From: Joshua Rogers <MegaManSec@users.noreply.github.com>
Date: Sat, 15 Nov 2025 16:16:33 +0000 (+0000)
Subject: Do not create world-readable directories (#2161)
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2b890ca1660b747828645ebb315630dba453460;p=thirdparty%2Fsquid.git

Do not create world-readable directories (#2161)
---

diff --git a/src/fs/ufs/UFSSwapDir.cc b/src/fs/ufs/UFSSwapDir.cc
index 243c187b5e..403f71a4a6 100644
--- a/src/fs/ufs/UFSSwapDir.cc
+++ b/src/fs/ufs/UFSSwapDir.cc
@@ -614,7 +614,7 @@ Fs::Ufs::UFSSwapDir::createDirectory(const char *aPath, int should_exist)
         } else {
             fatalf("Swap directory %s is not a directory.", aPath);
         }
-    } else if (0 == mkdir(aPath, 0755)) {
+    } else if (0 == mkdir(aPath, 0750)) {
         debugs(47, (should_exist ? DBG_IMPORTANT : 3), aPath << " created");
         created = 1;
     } else {
@@ -1338,7 +1338,7 @@ Fs::Ufs::UFSSwapDir::DirClean(int swap_index)
         int xerrno = errno;
         if (xerrno == ENOENT) {
             debugs(36, DBG_CRITICAL, MYNAME << "WARNING: Creating " << p1);
-            if (mkdir(p1.c_str(), 0777) == 0)
+            if (mkdir(p1.c_str(), 0750) == 0)
                 return 0;
         }
 
diff --git a/src/security/cert_generators/file/certificate_db.cc b/src/security/cert_generators/file/certificate_db.cc
index 3493ef5c0d..62b8decbad 100644
--- a/src/security/cert_generators/file/certificate_db.cc
+++ b/src/security/cert_generators/file/certificate_db.cc
@@ -370,10 +370,10 @@ Ssl::CertificateDb::Create(std::string const & db_path) {
     std::string cert_full(db_path + "/" + cert_dir);
     std::string size_full(db_path + "/" + size_file);
 
-    if (mkdir(db_path.c_str(), 0777))
+    if (mkdir(db_path.c_str(), 0750))
         throw TextException(ToSBuf("Cannot create ", db_path), Here());
 
-    if (mkdir(cert_full.c_str(), 0777))
+    if (mkdir(cert_full.c_str(), 0750))
         throw TextException(ToSBuf("Cannot create ", cert_full), Here());
 
     std::ofstream size(size_full.c_str());