From c37eb11db81dcadc0a171cdbdb0e5b0f096b4351 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 7 Aug 2025 20:36:59 -0600
Subject: [PATCH] direct_exec_allowed: don't allow for intercept or log_subcmds

---
 src/exec.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/exec.c b/src/exec.c
index 39d83774c..e158f3717 100644
--- a/src/exec.c
+++ b/src/exec.c
@@ -408,8 +408,11 @@ direct_exec_allowed(const struct command_details *details)
     debug_decl(direct_exec_allowed, SUDO_DEBUG_EXEC);
 
     /* Assumes sudo_needs_pty() was already checked. */
-    if (ISSET(details->flags, CD_RBAC_ENABLED|CD_SET_TIMEOUT|CD_SUDOEDIT) ||
-	policy_plugin.u.policy->close != NULL)
+    if (policy_plugin.u.policy->close != NULL)
+	debug_return_bool(false);
+    if (ISSET(details->flags, CD_RBAC_ENABLED|CD_SET_TIMEOUT|CD_SUDOEDIT))
+	debug_return_bool(false);
+    if (ISSET(details->flags, CD_INTERCEPT|CD_LOG_SUBCMDS))
 	debug_return_bool(false);
 
     TAILQ_FOREACH(plugin, &audit_plugins, entries) {
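Review bot: The new `if (ISSET(details->flags, CD_INTERCEPT|CD_LOG_SUBCMDS))` check has no comment saying why those two modes rule out direct exec, and the only comment in the hunk ("Assumes sudo_needs_pty() was already checked") does not cover it; a reader later auditing which flags force the supervised exec path has to rediscover that. Presumably the reason is that intercept and subcommand logging rely on sudo staying resident as the parent of the command to service intercept requests, which a direct exec() would silently bypass — worth stating, e.g. `/* Intercept and log_subcmds need sudo to remain the parent of the command; a direct exec would bypass them. */` above that line, hedged or corrected to match the actual mechanism. As a point of style, the three conditions now return through identical `debug_return_bool(false)` bodies, so the split only buys clarity if each branch is annotated with its reason (a comment or a debug message); otherwise the checks could stay in one expression. The enclosing direct_exec_allowed() starts and ends outside this hunk.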