Fix permissions for temporary files

fixes #11212 fixes #11211
Icinga · Feb 24, 2016 · 47c5425 · 47c5425
1 parent 4c59ffa
commit 47c5425
Show file tree

Hide file tree

Showing 14 changed files with 38 additions and 29 deletions.
diff --git a/lib/base/configobject.cpp b/lib/base/configobject.cpp
@@ -483,7 +483,7 @@ void ConfigObject::DumpObjects(const String& filename, int attributeTypes)
 	    << "Dumping program state to file '" << filename << "'";
 
 	std::fstream fp;
-	String tempFilename = Utility::CreateTempFile(filename + ".XXXXXX", fp);
+	String tempFilename = Utility::CreateTempFile(filename + ".XXXXXX", 0600, fp);
 
 	if (!fp)
 		BOOST_THROW_EXCEPTION(std::runtime_error("Could not open '" + tempFilename + "' file"));

diff --git a/lib/base/scriptglobal.cpp b/lib/base/scriptglobal.cpp
@@ -66,7 +66,7 @@ void ScriptGlobal::WriteToFile(const String& filename)
 		<< "Dumping variables to file '" << filename << "'";
 
 	std::fstream fp;
-	String tempFilename = Utility::CreateTempFile(filename + ".XXXXXX", fp);
+	String tempFilename = Utility::CreateTempFile(filename + ".XXXXXX", 0600, fp);
 
 	if (!fp)
 		BOOST_THROW_EXCEPTION(std::runtime_error("Could not open '" + tempFilename + "' file"));

diff --git a/lib/base/utility.cpp b/lib/base/utility.cpp
@@ -700,10 +700,10 @@ bool Utility::GlobRecursive(const String& path, const String& pattern, const boo
 }
 
 
-void Utility::MkDir(const String& path, int flags)
+void Utility::MkDir(const String& path, int mode)
 {
 #ifndef _WIN32
-	if (mkdir(path.CStr(), flags) < 0 && errno != EEXIST) {
+	if (mkdir(path.CStr(), mode) < 0 && errno != EEXIST) {
 #else /*_ WIN32 */
 	if (mkdir(path.CStr()) < 0 && errno != EEXIST) {
 #endif /* _WIN32 */
@@ -1327,10 +1327,10 @@ Value Utility::LoadJsonFile(const String& path)
 	return JsonDecode(json);
 }
 
-void Utility::SaveJsonFile(const String& path, const Value& value)
+void Utility::SaveJsonFile(const String& path, int mode, const Value& value)
 {
 	std::fstream fp;
-	String tempFilename = Utility::CreateTempFile(path + ".XXXXXX", fp);
+	String tempFilename = Utility::CreateTempFile(path + ".XXXXXX", mode, fp);
 
 	fp.exceptions(std::ofstream::failbit | std::ofstream::badbit);
 	fp << JsonEncode(value);
@@ -1706,7 +1706,7 @@ String Utility::ValidateUTF8(const String& input)
 	return output;
 }
 
-String Utility::CreateTempFile(const String& path, std::fstream& fp)
+String Utility::CreateTempFile(const String& path, int mode, std::fstream& fp)
 {
 	std::vector<char> targetPath(path.Begin(), path.End());
 	targetPath.push_back('\0');
@@ -1734,7 +1734,16 @@ String Utility::CreateTempFile(const String& path, std::fstream& fp)
 
 	close(fd);
 
-	return String(targetPath.begin(), targetPath.end() - 1);
+	String resultPath = String(targetPath.begin(), targetPath.end() - 1);
+
+	if (chmod(resultPath.CStr(), mode) < 0) {
+		BOOST_THROW_EXCEPTION(posix_error()
+		    << boost::errinfo_api_function("chmod")
+		    << boost::errinfo_errno(errno)
+		    << boost::errinfo_file_name(resultPath));
+	}
+
+	return resultPath;
 }
 
 #ifdef _WIN32

diff --git a/lib/base/utility.hpp b/lib/base/utility.hpp
@@ -131,7 +131,7 @@ class I2_BASE_API Utility
 	static void CopyFile(const String& source, const String& target);
 
 	static Value LoadJsonFile(const String& path);
-	static void SaveJsonFile(const String& path, const Value& value);
+	static void SaveJsonFile(const String& path, int mode, const Value& value);
 
 	static String GetPlatformKernel(void);
 	static String GetPlatformKernelVersion(void);
@@ -141,7 +141,7 @@ class I2_BASE_API Utility
 
 	static String ValidateUTF8(const String& input);
 
