/[smeserver]/rpms/sudo/sme9/sudo-1.8.6p3-loggingperms.patch




Revision 1.1 - (show annotations) (download)
Thu Feb 4 19:44:20 2021 UTC (3 years, 3 months ago) by jpp
Branch: MAIN
CVS Tags: sudo-1_8_6p3-30_el6_sme, sudo-1_8_6p3-29_el6_9, HEAD
Sudo

1 diff -up ./plugins/sudoers/logging.c.loggingperms ./plugins/sudoers/logging.c
2 --- ./plugins/sudoers/logging.c.loggingperms 2016-10-06 16:43:14.509092792 +0200
3 +++ ./plugins/sudoers/logging.c 2016-10-06 16:46:13.491679481 +0200
4 @@ -271,6 +271,9 @@ log_denial(int status, bool inform_user)
5
6 logline = new_logline(message, 0);
7
8 + /* Become root if we are not already. */
9 + set_perms(PERM_ROOT|PERM_NOEXIT);
10 +
11 if (should_mail(status))
12 send_mail("%s", logline); /* send mail based on status */
13
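Review bot: The result of `set_perms(PERM_ROOT|PERM_NOEXIT)` is discarded, yet PERM_NOEXIT exists precisely so that set_perms reports failure instead of exiting; if the switch to root fails, log_denial carries on into send_mail()/do_logfile() with whatever credentials it already had, and the `restore_perms()` added in the next hunk pops a frame this call never pushed, assuming set_perms leaves its stack untouched on the `goto bad` paths visible in the set_perms.c hunks. Record the outcome and make the pop conditional, e.g. `bool perms_ok = set_perms(PERM_ROOT|PERM_NOEXIT);` here and `if (perms_ok) restore_perms();` below, or at least log the failure so a denial that could not be written is not silent. The comment would also help a reader if it said why root is needed, e.g. `/* Become root (uid and gid) so the log file and mail are not created with the invoking user's group. */`. log_denial's body continues outside this hunk.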
14 @@ -305,6 +308,8 @@ log_denial(int status, bool inform_user)
15 if (def_logfile)
16 do_logfile(logline);
17
18 + restore_perms();
19 +
20 efree(logline);
21 debug_return;
22 }
23 @@ -395,6 +400,9 @@ log_allowed(int status)
24
25 logline = new_logline(NULL, 0);
26
27 + /* Become root if we are not already. */
28 + set_perms(PERM_ROOT|PERM_NOEXIT);
29 +
30 if (should_mail(status))
31 send_mail("%s", logline); /* send mail based on status */
32
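Review bot: As in log_denial, the boolean that `set_perms(PERM_ROOT|PERM_NOEXIT)` returns in noexit mode is ignored, so a failed privilege switch still falls through to send_mail() and the later `restore_perms()` is executed for a push that did not happen. Capture it, `bool perms_ok = set_perms(PERM_ROOT|PERM_NOEXIT);`, and guard the restore in the following hunk with `if (perms_ok)`. log_allowed continues outside the hunk.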
33 @@ -406,6 +414,8 @@ log_allowed(int status)
34 if (def_logfile)
35 do_logfile(logline);
36
37 + restore_perms();
38 +
39 efree(logline);
40 debug_return;
41 }
42 diff -up ./plugins/sudoers/set_perms.c.loggingperms ./plugins/sudoers/set_perms.c
43 --- ./plugins/sudoers/set_perms.c.loggingperms 2016-10-06 16:46:30.112083938 +0200
44 +++ ./plugins/sudoers/set_perms.c 2016-10-06 16:56:45.151045834 +0200
45 @@ -179,8 +179,16 @@ set_perms(int perm)
46 goto bad;
47 }
48 state->rgid = ostate->rgid;
49 - state->egid = ostate->egid;
50 + state->egid = ROOT_GID;
51 state->sgid = ostate->sgid;
52 + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
53 + "[%d, %d, %d] -> [%d, %d, %d]", __func__,
54 + (int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid,
55 + (int)state->rgid, (int)state->egid, (int)state->sgid);
56 + if (GID_CHANGED && setresgid(ID(rgid), ID(egid), ID(sgid))) {
57 + strlcpy(errbuf, _("unable to change to root gid"), sizeof(errbuf));
58 + goto bad;
59 + }
60 state->grlist = ostate->grlist;
61 sudo_grlist_addref(state->grlist);
62 break;
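Review bot: The new error text `_("unable to change to root gid")` breaks the convention this file uses for the uid failures, which format the failing call and its arguments into errbuf untranslated (see `"PERM_ROOT: setuid(%d)"` later in the patch), and it drops the gid triple you would want when chasing an EPERM here; `snprintf(errbuf, sizeof(errbuf), "PERM_ROOT: setresgid(%d, %d, %d)", ID(rgid), ID(egid), ID(sgid));` keeps the style and the data, as the setregid hunk already does. It is also worth a comment that this makes every PERM_ROOT transition, not only the two logging callers this patch touches, run with egid 0, so files created under PERM_ROOT will carry group 0 where new files inherit the creator's egid: `/* Switch egid to root too so files created under PERM_ROOT are not group-owned by the invoking user. */`. The PERM_ROOT case begins above the hunk.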
63 @@ -481,8 +489,16 @@ set_perms(int perm)
64 goto bad;
65 }
66 state->rgid = ostate->rgid;
67 - state->egid = ostate->egid;
68 + state->egid = ROOT_GID;
69 state->sgid = ostate->sgid;
70 + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
71 + "[%d, %d, %d] -> [%d, %d, %d]", __func__,
72 + (int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid,
73 + (int)state->rgid, (int)state->egid, (int)state->sgid);
74 + if (GID_CHANGED && setgidx(ID_EFFECTIVE, ROOT_GID)) {
75 + strlcpy(errbuf, _("unable to change to root gid"), sizeof(errbuf));
76 + goto bad;
77 + }
78 state->grlist = ostate->grlist;
79 sudo_grlist_addref(state->grlist);
80 break;
81 @@ -879,7 +895,15 @@ set_perms(int perm)
82 }
83 }
84 state->rgid = ostate->rgid;
85 - state->egid = ostate->rgid;
86 + state->egid = ROOT_GID;
87 + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
88 + "[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid,
89 + (int)ostate->egid, (int)state->rgid, (int)state->egid);
90 + if (GID_CHANGED && setregid(ID(rgid), ID(egid))) {
91 + snprintf(errbuf, sizeof(errbuf),
92 + "PERM_ROOT: setregid(%d, %d)", ID(rgid), ID(egid));
93 + goto bad;
94 + }
95 state->grlist = ostate->grlist;
96 sudo_grlist_addref(state->grlist);
97 break;
98 @@ -1165,7 +1189,14 @@ set_perms(int perm)
99 state->ruid = ROOT_UID;
100 state->euid = ROOT_UID;
101 state->rgid = ostate->rgid;
102 - state->egid = ostate->egid;
103 + state->egid = ROOT_GID;
104 + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
105 + "[%d, %d] -> [%d, %d]", __func__, (int)ostate->rgid,
106 + (int)ostate->egid, ROOT_GID, ROOT_GID);
107 + if (GID_CHANGED && setegid(ROOT_GID)) {
108 + strlcpy(errbuf, _("unable to change to root gid"), sizeof(errbuf));
109 + goto bad;
110 + }
111 state->grlist = ostate->grlist;
112 sudo_grlist_addref(state->grlist);
113 break;
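Review bot: The debug trace added here misreports the new credentials: it prints `ROOT_GID, ROOT_GID` as the resulting `[rgid, egid]`, but three lines earlier the code keeps `state->rgid = ostate->rgid` and changes only egid, so the log will claim the real gid moved to 0 when it did not. Print the recorded state as the other hunks do: `(int)ostate->egid, (int)state->rgid, (int)state->egid);`. No runtime effect, but it will send whoever reads a permission-failure debug log down the wrong path. The enclosing case starts before the hunk.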
114 @@ -1421,7 +1452,7 @@ set_perms(int perm)
115
116 case PERM_ROOT:
117 state->ruid = ROOT_UID;
118 - state->rgid = ostate->rgid;
119 + state->rgid = ROOT_GID;
120 state->grlist = ostate->grlist;
121 sudo_grlist_addref(state->grlist);
122 sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: uid: "
123 @@ -1430,11 +1461,17 @@ set_perms(int perm)
124 snprintf(errbuf, sizeof(errbuf), "PERM_ROOT: setuid(%d)", ROOT_UID);
125 goto bad;
126 }
127 + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
128 + "[%d] -> [%d]", __func__, (int)ostate->rgid, (int)state->rgid);
129 + if (setgid(ROOT_GID)) {
130 + strlcpy(errbuf, _("unable to change to root gid"), sizeof(errbuf));
131 + goto bad;
132 + }
133 break;
134
135 case PERM_FULL_USER:
136 state->rgid = user_gid;
137 - sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: gid: "
138 + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_FULL_USER: gid: "
139 "[%d] -> [%d]", __func__, (int)ostate->rgid, (int)state->rgid);
140 (void) setgid(user_gid);
141 state->grlist = user_group_list;
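Review bot: The PERM_ROOT branch now checks `setgid(ROOT_GID)` and jumps to `bad` on failure, but the PERM_FULL_USER branch a few lines below still throws away the result of `setgid(user_gid)` with a `(void)` cast, so in this no-saved-ids variant a failed group switch is silently recorded in `state->rgid` as if it had succeeded. Unless the cast is a deliberate best-effort, the same check belongs there, with the message in the file's existing `CASE: call(args)` form; this is pre-existing code the patch leaves untouched, and the PERM_FULL_USER body continues in the next hunk.
```c
	    state->rgid = user_gid;
	    /* … unchanged: PERM_FULL_USER gid debug trace … */
	    if (setgid(user_gid)) {
		snprintf(errbuf, sizeof(errbuf), "PERM_FULL_USER: setgid(%d)",
		    (int)user_gid);
		goto bad;
	    }
	    state->grlist = user_group_list;
```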
142 @@ -1446,7 +1483,7 @@ set_perms(int perm)
143 }
144 }
145 state->ruid = user_uid;
146 - sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_ROOT: uid: "
147 + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: PERM_FULL_USER: uid: "
148 "[%d] -> [%d]", __func__, (int)ostate->ruid, (int)state->ruid);
149 if (setuid(user_uid)) {
150 snprintf(errbuf, sizeof(errbuf),
151 diff -up ./plugins/sudoers/sudoers.h.loggingperms ./plugins/sudoers/sudoers.h
152 --- ./plugins/sudoers/sudoers.h.loggingperms 2016-10-06 16:56:55.842662731 +0200
153 +++ ./plugins/sudoers/sudoers.h 2016-10-06 16:59:04.615048554 +0200
154 @@ -208,6 +208,7 @@ struct sudo_user {
155 #else
156 # define ROOT_UID 0
157 #endif
158 +#define ROOT_GID 0
159
160 /*
161 * We used to use the system definition of PASS_MAX or _PASSWD_LEN,
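Review bot: `ROOT_GID` is added as an unconditional `#define` directly after a conditional block that lets the platform choose `ROOT_UID` (the `#if` that selects it is above the hunk), so a port that needs a non-zero root uid gets no matching hook for the gid. Either fold it into that conditional or guard it, `#ifndef ROOT_GID` / `# define ROOT_GID 0` / `#endif`, and give it a one-line comment such as `/* Group set_perms() switches to for PERM_ROOT. */` so the relationship to the set_perms.c change is visible from the header.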
