From d8bad9926ca6ca6def5c09fbcecebcd6c87b68a7 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 7 Nov 2025 13:42:36 +0100
Subject: [PATCH] docs: mention umask need when curl creates files for cookies, alt-svc and HSTS, command line and library

Closes #19396
---
 .github/scripts/pyspelling.words | 1 +
 docs/cmdline-opts/alt-svc.md | 3 +++
 docs/cmdline-opts/cookie-jar.md | 3 +++
 docs/cmdline-opts/hsts.md | 3 +++
 docs/libcurl/opts/CURLOPT_ALTSVC.md | 4 ++++
 docs/libcurl/opts/CURLOPT_COOKIEJAR.md | 4 ++++
 docs/libcurl/opts/CURLOPT_HSTS.md | 4 ++++
 7 files changed, 22 insertions(+)

diff --git a/.github/scripts/pyspelling.words b/.github/scripts/pyspelling.words
index a5c2809130..f64025b2ad 100644
--- a/.github/scripts/pyspelling.words
+++ b/.github/scripts/pyspelling.words
@@ -889,6 +889,7 @@ UI
 UID
 UIDL
 Ultrix
+umask
 Unary
 unassign
 UNC
diff --git a/docs/cmdline-opts/alt-svc.md b/docs/cmdline-opts/alt-svc.md
index 257f4d5b9c..a3b17d04f1 100644
--- a/docs/cmdline-opts/alt-svc.md
+++ b/docs/cmdline-opts/alt-svc.md
@@ -24,5 +24,8 @@ filename again if it has been modified.
 Specify a "" filename (zero length) to avoid loading/saving and make curl just handle the cache in memory.
 
+You may want to restrict your umask to prevent other users on the same system
+to access the created file.
+
 If this option is used several times, curl loads contents from all the files but the last one is used for saving.
diff --git a/docs/cmdline-opts/cookie-jar.md b/docs/cmdline-opts/cookie-jar.md
index 103144acc3..de09fd5274 100644
--- a/docs/cmdline-opts/cookie-jar.md
+++ b/docs/cmdline-opts/cookie-jar.md
@@ -37,3 +37,6 @@ If the cookie jar cannot be created or written to, the whole curl operation
 does not fail or even report an error clearly. Using --verbose gets a warning displayed, but that is the only visible feedback you get about this possibly lethal situation.
+
+You may want to restrict your umask to prevent other users on the same system
+to access the created file.
diff --git a/docs/cmdline-opts/hsts.md b/docs/cmdline-opts/hsts.md
index ca6b07e66d..f58566e95d 100644
--- a/docs/cmdline-opts/hsts.md
+++ b/docs/cmdline-opts/hsts.md
@@ -28,5 +28,8 @@ performed.
 Specify a "" filename (zero length) to avoid loading/saving and make curl just handle HSTS in memory.
 
+You may want to restrict your umask to prevent other users on the same system
+to access the created file.
+
 If this option is used several times, curl loads contents from all the files but the last one is used for saving.
diff --git a/docs/libcurl/opts/CURLOPT_ALTSVC.md b/docs/libcurl/opts/CURLOPT_ALTSVC.md
index b74565790c..0b2a9cad72 100644
--- a/docs/libcurl/opts/CURLOPT_ALTSVC.md
+++ b/docs/libcurl/opts/CURLOPT_ALTSVC.md
@@ -47,6 +47,10 @@ libcurl cannot fully protect against attacks where an attacker has write access
 to the same directory where it is directed to save files. This is particularly sensitive if you save files using elevated privileges.
 
+libcurl creates the file to store the alt-svc cache in using default file
+permissions, meaning that on *nix systems you may need to restrict your umask
+to prevent other users on the same system to access the file.
+
 # DEFAULT
 
 NULL. The alt-svc cache is not read nor written to file.
diff --git a/docs/libcurl/opts/CURLOPT_COOKIEJAR.md b/docs/libcurl/opts/CURLOPT_COOKIEJAR.md
index 646972792e..01cf9c01c6 100644
--- a/docs/libcurl/opts/CURLOPT_COOKIEJAR.md
+++ b/docs/libcurl/opts/CURLOPT_COOKIEJAR.md
@@ -58,6 +58,10 @@ libcurl cannot fully protect against attacks where an attacker has write access
 to the same directory where it is directed to save files. This is particularly sensitive if you save files using elevated privileges.
 
+libcurl creates the file to store cookies using default file permissions,
+meaning that on *nix systems you may need to restrict your umask to prevent
+other users on the same system to access the file.
+
 # DEFAULT
 
 NULL
diff --git a/docs/libcurl/opts/CURLOPT_HSTS.md b/docs/libcurl/opts/CURLOPT_HSTS.md
index 79665d0a5c..667d159726 100644
--- a/docs/libcurl/opts/CURLOPT_HSTS.md
+++ b/docs/libcurl/opts/CURLOPT_HSTS.md
@@ -67,6 +67,10 @@ libcurl cannot fully protect against attacks where an attacker has write access
 to the same directory where it is directed to save files. This is particularly sensitive if you save files using elevated privileges.
 
+libcurl creates the file to store HSTS data in using default file permissions,
+meaning that on *nix systems you may need to restrict your umask to prevent
+other users on the same system to access the file.
+
 # %PROTOCOLS%
 
 # EXAMPLE
-- 
2.47.3