Bug 336 - Umask taken from user instead of config file
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.6.9
Hardware: Other FreeBSD
Importance: normal normal
Assigned To: Todd C. Miller
Reported: 2009-02-20 16:13 MST by Alan Amesbury
Modified: 2009-03-12 10:09 MDT (History)

Description Alan Amesbury 2009-02-20 16:13:07 MST
Recently it appears that sudo's behavior changed with respect to how it handles umasks.  It used to ignore the umask of the user invoking sudo, but it now appears to OR the user's umask with the umask setting in the sudoers file.  It does not appear to be possible to force a specific umask setting within the sudoers file; you're pretty much at the mercy of the user running sudo.  For users with umasks of 0027 (or 0077) who are expecting file modes of 0644 after 'sudo touch somefile', this is a bit of a nasty shock.

Resolution:  revert to previous behavior, which worked as expected.  Alternatively, allow for umask to be forced regardless of what the invoking user's umask happens to be.
Comment 1 Todd C. Miller 2009-02-20 16:28:58 MST
The sudo umask setting exists to prevent users from creating files with an overly permissive mask.  The change in behavior was to ensure that sudo never sets the umask to be more permissive than the user's.

This is arguably more secure but I can see how it can cause usability problems for some people.  I'll probably make the behavior configurable in the next sudo release.
Comment 2 Todd C. Miller 2009-03-12 10:09:43 MDT
A umask_override option has been added to sudo 1.7.1.  A beta version of sudo 1.7.1 may be downloaded from http://www.sudo.ws/devel.html
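
The two behaviours discussed in this bug, as an added example that is not part of the original report or of sudo's own code: it computes the umask a command would run with when the user's umask is ORed with the sudoers value, and when the sudoers value is used unmodified, then creates a file under each to show the resulting mode. The sudoers umask of 0022 and the function names are assumptions made for illustration.

```python
import os
import stat
import tempfile

SUDOERS_UMASK = 0o022  # assumed sudoers "umask" value, chosen for illustration


def effective_umask(user_umask: int, sudoers_umask: int, umask_override: bool) -> int:
    """Umask the command runs with under the two behaviours in this bug."""
    if umask_override:
        # Behaviour the reporter asks for: sudoers value used without modification.
        return sudoers_umask
    # Behaviour described in the report: bitwise OR of both masks, so the
    # result is never more permissive than the invoking user's umask.
    return user_umask | sudoers_umask


def mode_of_new_file(umask: int) -> int:
    """Create a file with requested mode 0666 (as touch does) and return its mode."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "somefile")
            os.close(os.open(path, os.O_CREAT | os.O_WRONLY, 0o666))
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)  # restore the caller's umask


if __name__ == "__main__":
    print("user umask  override  effective  file mode")
    for user in (0o022, 0o027, 0o077):
        for override in (False, True):
            eff = effective_umask(user, SUDOERS_UMASK, override)
            mode = mode_of_new_file(eff)
            print(f"{user:04o}        {override!s:<8}  {eff:04o}       {mode:04o}")
```
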