Bug 307 - if configured --with-umask then sudo can raise umask
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.7.0
Hardware: All All
Importance: low low
Assigned To: Todd C. Miller
Reported: 2008-10-15 11:11 MDT by Vadim Zhukov
Modified: 2008-10-26 17:17 MDT

Attachments
sudo and documentation patch (1.01 KB, patch)
2008-10-15 11:11 MDT, Vadim Zhukov

Description Vadim Zhukov 2008-10-15 11:11:49 MDT
Created attachment 232
sudo and documentation patch

When sudo(8) is configured with the "--with-umask" option, it always changes the umask, even if the current umask is more strict. A better solution is to logically AND the old and new umask. Sample patch attached.

Usage example (I have a similar setup for some not-a-human user under which a program runs):

In sudoers:
user = (root) NOPASSWD: tee -- /some/dir/*

In shell:
$ umask
0002
$ echo XXX | sudo tee -- /some/dir/somefile >/dev/null
$ ls -l /some/dir/somefile
-rw-r--r--  1 root  somegroup  4 Oct 15 19:10 somefile

Comment 1 Todd C. Miller 2008-10-26 17:17:31 MDT
I think you have things backwards.  Since umask is a mask, the more bits that are set, the more restrictive it is.  So instead of bitwise AND, it should be bitwise OR.  I've made such a change in the sudo cvs tree.
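
Added example (not part of the bug report and not sudo's code): a small C program comparing the three ways of choosing the umask discussed in this thread (override, bitwise AND, bitwise OR) and the file mode each one produces. The function names, the /tmp path and the sample umask values 0077 and 0022 are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum policy { OVERRIDE, AND_MASKS, OR_MASKS };

/* Choose the umask to apply before running the command. */
mode_t combine_umask(mode_t user, mode_t configured, enum policy p)
{
    switch (p) {
    case AND_MASKS: return user & configured; /* only bits set in both survive */
    case OR_MASKS:  return user | configured; /* bits set in either survive */
    default:        return configured;        /* caller's umask is discarded */
    }
}

/* Create a file requesting mode 0666 under `mask`; return the permission
 * bits it actually got, or (mode_t)-1 on error. */
mode_t mode_created_under(mode_t mask)
{
    char path[64];
    struct stat st;
    mode_t result = (mode_t)-1;
    snprintf(path, sizeof(path), "/tmp/umask-demo-%ld", (long)getpid());
    mode_t saved = umask(mask);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666); /* O_EXCL: never reuse a path */
    umask(saved);
    if (fd < 0)
        return result;
    if (fstat(fd, &st) == 0)
        result = st.st_mode & 0777;
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    static const char *names[] = { "override", "AND", "OR" };
    mode_t user = 0077, configured = 0022; /* constructed sample values */
    for (int p = OVERRIDE; p <= OR_MASKS; p++) {
        mode_t m = combine_umask(user, configured, (enum policy)p);
        printf("%-8s umask %04o -> file mode %04o\n", names[p],
               (unsigned)m, (unsigned)mode_created_under(m));
    }
    return 0;
}
```

With these sample values, only the OR policy keeps the caller's stricter 0077 and yields a 0600 file; override and AND both end up at 0022 and a 0644 file.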