mirror of https://github.com/sudo-project/sudo.git synced 2025-08-31 14:25:15 +00:00

Change how the umask is handled with PAM and login.conf.

If the umask is explicitly set in sudoers, use that value regardless
of what is in PAM or login.conf.  If using the default umask from
sudoers, allow PAM or login.conf to override it.  Bug #900
Todd C. Miller
2019-10-18 06:20:27 -06:00
parent cf6c60c102
commit b02851dcf3
11 changed files with 135 additions and 47 deletions


@@ -147,8 +147,8 @@ exec_setup(struct command_details *details)
login_cap_t *lc;
/*
* We only use setusercontext() to set the nice value and rlimits
* unless this is a login shell (sudo -i).
* We only use setusercontext() to set the nice value, rlimits
* and umask unless this is a login shell (sudo -i).
*/
lc = login_getclass((char *)details->login_class);
if (!lc) {
@@ -160,9 +160,8 @@ exec_setup(struct command_details *details)
/* Set everything except user, group and login name. */
flags = LOGIN_SETALL;
CLR(flags, LOGIN_SETGROUP|LOGIN_SETLOGIN|LOGIN_SETUSER|LOGIN_SETENV|LOGIN_SETPATH);
CLR(details->flags, CD_SET_UMASK); /* LOGIN_UMASK instead */
} else {
flags = LOGIN_SETRESOURCES|LOGIN_SETPRIORITY;
flags = LOGIN_SETRESOURCES|LOGIN_SETPRIORITY|LOGIN_SETUMASK;
}
if (setusercontext(lc, details->pw, details->pw->pw_uid, flags)) {
sudo_warn(U_("unable to set user context"));
@@ -185,8 +184,11 @@ exec_setup(struct command_details *details)
goto done;
}
}
if (ISSET(details->flags, CD_SET_UMASK))
/* Policy may override umask in PAM or login.conf. */
if (ISSET(details->flags, CD_OVERRIDE_UMASK))
(void) umask(details->umask);
if (details->chroot) {
if (chroot(details->chroot) != 0 || chdir("/") != 0) {
sudo_warn(U_("unable to change root to %s"), details->chroot);
@@ -194,7 +196,7 @@ exec_setup(struct command_details *details)
}
}
/*
/*
* Unlimit the number of processes since Linux's setuid() will
* return EAGAIN if RLIMIT_NPROC would be exceeded by the uid switch.
*/
@@ -344,7 +346,7 @@ sudo_terminated(struct command_status *cstat)
debug_return_bool(false);
}
#if SUDO_API_VERSION != SUDO_API_MKVERSION(1, 13)
#if SUDO_API_VERSION != SUDO_API_MKVERSION(1, 14)
# error "Update sudo_needs_pty() after changing the plugin API"
#endif
static bool
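Review bot: The comment added above the `CD_OVERRIDE_UMASK` test in the third hunk does not say which umask the command runs with when the flag is clear, and that is the security-relevant case. With the flag clear, whatever `setusercontext()` (now passed `LOGIN_SETUMASK` in the non-login branch) or PAM left in place stands, so a permissive login.conf or PAM umask replaces the sudoers default for a command run as another user. I would extend the comment to something like `/* Only an explicitly configured sudoers umask is forced here; otherwise the umask set by PAM or login.conf is kept. */` and note in the documentation that sites relying on the default should set umask explicitly in sudoers. Where the default is applied when neither PAM nor login.conf sets one is not visible in these hunks (presumably earlier, via `CD_SET_UMASK`), and exec_setup() begins and ends outside them.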