Add a new flag "allow_unknown_runas_id" to control matching of unknown IDs.

Previously, sudo would always allow unknown user or group IDs if the
sudoers entry permitted it.  This included the "ALL" alias.
With this change, the admin must explicitly enable support for unknown IDs.
Todd C. Miller
2019-12-09 17:14:06 -07:00
parent d7b4f88658
commit df8f06609c
7 changed files with 71 additions and 4 deletions

@@ -537,6 +537,7 @@ init_defaults(void)
def_fdexec = digest_only;
def_log_allowed = true;
def_log_denied = true;
def_runas_allow_unknown_id = false;
/* Syslog options need special care since they both strings and ints */
#if (LOGGING & SLOG_SYSLOG)
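
Review bot: the variable set on the added line, `def_runas_allow_unknown_id`, does not match the word order of the flag name given in the commit message, "allow_unknown_runas_id". Please make the two agree, so that an admin searching for the documented name finds the setting that this default belongs to. Since the default is `false`, and the message says unknown IDs were previously always allowed when the sudoers entry permitted it (including via "ALL"), existing configurations that relied on that will start denying. A short comment next to this assignment stating that the default is deliberately deny, and that it is a change from earlier behaviour, would help the next reader of `init_defaults()`.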