Bug#2953: mirror creates mode 0666 .in.* files

To: debian-bugs@pixar.com
Subject: Bug#2953: mirror creates mode 0666 .in.* files
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
Date: Fri, 10 May 1996 22:24:59 +0200 (MET DST)
Message-id: <[🔎] 199605102025.WAA12459@i17linuxb.ists.pwr.wroc.pl>
Reply-to: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>, debian-bugs@pixar.com

Package: mirror
Version: 2.8-3

The .in.*. temporary files created by mirror (which are later renamed
to the proper names once the entire file is downloaded) are created
with mode 0666 thus allowing any user to write to them.  Permissions
are set properly after the file has been completely downloaded, but
it may be too late...

A workaround is to specify the umask parameter to mirror (using -k
or mirror.defaults) - 07022 instead of the default 07000.  But users
might be unaware of this problem - I think the default umask value
should be changed to something less insecure like (at least) 07022.

A better fix would probably be to do what cp does: create the file
using 0600 as the third open() argument (if it was written in C...),
and set original permissions only after the file is complete.

Marek

Reply to:

Follow-Ups:
- Bug#2953: mirror creates mode 0666 .in.* files
  - From: Dirk.Eddelbuettel@qed.econ.queensu.ca

Prev by Date: Re: Another shadow question
Next by Date: Re: Incoming directory status
Previous by thread: Re: messages in the postinst
Next by thread: Bug#2953: mirror creates mode 0666 .in.* files
Index(es):
- Date
- Thread