Bugzilla – Bug 610
Sudoers option "closefrom_override" does not work for command specific Defaults
Last modified: 2013-09-30 09:38:59 MDT
I have recently been working on a project which utilizes sudoers' "closefrom_override" option. After playing with it for a while I found that "closefrom_override" doesn't work with command-specific Defaults. This is verified via 3 simple tests. In my /etc/sudoers, I tried the following Defaults entries:

- Defaults!/bin/bash !authenticate (works correctly, which indicates command-specific Defaults (i.e. "Defaults!") works well)
- Defaults:myusername closefrom_override (works correctly, which indicates the option "closefrom_override" works well)
- Defaults!/bin/bash closefrom_override (doesn't work, as sudo doesn't allow the -C option when I run sudo /bin/bash)

After inspecting the source code, I found that in plugin/sudoers/sudoers.c:

- in sudoers_policy_main(...), the check for -C override (at Line 232) happens before applying command-specific default entries (in set_cmnd(...))

I moved the -C override checking after set_cmnd, which solved my problem. I don't think this would introduce any problem, as the command will still be rejected if the user tries to specify -C override but doesn't have the right permission. I'm not sure if the -C override checking happens earlier on purpose. But I think this looks like a tiny bug :-)
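The ordering problem described in the report, as an added model written for this page (it is not sudo's code and does not call sudo): a small parser for the three kinds of Defaults lines used above (global, user-specific "Defaults:", command-specific "Defaults!"), plus a function that validates a "-C" request either before or after the command-specific entries are merged in. The sudoers fragment is constructed from the report's three entries; host ("Defaults@") and runas ("Defaults>") scopes, aliases and option values other than flags are assumptions left out of the model, and "fixed=False/True" is only a stand-in for the pre-1.8.8 and post-1.8.8 check placement in sudoers_policy_main()/set_cmnd().

```python
"""Model of sudoers Defaults scoping vs. the -C (closefrom_override) check."""
import re
from dataclasses import dataclass

# Constructed sudoers fragment mirroring the three entries from the bug report.
SUDOERS = """
# global defaults would look like: Defaults env_reset
Defaults!/bin/bash !authenticate
Defaults:myusername closefrom_override
Defaults!/bin/bash closefrom_override
"""

# Defaults[scope][target] option[,option...]; scope '' = global, ':' = user, '!' = command.
DEFAULTS_RE = re.compile(r'^Defaults([:!])?(\S+)?\s+(.+)$')


@dataclass
class DefaultsEntry:
    scope: str      # '', ':' or '!'
    target: str     # user name or command path; '' for global entries
    options: dict   # option name -> True / False / string value


def parse_option(tok):
    """'flag' -> (flag, True); '!flag' -> (flag, False); 'k=v' -> (k, 'v')."""
    tok = tok.strip()
    if tok.startswith('!'):
        return tok[1:], False
    if '=' in tok:
        key, value = tok.split('=', 1)
        return key, value
    return tok, True


def parse_defaults(text):
    """Collect Defaults entries in file order; non-Defaults lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        scope, target, opts = m.group(1) or '', m.group(2) or '', m.group(3)
        options = dict(parse_option(t) for t in opts.split(','))
        entries.append(DefaultsEntry(scope, target, options))
    return entries


def apply_defaults(entries, scopes, user=None, command=None):
    """Merge the entries whose scope is in `scopes`; later lines override earlier ones."""
    merged = {}
    for e in entries:
        if e.scope == '' and '' in scopes:
            merged.update(e.options)
        elif e.scope == ':' and ':' in scopes and e.target == user:
            merged.update(e.options)
        elif e.scope == '!' and '!' in scopes and e.target == command:
            merged.update(e.options)
    return merged


def check_closefrom_override(entries, user, command, closefrom_given, fixed):
    """Return True if a -C given on the command line is accepted.

    fixed=False models the reported order: the -C check runs while only global
    and user-specific Defaults are in effect, so a 'Defaults!<cmd>' entry is not
    yet visible.  fixed=True models the check moved after set_cmnd(), where the
    command-specific entries have been applied as well.
    """
    scopes = {'', ':', '!'} if fixed else {'', ':'}
    opts = apply_defaults(entries, scopes, user, command)
    if closefrom_given and not opts.get('closefrom_override', False):
        return False  # -C rejected: no closefrom_override in effect for this user/command
    return True


if __name__ == '__main__':
    entries = parse_defaults(SUDOERS)
    for fixed in (False, True):
        ok = check_closefrom_override(entries, 'otheruser', '/bin/bash', True, fixed)
        print(f"check after set_cmnd={fixed}: sudo -C ... /bin/bash accepted={ok}")
```

With the check placed before the command-specific merge, a user who is only granted closefrom_override via "Defaults!/bin/bash" is refused; moving it after the merge accepts that case while a command without such an entry (say /bin/ls) is still refused, which is the safety argument made in the report.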
Moving that check until after set_cmnd() should be safe. That change will be in sudo 1.8.8.
The fix is present in sudo 1.8.8b1, which is available now.
Fixed in sudo 1.8.8