Don't allow the user to specify an I/O log file mode that sudo can't

read or write to. I/O logs must always be readable and writable by the owner.
2025-08-31 06:15:37 +00:00 · 2017-03-17 10:56:17 -06:00
parent 8b3845c1ca
commit 8c8d078f66
4 changed files with 30 additions and 19 deletions
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -1623,11 +1623,15 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
                       This setting is only supported by version 1.8.19 or
                       higher.

-     iolog_mode        The file permision mode to use when creating I/O log
-                       files, mode bits other than 0666 are ignored.  When
-                       creating I/O log directories, search (execute) bits are
-                       added to to match the read and write bits specified by
-                       _i_o_l_o_g___m_o_d_e.  Defaults to 0600.
+     iolog_mode        The file mode to use when creating I/O log files.  Mode
+                       bits for read and write permissions for owner, group or
+                       other are honored, everything else is ignored.  The
+                       file permissions will always include the owner read and
+                       write bits, even if they are not present in the
+                       specified mode.  When creating I/O log directories,
+                       search (execute) bits are added to to match the read
+                       and write bits specified by _i_o_l_o_g___m_o_d_e.  Defaults to
+                       0600 (read and write by user only).

                       This setting is only supported by version 1.8.19 or
                       higher.
@@ -2744,4 +2748,4 @@ DDIISSCCLLAAIIMMEERR
     file distributed with ssuuddoo or https://www.sudo.ws/license.html for
     complete details.

-Sudo 1.8.20                     March 14, 2017                     Sudo 1.8.20
+Sudo 1.8.20                     March 17, 2017                     Sudo 1.8.20
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDOERS" "5" "March 14, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "March 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -3324,12 +3324,15 @@ the parent directory.
 This setting is only supported by version 1.8.19 or higher.
 .TP 18n
 iolog_mode
-The file permision mode to use when creating I/O log files,
-mode bits other than 0666 are ignored.
+The file mode to use when creating I/O log files.
+Mode bits for read and write permissions for owner, group or other
+are honored, everything else is ignored.
+The file permissions will always include the owner read and
+write bits, even if they are not present in the specified mode.
 When creating I/O log directories, search (execute) bits are added
 to to match the read and write bits specified by
 \fIiolog_mode\fR.
-Defaults to 0600.
+Defaults to 0600 (read and write by user only).
 .sp
 This setting is only supported by version 1.8.19 or higher.
 .TP 18n
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd March 14, 2017
+.Dd March 17, 2017
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -3117,12 +3117,15 @@ the parent directory.
 .Pp
 This setting is only supported by version 1.8.19 or higher.
 .It iolog_mode
-The file permision mode to use when creating I/O log files,
-mode bits other than 0666 are ignored.
+The file mode to use when creating I/O log files.
+Mode bits for read and write permissions for owner, group or other
+are honored, everything else is ignored.
+The file permissions will always include the owner read and
+write bits, even if they are not present in the specified mode.
 When creating I/O log directories, search (execute) bits are added
 to to match the read and write bits specified by
 .Em iolog_mode .
-Defaults to 0600.
+Defaults to 0600 (read and write by user only).
 .Pp
 This setting is only supported by version 1.8.19 or higher.
 .It iolog_user
--- a/plugins/sudoers/iolog.c
+++ b/plugins/sudoers/iolog.c
@@ -292,13 +292,14 @@ iolog_set_mode(mode_t mode)
 {
    debug_decl(iolog_set_mode, SUDOERS_DEBUG_UTIL)

-    /* Restrict file mode to a subset of 0666. */
-    iolog_filemode = mode & (S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);
+    /* I/O log files must be readable and writable by owner. */
+    iolog_filemode = S_IRUSR|S_IWUSR;
+
+    /* Add in group and other read/write if specified. */
+    iolog_filemode |= mode & (S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);

    /* For directory mode, add execute bits as needed. */
-    iolog_dirmode = iolog_filemode;
-    if (iolog_dirmode & (S_IRUSR|S_IWUSR))
-	iolog_dirmode |= S_IXUSR;
+    iolog_dirmode = iolog_filemode | S_IXUSR;
    if (iolog_dirmode & (S_IRGRP|S_IWGRP))
 	iolog_dirmode |= S_IXGRP;
    if (iolog_dirmode & (S_IROTH|S_IWOTH))