[or-cvs] r10485: Fix the fix for bug 445: set umask properly. Also use open+f (in tor/trunk: . src/common src/tools)

nickm at seul.org nickm at seul.org
Mon Jun 4 15:30:41 UTC 2007


Author: nickm
Date: 2007-06-04 11:30:40 -0400 (Mon, 04 Jun 2007)
New Revision: 10485

Modified:
   tor/trunk/
   tor/trunk/ChangeLog
   tor/trunk/src/common/crypto.c
   tor/trunk/src/common/util.c
   tor/trunk/src/tools/tor-gencert.c
Log:
 r13239 at catbus:  nickm | 2007-06-04 11:30:37 -0400
 Fix the fix for bug 445: set umask properly.  Also use open+fdopen rather than just umask+fopen, and create authority identity key with mode 400.



Property changes on: tor/trunk
___________________________________________________________________
 svk:merge ticket from /tor/trunk [r13239] on 8246c3cf-6607-4228-993b-4d95d33730f1

Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog	2007-06-04 13:55:58 UTC (rev 10484)
+++ tor/trunk/ChangeLog	2007-06-04 15:30:40 UTC (rev 10485)
@@ -3,7 +3,8 @@
     - Create listener connections before we setuid to the configured User and
       Group.  This way, you can choose port values under 1024, start Tor as
       root, and have Tor bind those ports before it changes to another UID.
-    - tor-gencert creates all files visible to the file creator only.
+    - tor-gencert creates all files as readable to the file creator only, and
+      write-protects the authority identity key.
 
   o Minor bugfixes (dns):
     - Fix a crash when DNSPort is set more than once. (Patch from Robert

Modified: tor/trunk/src/common/crypto.c
===================================================================
--- tor/trunk/src/common/crypto.c	2007-06-04 13:55:58 UTC (rev 10484)
+++ tor/trunk/src/common/crypto.c	2007-06-04 15:30:40 UTC (rev 10485)
@@ -566,7 +566,6 @@
   s = tor_malloc(len+1);
   memcpy(s, cp, len);
   s[len]='\0';
-  /* XXXX020 make this file get created with mode 600. */
   r = write_str_to_file(fname, s, 0);
   BIO_free(bio);
   tor_free(s);

Modified: tor/trunk/src/common/util.c
===================================================================
--- tor/trunk/src/common/util.c	2007-06-04 13:55:58 UTC (rev 10484)
+++ tor/trunk/src/common/util.c	2007-06-04 15:30:40 UTC (rev 10485)
@@ -1371,7 +1371,9 @@
 /** Create a file named <b>fname</b> with the contents <b>str</b>.  Overwrite
  * the previous <b>fname</b> if possible.  Return 0 on success, -1 on failure.
  *
- * This function replaces the old file atomically, if possible.
+ * This function replaces the old file atomically, if possible.  This
+ * function, and all other functions in util.c that create files, create them
+ * with mode 0600.
  */
 int
 write_str_to_file(const char *fname, const char *str, int bin)
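Review bot: The sentence added to the doc comment of write_str_to_file promises mode 0600 for every file util.c creates, but nothing in this hunk enforces that, and the wording is stronger than open() semantics allow. A mode argument applies only when the file is newly created and is then reduced by the process umask, so a file that already exists and is overwritten in place would presumably keep its previous permissions. I would qualify it as `New files are created with mode 0600 (before umask); an existing file that cannot be replaced atomically keeps its current mode.` and check that against the function body, which lies outside the hunk.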

Modified: tor/trunk/src/tools/tor-gencert.c
===================================================================
--- tor/trunk/src/tools/tor-gencert.c	2007-06-04 13:55:58 UTC (rev 10484)
+++ tor/trunk/src/tools/tor-gencert.c	2007-06-04 15:30:40 UTC (rev 10485)
@@ -9,6 +9,8 @@
 
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
 
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -149,6 +151,7 @@
   FILE *f;
 
   if (make_new_id) {
+    int fd;
     RSA *key;
     if (status != FN_NOENT) {
       log_err(LD_GENERAL, "--create-identity-key was specified, but %s "
@@ -168,12 +171,19 @@
       return 1;
     }
 
-    if (!(f = fopen(identity_key_file, "w"))) {
-      log_err(LD_GENERAL, "Couldn't open %s for writing: %s",
+    if ((fd = open(identity_key_file, O_CREAT|O_EXCL|O_WRONLY, 0400))<0) {
+      log_err(LD_GENERAL, "Couldn't fdopen %s for writing: %s",
               identity_key_file, strerror(errno));
       return 1;
     }
 
+    if (!(f = fdopen(fd, "w"))) {
+      close(fd);
+      log_err(LD_GENERAL, "Couldn't fdopen %s for writing: %s",
+              identity_key_file, strerror(errno));
+      return 1;
+    }
+
     if (!PEM_write_PKCS8PrivateKey_nid(f, identity_key,
                                        NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
                                        NULL, 0, /* no password here. */
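Review bot: The failure branch of the new open() call logs `Couldn't fdopen %s for writing`, which names the wrong call; it should read `"Couldn't open %s for writing: %s"`. In the fdopen() failure branch, close(fd) runs before strerror(errno) is evaluated, so close() can overwrite the errno the message reports; call log_err first and close(fd) after it, or save errno in a local. The generate_signing_key hunk has the same close-before-log ordering. That branch also returns without removing the empty mode-0400 file that open() just created, so a later run will be refused until it is deleted by hand; an `unlink(identity_key_file);` there would avoid that. The enclosing function starts and ends outside this hunk.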
@@ -214,6 +224,7 @@
 static int
 generate_signing_key(void)
 {
+  int fd;
   FILE *f;
   RSA *key;
   log_notice(LD_GENERAL, "Generating %d-bit RSA signing key.",
@@ -229,12 +240,19 @@
     return 1;
   }
 
-  if (!(f = fopen(signing_key_file, "w"))) {
-    log_err(LD_GENERAL, "Couldn't open %s for reading: %s",
+  if ((fd = open(signing_key_file, O_CREAT|O_EXCL|O_WRONLY, 0600))<0) {
+    log_err(LD_GENERAL, "Couldn't open %s for writing: %s",
             signing_key_file, strerror(errno));
     return 1;
   }
 
+  if (!(f = fdopen(fd, "w"))) {
+    close(fd);
+    log_err(LD_GENERAL, "Couldn't open %s for writing: %s",
+            signing_key_file, strerror(errno));
+    return 1;
+  }
+
   /* Write signing key with no encryption. */
   if (!PEM_write_RSAPrivateKey(f, key, NULL, NULL, 0, NULL, NULL)) {
     crypto_log_errors(LOG_WARN, "writing signing key");
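Review bot: Adding O_EXCL to the open() of signing_key_file changes more than the permissions. The removed `fopen(signing_key_file, "w")` truncated an existing file, while the new call fails with EEXIST. If generating a fresh signing key over an existing file is an expected workflow (the callers are not visible here), it now stops with a generic "Couldn't open" error. I would state the intent next to the call, e.g. `/* O_EXCL: never overwrite an existing signing key; the operator must move the old file aside first. */`, and ideally report EEXIST with a message that says so. The rest of generate_signing_key is outside the hunk.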
@@ -358,7 +376,7 @@
     goto done;
   }
   /* Make sure that files are made private. */
-  umask(0700);
+  umask(0077);
 
   if (parse_commandline(argc, argv))
     goto done;


