Add mail_badpass option

Also modify mail_always behavior to also send mail when the password is wrong

auth/sudo_auth.c

@@ -99,9 +99,10 @@ verify_user(pw, prompt)
     struct passwd *pw;
     char *prompt;
 {
-    short counter = def_ival(I_PASSWD_TRIES) + 1;
-    short success = AUTH_FAILURE;
-    short status;
+    int counter = def_ival(I_PASSWD_TRIES) + 1;
+    int success = AUTH_FAILURE;
+    int status;
+    int flags;
     char *p;
     sudo_auth *auth;
 
@@ -213,7 +214,11 @@ cleanup:
 	case AUTH_SUCCESS:
 	    return;
 	case AUTH_FAILURE:
-	    log_error(NO_MAIL, "%d incorrect password attempt%s",
+	    if (def_flag(I_MAIL_BADPASS) || def_flag(I_MAIL_ALWAYS))
+		flags = 0;
+	    else
+		flags = NO_MAIL;
+	    log_error(flags, "%d incorrect password attempt%s",
 		def_ival(I_PASSWD_TRIES) - counter,
 		(def_ival(I_PASSWD_TRIES) - counter == 1) ? "" : "s");
 	case AUTH_FATAL:

def_data.c

@@ -26,6 +26,9 @@ struct sudo_defs_types sudo_defs_table[] = {
     }, {
 	"mail_always", T_FLAG,
 	"Always send mail when sudo is run"
+    }, {
+	"mail_badpass", T_FLAG,
+	"Send mail if user authentication fails"
     }, {
 	"mail_no_user", T_FLAG,
 	"Send mail if the user is not in sudoers"
@@ -149,6 +152,9 @@ struct sudo_defs_types sudo_defs_table[] = {
     }, {
 	"editor", T_STR|T_PATH,
 	"Path to the editor for use by visudo: %s"
+    }, {
+	"env_delete", T_STR|T_BOOL,
+	"Environment variables to remove: %s"
     }, {
 	"env_keep", T_STR|T_BOOL,
 	"Environment variables to preserve: %s"

def_data.h

@@ -7,49 +7,51 @@
 #define I_LONG_OTP_PROMPT       6
 #define I_IGNORE_DOT            7
 #define I_MAIL_ALWAYS           8
-#define I_MAIL_NO_USER          9
-#define I_MAIL_NO_HOST          10
-#define I_MAIL_NO_PERMS         11
-#define I_TTY_TICKETS           12
-#define I_LECTURE               13
-#define I_AUTHENTICATE          14
-#define I_ROOT_SUDO             15
-#define I_LOG_HOST              16
-#define I_LOG_YEAR              17
-#define I_SHELL_NOARGS          18
-#define I_SET_HOME              19
-#define I_ALWAYS_SET_HOME       20
-#define I_PATH_INFO             21
-#define I_FQDN                  22
-#define I_INSULTS               23
-#define I_REQUIRETTY            24
-#define I_ENV_EDITOR            25
-#define I_ROOTPW                26
-#define I_RUNASPW               27
-#define I_TARGETPW              28
-#define I_USE_LOGINCLASS        29
-#define I_SET_LOGNAME           30
-#define I_STAY_SETUID           31
-#define I_ENV_RESET             32
-#define I_LOGLINELEN            33
-#define I_TIMESTAMP_TIMEOUT     34
-#define I_PASSWD_TIMEOUT        35
-#define I_PASSWD_TRIES          36
-#define I_UMASK                 37
-#define I_LOGFILE               38
-#define I_MAILERPATH            39
-#define I_MAILERFLAGS           40
-#define I_MAILTO                41
-#define I_MAILSUB               42
-#define I_BADPASS_MESSAGE       43
-#define I_TIMESTAMPDIR          44
-#define I_EXEMPT_GROUP          45
-#define I_PASSPROMPT            46
-#define I_RUNAS_DEFAULT         47
-#define I_SECURE_PATH           48
-#define I_EDITOR                49
-#define I_ENV_KEEP              50
-#define I_LISTPW_I              51
-#define I_VERIFYPW_I            52
-#define I_LISTPW                53
-#define I_VERIFYPW              54
+#define I_MAIL_BADPASS          9
+#define I_MAIL_NO_USER          10
+#define I_MAIL_NO_HOST          11
+#define I_MAIL_NO_PERMS         12
+#define I_TTY_TICKETS           13
+#define I_LECTURE               14
+#define I_AUTHENTICATE          15
+#define I_ROOT_SUDO             16
+#define I_LOG_HOST              17
+#define I_LOG_YEAR              18
+#define I_SHELL_NOARGS          19
+#define I_SET_HOME              20
+#define I_ALWAYS_SET_HOME       21
+#define I_PATH_INFO             22
+#define I_FQDN                  23
+#define I_INSULTS               24
+#define I_REQUIRETTY            25
+#define I_ENV_EDITOR            26
+#define I_ROOTPW                27
+#define I_RUNASPW               28
+#define I_TARGETPW              29
+#define I_USE_LOGINCLASS        30
+#define I_SET_LOGNAME           31
+#define I_STAY_SETUID           32
+#define I_ENV_RESET             33
+#define I_LOGLINELEN            34
+#define I_TIMESTAMP_TIMEOUT     35
+#define I_PASSWD_TIMEOUT        36
+#define I_PASSWD_TRIES          37
+#define I_UMASK                 38
+#define I_LOGFILE               39
+#define I_MAILERPATH            40
+#define I_MAILERFLAGS           41
+#define I_MAILTO                42
+#define I_MAILSUB               43
+#define I_BADPASS_MESSAGE       44
+#define I_TIMESTAMPDIR          45
+#define I_EXEMPT_GROUP          46
+#define I_PASSPROMPT            47
+#define I_RUNAS_DEFAULT         48
+#define I_SECURE_PATH           49
+#define I_EDITOR                50
+#define I_ENV_DELETE            51
+#define I_ENV_KEEP              52
+#define I_LISTPW_I              53
+#define I_VERIFYPW_I            54
+#define I_LISTPW                55
+#define I_VERIFYPW              56

def_data.in

@@ -33,6 +33,9 @@ ignore_dot
 mail_always
 	T_FLAG
 	"Always send mail when sudo is run"
+mail_badpass
+	T_FLAG
+	"Send mail if user authentication fails"
 mail_no_user
 	T_FLAG
 	"Send mail if the user is not in sudoers"
@@ -156,6 +159,9 @@ secure_path
 editor
 	T_STR|T_PATH
 	"Path to the editor for use by visudo: %s"
+env_delete
+	T_STR|T_BOOL
+	"Environment variables to remove: %s"
 env_keep
 	T_STR|T_BOOL
 	"Environment variables to preserve: %s"

sudoers.pod

@@ -244,6 +244,11 @@ flag is I<@ignore_dot@> by default.
 Send mail to the I<mailto> user every time a users runs B<sudo>.
 This flag is I<off> by default.
 
+=item mail_badpass
+
+Send mail to the I<mailto> user if the user running sudo does not
+enter the correct password.  This flag is I<off> by default.
+
 =item mail_no_user
 
 If set, mail will be sent to the I<mailto> user if the invoking