Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

To: Ola Lundqvist <ola@inguza.com>, 832908@bugs.debian.org
Cc: Debian LTS <debian-lts@lists.debian.org>, kpcyrd@rxv.cc, László Böszörményi <gcs@debian.org>, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
From: Chris Lamb <lamby@debian.org>
Date: Tue, 02 Aug 2016 19:14:48 +0200
Message-id: <[🔎] 1470158088.2374063.683937161.2562FD51@webmail.messagingengine.com>
In-reply-to: <[🔎] CABY6=0kF3ZP11r_ipMUteXHzVAOXWJcF40Pi_LUdAAkm2nuJ8g@mail.gmail.com>
References: <CABY6=0=eDKzBhT8tZ7_U9XWwE_P9AE8YJwk-F_HMCwGWwte+rw@mail.gmail.com> <[🔎] 1470023627.982933.682182961.5886488C@webmail.messagingengine.com> <[🔎] CABY6=0mA_8y6hpbobNKh4SWj9qz-2S8+MZWz5x-8wNunwO-8FA@mail.gmail.com> <[🔎] CABY6=0kLZWLpPB1+2oXu9COe8KezDWNGb7rGeZnR8akyGf4BjA@mail.gmail.com> <[🔎] CABY6=0kF3ZP11r_ipMUteXHzVAOXWJcF40Pi_LUdAAkm2nuJ8g@mail.gmail.com>

> Here is the working patch (attached).

Out of interest, why:

+    mode_t prev_mask = umask(0022);
+    // Make sure this file is not readable by others
+    umask(prev_mask | S_IROTH | S_IWOTH | S_IXOTH);
     FILE *fp = fopen(filename,"w");

.. over, say:

+    // Make sure this file is not readable by others
+    mode_t prev_mask = umask(S_IXUSR|S_IRWXG|S_IRWXO);
     FILE *fp = fopen(filename,"w");
+    umask(prev_mask);

We don't really want to change the umask for the entire process.
Or at least, we don't know the ramifications of that so better to
keep it isolated to just this bit?


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Reply to:

Follow-Ups:
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Ola Lundqvist <ola@inguza.com>

References:
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Chris Lamb <lamby@debian.org>
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Next by Date: Re: Redis not uploaded and timely security announcements
Previous by thread: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Next by thread: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Index(es):
- Date
- Thread