Don't allow the user to specify an I/O log file mode that sudo can't

read or write to.  I/O logs must always be readable and writable
by the owner.

diff --git a/doc/sudoers.cat b/doc/sudoers.cat
index 86874b65432ab619278a562789d48fb3967dea31..39752453c8161b7a0edab86c0772ebde6ed4c1f3 100644 (file)
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -1623,11 +1623,15 @@ S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
                        This setting is only supported by version 1.8.19 or
                        higher.
 
-     iolog_mode        The file permision mode to use when creating I/O log
-                       files, mode bits other than 0666 are ignored.  When
-                       creating I/O log directories, search (execute) bits are
-                       added to to match the read and write bits specified by
-                       _\bi_\bo_\bl_\bo_\bg_\b__\bm_\bo_\bd_\be.  Defaults to 0600.
+     iolog_mode        The file mode to use when creating I/O log files.  Mode
+                       bits for read and write permissions for owner, group or
+                       other are honored, everything else is ignored.  The
+                       file permissions will always include the owner read and
+                       write bits, even if they are not present in the
+                       specified mode.  When creating I/O log directories,
+                       search (execute) bits are added to to match the read
+                       and write bits specified by _\bi_\bo_\bl_\bo_\bg_\b__\bm_\bo_\bd_\be.  Defaults to
+                       0600 (read and write by user only).
 
                        This setting is only supported by version 1.8.19 or
                        higher.
@@ -2744,4 +2748,4 @@ D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
      file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.20                     March 14, 2017                     Sudo 1.8.20
+Sudo 1.8.20                     March 17, 2017                     Sudo 1.8.20

diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index 91a834280239ad496c9291018d1a2572527dce50..a9ff7541542a6d160b8425c4698476194befd35a 100644 (file)
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDOERS" "5" "March 14, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "March 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -3324,12 +3324,15 @@ the parent directory.
 This setting is only supported by version 1.8.19 or higher.
 .TP 18n
 iolog_mode
-The file permision mode to use when creating I/O log files,
-mode bits other than 0666 are ignored.
+The file mode to use when creating I/O log files.
+Mode bits for read and write permissions for owner, group or other
+are honored, everything else is ignored.
+The file permissions will always include the owner read and
+write bits, even if they are not present in the specified mode.
 When creating I/O log directories, search (execute) bits are added
 to to match the read and write bits specified by
 \fIiolog_mode\fR.
-Defaults to 0600.
+Defaults to 0600 (read and write by user only).
 .sp
 This setting is only supported by version 1.8.19 or higher.
 .TP 18n

diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index 9c72c6f37f14066db7dbe10b8a080f707cec6c61..97ac155c7126536cbea82b54cb5496ce4e3223b0 100644 (file)
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd March 14, 2017
+.Dd March 17, 2017
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -3117,12 +3117,15 @@ the parent directory.
 .Pp
 This setting is only supported by version 1.8.19 or higher.
 .It iolog_mode
-The file permision mode to use when creating I/O log files,
-mode bits other than 0666 are ignored.
+The file mode to use when creating I/O log files.
+Mode bits for read and write permissions for owner, group or other
+are honored, everything else is ignored.
+The file permissions will always include the owner read and
+write bits, even if they are not present in the specified mode.
 When creating I/O log directories, search (execute) bits are added
 to to match the read and write bits specified by
 .Em iolog_mode .
-Defaults to 0600.
+Defaults to 0600 (read and write by user only).
 .Pp
 This setting is only supported by version 1.8.19 or higher.
 .It iolog_user

diff --git a/plugins/sudoers/iolog.c b/plugins/sudoers/iolog.c
index e292036b9f3ad12b38ffec4d778a9c807ff724ea..f1ab3c406e2f62bad2efecadb3103f25ace0cad9 100644 (file)
--- a/plugins/sudoers/iolog.c
+++ b/plugins/sudoers/iolog.c
@@ -292,13 +292,14 @@ iolog_set_mode(mode_t mode)
 {
     debug_decl(iolog_set_mode, SUDOERS_DEBUG_UTIL)
 
-    /* Restrict file mode to a subset of 0666. */
-    iolog_filemode = mode & (S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);
+    /* I/O log files must be readable and writable by owner. */
+    iolog_filemode = S_IRUSR|S_IWUSR;
+
+    /* Add in group and other read/write if specified. */
+    iolog_filemode |= mode & (S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);
 
     /* For directory mode, add execute bits as needed. */
-    iolog_dirmode = iolog_filemode;
-    if (iolog_dirmode & (S_IRUSR|S_IWUSR))
-       iolog_dirmode |= S_IXUSR;
+    iolog_dirmode = iolog_filemode | S_IXUSR;
     if (iolog_dirmode & (S_IRGRP|S_IWGRP))
        iolog_dirmode |= S_IXGRP;
     if (iolog_dirmode & (S_IROTH|S_IWOTH))