-	static String CreateTempFile(const String& path, std::fstream& fp);
+	static String CreateTempFile(const String& path, int mode, std::fstream& fp);
 
 private:
 	Utility(void);

diff --git a/lib/cli/apisetuputility.cpp b/lib/cli/apisetuputility.cpp
@@ -171,7 +171,7 @@ bool ApiSetupUtility::SetupMasterApiUser(void)
 	NodeUtility::CreateBackupFile(apiUsersPath);
 
 	std::fstream fp;
-	String tempFilename = Utility::CreateTempFile(apiUsersPath + ".XXXXXX", fp);
+	String tempFilename = Utility::CreateTempFile(apiUsersPath + ".XXXXXX", 0640, fp);
 
 	fp << "/**\n"
 	    << " * The APIUser objects are used for authentication against the API.\n"

diff --git a/lib/cli/nodesetupcommand.cpp b/lib/cli/nodesetupcommand.cpp
@@ -170,7 +170,7 @@ int NodeSetupCommand::SetupMaster(const boost::program_options::variables_map& v
 	NodeUtility::CreateBackupFile(apipath);
 
 	std::fstream fp;
-	String tempApiPath = Utility::CreateTempFile(apipath + ".XXXXXX", fp);
+	String tempApiPath = Utility::CreateTempFile(apipath + ".XXXXXX", 0640, fp);
 
 	fp << "/**\n"
 	    << " * The API listener is used for distributed monitoring setups.\n"
@@ -374,7 +374,7 @@ int NodeSetupCommand::SetupNode(const boost::program_options::variables_map& vm,
 	NodeUtility::CreateBackupFile(apipath);
 
 	std::fstream fp;
-	String tempApiPath = Utility::CreateTempFile(apipath + ".XXXXXX", fp);
+	String tempApiPath = Utility::CreateTempFile(apipath + ".XXXXXX", 0640, fp);
 
 	fp << "/**\n"
 	    << " * The API listener is used for distributed monitoring setups.\n"

diff --git a/lib/cli/nodeupdateconfigcommand.cpp b/lib/cli/nodeupdateconfigcommand.cpp
@@ -415,7 +415,7 @@ int NodeUpdateConfigCommand::Run(const boost::program_options::variables_map& vm
 
 	/* store the new inventory for next run */
 	NodeUtility::CreateRepositoryPath();
-	Utility::SaveJsonFile(inventory_path, inventory);
+	Utility::SaveJsonFile(inventory_path, 0600, inventory);
 
 	std::cout << "Make sure to reload Icinga 2 for these changes to take effect." << std::endl;
 

diff --git a/lib/cli/nodeutility.cpp b/lib/cli/nodeutility.cpp
@@ -166,7 +166,7 @@ void NodeUtility::AddNode(const String& name)
 	node->Set("repository", Empty);
 
 	CreateRepositoryPath();
-	Utility::SaveJsonFile(path, node);
+	Utility::SaveJsonFile(path, 0600, node);
 }
 
 void NodeUtility::AddNodeSettings(const String& name, const String& host,
@@ -179,7 +179,7 @@ void NodeUtility::AddNodeSettings(const String& name, const String& host,
 	settings->Set("log_duration", log_duration);
 
 	CreateRepositoryPath();
-	Utility::SaveJsonFile(GetNodeSettingsFile(name), settings);
+	Utility::SaveJsonFile(GetNodeSettingsFile(name), 0600, settings);
 }
 
 void NodeUtility::RemoveNode(const String& name)
@@ -386,7 +386,7 @@ bool NodeUtility::WriteNodeConfigObjects(const String& filename, const Array::Pt
 	}
 
 	std::fstream fp;
-	String tempFilename = Utility::CreateTempFile(filename + ".XXXXXX", fp);
+	String tempFilename = Utility::CreateTempFile(filename + ".XXXXXX", 0640, fp);
 
 	fp << "/*\n";
 	fp << " * Generated by Icinga 2 node setup commands\n";
@@ -470,7 +470,7 @@ int NodeUtility::UpdateBlackAndWhiteList(const String& type, const String& zone_
 
 	String list_path = GetBlackAndWhiteListPath(type);
 	CreateRepositoryPath();
-	Utility::SaveJsonFile(list_path, lists);
+	Utility::SaveJsonFile(list_path, 0600, lists);
 
 	return 0;
 }
@@ -515,7 +515,7 @@ int NodeUtility::RemoveBlackAndWhiteList(const String& type, const String& zone_
 
 	String list_path = GetBlackAndWhiteListPath(type);
 	CreateRepositoryPath();
-	Utility::SaveJsonFile(list_path, lists);
+	Utility::SaveJsonFile(list_path, 0600, lists);
 
 	return 0;
 }
@@ -640,7 +640,7 @@ void NodeUtility::UpdateConstant(const String& name, const String& value)
 
 	std::ifstream ifp(constantsFile.CStr());
 	std::fstream ofp;
-	String tempFile = Utility::CreateTempFile(constantsFile + ".XXXXXX", ofp);
+	String tempFile = Utility::CreateTempFile(constantsFile + ".XXXXXX", 0640, ofp);
 
 	bool found = false;
 

diff --git a/lib/cli/nodewizardcommand.cpp b/lib/cli/nodewizardcommand.cpp
@@ -413,7 +413,7 @@ int NodeWizardCommand::Run(const boost::program_options::variables_map& vm,
 		NodeUtility::CreateBackupFile(apipath);
 
