static unsigned int sessid_max = SESSID_MAX;
static uid_t iolog_uid = ROOT_UID;
static gid_t iolog_gid = (gid_t)-1;
+static mode_t iolog_filemode = S_IRUSR|S_IWUSR;
static mode_t iolog_dirmode = S_IRWXU;
/* sudoers_io is declared at the end of this file. */
}
/*
- * Sudoers callback for iolog_user Defaults setting.
+ * Look up I/O log user ID from user name.
*/
-bool
-cb_iolog_user(const union sudo_defs_val *sd_un)
+static bool
+iolog_set_uid(const char *name)
{
struct passwd *pw;
- debug_decl(cb_iolog_user, SUDOERS_DEBUG_UTIL)
+ debug_decl(iolog_set_uid, SUDOERS_DEBUG_UTIL)
- if (sd_un->str != NULL) {
- pw = sudo_getpwnam(sd_un->str);
+ if (name != NULL) {
+ pw = sudo_getpwnam(name);
if (pw != NULL) {
iolog_uid = pw->pw_uid;
} else {
log_warningx(SLOG_SEND_MAIL,
- N_("unknown user: %s"), sd_un->str);
+ N_("unknown user: %s"), name);
}
} else {
iolog_uid = ROOT_UID;
}
/*
- * Sudoers callback for iolog_group Defaults setting.
+ * Sudoers callback for iolog_user Defaults setting.
*/
bool
-cb_iolog_group(const union sudo_defs_val *sd_un)
+cb_iolog_user(const union sudo_defs_val *sd_un)
+{
+ return iolog_set_uid(sd_un->str);
+}
+
+/*
+ * Look up I/O log group ID from group name.
+ */
+static bool
+iolog_set_gid(const char *name)
{
struct group *gr;
- debug_decl(cb_iolog_group, SUDOERS_DEBUG_UTIL)
+ debug_decl(iolog_set_gid, SUDOERS_DEBUG_UTIL)
- if (sd_un->str != NULL) {
- gr = sudo_getgrnam(sd_un->str);
+ if (name != NULL) {
+ gr = sudo_getgrnam(name);
if (gr != NULL) {
iolog_gid = gr->gr_gid;
} else {
log_warningx(SLOG_SEND_MAIL,
- N_("unknown group: %s"), sd_un->str);
+ N_("unknown group: %s"), name);
}
} else {
iolog_gid = (mode_t)-1;
}
/*
- * Sudoers callback for iolog_mode Defaults setting.
+ * Look up I/O log group ID from group name.
*/
bool
-cb_iolog_mode(const union sudo_defs_val *sd_un)
+cb_iolog_group(const union sudo_defs_val *sd_un)
{
- debug_decl(cb_iolog_mode, SUDOERS_DEBUG_UTIL)
+ return iolog_set_gid(sd_un->str);
+}
- /* Base directory mode on iolog_mode, adding in the X bit as needed */
- iolog_dirmode = def_iolog_mode;
+/*
+ * Set iolog_filemode and iolog_dirmode.
+ */
+static bool
+iolog_set_mode(mode_t mode)
+{
+ debug_decl(iolog_set_mode, SUDOERS_DEBUG_UTIL)
+
+ /* Restrict file mode to a subset of 0666. */
+ iolog_filemode = mode & (S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);
+
+ /* For directory mode, add execute bits as needed. */
+ iolog_dirmode = iolog_filemode;
if (iolog_dirmode & (S_IRUSR|S_IWUSR))
iolog_dirmode |= S_IXUSR;
if (iolog_dirmode & (S_IRGRP|S_IWGRP))
debug_return_bool(true);
}
+/*
+ * Sudoers callback for iolog_mode Defaults setting.
+ */
+bool
+cb_iolog_mode(const union sudo_defs_val *sd_un)
+{
+ return iolog_set_mode(sd_un->mode);
+}
+
/*
* Read the on-disk sequence number, set sessid to the next
* number, and update the on-disk copy.
log_warning(SLOG_SEND_MAIL, "%s/seq", pathbuf);
goto done;
}
- fd = open(pathbuf, O_RDWR|O_CREAT, def_iolog_mode);
+ fd = open(pathbuf, O_RDWR|O_CREAT, iolog_filemode);
if (fd == -1) {
log_warning(SLOG_SEND_MAIL, N_("unable to open %s"), pathbuf);
goto done;
len = snprintf(fallback, sizeof(fallback), "%s/seq",
iolog_dir_fallback);
if (len > 0 && (size_t)len < sizeof(fallback)) {
- int fd2 = open(fallback, O_RDWR|O_CREAT, def_iolog_mode);
+ int fd2 = open(fallback, O_RDWR|O_CREAT, iolog_filemode);
if (fd2 != -1) {
ignore_result(fchown(fd2, iolog_uid, gid));
nread = read(fd2, buf, sizeof(buf) - 1);
pathbuf[len] = '\0';
strlcat(pathbuf, iol->suffix, PATH_MAX);
if (iol->enabled) {
- int fd = open(pathbuf, O_CREAT|O_TRUNC|O_WRONLY, def_iolog_mode);
+ int fd = open(pathbuf, O_CREAT|O_TRUNC|O_WRONLY, iolog_filemode);
if (fd != -1) {
ignore_result(fchown(fd, iolog_uid, iolog_gid));
(void)fcntl(fd, F_SETFD, FD_CLOEXEC);
iolog_compress = true; /* must be global */
continue;
}
+ if (strncmp(*cur, "iolog_mode=", sizeof("iolog_mode=") - 1) == 0) {
+ mode_t mode = sudo_strtomode(*cur + sizeof("iolog_mode=") - 1, &errstr);
+ if (errstr == NULL)
+ iolog_set_mode(mode);
+ continue;
+ }
+ if (strncmp(*cur, "iolog_group=", sizeof("iolog_group=") - 1) == 0) {
+ iolog_set_gid(*cur + sizeof("iolog_group=") - 1);
+ continue;
+ }
+ if (strncmp(*cur, "iolog_user=", sizeof("iolog_user=") - 1) == 0) {
+ iolog_set_uid(*cur + sizeof("iolog_user=") - 1);
+ continue;
+ }
break;
case 'm':
if (strncmp(*cur, "maxseq=", sizeof("maxseq=") - 1) == 0) {
pathbuf[len] = '\0';
strlcat(pathbuf, "/log", PATH_MAX);
- fd = open(pathbuf, O_CREAT|O_TRUNC|O_WRONLY, def_iolog_mode);
+ fd = open(pathbuf, O_CREAT|O_TRUNC|O_WRONLY, iolog_filemode);
if (fd == -1 || (fp = fdopen(fd, "w")) == NULL) {
log_warning(SLOG_SEND_MAIL, N_("unable to create %s"), pathbuf);
debug_return_bool(false);