The runas user must be set before applying runas-based Defaults.

This effectively backs out changeset f738f5ac5350, which made
it possible to log the command when an invalid user was specified.
The policy plugin API doesn't supply the command until the check
function, at which point we've already denied the command due to
the invalid user.  Bug #951.

plugins/sudoers/sudoers.c

@@ -393,23 +393,6 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 	}
     }
 
-    /*
-     * Set runas passwd/group entries based on command line or sudoers.
-     * Note that if runas_group was specified without runas_user we
-     * run the command as the invoking user.
-     */
-    if (sudo_user.runas_group != NULL) {
-	if (!set_runasgr(sudo_user.runas_group, false))
-	    goto done;
-	if (!set_runaspw(sudo_user.runas_user ?
-		sudo_user.runas_user : user_name, false))
-	    goto done;
-    } else {
-	if (!set_runaspw(sudo_user.runas_user ?
-		sudo_user.runas_user : def_runas_default, false))
-	    goto done;
-    }
-
     /* If given the -P option, set the "preserve_groups" flag. */
     if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS))
 	def_preserve_groups = true;
@@ -875,6 +858,23 @@ init_vars(char * const envp[])
 	debug_return_bool(false);
     }
 
+    /*
+     * Set runas passwd/group entries based on command line or sudoers.
+     * Note that if runas_group was specified without runas_user we
+     * run the command as the invoking user.
+     */
+    if (sudo_user.runas_group != NULL) {
+	if (!set_runasgr(sudo_user.runas_group, false))
+	    debug_return_bool(false);
+	if (!set_runaspw(sudo_user.runas_user ?
+		sudo_user.runas_user : user_name, false))
+	    debug_return_bool(false);
+    } else {
+	if (!set_runaspw(sudo_user.runas_user ?
+		sudo_user.runas_user : def_runas_default, false))
+	    debug_return_bool(false);
+    }
+
     debug_return_bool(true);
 }