Add intercept_allow_setid sudoers option, disabled by default.

With this change, a shell in intercept mode cannot run a setuid or
setgid binary by default.  On most systems, the dynamic loader will
ignore LD_PRELOAD for setuid/setgid binaries such as sudo which
would effectively disable intercept mode.

plugins/sudoers/parse.h

@@ -302,6 +302,7 @@ struct cmnd_info {
     struct stat cmnd_stat;
     char *cmnd_path;
     int status;
+    bool intercepted;
 };
 
 /*