From: Stefan Eissing <icing@apache.org>
Date: Tue, 26 Mar 2019 10:57:51 +0000 (+0000)
Subject:   *) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
X-Git-Tag: 2.5.0-alpha2-ci-test-only~2089
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2179d63f3dcefe991eca270ce717e3b0d7080870;p=thirdparty%2Fapache%2Fhttpd.git

  *) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
     spite of umask. Fixes <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1856297 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/CHANGES b/CHANGES
index 7553b451712..314fa2bfd64 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.1
 
+  *) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
+     spite of umask. Fixes <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]
+     
   *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
      [Michael Kaufmann <mail michael-kaufmann.ch>]
 
diff --git a/modules/md/md_util.c b/modules/md/md_util.c
index 12b7dd6da17..83c6a4b5231 100644
--- a/modules/md/md_util.c
+++ b/modules/md/md_util.c
@@ -194,8 +194,20 @@ apr_status_t md_util_fopen(FILE **pf, const char *fn, const char *mode)
 apr_status_t md_util_fcreatex(apr_file_t **pf, const char *fn, 
                               apr_fileperms_t perms, apr_pool_t *p)
 {
-    return apr_file_open(pf, fn, (APR_FOPEN_WRITE|APR_FOPEN_CREATE|APR_FOPEN_EXCL),
-                         perms, p);
+    apr_status_t rv;
+    rv = apr_file_open(pf, fn, (APR_FOPEN_WRITE|APR_FOPEN_CREATE|APR_FOPEN_EXCL),
+                       perms, p);
+    if (APR_SUCCESS == rv) {
+        /* See <https://github.com/icing/mod_md/issues/117>
+         * Some people set umask 007 to deny all world read/writability to files
+         * created by apache. While this is a noble effort, we need the store files
+         * to have the permissions as specified. */
+        rv = apr_file_perms_set(fn, perms);
+        if (APR_STATUS_IS_ENOTIMPL(rv)) {
+            rv = APR_SUCCESS;
+        }
+    }
+    return rv;
 }
 
 apr_status_t md_util_is_dir(const char *path, apr_pool_t *pool)
@@ -312,13 +324,6 @@ apr_status_t md_text_fcreatex(const char *fpath, apr_fileperms_t perms,
     if (APR_SUCCESS == rv) {
         rv = write_text((void*)text, f, p);
         apr_file_close(f);
-        /* See <https://github.com/icing/mod_md/issues/117>: when a umask
-         * is set, files need to be assigned permissions explicitly.
-         * Otherwise, as in the issues reported, it will break our access model. */
-        rv = apr_file_perms_set(fpath, perms);
-        if (APR_STATUS_IS_ENOTIMPL(rv)) {
-            rv = APR_SUCCESS;
-        }
     }
     return rv;
 }
diff --git a/modules/md/md_version.h b/modules/md/md_version.h
index 58a4afc1b5d..45c1d2e0e24 100644
--- a/modules/md/md_version.h
+++ b/modules/md/md_version.h
@@ -27,7 +27,7 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_MD_VERSION "1.1.18-DEV"
+#define MOD_MD_VERSION "1.1.19-DEV"
 
 /**
  * @macro
@@ -35,7 +35,7 @@
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_MD_VERSION_NUM 0x010112
+#define MOD_MD_VERSION_NUM 0x010113
 
 #define MD_ACME_DEF_URL    "https://acme-v01.api.letsencrypt.org/directory"