Add umask to user_info passed in from the front end to the plugin.

Todd C. Miller
2016-11-17 16:00:06 -07:00
parent 0cde3f5de4
commit f70f595b5b
5 changed files with 48 additions and 8 deletions


@@ -336,6 +336,10 @@ DDEESSCCRRIIPPTTIIOONN
uid=uid_t uid=uid_t
The real user ID of the user invoking ssuuddoo. The real user ID of the user invoking ssuuddoo.
umask=octal
The invoking user's file creation mask. Only available
starting with API version 1.10.
user=string user=string
The name of the user invoking ssuuddoo. The name of the user invoking ssuuddoo.
@@ -1546,8 +1550,9 @@ PPLLUUGGIINN AAPPII CCHHAANNGGEELLOOGG
The _e_x_e_c_f_d entry was added to the command_info list. The _e_x_e_c_f_d entry was added to the command_info list.
Version 1.10 (sudo 1.8.19) Version 1.10 (sudo 1.8.19)
The _i_o_l_o_g___g_r_o_u_p, _i_o_l_o_g___m_o_d_e, and _i_o_l_o_g___u_s_e_r entries were added to The _u_m_a_s_k entry was added to the user_info list. The _i_o_l_o_g___g_r_o_u_p,
the command_info list. _i_o_l_o_g___m_o_d_e, and _i_o_l_o_g___u_s_e_r entries were added to the command_info
list.
SSEEEE AALLSSOO SSEEEE AALLSSOO
sudo.conf(4), sudoers(4), sudo(1m) sudo.conf(4), sudoers(4), sudo(1m)
@@ -1578,4 +1583,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.19 November 8, 2016 Sudo 1.8.19 Sudo 1.8.19 November 17, 2016 Sudo 1.8.19


@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.TH "SUDO_PLUGIN" "5" "November 8, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDO_PLUGIN" "5" "November 17, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -546,6 +546,10 @@ uid=uid_t
The real user ID of the user invoking The real user ID of the user invoking
\fBsudo\fR. \fBsudo\fR.
.TP 6n .TP 6n
umask=octal
The invoking user's file creation mask.
Only available starting with API version 1.10.
.TP 6n
user=string user=string
The name of the user invoking The name of the user invoking
\fBsudo\fR. \fBsudo\fR.
@@ -2765,6 +2769,11 @@ list.
.TP 6n .TP 6n
Version 1.10 (sudo 1.8.19) Version 1.10 (sudo 1.8.19)
The The
\fIumask\fR
entry was added to the
\fRuser_info\fR
list.
The
\fIiolog_group\fR, \fIiolog_group\fR,
\fIiolog_mode\fR, \fIiolog_mode\fR,
and and


@@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.Dd November 8, 2016 .Dd November 17, 2016
.Dt SUDO_PLUGIN @mansectform@ .Dt SUDO_PLUGIN @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -484,6 +484,9 @@ the value will be empty, as in
.It uid=uid_t .It uid=uid_t
The real user ID of the user invoking The real user ID of the user invoking
.Nm sudo . .Nm sudo .
.It umask=octal
The invoking user's file creation mask.
Only available starting with API version 1.10.
.It user=string .It user=string
The name of the user invoking The name of the user invoking
.Nm sudo . .Nm sudo .
@@ -2421,6 +2424,11 @@ entry was added to the
list. list.
.It Version 1.10 (sudo 1.8.19) .It Version 1.10 (sudo 1.8.19)
The The
.Em umask
entry was added to the
.Li user_info
list.
The
.Em iolog_group , .Em iolog_group ,
.Em iolog_mode , .Em iolog_mode ,
and and


@@ -264,6 +264,7 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
#endif #endif
} }
user_umask = (mode_t)-1;
for (cur = info->user_info; *cur != NULL; cur++) { for (cur = info->user_info; *cur != NULL; cur++) {
if (MATCHES(*cur, "user=")) { if (MATCHES(*cur, "user=")) {
if ((user_name = strdup(*cur + sizeof("user=") - 1)) == NULL) if ((user_name = strdup(*cur + sizeof("user=") - 1)) == NULL)
@@ -346,6 +347,15 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
} }
continue; continue;
} }
if (MATCHES(*cur, "umask=")) {
p = *cur + sizeof("umask=") - 1;
sudo_user.umask = sudo_strtomode(p, &errstr);
if (errstr != NULL) {
sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
goto bad;
}
continue;
}
} }
if ((user_runhost = strdup(remhost ? remhost : user_host)) == NULL) if ((user_runhost = strdup(remhost ? remhost : user_host)) == NULL)
goto oom; goto oom;
@@ -373,9 +383,11 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
goto bad; goto bad;
} }
/* Stash initial umask for later use. */ /* umask is only set in user_info[] for API 1.10 and above. */
user_umask = umask(SUDO_UMASK); if (user_umask == (mode_t)-1) {
umask(user_umask); user_umask = umask(0);
umask(user_umask);
}
/* Some systems support fexecve() which we use for digest matches. */ /* Some systems support fexecve() which we use for digest matches. */
cmnd_fd = -1; cmnd_fd = -1;
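Review bot: The fallback probe in the last hunk now calls `umask(0)` where the old code used `umask(SUDO_UMASK)`, so between the two calls the process mask is fully permissive; the same `umask(0)`/`umask(mask)` pair is added to get_user_info in the front-end section. Nothing visible here creates a file in that window, but a restrictive temporary value costs nothing: `user_umask = umask(077);` followed by the existing `umask(user_umask);`. Separately, the parser hunk stores into `sudo_user.umask` while the sentinel and the fallback test `user_umask`; presumably both name the same object through a macro, and using `user_umask` in all three places would make that obvious to a reader. sudoers_policy_deserialize_info starts and ends outside these hunks.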


@@ -487,6 +487,7 @@ get_user_info(struct user_details *ud)
{ {
char *cp, **user_info, path[PATH_MAX]; char *cp, **user_info, path[PATH_MAX];
unsigned int i = 0; unsigned int i = 0;
mode_t mask;
struct passwd *pw; struct passwd *pw;
int fd; int fd;
debug_decl(get_user_info, SUDO_DEBUG_UTIL) debug_decl(get_user_info, SUDO_DEBUG_UTIL)
@@ -552,6 +553,11 @@ get_user_info(struct user_details *ud)
if ((cp = get_user_groups(ud)) != NULL) if ((cp = get_user_groups(ud)) != NULL)
user_info[++i] = cp; user_info[++i] = cp;
mask = umask(0);
umask(mask);
if (asprintf(&user_info[++i], "umask=0%o", (unsigned int)mask) == -1)
goto oom;
if (getcwd(path, sizeof(path)) != NULL) { if (getcwd(path, sizeof(path)) != NULL) {
user_info[++i] = sudo_new_key_val("cwd", path); user_info[++i] = sudo_new_key_val("cwd", path);
if (user_info[i] == NULL) if (user_info[i] == NULL)
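Review bot: In the added `asprintf(&user_info[++i], ...)` the index is advanced before the call can fail, and some C libraries leave the target pointer unspecified when asprintf fails, so the `oom` path (not visible in this hunk) would see an indeterminate slot if it frees entries up to and including `i`. Following the `get_user_groups` pattern just above avoids depending on that: `if (asprintf(&cp, "umask=0%o", (unsigned int)mask) == -1) goto oom;` then `user_info[++i] = cp;`. Whether the `user_info` array was sized for one more entry is also not visible here and is worth confirming. get_user_info continues past the end of the hunk.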