sudo/sme9/sudo-1.8.6p3-loggingperms.patch

diff -up ./plugins/sudoers/logging.c.loggingperms ./plugins/sudoers/logging.c
--- ./plugins/sudoers/logging.c.loggingperms    2016-10-06 16:43:14.509092792 +0200
+++ ./plugins/sudoers/logging.c 2016-10-06 16:46:13.491679481 +0200
@@ -271,6 +271,9 @@ log_denial(int status, bool inform_user)
 
     logline = new_logline(message, 0);
 
+    /* Become root if we are not already. */
+    set_perms(PERM_ROOT|PERM_NOEXIT);
+
     if (should_mail(status))
        send_mail("%s", logline);       /* send mail based on status */
 
@@ -305,6 +308,8 @@ log_denial(int status, bool inform_user)
     if (def_logfile)
        do_logfile(logline);
 
+    restore_perms();
+
     efree(logline);
     debug_return;
 }
@@ -395,6 +400,9 @@ log_allowed(int status)
 
     logline = new_logline(NULL, 0);
 
+    /* Become root if we are not already. */
+    set_perms(PERM_ROOT|PERM_NOEXIT);
+
     if (should_mail(status))
        send_mail("%s", logline);       /* send mail based on status */
 
@@ -406,6 +414,8 @@ log_allowed(int status)
     if (def_logfile)
        do_logfile(logline);
 
+    restore_perms();
+
     efree(logline);
     debug_return;
 }
diff -up ./plugins/sudoers/set_perms.c.loggingperms ./plugins/sudoers/set_perms.c
--- ./plugins/sudoers/set_perms.c.loggingperms  2016-10-06 16:46:30.112083938 +0200
+++ ./plugins/sudoers/set_perms.c       2016-10-06 16:56:45.151045834 +0200
@@ -179,8 +179,16 @@ set_perms(int perm)
            goto bad;
        }
        state->rgid = ostate->rgid;
-       state->egid = ostate->egid;
+       state->egid = ROOT_GID;
        state->sgid = ostate->sgid;
+        sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
+            "[%d, %d, %d] -> [%d, %d, %d]", __func__,
+            (int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid,
+            (int)state->rgid, (int)state->egid, (int)state->sgid);
+        if (GID_CHANGED && setresgid(ID(rgid), ID(egid), ID(sgid))) {
+            strlcpy(errbuf, _("unable to change to root gid"), sizeof(errbuf));
+            goto bad;
+        }
        state->grlist = ostate->grlist;
        sudo_grlist_addref(state->grlist);
        break;
@@ -481,8 +489,16 @@ set_perms(int perm)
            goto bad;
        }
        state->rgid = ostate->rgid;
-       state->egid = ostate->egid;
+       state->egid = ROOT_GID;
        state->sgid = ostate->sgid;
+        sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
+            "[%d, %d, %d] -> [%d, %d, %d]", __func__,
+            (int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid,
+            (int)state->rgid, (int)state->egid, (int)state->sgid);
+        if (GID_CHANGED && setgidx(ID_EFFECTIVE, ROOT_GID)) {
+            strlcpy(errbuf, _("unable to change to root gid"), sizeof(errbuf));
+            goto bad;
+        }
        state->grlist = ostate->grlist;
        sudo_grlist_addref(state->grlist);
        break;
@@ -879,7 +895,15 @@ set_perms(int perm)
            }
        }
        state->rgid = ostate->rgid;
-       state->egid = ostate->rgid;
+        state->egid = ROOT_GID;
+        sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
+            "[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid,
+            (int)ostate->egid, (int)state->rgid, (int)state->egid);
+        if (GID_CHANGED && setregid(ID(rgid), ID(egid))) {
+            snprintf(errbuf, sizeof(errbuf),
+                "PERM_ROOT: setregid(%d, %d)", ID(rgid), ID(egid));
+            goto bad;
+        }
        state->grlist = ostate->grlist;
        sudo_grlist_addref(state->grlist);
        break;
@@ -1165,7 +1189,14 @@ set_perms(int perm)
        state->ruid = ROOT_UID;
        state->euid = ROOT_UID;
        state->rgid = ostate->rgid;
-       state->egid = ostate->egid;
+        state->egid = ROOT_GID;
+        sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
+            "[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid,
+            (int)ostate->egid, ROOT_GID, ROOT_GID);
+        if (GID_CHANGED && setegid(ROOT_GID)) {
+            strlcpy(errbuf, _("unable to change to root gid"), sizeof(errbuf));
+            goto bad;
+        }
        state->grlist = ostate->grlist;
        sudo_grlist_addref(state->grlist);
        break;
@@ -1421,7 +1452,7 @@ set_perms(int perm)
 
