mirror of https://github.com/sudo-project/sudo.git synced 2025-09-01 23:05:17 +00:00

When creating the timestamp directory, use the group of the timestamp

owner instead of inheriting the group of the parent directory.
Todd C. Miller
2017-03-20 12:59:28 -06:00
parent a1322d7dd9
commit 2dbd091443
3 changed files with 11 additions and 7 deletions


@@ -86,6 +86,7 @@ struct sudo_user sudo_user;
struct passwd *list_pw;
int long_list;
uid_t timestamp_uid;
gid_t timestamp_gid;
#ifdef HAVE_BSD_AUTH_H
char *login_style;
#endif /* HAVE_BSD_AUTH_H */
@@ -381,11 +382,13 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
pw = sudo_getpwnam(def_timestampowner);
if (pw != NULL) {
timestamp_uid = pw->pw_uid;
timestamp_gid = pw->pw_gid;
sudo_pw_delref(pw);
} else {
log_warningx(SLOG_SEND_MAIL,
N_("timestamp owner (%s): No such user"), def_timestampowner);
timestamp_uid = ROOT_UID;
timestamp_gid = ROOT_GID;
}
}
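Review bot: The new global `timestamp_gid` is declared without a comment and is assigned only inside a block whose opening condition lies outside this hunk, so its value when that block is skipped is whatever file-scope zero-initialisation gives. That is gid 0, and whether it is meant to equal `ROOT_GID` is not visible here. A one-line comment on the declaration would make the contract explicit, for example `/* group for the timestamp directory; set together with timestamp_uid from the timestampowner passwd entry, else ROOT_GID */`. If the zero default is relied on, say so there as well.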


@@ -366,6 +366,7 @@ extern struct passwd *list_pw;
extern int long_list;
extern int sudo_mode;
extern uid_t timestamp_uid;
extern gid_t timestamp_gid;
extern sudo_conv_t sudo_conv;
extern sudo_printf_t sudo_printf;


@@ -1,5 +1,5 @@
/*
* Copyright (c) 2014-2016 Todd C. Miller <Todd.Miller@courtesan.com>
* Copyright (c) 2014-2017 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -150,24 +150,24 @@ ts_find_record(int fd, struct timestamp_entry *key, struct timestamp_entry *entr
* Returns false on failure and displays a warning to stderr.
*/
static bool
ts_mkdirs(char *path, uid_t owner, mode_t mode, mode_t parent_mode, bool quiet)
ts_mkdirs(char *path, uid_t owner, gid_t group, mode_t mode,
mode_t parent_mode, bool quiet)
{
gid_t parent_gid = (gid_t)-1;
bool ret;
debug_decl(ts_mkdirs, SUDOERS_DEBUG_AUTH)
ret = sudo_mkdir_parents(path, owner, &parent_gid, parent_mode, quiet);
ret = sudo_mkdir_parents(path, owner, &group, parent_mode, quiet);
if (ret) {
/* Create final path component. */
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
"mkdir %s, mode 0%o, uid %d, gid %d", path, (int)mode,
(int)owner, (int)parent_gid);
(int)owner, (int)group);
if (mkdir(path, mode) != 0 && errno != EEXIST) {
if (!quiet)
sudo_warn(U_("unable to mkdir %s"), path);
ret = false;
} else {
ignore_result(chown(path, owner, parent_gid));
ignore_result(chown(path, owner, group));
}
}
debug_return_bool(ret);
@@ -192,7 +192,7 @@ ts_secure_dir(char *path, bool make_it, bool quiet)
ret = true;
break;
case SUDO_PATH_MISSING:
if (make_it && ts_mkdirs(path, timestamp_uid, S_IRWXU,
if (make_it && ts_mkdirs(path, timestamp_uid, timestamp_gid, S_IRWXU,
S_IRWXU|S_IXGRP|S_IXOTH, quiet)) {
ret = true;
break;
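Review bot: In ts_mkdirs the final `ignore_result(chown(path, owner, group))` still discards the result, so a failed chown leaves the directory with whatever group mkdir() assigned while the function returns true, which is the outcome this commit is meant to rule out. The same call is reached when mkdir() fails with EEXIST, and chown() follows a symlink if the existing path is one; whether the parent directory can be writable by anyone but the timestamp owner is not visible on this page. At minimum report the failure, e.g. `if (chown(path, owner, group) != 0 && !quiet) sudo_warn(U_("unable to chown %s"), path);`, and consider returning false in that case. It is also worth confirming that sudo_mkdir_parents (not shown) does not write back through `&group`, since the old code passed that pointer as an out-parameter initialised to `(gid_t)-1`. The header comment above ts_mkdirs begins outside the hunk and should mention the new `group` argument.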