Do not create world-readable directories (#2161)

author Joshua Rogers <MegaManSec@users.noreply.github.com>

Sat, 15 Nov 2025 16:16:33 +0000 (16:16 +0000)

committer Francesco Chemolli <5175948+kinkie@users.noreply.github.com>

Tue, 18 Nov 2025 14:52:44 +0000 (14:52 +0000)
author Joshua Rogers <MegaManSec@users.noreply.github.com>
Sat, 15 Nov 2025 16:16:33 +0000 (16:16 +0000)
committer Francesco Chemolli <5175948+kinkie@users.noreply.github.com>
Tue, 18 Nov 2025 14:52:44 +0000 (14:52 +0000)
diff --git a/src/fs/ufs/UFSSwapDir.cc b/src/fs/ufs/UFSSwapDir.cc

index 243c187b5ef1217b4075386e822f0a970ed22570..403f71a4a667662681a665e4364fffef24918288 100644 (file)
--- a/src/fs/ufs/UFSSwapDir.cc
+++ b/src/fs/ufs/UFSSwapDir.cc
@@ -614,7 +614,7 @@ Fs::Ufs::UFSSwapDir::createDirectory(const char *aPath, int should_exist)
          } else {
              fatalf("Swap directory %s is not a directory.", aPath);
          }
-    } else if (0 == mkdir(aPath, 0755)) {
+    } else if (0 == mkdir(aPath, 0750)) {
          debugs(47, (should_exist ? DBG_IMPORTANT : 3), aPath << " created");
          created = 1;
      } else {
@@ -1338,7 +1338,7 @@ Fs::Ufs::UFSSwapDir::DirClean(int swap_index)
          int xerrno = errno;
          if (xerrno == ENOENT) {
              debugs(36, DBG_CRITICAL, MYNAME << "WARNING: Creating " << p1);
-            if (mkdir(p1.c_str(), 0777) == 0)
+            if (mkdir(p1.c_str(), 0750) == 0)
                  return 0;
          }
  
diff --git a/src/security/cert_generators/file/certificate_db.cc b/src/security/cert_generators/file/certificate_db.cc

index 3493ef5c0d9fdf282e22d23e4e63c96e2971f6fd..62b8decbad5a2e5137d6750b84fd6a05e6a3e812 100644 (file)
--- a/src/security/cert_generators/file/certificate_db.cc
+++ b/src/security/cert_generators/file/certificate_db.cc
@@ -370,10 +370,10 @@ Ssl::CertificateDb::Create(std::string const & db_path) {
      std::string cert_full(db_path + "/" + cert_dir);
      std::string size_full(db_path + "/" + size_file);
  
-    if (mkdir(db_path.c_str(), 0777))
+    if (mkdir(db_path.c_str(), 0750))
          throw TextException(ToSBuf("Cannot create ", db_path), Here());
  
-    if (mkdir(cert_full.c_str(), 0777))
+    if (mkdir(cert_full.c_str(), 0750))
          throw TextException(ToSBuf("Cannot create ", cert_full), Here());
  
      std::ofstream size(size_full.c_str());
author	Joshua Rogers <MegaManSec@users.noreply.github.com>
	Sat, 15 Nov 2025 16:16:33 +0000 (16:16 +0000)
committer	Francesco Chemolli <5175948+kinkie@users.noreply.github.com>
	Tue, 18 Nov 2025 14:52:44 +0000 (14:52 +0000)
src/fs/ufs/UFSSwapDir.cc		patch \| blob \| blame \| history
src/security/cert_generators/file/certificate_db.cc		patch \| blob \| blame \| history