Move noexec handling to sudo front-end where it is documented as being.

plugins/sudoers/sudoers.c

@@ -433,7 +433,7 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 	def_env_reset = FALSE;
 
     /* Build a new environment that avoids any nasty bits. */
-    rebuild_env(def_noexec); /* XXX - move noexec bits */
+    rebuild_env();
 
     /* Require a password if sudoers says so.  */
     if (def_authenticate) {
@@ -533,9 +533,6 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 	    command_info[info_len++] = estrdup("iolog_compress=true");
     }
 
-    if (def_noexec)
-	    command_info[info_len++] = estrdup("noexec=true");
-
     log_allowed(validated);
     if (ISSET(sudo_mode, MODE_CHECK))
 	rval = display_cmnd(snl, list_pw ? list_pw : sudo_user.pw);
@@ -646,6 +643,10 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
     }
     if (def_closefrom >= 0)
 	easprintf(&command_info[info_len++], "closefrom=%d", def_closefrom);
+    if (def_noexec)
+	command_info[info_len++] = estrdup("noexec=true");
+    if (def_noexec_file)
+	command_info[info_len++] = fmt_string("noexec_file", def_noexec_file);
 #ifdef HAVE_LOGIN_CAP_H
     if (lc != NULL)
 	command_info[info_len++] = fmt_string("login_class", lc->lc_class);