From: Todd C. Miller Date: Mon, 7 Nov 2016 17:19:04 +0000 (-0700) Subject: Pass iolog mode, group and user from policy plugin to I/O log plugin. X-Git-Tag: SUDO_1_8_19^2~60 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2b020c9f17b64af9538068211dd9294ec9098aa2;p=sudo Pass iolog mode, group and user from policy plugin to I/O log plugin. --- diff --git a/doc/sudo_plugin.cat b/doc/sudo_plugin.cat index db87e412e..8cb5bf854 100644 --- a/doc/sudo_plugin.cat +++ b/doc/sudo_plugin.cat @@ -509,6 +509,21 @@ DDEESSCCRRIIPPTTIIOONN compress the log data. This is a hint to the I/O logging plugin which may choose to ignore it. + iolog_group=string + The group that will own newly created I/O log files and + directories. This is a hint to the I/O logging plugin + which may choose to ignore it. + + iolog_mode=octal + The file permision mode to use when creating I/O log + files and directories. This is a hint to the I/O + logging plugin which may choose to ignore it. + + iolog_user=string + The user that will own newly created I/O log files and + directories. This is a hint to the I/O logging plugin + which may choose to ignore it. + iolog_path=string Fully qualified path to the file or directory in which I/O log is to be stored. This is a hint to the I/O @@ -1559,4 +1574,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.18 January 20, 2016 Sudo 1.8.18 +Sudo 1.8.19 November 7, 2016 Sudo 1.8.19 diff --git a/doc/sudo_plugin.man.in b/doc/sudo_plugin.man.in index 1c47fec55..398f2f91e 100644 --- a/doc/sudo_plugin.man.in +++ b/doc/sudo_plugin.man.in @@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "SUDO_PLUGIN" "5" "January 20, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDO_PLUGIN" "5" "November 7, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" 
@@ -897,6 +897,18 @@ Set to true if the I/O logging plugins, if any, should compress the log data. This is a hint to the I/O logging plugin which may choose to ignore it. .TP 6n +iolog_group=string +The group that will own newly created I/O log files and directories. +This is a hint to the I/O logging plugin which may choose to ignore it. +.TP 6n +iolog_mode=octal +The file permision mode to use when creating I/O log files and directories. +This is a hint to the I/O logging plugin which may choose to ignore it. +.TP 6n +iolog_user=string +The user that will own newly created I/O log files and directories. +This is a hint to the I/O logging plugin which may choose to ignore it. +.TP 6n iolog_path=string Fully qualified path to the file or directory in which I/O log is to be stored. diff --git a/doc/sudo_plugin.mdoc.in b/doc/sudo_plugin.mdoc.in index d5507ba73..429b73f2a 100644 --- a/doc/sudo_plugin.mdoc.in +++ b/doc/sudo_plugin.mdoc.in @@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 20, 2016 +.Dd November 7, 2016 .Dt SUDO_PLUGIN @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
@@ -798,6 +798,15 @@ must refer to an open file descriptor. Set to true if the I/O logging plugins, if any, should compress the log data. This is a hint to the I/O logging plugin which may choose to ignore it. +.It iolog_group=string +The group that will own newly created I/O log files and directories. +This is a hint to the I/O logging plugin which may choose to ignore it. +.It iolog_mode=octal +The file permision mode to use when creating I/O log files and directories. +This is a hint to the I/O logging plugin which may choose to ignore it. +.It iolog_user=string +The user that will own newly created I/O log files and directories. +This is a hint to the I/O logging plugin which may choose to ignore it. .It iolog_path=string Fully qualified path to the file or directory in which I/O log is to be stored. diff --git a/doc/sudoers.cat b/doc/sudoers.cat index e54f463da..379a3ff89 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -1552,9 +1552,10 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS higher. iolog_mode The file permision mode to use when creating I/O log - files. When creating I/O log directories, search - (execute) bits are added to to match the read and write - bits specified by _i_o_l_o_g___m_o_d_e. Defaults to 0600. + files, mode bits other than 0666 are ignored. When + creating I/O log directories, search (execute) bits are + added to to match the read and write bits specified by + _i_o_l_o_g___m_o_d_e. Defaults to 0600. This setting is only supported by version 1.8.19 or higher. @@ -2631,4 +2632,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.19 October 29, 2016 Sudo 1.8.19 +Sudo 1.8.19 November 7, 2016 Sudo 1.8.19 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 159d17c00..a23a61f08 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
@@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "5" "October 29, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "5" "November 7, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -3197,7 +3197,8 @@ the parent directory. This setting is only supported by version 1.8.19 or higher. .TP 18n iolog_mode -The file permision mode to use when creating I/O log files. +The file permision mode to use when creating I/O log files, +mode bits other than 0666 are ignored. When creating I/O log directories, search (execute) bits are added to to match the read and write bits specified by \fIiolog_mode\fR. diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 2b4298ee6..e0ab8a889 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd October 29, 2016 +.Dd November 7, 2016 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -2996,7 +2996,8 @@ the parent directory. .Pp This setting is only supported by version 1.8.19 or higher. .It iolog_mode -The file permision mode to use when creating I/O log files. +The file permision mode to use when creating I/O log files, +mode bits other than 0666 are ignored. When creating I/O log directories, search (execute) bits are added to to match the read and write bits specified by .Em iolog_mode . diff --git a/plugins/sudoers/iolog.c b/plugins/sudoers/iolog.c index d6bfb2397..fc81ef984 100644 --- a/plugins/sudoers/iolog.c +++ b/plugins/sudoers/iolog.c 
@@ -73,6 +73,7 @@ static struct timeval last_time; static unsigned int sessid_max = SESSID_MAX; static uid_t iolog_uid = ROOT_UID; static gid_t iolog_gid = (gid_t)-1; +static mode_t iolog_filemode = S_IRUSR|S_IWUSR; static mode_t iolog_dirmode = S_IRWXU; /* sudoers_io is declared at the end of this file. */ @@ -216,21 +217,21 @@ cb_maxseq(const union sudo_defs_val *sd_un) } /* - * Sudoers callback for iolog_user Defaults setting. + * Look up I/O log user ID from user name. */ -bool -cb_iolog_user(const union sudo_defs_val *sd_un) +static bool +iolog_set_uid(const char *name) { struct passwd *pw; - debug_decl(cb_iolog_user, SUDOERS_DEBUG_UTIL) + debug_decl(iolog_set_uid, SUDOERS_DEBUG_UTIL) - if (sd_un->str != NULL) { - pw = sudo_getpwnam(sd_un->str); + if (name != NULL) { + pw = sudo_getpwnam(name); if (pw != NULL) { iolog_uid = pw->pw_uid; } else { log_warningx(SLOG_SEND_MAIL, - N_("unknown user: %s"), sd_un->str); + N_("unknown user: %s"), name); } } else { iolog_uid = ROOT_UID; @@ -240,21 +241,30 @@ cb_iolog_user(const union sudo_defs_val *sd_un) } /* - * Sudoers callback for iolog_group Defaults setting. + * Sudoers callback for iolog_user Defaults setting. */ bool -cb_iolog_group(const union sudo_defs_val *sd_un) +cb_iolog_user(const union sudo_defs_val *sd_un) +{ + return iolog_set_uid(sd_un->str); +} + +/* + * Look up I/O log group ID from group name. + */ +static bool +iolog_set_gid(const char *name) { struct group *gr; - debug_decl(cb_iolog_group, SUDOERS_DEBUG_UTIL) + debug_decl(iolog_set_gid, SUDOERS_DEBUG_UTIL) - if (sd_un->str != NULL) { - gr = sudo_getgrnam(sd_un->str); + if (name != NULL) { + gr = sudo_getgrnam(name); if (gr != NULL) { iolog_gid = gr->gr_gid; } else { log_warningx(SLOG_SEND_MAIL, - N_("unknown group: %s"), sd_un->str); + N_("unknown group: %s"), name); } } else { iolog_gid = (mode_t)-1; 
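Review bot: In `iolog_set_uid()` the entry returned by `sudo_getpwnam(name)` is read for `pw_uid` and never released in the lines shown; if that lookup hands out a reference-counted cache entry, as the sudoers passwd cache does, every call leaks a reference. Releasing it right after the copy, `iolog_uid = pw->pw_uid; sudo_pw_delref(pw);`, would close that, and the same applies to `gr` in `iolog_set_gid()` in the next hunk with `sudo_gr_delref(gr);`. The header comment could also say that an unknown name only logs a warning and leaves the previous `iolog_uid` in place, since the I/O plugin now feeds this helper from `command_info`. The function's closing return lies outside the hunk.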
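Review bot: The reset branch of `iolog_set_gid()` assigns `iolog_gid = (mode_t)-1;`, but the variable is a `gid_t` that the file initialises with `(gid_t)-1`. Where `mode_t` is narrower than `gid_t` the cast produces 65535 instead of the "leave the group unchanged" value, so a later `fchown(fd, iolog_uid, iolog_gid)` would assign the log to a real group id. The line is unchanged context carried into the new helper; `iolog_gid = (gid_t)-1;` is the fix. The end of the function is outside the hunk.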
@@ -264,15 +274,27 @@ cb_iolog_group(const union sudo_defs_val *sd_un) } /* - * Sudoers callback for iolog_mode Defaults setting. + * Look up I/O log group ID from group name. */ bool -cb_iolog_mode(const union sudo_defs_val *sd_un) +cb_iolog_group(const union sudo_defs_val *sd_un) { - debug_decl(cb_iolog_mode, SUDOERS_DEBUG_UTIL) + return iolog_set_gid(sd_un->str); +} - /* Base directory mode on iolog_mode, adding in the X bit as needed */ - iolog_dirmode = def_iolog_mode; +/* + * Set iolog_filemode and iolog_dirmode. + */ +static bool +iolog_set_mode(mode_t mode) +{ + debug_decl(iolog_set_mode, SUDOERS_DEBUG_UTIL) + + /* Restrict file mode to a subset of 0666. */ + iolog_filemode = mode & (S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH); + + /* For directory mode, add execute bits as needed. */ + iolog_dirmode = iolog_filemode; if (iolog_dirmode & (S_IRUSR|S_IWUSR)) iolog_dirmode |= S_IXUSR; if (iolog_dirmode & (S_IRGRP|S_IWGRP)) @@ -283,6 +305,15 @@ cb_iolog_mode(const union sudo_defs_val *sd_un) debug_return_bool(true); } +/* + * Sudoers callback for iolog_mode Defaults setting. + */ +bool +cb_iolog_mode(const union sudo_defs_val *sd_un) +{ + return iolog_set_mode(sd_un->mode); +} + /* * Read the on-disk sequence number, set sessid to the next * number, and update the on-disk copy. @@ -318,7 +349,7 @@ io_nextid(char *iolog_dir, char *iolog_dir_fallback, char sessid[7]) log_warning(SLOG_SEND_MAIL, "%s/seq", pathbuf); goto done; } - fd = open(pathbuf, O_RDWR|O_CREAT, def_iolog_mode); + fd = open(pathbuf, O_RDWR|O_CREAT, iolog_filemode); if (fd == -1) { log_warning(SLOG_SEND_MAIL, N_("unable to open %s"), pathbuf); goto done; 
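Review bot: The header comment that now sits above `cb_iolog_group()` reads "Look up I/O log group ID from group name.", which is the description of the `iolog_set_gid()` helper copied over; it should read `Sudoers callback for iolog_group Defaults setting.` to match the comments on `cb_iolog_user()` and `cb_iolog_mode()`. In the same hunk the comment on `iolog_set_mode()` states what the mask does but not why; something like `/* Log files are never executable or setuid: keep only the rw bits (0666). */` would tell the next reader that the restriction is deliberate. Note that the mask still lets a policy request group- or world-accessible session logs, which is worth a sentence in the comment since the logs can contain typed input.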
@@ -338,7 +369,7 @@ io_nextid(char *iolog_dir, char *iolog_dir_fallback, char sessid[7]) len = snprintf(fallback, sizeof(fallback), "%s/seq", iolog_dir_fallback); if (len > 0 && (size_t)len < sizeof(fallback)) { - int fd2 = open(fallback, O_RDWR|O_CREAT, def_iolog_mode); + int fd2 = open(fallback, O_RDWR|O_CREAT, iolog_filemode); if (fd2 != -1) { ignore_result(fchown(fd2, iolog_uid, gid)); nread = read(fd2, buf, sizeof(buf) - 1); @@ -457,7 +488,7 @@ open_io_fd(char *pathbuf, size_t len, struct io_log_file *iol, bool docompress) pathbuf[len] = '\0'; strlcat(pathbuf, iol->suffix, PATH_MAX); if (iol->enabled) { - int fd = open(pathbuf, O_CREAT|O_TRUNC|O_WRONLY, def_iolog_mode); + int fd = open(pathbuf, O_CREAT|O_TRUNC|O_WRONLY, iolog_filemode); if (fd != -1) { ignore_result(fchown(fd, iolog_uid, iolog_gid)); (void)fcntl(fd, F_SETFD, FD_CLOEXEC); @@ -589,6 +620,20 @@ iolog_deserialize_info(struct iolog_details *details, char * const user_info[], iolog_compress = true; /* must be global */ continue; } + if (strncmp(*cur, "iolog_mode=", sizeof("iolog_mode=") - 1) == 0) { + mode_t mode = sudo_strtomode(*cur + sizeof("iolog_mode=") - 1, &errstr); + if (errstr == NULL) + iolog_set_mode(mode); + continue; + } + if (strncmp(*cur, "iolog_group=", sizeof("iolog_group=") - 1) == 0) { + iolog_set_gid(*cur + sizeof("iolog_group=") - 1); + continue; + } + if (strncmp(*cur, "iolog_user=", sizeof("iolog_user=") - 1) == 0) { + iolog_set_uid(*cur + sizeof("iolog_user=") - 1); + continue; + } break; case 'm': if (strncmp(*cur, "maxseq=", sizeof("maxseq=") - 1) == 0) { @@ -675,7 +720,7 @@ write_info_log(char *pathbuf, size_t len, struct iolog_details *details, pathbuf[len] = '\0'; strlcat(pathbuf, "/log", PATH_MAX); - fd = open(pathbuf, O_CREAT|O_TRUNC|O_WRONLY, def_iolog_mode); + fd = open(pathbuf, O_CREAT|O_TRUNC|O_WRONLY, iolog_filemode); if (fd == -1 || (fp = fdopen(fd, "w")) == NULL) { log_warning(SLOG_SEND_MAIL, N_("unable to create %s"), pathbuf); debug_return_bool(false); 
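Review bot: In the `iolog_deserialize_info()` hunk a malformed `iolog_mode=` value is dropped without a trace: when `sudo_strtomode()` sets `errstr` the branch simply continues and whatever `iolog_filemode` held before stays in effect. That fails towards the restrictive default, but whoever configured the mode gets no hint that it was ignored, unlike the user and group paths, which warn via `log_warningx()`. An `else` arm such as `else log_warningx(SLOG_SEND_MAIL, "%s: %s", *cur, errstr);` would make the three settings behave alike. The declaration of `errstr` and the enclosing `switch` are outside the hunk.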
diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c index 421463238..c5de6d012 100644 --- a/plugins/sudoers/policy.c +++ b/plugins/sudoers/policy.c @@ -411,7 +411,7 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask, debug_decl(sudoers_policy_exec_setup, SUDOERS_DEBUG_PLUGIN) /* Increase the length of command_info as needed, it is *not* checked. */ - command_info = calloc(32, sizeof(char *)); + command_info = calloc(48, sizeof(char *)); if (command_info == NULL) goto oom; @@ -556,6 +556,18 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask, if ((command_info[info_len++] = sudo_new_key_val("utmp_user", runas_pw->pw_name)) == NULL) goto oom; } + if (def_iolog_mode != (S_IRUSR|S_IWUSR)) { + if (asprintf(&command_info[info_len++], "iolog_mode=0%o", (unsigned int)def_iolog_mode) == -1) + goto oom; + } + if (def_iolog_user != NULL) { + if ((command_info[info_len++] = sudo_new_key_val("iolog_user", def_iolog_user)) == NULL) + goto oom; + } + if (def_iolog_group != NULL) { + if ((command_info[info_len++] = sudo_new_key_val("iolog_group", def_iolog_group)) == NULL) + goto oom; + } if (cmnd_umask != 0777) { if (asprintf(&command_info[info_len++], "umask=0%o", (unsigned int)cmnd_umask) == -1) goto oom;
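Review bot: The bump from 32 to 48 in `calloc(48, sizeof(char *))` keeps `command_info` an unchecked fixed-size array, as its own comment admits, while this commit adds up to three more `command_info[info_len++]` writes further down. Nothing visible ties the literal to the number of entries the function can emit, so a later addition that forgets to raise it writes past the allocation. A named capacity (constructed name: `enum { COMMAND_INFO_SLOTS = 48 };`) used in the `calloc()` call, plus a check that `info_len` is still below it before the array is handed back, would turn that into a detectable error. The rest of `sudoers_policy_exec_setup()` lies outside the hunk.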
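Review bot: The added `iolog_mode` entry increments `info_len` inside the `asprintf()` call, so on failure the slot is already counted even though `asprintf()` leaves the target pointer unspecified on some C libraries. If the `oom` path, which is outside this hunk, frees the entries up to `info_len`, it would pass an indeterminate pointer to `free()`. Incrementing only after success avoids that: `if (asprintf(&command_info[info_len], "iolog_mode=0%o", (unsigned int)def_iolog_mode) == -1) goto oom;` followed by `info_len++;`. The existing `umask=` line directly below has the same shape and would benefit from the same change.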