USERALIAS = 290,               /* USERALIAS  */
-    RUNASALIAS = 291,              /* RUNASALIAS  */
-    ERROR = 292,                   /* ERROR  */
-    NOMATCH = 293,                 /* NOMATCH  */
-    CHROOT = 294,                  /* CHROOT  */
-    CWD = 295,                     /* CWD  */
-    TYPE = 296,                    /* TYPE  */
-    ROLE = 297,                    /* ROLE  */
-    PRIVS = 298,                   /* PRIVS  */
-    LIMITPRIVS = 299,              /* LIMITPRIVS  */
-    CMND_TIMEOUT = 300,            /* CMND_TIMEOUT  */
-    NOTBEFORE = 301,               /* NOTBEFORE  */
-    NOTAFTER = 302,                /* NOTAFTER  */
-    MYSELF = 303,                  /* MYSELF  */
-    SHA224_TOK = 304,              /* SHA224_TOK  */
-    SHA256_TOK = 305,              /* SHA256_TOK  */
-    SHA384_TOK = 306,              /* SHA384_TOK  */
-    SHA512_TOK = 307               /* SHA512_TOK  */
+    INTERCEPT = 287,               /* INTERCEPT  */
+    NOINTERCEPT = 288,             /* NOINTERCEPT  */
+    ALL = 289,                     /* ALL  */
+    HOSTALIAS = 290,               /* HOSTALIAS  */
+    CMNDALIAS = 291,               /* CMNDALIAS  */
+    USERALIAS = 292,               /* USERALIAS  */
+    RUNASALIAS = 293,              /* RUNASALIAS  */
+    ERROR = 294,                   /* ERROR  */
+    NOMATCH = 295,                 /* NOMATCH  */
+    CHROOT = 296,                  /* CHROOT  */
+    CWD = 297,                     /* CWD  */
+    TYPE = 298,                    /* TYPE  */
+    ROLE = 299,                    /* ROLE  */
+    PRIVS = 300,                   /* PRIVS  */
+    LIMITPRIVS = 301,              /* LIMITPRIVS  */
+    CMND_TIMEOUT = 302,            /* CMND_TIMEOUT  */
+    NOTBEFORE = 303,               /* NOTBEFORE  */
+    NOTAFTER = 304,                /* NOTAFTER  */
+    MYSELF = 305,                  /* MYSELF  */
+    SHA224_TOK = 306,              /* SHA224_TOK  */
+    SHA256_TOK = 307,              /* SHA256_TOK  */
+    SHA384_TOK = 308,              /* SHA384_TOK  */
+    SHA512_TOK = 309               /* SHA512_TOK  */
   };
   typedef enum yytokentype yytoken_kind_t;
 #endif
@@ -141,27 +143,29 @@ extern int sudoersdebug;
 #define NOMAIL 284
 #define FOLLOWLNK 285
 #define NOFOLLOWLNK 286
-#define ALL 287
-#define HOSTALIAS 288
-#define CMNDALIAS 289
-#define USERALIAS 290
-#define RUNASALIAS 291
-#define ERROR 292
-#define NOMATCH 293
-#define CHROOT 294
-#define CWD 295
-#define TYPE 296
-#define ROLE 297
-#define PRIVS 298
-#define LIMITPRIVS 299
-#define CMND_TIMEOUT 300
-#define NOTBEFORE 301
-#define NOTAFTER 302
-#define MYSELF 303
-#define SHA224_TOK 304
-#define SHA256_TOK 305
-#define SHA384_TOK 306
-#define SHA512_TOK 307
+#define INTERCEPT 287
+#define NOINTERCEPT 288
+#define ALL 289
+#define HOSTALIAS 290
+#define CMNDALIAS 291
+#define USERALIAS 292
+#define RUNASALIAS 293
+#define ERROR 294
+#define NOMATCH 295
+#define CHROOT 296
+#define CWD 297
+#define TYPE 298
+#define ROLE 299
+#define PRIVS 300
+#define LIMITPRIVS 301
+#define CMND_TIMEOUT 302
+#define NOTBEFORE 303
+#define NOTAFTER 304
+#define MYSELF 305
+#define SHA224_TOK 306
+#define SHA256_TOK 307
+#define SHA384_TOK 308
+#define SHA512_TOK 309
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -181,7 +185,7 @@ union YYSTYPE
     char *string;
     int tok;
 
