Change the mask used when creating temporary files from 777 to 700, to prevent

an obscure race-condition security hole where a file may for a short time
have the wrong group.  Could have used 707 instead but that's just too weird
of a permission.  The define name used to be ACCESSPERMS but that is defined
as 777 on Linux, so changed the name to INITPERMMASK.

diff --git a/receiver.c b/receiver.c
index 378364c..d941fa2 100644 (file)
--- a/receiver.c
+++ b/receiver.c
@@ -414,12 +414,12 @@ int recv_files(int f_in,struct file_list *flist,char *local_name,int f_gen)
                   the lchown. Thanks to snabb@epipe.fi for pointing
                   this out */
                fd2 = do_open(fnametmp,O_WRONLY|O_CREAT|O_EXCL,
-                             file->mode & ACCESSPERMS);
+                             file->mode & INITPERMMASK);
 
                if (fd2 == -1 && relative_paths && errno == ENOENT && 
                    create_directory_path(fnametmp) == 0) {
                        fd2 = do_open(fnametmp,O_WRONLY|O_CREAT|O_EXCL,
-                                     file->mode & ACCESSPERMS);
+                                     file->mode & INITPERMMASK);
                }
                if (fd2 == -1) {
                        rprintf(FERROR,"cannot create %s : %s\n",fnametmp,strerror(errno));

diff --git a/rsync.c b/rsync.c
index 178dc52..1d62abc 100644 (file)
--- a/rsync.c
+++ b/rsync.c
@@ -202,7 +202,7 @@ int set_perms(char *fname,struct file_struct *file,STRUCT_STAT *st,
 #ifdef HAVE_CHMOD
        if (preserve_perms && !S_ISLNK(st->st_mode) &&
            (st->st_mode != file->mode || 
-            (updated && (file->mode & ~ACCESSPERMS)))) {
+            (updated && (file->mode & ~INITPERMMASK)))) {
                updated = 1;
                if (do_chmod(fname,file->mode) != 0) {
                        rprintf(FERROR,"failed to set permissions on %s : %s\n",
@@ -260,7 +260,7 @@ void finish_transfer(char *fname, char *fnametmp, struct file_struct *file)
                if (errno == EXDEV) {
                        /* rename failed on cross-filesystem link.  
                           Copy the file instead. */
-                       if (copy_file(fnametmp,fname, file->mode & ACCESSPERMS)) {
+                       if (copy_file(fnametmp,fname, file->mode & INITPERMMASK)) {
                                rprintf(FERROR,"copy %s -> %s : %s\n",
                                        fnametmp,fname,strerror(errno));
                        } else {

diff --git a/rsync.h b/rsync.h
index 92ba256..92823bb 100644 (file)
--- a/rsync.h
+++ b/rsync.h
@@ -462,9 +462,10 @@ extern int errno;
 
 #define IS_DEVICE(mode) (S_ISCHR(mode) || S_ISBLK(mode) || S_ISSOCK(mode) || S_ISFIFO(mode))
 
-#ifndef ACCESSPERMS
-#define ACCESSPERMS 0777
-#endif
+/* Initial mask on permissions given to temporary files.  Mask off setuid
+     bits and group access because of potential race-condition security
+     holes, and mask other access because mode 707 is bizarre */
+#define INITPERMMASK 0700
 
 /* handler for null strings in printf format */
 #define NS(s) ((s)?(s):"<NULL>")