Add intercept_authenticate sudoers option, defaults to false.

By default, sudoers will not require authentication of commands run
via an intercepted session.  To require authenticaton of subsequent
commands, enable intercept_authenticate in sudoers.

doc/sudoers.man.in

@@ -3049,6 +3049,25 @@ above as well as the
 section at the end of this manual.
 This flag is
 \fIoff\fR
+by default.
+.sp
+This setting is only supported by version 1.9.8 or higher.
+.TP 18n
+intercept_authenticate
+If set, commands run by an intercepted process must be authenticated
+when the user's time stamp is not current.
+For example, if a shell is run with
+\fIintercept\fR
+enabled, as soon as the invoking user's time stamp is out of date,
+subsequent commands will need to be authenticated.
+This flag has no effect unless the
+\fIintercept\fR
+flag is enabled or the
+\fIINTERCEPT\fR
+tag has been set for the command.
+This flag is
+\fIoff\fR
+by default.
 .sp
 This setting is only supported by version 1.9.8 or higher.
 .TP 18n

doc/sudoers.mdoc.in

@@ -2871,6 +2871,24 @@ above as well as the
 section at the end of this manual.
 This flag is
 .Em off
+by default.
+.Pp
+This setting is only supported by version 1.9.8 or higher.
+.It intercept_authenticate
+If set, commands run by an intercepted process must be authenticated
+when the user's time stamp is not current.
+For example, if a shell is run with
+.Em intercept
+enabled, as soon as the invoking user's time stamp is out of date,
+subsequent commands will need to be authenticated.
+This flag has no effect unless the
+.Em intercept
+flag is enabled or the
+.Em INTERCEPT
+tag has been set for the command.
+This flag is
+.Em off
+by default.
 .Pp
 This setting is only supported by version 1.9.8 or higher.
 .It netgroup_tuple

plugins/sudoers/check.c

@@ -299,8 +299,14 @@ user_is_exempt(void)
     bool ret = false;
     debug_decl(user_is_exempt, SUDOERS_DEBUG_AUTH);
 
-    if (def_exempt_group)
-	ret = user_in_group(sudo_user.pw, def_exempt_group);
+    if (ISSET(sudo_mode, MODE_POLICY_INTERCEPTED)) {
+	if (!def_intercept_authenticate)
+	    ret = true;
+    }
+    if (def_exempt_group) {
+	if (user_in_group(sudo_user.pw, def_exempt_group))
+	    ret = true;
+    }
     debug_return_bool(ret);
 }
 

plugins/sudoers/def_data.c

@@ -589,6 +589,10 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"log_exit_status", T_FLAG,
 	N_("Log the exit status of commands"),
 	NULL,
+    }, {
+	"intercept_authenticate", T_FLAG,
+	N_("Subsequent commands in an intercepted session must be authenticated"),
+	NULL,
     }, {
 	NULL, 0, NULL
     }

plugins/sudoers/def_data.h

@@ -272,6 +272,8 @@
 #define def_log_children        (sudo_defs_table[I_LOG_CHILDREN].sd_un.flag)
 #define I_LOG_EXIT_STATUS       135
 #define def_log_exit_status     (sudo_defs_table[I_LOG_EXIT_STATUS].sd_un.flag)
+#define I_INTERCEPT_AUTHENTICATE 136
+#define def_intercept_authenticate (sudo_defs_table[I_INTERCEPT_AUTHENTICATE].sd_un.flag)
 
 enum def_tuple {
     never,

plugins/sudoers/def_data.in

@@ -424,3 +424,6 @@ log_children
 log_exit_status
 	T_FLAG
 	"Log the exit status of commands"
+intercept_authenticate
+	T_FLAG
+	"Subsequent commands in an intercepted session must be authenticated"

plugins/sudoers/policy.c

@@ -81,7 +81,7 @@ parse_bool(const char *line, int varlen, int *flags, int fval)
     }
 }
 
-#define RUN_VALID_FLAGS	(MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_IMPLIED_SHELL|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_PRESERVE_GROUPS|MODE_SHELL|MODE_RUN)
+#define RUN_VALID_FLAGS	(MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME|MODE_IMPLIED_SHELL|MODE_LOGIN_SHELL|MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_PRESERVE_GROUPS|MODE_SHELL|MODE_RUN|MODE_POLICY_INTERCEPTED)
 #define EDIT_VALID_FLAGS	(MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_EDIT)
 #define LIST_VALID_FLAGS	(MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_LIST|MODE_CHECK)
 #define VALIDATE_VALID_FLAGS	(MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_VALIDATE)
@@ -184,6 +184,7 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
     }
 
     /* Parse command line settings. */
+    sudo_mode = 0;
     user_closefrom = -1;
     for (cur = info->settings; *cur != NULL; cur++) {
 	if (MATCHES(*cur, "closefrom=")) {

plugins/sudoers/sudoers.c

@@ -383,6 +383,14 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 	debug_return_int(-1);
     }
 
+    /* Was previous command was intercepted? */
+    if (def_intercept)
+	SET(sudo_mode, MODE_POLICY_INTERCEPTED);
+
+    /* Only certain mode flags are legal for intercepted commands. */
+    if (ISSET(sudo_mode, MODE_POLICY_INTERCEPTED))
+	sudo_mode &= MODE_INTERCEPT_MASK;
+
     /* Re-initialize defaults if we are called multiple times. */
     if (need_reinit) {
 	if (!sudoers_reinit_defaults())

plugins/sudoers/sudoers.h

@@ -194,6 +194,10 @@ struct sudo_user {
 #define MODE_PRESERVE_ENV	0x00400000
 #define MODE_NONINTERACTIVE	0x00800000
 #define MODE_IGNORE_TICKET	0x01000000
+#define MODE_POLICY_INTERCEPTED	0x02000000
+
+/* Mode bits allowed for intercepted commands. */
+#define MODE_INTERCEPT_MASK	(MODE_RUN|MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_POLICY_INTERCEPTED)
 
 /*
  * Used with set_perms()