-#line 185 "y.tab.h"
+#line 189 "y.tab.h"
 
 };
 typedef union YYSTYPE YYSTYPE;

plugins/sudoers/gram.y

@@ -2,7 +2,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 1996, 1998-2005, 2007-2013, 2014-2020
+ * Copyright (c) 1996, 1998-2005, 2007-2013, 2014-2021
  *	Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -129,6 +129,8 @@ static void alias_error(const char *name, int errnum);
 %token <tok>	 NOMAIL			/* don't mail log message */
 %token <tok>	 FOLLOWLNK		/* follow symbolic links */
 %token <tok>	 NOFOLLOWLNK		/* don't follow symbolic links */
+%token <tok>	 INTERCEPT		/* intercept children of command */
+%token <tok>	 NOINTERCEPT		/* disable intercepting of children */
 %token <tok>	 ALL			/* ALL keyword */
 %token <tok>	 HOSTALIAS		/* Host_Alias keyword */
 %token <tok>	 CMNDALIAS		/* Cmnd_Alias keyword */
@@ -468,6 +470,8 @@ cmndspeclist	:	cmndspec
 				$3->tags.nopasswd = prev->tags.nopasswd;
 			    if ($3->tags.noexec == UNSPEC)
 				$3->tags.noexec = prev->tags.noexec;
+			    if ($3->tags.intercept == UNSPEC)
+				$3->tags.intercept = prev->tags.intercept;
 			    if ($3->tags.setenv == UNSPEC &&
 				prev->tags.setenv != IMPLIED)
 				$3->tags.setenv = prev->tags.setenv;
@@ -876,6 +880,12 @@ cmndtag		:	/* empty */ {
 		|	cmndtag EXEC {
 			    $$.noexec = false;
 			}
+		|	cmndtag INTERCEPT {
+			    $$.intercept = true;
+			}
+		|	cmndtag NOINTERCEPT {
+			    $$.intercept = false;
+			}
 		|	cmndtag SETENV {
 			    $$.setenv = true;
 			}

plugins/sudoers/parse.c

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2004-2005, 2007-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2004-2005, 2007-2021 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -300,6 +300,11 @@ apply_cmndspec(struct cmndspec *cs)
 	    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
 		"def_noexec -> %s", def_noexec ? "true" : "false");
 	}
+	if (cs->tags.intercept != UNSPEC) {
+	    def_intercept = cs->tags.intercept;
+	    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+		"def_intercept -> %s", def_intercept ? "true" : "false");
+	}
 	if (cs->tags.setenv != UNSPEC) {
 	    def_setenv = cs->tags.setenv;
 	    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
@@ -566,6 +571,8 @@ display_priv_long(struct sudoers_parse_tree *parse_tree, struct passwd *pw,
 		    sudo_lbuf_append(lbuf, "%ssetenv, ", cs->tags.setenv ? "" : "!");
 		if (TAG_SET(cs->tags.noexec))
 		    sudo_lbuf_append(lbuf, "%snoexec, ", cs->tags.noexec ? "" : "!");
+		if (TAG_SET(cs->tags.intercept))
+		    sudo_lbuf_append(lbuf, "%sintercept, ", cs->tags.intercept ? "" : "!");
 		if (TAG_SET(cs->tags.nopasswd))
 		    sudo_lbuf_append(lbuf, "%sauthenticate, ", cs->tags.nopasswd ? "!" : "");
 		if (TAG_SET(cs->tags.log_input))

