From c376c71618890cbc484b2862d653977c9bafc5da Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 15 Aug 2013 09:56:17 -0600
Subject: [PATCH] Move the -C (user_closefrom) check until after set_cmnd() so that closefrom_override can be used in a command-specific Defaults line. Fixes bug #610 from Mengtao Sun.
---
 plugins/sudoers/sudoers.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 023fa23da..94a62d2b0 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -227,15 +227,6 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 goto bad;
 }

- /* Check for -C overriding def_closefrom. */
- if (user_closefrom >= 0 && user_closefrom != def_closefrom) {
- if (!def_closefrom_override) {
- warningx(_("you are not permitted to use the -C option"));
- goto bad;
- }
- def_closefrom = user_closefrom;
- }
-
 set_perms(PERM_INITIAL);

 /* Environment variables specified on the command line. */
@@ -265,9 +256,18 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS))
 def_preserve_groups = true;

- /* Find command in path */
+ /* Find command in path and apply per-command Defaults. */
 cmnd_status = set_cmnd();

+ /* Check for -C overriding def_closefrom. */
+ if (user_closefrom >= 0 && user_closefrom != def_closefrom) {
+ if (!def_closefrom_override) {
+ warningx(_("you are not permitted to use the -C option"));
+ goto bad;
+ }
+ def_closefrom = user_closefrom;
+ }
+
 /*
 * Check sudoers sources, using the locale specified in sudoers.
 */
-- 
2.49.0
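Review bot: The relocated -C check in the second hunk now only works if it runs after `set_cmnd()`, but its comment still reads `/* Check for -C overriding def_closefrom. */`, so a later reorder could silently go back to ignoring a command-specific `closefrom_override`; I would extend it to `/* Check for -C overriding def_closefrom; must follow set_cmnd() so per-command Defaults are in effect. */`. The `goto bad` in this block is also now reached after `set_perms(PERM_INITIAL)` and the command-line environment handling, so it is worth confirming that the `bad` path, which lies outside the hunk, unwinds the permission state for this failure as it does for any other late one. The denial is reported through `warningx()` only, as far as the visible lines show; if refused -C attempts should be visible to whoever monitors sudo's logs, a logging call would be needed here. `sudoers_policy_main` starts and ends outside the hunk.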