From: Randy Syring
Date: Fri, 3 Oct 2025 19:17:50 +0000 (-0400)
Subject: Standardize log file create mode to 0640
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d269f0370c8f5f715525849205ec683497cc6a0c;p=thirdparty%2Flxc.git
Standardize log file create mode to 0640
refs: https://github.com/lxc/lxc/issues/4588
Signed-off-by: Randy Syring
---
diff --git a/src/lxc/log.c b/src/lxc/log.c
index 206f0227f..7f43e6d6f 100644
--- a/src/lxc/log.c
+++ b/src/lxc/log.c
@@ -525,10 +525,10 @@ static int log_open(const char *name)
 __do_close int fd = -EBADF;
 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
- fd = lxc_unpriv(open(name, O_CREAT | O_WRONLY | O_APPEND | O_CLOEXEC, 0660));
+ fd = lxc_unpriv(open(name, O_CREAT | O_WRONLY | O_APPEND | O_CLOEXEC, 0640));
 #else
 if (!RUN_ON_OSS_FUZZ && is_in_comm("fuzz-lxc-") <= 0)
- fd = lxc_unpriv(open(name, O_CREAT | O_WRONLY | O_APPEND | O_CLOEXEC, 0660));
+ fd = lxc_unpriv(open(name, O_CREAT | O_WRONLY | O_APPEND | O_CLOEXEC, 0640));
 #endif /* !FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
 if (fd < 0)
 return log_error_errno(-errno, errno, "Failed to open log file \"%s\"", name);
diff --git a/src/lxc/terminal.c b/src/lxc/terminal.c
index d94089d6b..86fe785b6 100644
--- a/src/lxc/terminal.c
+++ b/src/lxc/terminal.c
@@ -869,7 +869,7 @@ int lxc_terminal_create_log_file(struct lxc_terminal *terminal)
 if (!terminal->log_path)
 return 0;
- terminal->log_fd = lxc_unpriv(open(terminal->log_path, O_CLOEXEC | O_RDWR | O_CREAT | O_APPEND, 0600));
+ terminal->log_fd = lxc_unpriv(open(terminal->log_path, O_CLOEXEC | O_RDWR | O_CREAT | O_APPEND, 0640));
 if (terminal->log_fd < 0) {
 SYSERROR("Failed to open terminal log file \"%s\"", terminal->log_path);
 return -1;
diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c
index d63c962d0..4d8554117 100644
--- a/src/lxc/tools/lxc_attach.c
+++ b/src/lxc/tools/lxc_attach.c
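Review bot: The 0640 passed to open() in log_open only takes effect when O_CREAT actually creates the file, and it is further masked by the process umask, so log files that already exist keep their previous 0660 bits after this change. If the intent is that every LXC log ends up no more permissive than 0640, that needs an explicit step on the opened descriptor (for example an `fchmod(fd, 0640)` that tolerates failure in the unprivileged case), or at least a comment such as `/* mode applies on creation only; existing files keep their mode */`. The same applies to the open() calls in src/lxc/terminal.c and src/lxc/tools/lxc_attach.c. log_open's body starts and ends outside the hunk.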
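Review bot: Moving the create mode from 0600 to 0640 in lxc_terminal_create_log_file makes newly created terminal logs group-readable, which loosens access here, whereas the log.c change tightens it. Console output can carry sensitive material (for instance secrets echoed at a prompt or printed during boot), and the owning group is whatever the creating process or a setgid directory supplies, so the wider mode should be justified in the commit message or in a comment like `/* group-readable by design, see issue 4588 */`; otherwise keep `0600` at this call site. The same widening is made in lxc_attach_create_log_file in src/lxc/tools/lxc_attach.c. The function body extends beyond the hunk.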
@@ -308,7 +308,7 @@ static int lxc_attach_create_log_file(const char *log_file)
 {
 int fd;
- fd = open(log_file, O_CLOEXEC | O_RDWR | O_CREAT | O_APPEND, 0600);
+ fd = open(log_file, O_CLOEXEC | O_RDWR | O_CREAT | O_APPEND, 0640);
 if (fd < 0) {
 ERROR("Failed to open log file \"%s\"", log_file);
 return -1;
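Review bot: This call site still differs from the two it is being standardized with: the open() in lxc_attach_create_log_file is not wrapped in `lxc_unpriv(...)`, and the failure path uses `ERROR` where terminal.c uses `SYSERROR`, so the errno from a failed open is presumably not reported. Since the commit aims at consistency, consider `SYSERROR("Failed to open log file \"%s\"", log_file);` here, and confirm whether the missing lxc_unpriv wrapper is intentional for the tool. The function body continues past the hunk.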