When setting the umask, use the union of the user's umask and the

default value set in sudoers so that we never lower the user's umask
when running a command.

diff --git a/sudo.c b/sudo.c
index 7e6f18f281377dd1d99ab5768180458f3f5226a7..6b91d941e666ade030923b372b746880cdf28b98 100644 (file)
--- a/sudo.c
+++ b/sudo.c
@@ -456,9 +456,16 @@ main(argc, argv, envp)
            sudo_mode == MODE_LIST)
            exit(rc);
 
-       /* Override user's umask if configured to do so. */
-       if (def_umask != 0777)
-           (void) umask(def_umask);
+       /*
+        * Override user's umask if configured to do so.
+        * If user's umask is more restrictive, OR in those bits too.
+        */
+       if (def_umask != 0777) {
+           mode_t mask = umask(def_umask);
+           mask |= def_umask;
+           if (mask != def_umask)
+               umask(mask);
+       }
 
        /* Restore coredumpsize resource limit. */
 #if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)

diff --git a/sudoers.pod b/sudoers.pod
index 671bd2a89d5089e1966bf9bb13a9e4e4ec52a19b..0322001be125ded2754d3294a8a41191b21bf30b 100644 (file)
--- a/sudoers.pod
+++ b/sudoers.pod
@@ -803,7 +803,12 @@ own timestamps via C<sudo -v> and C<sudo -k> respectively.
 =item umask
 
 Umask to use when running the command.  Negate this option or set
-it to 0777 to preserve the user's umask.  The default is C<@sudo_umask@>.
+it to 0777 to preserve the user's umask.  The actual umask that is
+used will be the union of the user's umask and C<@sudo_umask@>.
+This guarantees that B<sudo> never lowers the umask when running a
+command.  Note on systems that use PAM, the default PAM configuration
+may specify its own umask which will override the value set in
+I<sudoers>.
 
 =back