Don't allow the user to specify an I/O log file mode that sudo can't
read or write to. I/O logs must always be readable and writable by the owner.
@@ -1623,11 +1623,15 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
|
||||
This setting is only supported by version 1.8.19 or
|
||||
higher.
|
||||
|
||||
iolog_mode The file permision mode to use when creating I/O log
|
||||
files, mode bits other than 0666 are ignored. When
|
||||
creating I/O log directories, search (execute) bits are
|
||||
added to to match the read and write bits specified by
|
||||
_i_o_l_o_g___m_o_d_e. Defaults to 0600.
|
||||
iolog_mode The file mode to use when creating I/O log files. Mode
|
||||
bits for read and write permissions for owner, group or
|
||||
other are honored, everything else is ignored. The
|
||||
file permissions will always include the owner read and
|
||||
write bits, even if they are not present in the
|
||||
specified mode. When creating I/O log directories,
|
||||
search (execute) bits are added to to match the read
|
||||
and write bits specified by _i_o_l_o_g___m_o_d_e. Defaults to
|
||||
0600 (read and write by user only).
|
||||
|
||||
This setting is only supported by version 1.8.19 or
|
||||
higher.
|
||||
@@ -2744,4 +2748,4 @@ DDIISSCCLLAAIIMMEERR
|
||||
file distributed with ssuuddoo or https://www.sudo.ws/license.html for
|
||||
complete details.
|
||||
|
||||
Sudo 1.8.20 March 14, 2017 Sudo 1.8.20
|
||||
Sudo 1.8.20 March 17, 2017 Sudo 1.8.20
|
||||
|
@@ -21,7 +21,7 @@
|
||||
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
|
||||
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
|
||||
.\"
|
||||
.TH "SUDOERS" "5" "March 14, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
|
||||
.TH "SUDOERS" "5" "March 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
|
||||
.nh
|
||||
.if n .ad l
|
||||
.SH "NAME"
|
||||
@@ -3324,12 +3324,15 @@ the parent directory.
|
||||
This setting is only supported by version 1.8.19 or higher.
|
||||
.TP 18n
|
||||
iolog_mode
|
||||
The file permision mode to use when creating I/O log files,
|
||||
mode bits other than 0666 are ignored.
|
||||
The file mode to use when creating I/O log files.
|
||||
Mode bits for read and write permissions for owner, group or other
|
||||
are honored, everything else is ignored.
|
||||
The file permissions will always include the owner read and
|
||||
write bits, even if they are not present in the specified mode.
|
||||
When creating I/O log directories, search (execute) bits are added
|
||||
to to match the read and write bits specified by
|
||||
\fIiolog_mode\fR.
|
||||
Defaults to 0600.
|
||||
Defaults to 0600 (read and write by user only).
|
||||
.sp
|
||||
This setting is only supported by version 1.8.19 or higher.
|
||||
.TP 18n
|
||||
|
@@ -19,7 +19,7 @@
|
||||
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
|
||||
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
|
||||
.\"
|
||||
.Dd March 14, 2017
|
||||
.Dd March 17, 2017
|
||||
.Dt SUDOERS @mansectform@
|
||||
.Os Sudo @PACKAGE_VERSION@
|
||||
.Sh NAME
|
||||
@@ -3117,12 +3117,15 @@ the parent directory.
|
||||
.Pp
|
||||
This setting is only supported by version 1.8.19 or higher.
|
||||
.It iolog_mode
|
||||
The file permision mode to use when creating I/O log files,
|
||||
mode bits other than 0666 are ignored.
|
||||
The file mode to use when creating I/O log files.
|
||||
Mode bits for read and write permissions for owner, group or other
|
||||
are honored, everything else is ignored.
|
||||
The file permissions will always include the owner read and
|
||||
write bits, even if they are not present in the specified mode.
|
||||
When creating I/O log directories, search (execute) bits are added
|
||||
to to match the read and write bits specified by
|
||||
.Em iolog_mode .
|
||||
Defaults to 0600.
|
||||
Defaults to 0600 (read and write by user only).
|
||||
.Pp
|
||||
This setting is only supported by version 1.8.19 or higher.
|
||||
.It iolog_user
|
||||
|
@@ -292,13 +292,14 @@ iolog_set_mode(mode_t mode)
|
||||
{
|
||||
debug_decl(iolog_set_mode, SUDOERS_DEBUG_UTIL)
|
||||
|
||||
/* Restrict file mode to a subset of 0666. */
|
||||
iolog_filemode = mode & (S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);
|
||||
/* I/O log files must be readable and writable by owner. */
|
||||
iolog_filemode = S_IRUSR|S_IWUSR;
|
||||
|
||||
/* Add in group and other read/write if specified. */
|
||||
iolog_filemode |= mode & (S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);
|
||||
|
||||
/* For directory mode, add execute bits as needed. */
|
||||
iolog_dirmode = iolog_filemode;
|
||||
if (iolog_dirmode & (S_IRUSR|S_IWUSR))
|
||||
iolog_dirmode |= S_IXUSR;
|
||||
iolog_dirmode = iolog_filemode | S_IXUSR;
|
||||
if (iolog_dirmode & (S_IRGRP|S_IWGRP))
|
||||
iolog_dirmode |= S_IXGRP;
|
||||
if (iolog_dirmode & (S_IROTH|S_IWOTH))
|
||||
|
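Review bot: The new assignment `iolog_filemode = S_IRUSR|S_IWUSR;` followed by `iolog_filemode |= mode & (S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);` silently widens whatever the administrator configured, so a sudoers entry such as iolog_mode=0040 ends up creating 0640 files with nothing in the debug log to show that the effective mode differs from the configured one. Since the function already declares debug context via `debug_decl(iolog_set_mode, SUDOERS_DEBUG_UTIL)`, a one-line trace when the owner bits had to be added would make the adjustment observable during troubleshooting, e.g. `if ((mode & (S_IRUSR|S_IWUSR)) != (S_IRUSR|S_IWUSR)) sudo_debug_printf(SUDO_DEBUG_INFO, "adding owner read/write bits to iolog_mode 0%o", (unsigned int)mode);`. It would also be worth stating in the comment above `iolog_dirmode = iolog_filemode | S_IXUSR;` that the owner search bit is unconditional precisely because the owner read/write bits now always are, so the two invariants are read together. The body of iolog_set_mode continues past the end of this hunk (the final `if` has no statement shown here).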