From 8c8d078f665db1a9f863c94302f6978ffecfb4f7 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 17 Mar 2017 10:56:17 -0600 Subject: [PATCH] Don't allow the user to specify an I/O log file mode that sudo can't read or write to. I/O logs must always be readable and writable by the owner. --- doc/sudoers.cat | 16 ++++++++++------ doc/sudoers.man.in | 11 +++++++---- doc/sudoers.mdoc.in | 11 +++++++---- plugins/sudoers/iolog.c | 11 ++++++----- 4 files changed, 30 insertions(+), 19 deletions(-) diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 86874b654..39752453c 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -1623,11 +1623,15 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS This setting is only supported by version 1.8.19 or higher. - iolog_mode The file permision mode to use when creating I/O log - files, mode bits other than 0666 are ignored. When - creating I/O log directories, search (execute) bits are - added to to match the read and write bits specified by - _i_o_l_o_g___m_o_d_e. Defaults to 0600. + iolog_mode The file mode to use when creating I/O log files. Mode + bits for read and write permissions for owner, group or + other are honored, everything else is ignored. The + file permissions will always include the owner read and + write bits, even if they are not present in the + specified mode. When creating I/O log directories, + search (execute) bits are added to to match the read + and write bits specified by _i_o_l_o_g___m_o_d_e. Defaults to + 0600 (read and write by user only). This setting is only supported by version 1.8.19 or higher. @@ -2744,4 +2748,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.20 March 14, 2017 Sudo 1.8.20 +Sudo 1.8.20 March 17, 2017 Sudo 1.8.20 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 91a834280..a9ff75415 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in 
@@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "5" "March 14, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "5" "March 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -3324,12 +3324,15 @@ the parent directory. This setting is only supported by version 1.8.19 or higher. .TP 18n iolog_mode -The file permision mode to use when creating I/O log files, -mode bits other than 0666 are ignored. +The file mode to use when creating I/O log files. +Mode bits for read and write permissions for owner, group or other +are honored, everything else is ignored. +The file permissions will always include the owner read and +write bits, even if they are not present in the specified mode. When creating I/O log directories, search (execute) bits are added to to match the read and write bits specified by \fIiolog_mode\fR. -Defaults to 0600. +Defaults to 0600 (read and write by user only). .sp This setting is only supported by version 1.8.19 or higher. .TP 18n diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 9c72c6f37..97ac155c7 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd March 14, 2017 +.Dd March 17, 2017 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
@@ -3117,12 +3117,15 @@ the parent directory. .Pp This setting is only supported by version 1.8.19 or higher. .It iolog_mode -The file permision mode to use when creating I/O log files, -mode bits other than 0666 are ignored. +The file mode to use when creating I/O log files. +Mode bits for read and write permissions for owner, group or other +are honored, everything else is ignored. +The file permissions will always include the owner read and +write bits, even if they are not present in the specified mode. When creating I/O log directories, search (execute) bits are added to to match the read and write bits specified by .Em iolog_mode . -Defaults to 0600. +Defaults to 0600 (read and write by user only). .Pp This setting is only supported by version 1.8.19 or higher. .It iolog_user diff --git a/plugins/sudoers/iolog.c b/plugins/sudoers/iolog.c index e292036b9..f1ab3c406 100644 --- a/plugins/sudoers/iolog.c +++ b/plugins/sudoers/iolog.c @@ -292,13 +292,14 @@ iolog_set_mode(mode_t mode) { debug_decl(iolog_set_mode, SUDOERS_DEBUG_UTIL) - /* Restrict file mode to a subset of 0666. */ - iolog_filemode = mode & (S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH); + /* I/O log files must be readable and writable by owner. */ + iolog_filemode = S_IRUSR|S_IWUSR; + + /* Add in group and other read/write if specified. */ + iolog_filemode |= mode & (S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH); /* For directory mode, add execute bits as needed. */ - iolog_dirmode = iolog_filemode; - if (iolog_dirmode & (S_IRUSR|S_IWUSR)) - iolog_dirmode |= S_IXUSR; + iolog_dirmode = iolog_filemode | S_IXUSR; if (iolog_dirmode & (S_IRGRP|S_IWGRP)) iolog_dirmode |= S_IXGRP; if (iolog_dirmode & (S_IROTH|S_IWOTH)) -- 2.40.0
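Review bot: The new mask in iolog_set_mode() still honours `S_IWGRP` and `S_IWOTH` from the sudoers value, so an `iolog_mode` of 0666 produces I/O logs that any local account can modify. Going by the directory-mode logic that follows, the log directories would then be group- and other-writable and searchable as well. Because these files are the audit record of a privileged session, consider narrowing the line to `iolog_filemode |= mode & (S_IRGRP|S_IROTH);` if no known consumer needs group/other write, or at least say so in the comment, e.g. `/* Group/other write is honored; 0666 lets any user alter the logs. */`. Separately, the owner read/write bits are now forced without any diagnostic, so a configured mode that lacks them is changed silently; a debug-level message when the stored mode differs from the requested one would make that visible to an administrator. The function body continues past the end of the hunk, so the tail of the directory-mode handling is not shown here.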