plugins/sudoers/parse.h

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 1996, 1998-2000, 2004, 2007-2020
+ * Copyright (c) 1996, 1998-2000, 2004, 2007-2021
  *	Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -48,6 +48,7 @@
  */
 #define TAGS_INIT(t)	do {						       \
     (t)->follow = UNSPEC;						       \
+    (t)->intercept = UNSPEC;						       \
     (t)->log_input = UNSPEC;						       \
     (t)->log_output = UNSPEC;						       \
     (t)->noexec = UNSPEC;						       \
@@ -62,6 +63,8 @@
 #define TAGS_MERGE(t, t2) do {						       \
     if ((t2).follow != UNSPEC)						       \
 	(t).follow = (t2).follow;					       \
+    if ((t2).intercept != UNSPEC)					       \
+	(t).intercept = (t2).intercept;					       \
     if ((t2).log_input != UNSPEC)					       \
 	(t).log_input = (t2).log_input;					       \
     if ((t2).log_output != UNSPEC)					       \
@@ -80,10 +83,10 @@
  * Returns true if any tag are not UNSPEC, else false.
  */
 #define TAGS_SET(t)							       \
-    ((t).follow != UNSPEC || (t).log_input != UNSPEC ||			       \
-     (t).log_output != UNSPEC || (t).noexec != UNSPEC ||		       \
-     (t).nopasswd != UNSPEC || (t).send_mail != UNSPEC ||		       \
-     (t).setenv != UNSPEC)
+    ((t).follow != UNSPEC || (t).intercept != UNSPEC ||			       \
+     (t).log_input != UNSPEC || (t).log_output != UNSPEC ||		       \
+     (t).noexec != UNSPEC || (t).nopasswd != UNSPEC ||			       \
+     (t).send_mail != UNSPEC ||	(t).setenv != UNSPEC)
 
 /*
  * Returns true if the specified tag is not UNSPEC or IMPLIED, else false.
@@ -96,6 +99,7 @@
  */
 #define TAGS_CHANGED(ot, nt) \
     ((TAG_SET((nt).follow) && (nt).follow != (ot).follow) || \
+    (TAG_SET((nt).intercept) && (nt).intercept != (ot).intercept) || \
     (TAG_SET((nt).log_input) && (nt).log_input != (ot).log_input) || \
     (TAG_SET((nt).log_output) && (nt).log_output != (ot).log_output) || \
     (TAG_SET((nt).noexec) && (nt).noexec != (ot).noexec) || \
@@ -121,13 +125,14 @@ struct command_digest {
  * Possible values: true, false, IMPLIED, UNSPEC.
  */
 struct cmndtag {
-    signed int nopasswd: 3;
-    signed int noexec: 3;
-    signed int setenv: 3;
+    signed int follow: 3;
+    signed int intercept: 3;
     signed int log_input: 3;
     signed int log_output: 3;
+    signed int noexec: 3;
+    signed int nopasswd: 3;
     signed int send_mail: 3;
-    signed int follow: 3;
+    signed int setenv: 3;
 };
 
 /*

plugins/sudoers/policy.c

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2010-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+ * Copyright (c) 2010-2021 Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -611,7 +611,7 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
 	debug_return_bool(true);	/* nothing to do */
 
     /* Increase the length of command_info as needed, it is *not* checked. */
-    command_info = calloc(55, sizeof(char *));
+    command_info = calloc(57, sizeof(char *));
     if (command_info == NULL)
 	goto oom;
 
@@ -620,6 +620,10 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
 	if (command_info[info_len++] == NULL)
 	    goto oom;
     }
+    if (def_log_children) {
+	if ((command_info[info_len++] = strdup("log_children=true")) == NULL)
+	    goto oom;
+    }
     if (def_log_input || def_log_output) {
 	if (iolog_path)
 	    command_info[info_len++] = iolog_path;	/* now owned */
@@ -765,6 +769,10 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
 	if ((command_info[info_len++] = strdup("ignore_iolog_errors=true")) == NULL)
 	    goto oom;
     }
+    if (def_intercept) {
+	if ((command_info[info_len++] = strdup("intercept=true")) == NULL)
+	    goto oom;
+    }
     if (def_noexec) {
 	if ((command_info[info_len++] = strdup("noexec=true")) == NULL)
 	    goto oom;

plugins/sudoers/toke.l

@@ -2,7 +2,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 1996, 1998-2005, 2007-2020
+ * Copyright (c) 1996, 1998-2005, 2007-2021
  *	Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -446,6 +446,16 @@ EXEC[[:blank:]]*:	{
 			    	return EXEC;
 			}
 
+INTERCEPT[[:blank:]]*:	{
+			    	LEXTRACE("INTERCEPT ");
+			    	return INTERCEPT;
+			}
+
+NOINTERCEPT[[:blank:]]*: {
+			    	LEXTRACE("NOINTERCEPT ");
+			    	return NOINTERCEPT;
+			}
+
 SETENV[[:blank:]]*:	{
 			    	LEXTRACE("SETENV ");
 			    	return SETENV;