File Audit Mode 0000 bug (#15759)

* adding file mode changes

* add changelog

* adding error

* adding fmt changes

builtin/audit/file/backend.go

@@ -78,9 +78,21 @@ func Factory(ctx context.Context, conf *audit.BackendConfig) (audit.Backend, err
 		if err != nil {
 			return nil, err
 		}
-		if m != 0 {
+		switch m {
+		case 0:
+			// if mode is 0000, then do not modify file mode
+			if path != "stdout" && path != "discard" {
+				fileInfo, err := os.Stat(path)
+				if err != nil {
+					return nil, err
+				}
+				mode = fileInfo.Mode()
+			}
+		default:
 			mode = os.FileMode(m)
+
 		}
+
 	}
 
 	b := &Backend{

builtin/audit/file/backend_test.go

@@ -93,6 +93,46 @@ func TestAuditFile_fileModeExisting(t *testing.T) {
 	}
 }
 
+func TestAuditFile_fileMode0000(t *testing.T) {
+	f, err := ioutil.TempFile("", "test")
+	if err != nil {
+		t.Fatalf("Failure to create test file. The error is %v", err)
+	}
+	defer os.Remove(f.Name())
+
+	err = os.Chmod(f.Name(), 0o777)
+	if err != nil {
+		t.Fatalf("Failure to chmod temp file for testing. The error is %v", err)
+	}
+
+	err = f.Close()
+	if err != nil {
+		t.Fatalf("Failure to close temp file for test. The error is %v", err)
+	}
+
+	config := map[string]string{
+		"path": f.Name(),
+		"mode": "0000",
+	}
+
+	_, err = Factory(context.Background(), &audit.BackendConfig{
+		Config:     config,
+		SaltConfig: &salt.Config{},
+		SaltView:   &logical.InmemStorage{},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	info, err := os.Stat(f.Name())
+	if err != nil {
+		t.Fatalf("cannot retrieve file mode from `Stat`. The error is %v", err)
+	}
+	if info.Mode() != os.FileMode(0o777) {
+		t.Fatalf("File mode does not match.")
+	}
+}
+
 func BenchmarkAuditFile_request(b *testing.B) {
 	config := map[string]string{
 		"path": "/dev/null",

changelog/15759.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+core: Prevent changing file permissions of audit logs when mode 0000 is used.
+```