correct error message if mode/owner wrong and not statable by owner

but is statable by root.

diff --git a/sudo.c b/sudo.c
index 5b22873c5198a305f353b5044648ecc496f789a4..7bfeffc43e704f7ab2d5a9f0eb7da3f0117c703d 100644 (file)
--- a/sudo.c
+++ b/sudo.c
@@ -783,7 +783,7 @@ static void load_cmnd(sudo_mode)
 static int check_sudoers()
 {
     struct stat statbuf;
-    int fd = -1;
+    int fd = -1, rootstat;
     char c;
     int rtn = ALL_SYSTEMS_GO;
 
@@ -792,35 +792,39 @@ static int check_sudoers()
      * Only works if filesystem is readable/writable by root.
      */
     set_perms(PERM_ROOT, 0);
-    if (!lstat(_PATH_SUDO_SUDOERS, &statbuf) && SUDOERS_UID == statbuf.st_uid) {
-       if (SUDOERS_MODE != 0400 && (statbuf.st_mode & 0007777) == 0400) {
-           if (chmod(_PATH_SUDO_SUDOERS, SUDOERS_MODE) == 0) {
-               (void) fprintf(stderr, "%s: fixed mode on %s\n",
-                   Argv[0], _PATH_SUDO_SUDOERS);
-               if (statbuf.st_gid != SUDOERS_GID) {
-                   if (!chown(_PATH_SUDO_SUDOERS,GID_NO_CHANGE,SUDOERS_GID)) {
-                       (void) fprintf(stderr, "%s: set group on %s\n",
-                           Argv[0], _PATH_SUDO_SUDOERS);
-                       statbuf.st_gid = SUDOERS_GID;
-                   } else {
-                       (void) fprintf(stderr,"%s: Unable to set group on %s: ",
-                           Argv[0], _PATH_SUDO_SUDOERS);
-                       perror("");
-                   }
+    if ((rootstat = lstat(_PATH_SUDO_SUDOERS, &statbuf)) == 0 &&
+       SUDOERS_UID == statbuf.st_uid && SUDOERS_MODE != 0400 &&
+       (statbuf.st_mode & 0007777) == 0400) {
+
+       if (chmod(_PATH_SUDO_SUDOERS, SUDOERS_MODE) == 0) {
+           (void) fprintf(stderr, "%s: fixed mode on %s\n",
+               Argv[0], _PATH_SUDO_SUDOERS);
+           if (statbuf.st_gid != SUDOERS_GID) {
+               if (!chown(_PATH_SUDO_SUDOERS,GID_NO_CHANGE,SUDOERS_GID)) {
+                   (void) fprintf(stderr, "%s: set group on %s\n",
+                       Argv[0], _PATH_SUDO_SUDOERS);
+                   statbuf.st_gid = SUDOERS_GID;
+               } else {
+                   (void) fprintf(stderr,"%s: Unable to set group on %s: ",
+                       Argv[0], _PATH_SUDO_SUDOERS);
+                   perror("");
                }
-           } else {
-               (void) fprintf(stderr, "%s: Unable to fix mode on %s: ",
-                   Argv[0], _PATH_SUDO_SUDOERS);
-               perror("");
            }
+       } else {
+           (void) fprintf(stderr, "%s: Unable to fix mode on %s: ",
+               Argv[0], _PATH_SUDO_SUDOERS);
+           perror("");
        }
     }
 
+    /*
+     * Sanity checks on sudoers file.  Must be done as sudoers
+     * file owner.  We already did a stat as root, so use that
+     * data if we can't stat as sudoers file owner.
+     */
     set_perms(PERM_SUDOERS, 0);
 
-    if ((fd = open(_PATH_SUDO_SUDOERS, O_RDONLY)) < 0 || read(fd, &c, 1) == -1)
-       rtn = NO_SUDOERS_FILE;
-    else if (lstat(_PATH_SUDO_SUDOERS, &statbuf))
+    if (lstat(_PATH_SUDO_SUDOERS, &statbuf) != 0 && rootstat != 0)
        rtn = NO_SUDOERS_FILE;
     else if (!S_ISREG(statbuf.st_mode))
        rtn = SUDOERS_NOT_FILE;
@@ -828,6 +832,9 @@ static int check_sudoers()
        rtn = SUDOERS_WRONG_MODE;
     else if (statbuf.st_uid != SUDOERS_UID || statbuf.st_gid != SUDOERS_GID)
        rtn = SUDOERS_WRONG_OWNER;
+    else if ((fd = open(_PATH_SUDO_SUDOERS, O_RDONLY)) == -1 ||
+            read(fd, &c, 1) == -1)
+       rtn = NO_SUDOERS_FILE;
 
     if (fd != -1)
        (void) close(fd);