     case PERM_ROOT:
        state->ruid = ROOT_UID;
-       state->rgid = ostate->rgid;
+       state->rgid = ROOT_GID;
        state->grlist = ostate->grlist;
        sudo_grlist_addref(state->grlist);
        sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: uid: "
@@ -1430,11 +1461,17 @@ set_perms(int perm)
            snprintf(errbuf, sizeof(errbuf), "PERM_ROOT: setuid(%d)", ROOT_UID);
            goto bad;
        }
+        sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
+            "[%d] -> [%d]", __func__, (int)ostate->rgid, (int)state->rgid);
+        if (setgid(ROOT_GID)) {
+            strlcpy(errbuf, _("unable to change to root gid"), sizeof(errbuf));
+            goto bad;
+        }
        break;
 
     case PERM_FULL_USER:
        state->rgid = user_gid;
-       sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
+       sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_FULL_USER: gid: "
            "[%d] -> [%d]", __func__, (int)ostate->rgid, (int)state->rgid);
        (void) setgid(user_gid);
        state->grlist = user_group_list;
@@ -1446,7 +1483,7 @@ set_perms(int perm)
            }
        }
        state->ruid = user_uid;
-       sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: uid: "
+       sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_FULL_USER: uid: "
            "[%d] -> [%d]", __func__, (int)ostate->ruid, (int)state->ruid);
        if (setuid(user_uid)) {
            snprintf(errbuf, sizeof(errbuf),
diff -up ./plugins/sudoers/sudoers.h.loggingperms ./plugins/sudoers/sudoers.h
--- ./plugins/sudoers/sudoers.h.loggingperms    2016-10-06 16:56:55.842662731 +0200
+++ ./plugins/sudoers/sudoers.h 2016-10-06 16:59:04.615048554 +0200
@@ -208,6 +208,7 @@ struct sudo_user {
 #else
 # define ROOT_UID       0
 #endif
+#define ROOT_GID       0
 
