Impersonation tokens are not bound to the creator of the token

Follow-up of h1 report #651713 with @ankelly

Impersonation tokens aren't bound to the creator of the token. This may be dangerous in case of the offboarding of admin users, as all impersonation tokens created by evil-admin (including sudo impersonation tokens of other admins) continue to be valid even after the block/deletion of the evil-admin.

This effectively creates an option for a persistent admin backdoor without any mention of this behavior in the documentation (at least I wasn't able to find anything).

In my opinion, this should at least result in a badass red warning somewhere in docs, but I'm definitely open for a discussion in case this is working as intended.
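
An offboarding check that follows from the behavior reported above, as an added example that is not part of the original issue or GitLab's own code: since a token record carries no creator, it selects every active impersonation token created during the departing admin's tenure and ranks the riskiest first. Records use the field names returned by GitLab's impersonation tokens API; the function name, admin ID set and sample data are constructed.

```python
from datetime import datetime, timezone

HIGH_RISK_SCOPES = {"api", "sudo"}

def _parse(ts):
    # GitLab returns ISO 8601 timestamps with a trailing "Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def tokens_to_review(tokens, admin_ids, tenure_start, tenure_end):
    """Active impersonation tokens created in the tenure window, riskiest first."""
    findings = []
    for t in tokens:
        # Skip personal access tokens and anything already revoked or expired
        if not t.get("impersonation") or t.get("revoked") or not t.get("active"):
            continue
        # No creator field exists, so creation time is the only usable filter
        if not (tenure_start <= _parse(t["created_at"]) <= tenure_end):
            continue
        findings.append({
            "token_id": t["id"],
            "user_id": t["user_id"],
            "name": t["name"],
            "targets_admin": t["user_id"] in admin_ids,
            "risky_scopes": sorted(HIGH_RISK_SCOPES & set(t["scopes"])),
            "expires_at": t.get("expires_at"),  # None means no expiry
        })
    # Tokens impersonating admins first, then by number of risky scopes
    findings.sort(key=lambda f: (not f["targets_admin"],
                                 -len(f["risky_scopes"]), f["token_id"]))
    return findings

def _tok(i, uid, scopes, created, active=True, revoked=False):
    return {"id": i, "user_id": uid, "name": f"tok-{i}", "scopes": scopes,
            "created_at": created, "active": active, "revoked": revoked,
            "impersonation": True, "expires_at": None}

# Constructed sample records, as if collected per user from
# GET /users/:user_id/impersonation_tokens
SAMPLE_TOKENS = [
    _tok(11, 1, ["api", "sudo"], "2020-02-01T09:00:00.000Z"),
    _tok(12, 7, ["read_user"], "2020-03-01T09:00:00.000Z"),
    _tok(13, 7, ["api"], "2020-03-02T09:00:00.000Z", active=False, revoked=True),
    _tok(14, 8, ["api"], "2019-01-01T09:00:00.000Z"),
    _tok(15, 9, ["api"], "2020-04-01T09:00:00.000Z"),
]
TENURE = (datetime(2020, 1, 1, tzinfo=timezone.utc),
          datetime(2020, 6, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    for f in tokens_to_review(SAMPLE_TOKENS, {1}, *TENURE):
        print(f)
```

Each finding still needs a human decision: revoke it, or confirm who requested it and why.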
