Implement support for the umask and umask_override defaults

Author: bjorn3

src/common/context.rs

@@ -1,7 +1,7 @@
 use std::io;
 
 use crate::common::{HARDENED_ENUM_VALUE_0, HARDENED_ENUM_VALUE_1, HARDENED_ENUM_VALUE_2};
-use crate::exec::RunOptions;
+use crate::exec::{RunOptions, Umask};
 use crate::sudo::{SudoListOptions, SudoRunOptions, SudoValidateOptions};
 use crate::sudoers::Sudoers;
 use crate::system::{Group, Hostname, Process, User};
@@ -32,6 +32,7 @@ pub struct Context {
     // policy
     pub use_pty: bool,
     pub noexec: bool,
+    pub umask: Umask,
 }
 
 #[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
@@ -95,6 +96,7 @@ impl Context {
             process: Process::new(),
             use_pty: true,
             noexec: false,
+            umask: policy.umask(),
         })
     }
 
@@ -120,6 +122,7 @@ impl Context {
             process: Process::new(),
             use_pty: true,
             noexec: false,
+            umask: Umask::Preserve,
         })
     }
 
@@ -165,6 +168,7 @@ impl Context {
             process: Process::new(),
             use_pty: true,
             noexec: false,
+            umask: Umask::Preserve,
         })
     }
 
@@ -181,6 +185,7 @@ impl Context {
             is_login: self.launch == LaunchType::Login,
             user: &self.target_user,
             group: &self.target_group,
+            umask: self.umask,
 
             use_pty: self.use_pty,
             noexec: self.noexec,

src/defaults/mod.rs

@@ -43,6 +43,8 @@ defaults! {
 
     setenv                    = false
     apparmor_profile          = None (!= None)
+    umask                     = 0o022 (!= 0o777) {octal_mode}
+    umask_override            = false
 
     passwd_tries              = 3 [0..=1000]
 
@@ -66,6 +68,12 @@ defaults! {
                                 "PYTHONINSPECT", "PYTHONUSERBASE", "RUBYLIB", "RUBYOPT", "*=()*"] #ignored
 }
 
+fn octal_mode(input: &str) -> Option<i64> {
+    <libc::mode_t>::from_str_radix(input.strip_prefix('0')?, 8)
+        .ok()
+        .map(Into::into)
+}
+
 /// A custom parser to parse seconds as fractional "minutes", the format used by
 /// passwd_timeout and timestamp_timeout.
 fn fractional_minutes(input: &str) -> Option<i64> {

src/exec/mod.rs

@@ -18,7 +18,9 @@ use std::{
 };
 
 use crate::{
-    common::bin_serde::BinPipe,
+    common::{
+        bin_serde::BinPipe, HARDENED_ENUM_VALUE_0, HARDENED_ENUM_VALUE_1, HARDENED_ENUM_VALUE_2,
+    },
     exec::no_pty::exec_no_pty,
     log::{dev_info, dev_warn, user_error},
     system::{
@@ -47,6 +49,17 @@ impl SpawnNoexecHandler {
     fn spawn(self) {}
 }
 
+#[derive(Debug, Copy, Clone)]
+#[repr(u32)]
+pub enum Umask {
+    /// Keep the umask of the parent process.
+    Preserve = HARDENED_ENUM_VALUE_0,
+    /// Mask out more of the permission bits in the new umask.
+    Extend(libc::mode_t) = HARDENED_ENUM_VALUE_1,
+    /// Override the umask of the parent process entirely with the given umask.
+    Override(libc::mode_t) = HARDENED_ENUM_VALUE_2,
+}
+
 pub struct RunOptions<'a> {
     pub command: &'a Path,
     pub arguments: &'a [String],
@@ -55,6 +68,7 @@ pub struct RunOptions<'a> {
     pub is_login: bool,
     pub user: &'a User,
     pub group: &'a Group,
+    pub umask: Umask,
 
     pub use_pty: bool,
     pub noexec: bool,
@@ -131,6 +145,29 @@ pub fn run_command(
         }
     }
 
+    // SAFETY: Umask is async-signal-safe.
+    unsafe {
+        let umask = options.umask;
+
+        command.pre_exec(move || {
+            match umask {
+                Umask::Preserve => {}
+                Umask::Extend(umask) => {
+                    // The only options to get the existing umask are overwriting it or
+                    // parsing a /proc file. Given that this is a single-threaded context,
+                    // overwrite it with a safe value is fine and the simpler option.
+                    let existing_umask = libc::umask(0o777);
+                    libc::umask(existing_umask | umask);
+                }
+                Umask::Override(umask) => {
+                    libc::umask(umask);
+                }
+            }
+
+            Ok(())
+        });
+    }
+
     let sudo_pid = ProcessId::new(std::process::id() as i32);
 
     if options.use_pty {

src/su/context.rs

@@ -7,7 +7,7 @@ use std::{
 };
 
 use crate::common::{error::Error, resolve::CurrentUser};
-use crate::exec::RunOptions;
+use crate::exec::{RunOptions, Umask};
 use crate::log::user_warn;
 use crate::system::{Group, Process, User};
 use crate::{common::resolve::is_valid_executable, system::interface::UserId};
@@ -216,6 +216,7 @@ impl SuContext {
             is_login: self.options.login,
             user: &self.user,
             group: &self.group,
+            umask: Umask::Preserve,
 
             use_pty: true,
             noexec: false,

src/sudo/env/tests.rs

@@ -1,5 +1,6 @@
 use crate::common::resolve::CurrentUser;
 use crate::common::{CommandAndArguments, Context};
+use crate::exec::Umask;
 use crate::sudo::{
     cli::{SudoAction, SudoRunOptions},
     env::environment::{get_target_environment, Environment},
@@ -134,6 +135,7 @@ fn create_test_context(sudo_options: SudoRunOptions) -> Context {
         use_pty: true,
         noexec: false,
         bell: false,
+        umask: Umask::Preserve,
     }
 }
 

src/sudoers/mod.rs

@@ -15,6 +15,7 @@ use std::path::{Path, PathBuf};
 
 use crate::common::resolve::resolve_path;
 use crate::defaults;
+use crate::exec::Umask;
 use crate::log::auth_warn;
 use crate::system::interface::{GroupId, UnixGroup, UnixUser, UserId};
 use crate::system::{self, can_execute};
@@ -317,6 +318,24 @@ impl Sudoers {
 
         None
     }
+
+    pub(crate) fn umask(&self) -> Umask {
+        if self.settings.umask_override() {
+            Umask::Override(
+                self.settings
+                    .umask()
+                    .try_into()
+                    .expect("the umask parser should have prevented overflow"),
+            )
+        } else {
+            Umask::Extend(
+                self.settings
+                    .umask()
+                    .try_into()
+                    .expect("the umask parser should have prevented overflow"),
+            )
+        }
+    }
 }
 
 // a `take_while` variant that does not consume the first non-matching item