 /*
  * We used to use the system definition of PASS_MAX or _PASSWD_LEN,
1	jpp	1.1	diff -up ./plugins/sudoers/logging.c.loggingperms ./plugins/sudoers/logging.c
2			--- ./plugins/sudoers/logging.c.loggingperms 2016-10-06 16:43:14.509092792 +0200
3			+++ ./plugins/sudoers/logging.c 2016-10-06 16:46:13.491679481 +0200
4			@@ -271,6 +271,9 @@ log_denial(int status, bool inform_user)
5
6			logline = new_logline(message, 0);
7
8			+ /* Become root if we are not already. */
9			+ set_perms(PERM_ROOT\|PERM_NOEXIT);
10			+
11			if (should_mail(status))
12			send_mail("%s", logline); /* send mail based on status */
13
14			@@ -305,6 +308,8 @@ log_denial(int status, bool inform_user)
15			if (def_logfile)
16			do_logfile(logline);
17
18			+ restore_perms();
19			+
20			efree(logline);
21			debug_return;
22			}
23			@@ -395,6 +400,9 @@ log_allowed(int status)
24
25			logline = new_logline(NULL, 0);
26
27			+ /* Become root if we are not already. */
28			+ set_perms(PERM_ROOT\|PERM_NOEXIT);
29			+
30			if (should_mail(status))
31			send_mail("%s", logline); /* send mail based on status */
32
33			@@ -406,6 +414,8 @@ log_allowed(int status)
34			if (def_logfile)
35			do_logfile(logline);
36
37			+ restore_perms();
38			+
39			efree(logline);
40			debug_return;
41			}
42			diff -up ./plugins/sudoers/set_perms.c.loggingperms ./plugins/sudoers/set_perms.c
43			--- ./plugins/sudoers/set_perms.c.loggingperms 2016-10-06 16:46:30.112083938 +0200
44			+++ ./plugins/sudoers/set_perms.c 2016-10-06 16:56:45.151045834 +0200
45			@@ -179,8 +179,16 @@ set_perms(int perm)
46			goto bad;
47			}
48			state->rgid = ostate->rgid;
49			- state->egid = ostate->egid;
50			+ state->egid = ROOT_GID;
51			state->sgid = ostate->sgid;
52			+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
53			+ "[%d, %d, %d] -> [%d, %d, %d]", __func__,
54			+ (int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid,
55			+ (int)state->rgid, (int)state->egid, (int)state->sgid);
56			+ if (GID_CHANGED && setresgid(ID(rgid), ID(egid), ID(sgid))) {
57			+ strlcpy(errbuf, _("unable to change to root gid"), sizeof(errbuf));
58			+ goto bad;
59			+ }
60			state->grlist = ostate->grlist;
61			sudo_grlist_addref(state->grlist);
62			break;
63			@@ -481,8 +489,16 @@ set_perms(int perm)
64			goto bad;
65			}
66			state->rgid = ostate->rgid;
67			- state->egid = ostate->egid;
68			+ state->egid = ROOT_GID;
69			state->sgid = ostate->sgid;
70			+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
71			+ "[%d, %d, %d] -> [%d, %d, %d]", __func__,
72			+ (int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid,
73			+ (int)state->rgid, (int)state->egid, (int)state->sgid);
74			+ if (GID_CHANGED && setgidx(ID_EFFECTIVE, ROOT_GID)) {
75			+ strlcpy(errbuf, _("unable to change to root gid"), sizeof(errbuf));
76			+ goto bad;
77			+ }
78			state->grlist = ostate->grlist;
79			sudo_grlist_addref(state->grlist);
80			break;
81			@@ -879,7 +895,15 @@ set_perms(int perm)
82			}
83			}
84			state->rgid = ostate->rgid;
85			- state->egid = ostate->rgid;
86			+ state->egid = ROOT_GID;
87			+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
88			+ "[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid,
89			+ (int)ostate->egid, (int)state->rgid, (int)state->egid);
90			+ if (GID_CHANGED && setregid(ID(rgid), ID(egid))) {
91			+ snprintf(errbuf, sizeof(errbuf),
92			+ "PERM_ROOT: setregid(%d, %d)", ID(rgid), ID(egid));
93			+ goto bad;
94			+ }
95			state->grlist = ostate->grlist;
96			sudo_grlist_addref(state->grlist);
97			break;
98			@@ -1165,7 +1189,14 @@ set_perms(int perm)
99			state->ruid = ROOT_UID;
100			state->euid = ROOT_UID;
101			state->rgid = ostate->rgid;
102			- state->egid = ostate->egid;
103			+ state->egid = ROOT_GID;
104			+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
105			+ "[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid,
106			+ (int)ostate->egid, ROOT_GID, ROOT_GID);
107			+ if (GID_CHANGED && setegid(ROOT_GID)) {
108			+ strlcpy(errbuf, _("unable to change to root gid"), sizeof(errbuf));
109			+ goto bad;
110			+ }
111			state->grlist = ostate->grlist;
112			sudo_grlist_addref(state->grlist);
113			break;
114			@@ -1421,7 +1452,7 @@ set_perms(int perm)
115
116			case PERM_ROOT:
117			state->ruid = ROOT_UID;
118			- state->rgid = ostate->rgid;
119			+ state->rgid = ROOT_GID;
120			state->grlist = ostate->grlist;
121			sudo_grlist_addref(state->grlist);
122			sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: uid: "
123			@@ -1430,11 +1461,17 @@ set_perms(int perm)
124			snprintf(errbuf, sizeof(errbuf), "PERM_ROOT: setuid(%d)", ROOT_UID);
125			goto bad;
126			}
127			+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
128			+ "[%d] -> [%d]", __func__, (int)ostate->rgid, (int)state->rgid);
129			+ if (setgid(ROOT_GID)) {
130			+ strlcpy(errbuf, _("unable to change to root gid"), sizeof(errbuf));
131			+ goto bad;
132			+ }
133			break;
134
135			case PERM_FULL_USER:
136			state->rgid = user_gid;
137			- sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
138			+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_FULL_USER: gid: "
139			"[%d] -> [%d]", __func__, (int)ostate->rgid, (int)state->rgid);
140			(void) setgid(user_gid);
141			state->grlist = user_group_list;
142			@@ -1446,7 +1483,7 @@ set_perms(int perm)
143			}
144			}
145			state->ruid = user_uid;
146			- sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: uid: "
147			+ sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_FULL_USER: uid: "
148			"[%d] -> [%d]", __func__, (int)ostate->ruid, (int)state->ruid);
149			if (setuid(user_uid)) {
150			snprintf(errbuf, sizeof(errbuf),
151			diff -up ./plugins/sudoers/sudoers.h.loggingperms ./plugins/sudoers/sudoers.h
152			--- ./plugins/sudoers/sudoers.h.loggingperms 2016-10-06 16:56:55.842662731 +0200
153			+++ ./plugins/sudoers/sudoers.h 2016-10-06 16:59:04.615048554 +0200
154			@@ -208,6 +208,7 @@ struct sudo_user {
155			#else
156			# define ROOT_UID 0
157			#endif
158			+#define ROOT_GID 0
159
160			/*
161			* We used to use the system definition of PASS_MAX or _PASSWD_LEN,