Bug#2953: mirror creates mode 0666 .in.* files
The .in.*. temporary files created by mirror (which are later renamed
to the proper names once the entire file is downloaded) are created
with mode 0666 thus allowing any user to write to them. Permissions
are set properly after the file has been completely downloaded, but
it may be too late...
A workaround is to specify the umask parameter to mirror (using -k
or mirror.defaults) - 07022 instead of the default 07000. But users
might be unaware of this problem - I think the default umask value
should be changed to something less insecure like (at least) 07022.
A better fix would probably be to do what cp does: create the file
using 0600 as the third open() argument (if it was written in C...),
and set original permissions only after the file is complete.