 		std::fstream fp;
-		String tempApiPath = Utility::CreateTempFile(apipath + ".XXXXXX", fp);
+		String tempApiPath = Utility::CreateTempFile(apipath + ".XXXXXX", 0640, fp);
 
 		fp << "/**\n"
 		    << " * The API listener is used for distributed monitoring setups.\n"
@@ -538,7 +538,7 @@ int NodeWizardCommand::Run(const boost::program_options::variables_map& vm,
 
 
 		std::fstream fp;
-		String tempApiPath = Utility::CreateTempFile(apipath + ".XXXXXX", fp);
+		String tempApiPath = Utility::CreateTempFile(apipath + ".XXXXXX", 0640, fp);
 
 		fp << "/**\n"
 		    << " * The API listener is used for distributed monitoring setups.\n"

diff --git a/lib/cli/repositoryutility.cpp b/lib/cli/repositoryutility.cpp
@@ -357,7 +357,7 @@ bool RepositoryUtility::WriteObjectToRepositoryChangeLog(const String& path, con
 	CreateRepositoryPath(Utility::DirName(path));
 
 	std::fstream fp;
-	String tempFilename = Utility::CreateTempFile(path + ".XXXXXX", fp);
+	String tempFilename = Utility::CreateTempFile(path + ".XXXXXX", 0600, fp);
 
 	fp << JsonEncode(item);
 	fp.close();
@@ -497,7 +497,7 @@ bool RepositoryUtility::WriteObjectToRepository(const String& path, const String
 	CreateRepositoryPath(Utility::DirName(path));
 
 	std::fstream fp;
-	String tempFilename = Utility::CreateTempFile(path + ".XXXXXX", fp);
+	String tempFilename = Utility::CreateTempFile(path + ".XXXXXX", 0640, fp);
 
 	SerializeObject(fp, name, type, item);
 	fp << std::endl;

diff --git a/lib/compat/statusdatawriter.cpp b/lib/compat/statusdatawriter.cpp
@@ -539,7 +539,7 @@ void StatusDataWriter::UpdateObjectsCache(void)
 	String objectsPath = GetObjectsPath();
 
 	std::fstream objectfp;
-	String tempObjectsPath = Utility::CreateTempFile(objectsPath + ".XXXXXX", objectfp);
+	String tempObjectsPath = Utility::CreateTempFile(objectsPath + ".XXXXXX", 0640, objectfp);
 
 	objectfp << std::fixed;
 
@@ -785,7 +785,7 @@ void StatusDataWriter::StatusTimerHandler(void)
 	String statusPath = GetStatusPath();
 
 	std::fstream statusfp;
-	String tempStatusPath = Utility::CreateTempFile(statusPath + ".XXXXXX", statusfp);
+	String tempStatusPath = Utility::CreateTempFile(statusPath + ".XXXXXX", 0640, statusfp);
 
 	statusfp << std::fixed;
 

diff --git a/lib/config/configcompilercontext.cpp b/lib/config/configcompilercontext.cpp
@@ -37,7 +37,7 @@ void ConfigCompilerContext::OpenObjectsFile(const String& filename)
 	m_ObjectsPath = filename;
 
 	std::fstream *fp = new std::fstream();
-	m_ObjectsTempFile = Utility::CreateTempFile(filename + ".XXXXXX", *fp);
+	m_ObjectsTempFile = Utility::CreateTempFile(filename + ".XXXXXX", 0600, *fp);
 
 	if (!*fp)
 		BOOST_THROW_EXCEPTION(std::runtime_error("Could not open '" + m_ObjectsTempFile + "' file"));

diff --git a/lib/icinga/clusterevents.cpp b/lib/icinga/clusterevents.cpp
@@ -724,7 +724,7 @@ Value ClusterEvents::UpdateRepositoryAPIHandler(const MessageOrigin::Ptr& origin
 	String repositoryFile = GetRepositoryDir() + SHA256(params->Get("endpoint")) + ".repo";
 
 	std::fstream fp;
-	String tempRepositoryFile = Utility::CreateTempFile(repositoryFile + ".XXXXXX", fp);
+	String tempRepositoryFile = Utility::CreateTempFile(repositoryFile + ".XXXXXX", 0640, fp);
 
 	fp << JsonEncode(params);
 	fp.close();

diff --git a/lib/icinga/icingaapplication.cpp b/lib/icinga/icingaapplication.cpp
@@ -175,7 +175,7 @@ void IcingaApplication::DumpModifiedAttributes(void)
 	String path = GetModAttrPath();
 
 	std::fstream fp;
-	String tempFilename = Utility::CreateTempFile(path + ".XXXXXX", fp);
+	String tempFilename = Utility::CreateTempFile(path + ".XXXXXX", 0640, fp);
 
 	ConfigObject::Ptr previousObject;
 	ConfigObject::DumpModifiedAttributes(boost::bind(&PersistModAttrHelper, boost::ref(fp), boost::ref(previousObject), _1, _2, _3));