diff --git a/common/iobuf.c b/common/iobuf.c
index d6862105f..3c68ce59c 100644
--- a/common/iobuf.c
+++ b/common/iobuf.c
@@ -248,7 +248,7 @@ fd_cache_synchronize (const char *fname)
 static gnupg_fd_t
-direct_open (const char *fname, const char *mode)
+direct_open (const char *fname, const char *mode, int mode700)
 {
 #ifdef HAVE_W32_SYSTEM
 unsigned long da, cd, sm;
@@ -303,7 +303,10 @@ direct_open (const char *fname, const char *mode)
 #else /*!HAVE_W32_SYSTEM*/
 int oflag;
- int cflag = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH;
+ int cflag = S_IRUSR | S_IWUSR;
+
+ if (!mode700)
+ cflag |= S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH;
 /* Note, that we do not handle all mode combinations */
 if (strchr (mode, '+'))
@@ -420,7 +423,7 @@ fd_cache_open (const char *fname, const char *mode)
 }
 if (DBG_IOBUF)
 log_debug ("fd_cache_open (%s) not cached\n", fname);
- return direct_open (fname, mode);
+ return direct_open (fname, mode, 0);
 }
@@ -1425,10 +1428,11 @@ iobuf_sockopen (int fd, const char *mode)
 }
 /****************
- * create an iobuf for writing to a file; the file will be created.
+ * Create an iobuf for writing to a file; the file will be created.
+ * With MODE700 set the file is created with that mode (Unix only).
 */
 iobuf_t
-iobuf_create (const char *fname)
+iobuf_create (const char *fname, int mode700)
 {
 iobuf_t a;
 gnupg_fd_t fp;
@@ -1445,7 +1449,7 @@ iobuf_create (const char *fname)
 }
 else if ((fd = check_special_filename (fname)) != -1)
 return iobuf_fdopen (translate_file_handle (fd, 1), "wb");
- else if ((fp = direct_open (fname, "wb")) == GNUPG_INVALID_FD)
+ else if ((fp = direct_open (fname, "wb", mode700)) == GNUPG_INVALID_FD)
 return NULL;
 a = iobuf_alloc (2, IOBUF_BUFFER_SIZE);
 fcx = xmalloc (sizeof *fcx + strlen (fname));
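Review bot: In the `@@ -303` hunk of direct_open the tightened `cflag` is only a creation mode, so it protects nothing when the output file already exists. The open call is outside the hunk, but assuming `cflag` is handed to `open()` together with `O_CREAT`, a secret-key export or revocation certificate written over an existing 0644 file keeps that wider mode. When `mode700` is set, consider restricting the descriptor after a successful open (an `fchmod` to `S_IRUSR | S_IWUSR`) or refusing to reuse a file that others can read, and say in a comment that the flag has no effect in the `HAVE_W32_SYSTEM` branch.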
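Review bot: The new comment in the `@@ -1425` hunk says the file is created with mode 700, but the direct_open hunk above sets `S_IRUSR | S_IWUSR`, which is 0600 (no execute bit). The parameter name `mode700` and the matching sentence in the open_outfile comment in g10/openfile.c carry the same mismatch, and the open_outfile prototype in g10/main.h calls the same switch `restrictedperm`. I would word it as ` * With MODE700 set the file is created readable and writable by the owner only (0600; Unix only).` and consider one name for the flag across both files. iobuf_create's body continues outside the hunk.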
@@ -1476,7 +1480,7 @@ iobuf_openrw (const char *fname)
 if (!fname)
 return NULL;
- else if ((fp = direct_open (fname, "r+b")) == GNUPG_INVALID_FD)
+ else if ((fp = direct_open (fname, "r+b", 0)) == GNUPG_INVALID_FD)
 return NULL;
 a = iobuf_alloc (2, IOBUF_BUFFER_SIZE);
 fcx = xmalloc (sizeof *fcx + strlen (fname));
diff --git a/common/iobuf.h b/common/iobuf.h
index d3f55206e..ef055477e 100644
--- a/common/iobuf.h
+++ b/common/iobuf.h
@@ -115,7 +115,7 @@ iobuf_t iobuf_fdopen (int fd, const char *mode);
 iobuf_t iobuf_fdopen_nc (int fd, const char *mode);
 iobuf_t iobuf_esopen (estream_t estream, const char *mode, int keep_open);
 iobuf_t iobuf_sockopen (int fd, const char *mode);
-iobuf_t iobuf_create (const char *fname);
+iobuf_t iobuf_create (const char *fname, int mode700);
 iobuf_t iobuf_append (const char *fname);
 iobuf_t iobuf_openrw (const char *fname);
 int iobuf_ioctl (iobuf_t a, iobuf_ioctl_t cmd, int intval, void *ptrval);
diff --git a/g10/dearmor.c b/g10/dearmor.c
index d84fb30de..3fdd57dae 100644
--- a/g10/dearmor.c
+++ b/g10/dearmor.c
@@ -64,7 +64,7 @@ dearmor_file( const char *fname )
 push_armor_filter ( afx, inp );
- if( (rc = open_outfile (-1, fname, 0, &out )) )
+ if( (rc = open_outfile (-1, fname, 0, 0, &out)) )
 goto leave;
 while( (c = iobuf_get(inp)) != -1 )
@@ -110,7 +110,7 @@ enarmor_file( const char *fname )
 }
- if( (rc = open_outfile (-1, fname, 1, &out )) )
+ if( (rc = open_outfile (-1, fname, 1, 0, &out )) )
 goto leave;
 afx->what = 4;
diff --git a/g10/encrypt.c b/g10/encrypt.c
index c8e796214..5b10b73ea 100644
--- a/g10/encrypt.c
+++ b/g10/encrypt.c
@@ -264,7 +264,7 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
 do_compress = 0;
 }
- if ( rc || (rc = open_outfile (-1, filename, opt.armor? 1:0, &out )))
+ if ( rc || (rc = open_outfile (-1, filename, opt.armor? 1:0, 0, &out )))
 {
 iobuf_cancel (inp);
 xfree (cfx.dek);
@@ -567,7 +567,7 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
 if (opt.textmode)
 iobuf_push_filter (inp, text_filter, &tfx);
- rc = open_outfile (outputfd, filename, opt.armor? 1:0, &out);
+ rc = open_outfile (outputfd, filename, opt.armor? 1:0, 0, &out);
 if (rc)
 goto leave;
diff --git a/g10/export.c b/g10/export.c
index acf38a7b7..0aa44f337 100644
--- a/g10/export.c
+++ b/g10/export.c
@@ -201,7 +201,7 @@ do_export (ctrl_t ctrl, strlist_t users, int secret, unsigned int options )
 memset( &zfx, 0, sizeof zfx);
- rc = open_outfile (-1, NULL, 0, &out );
+ rc = open_outfile (-1, NULL, 0, !!secret, &out );
 if (rc)
 return rc;
diff --git a/g10/keydb.c b/g10/keydb.c
index 688c24c6f..e735b4a53 100644
--- a/g10/keydb.c
+++ b/g10/keydb.c
@@ -213,7 +213,7 @@ maybe_create_keyring_or_box (char *filename, int is_box, int force)
 gpg_err_set_errno (EPERM);
 }
 else
- iobuf = iobuf_create (filename);
+ iobuf = iobuf_create (filename, 0);
 umask (oldmask);
 if (!iobuf)
 {
diff --git a/g10/keygen.c b/g10/keygen.c
index 54d37d01b..35c146068 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -3814,7 +3814,7 @@ do_generate_keypair (struct para_data_s *para,
 gpg_err_set_errno (EPERM);
 }
 else
- outctrl->pub.stream = iobuf_create( outctrl->pub.fname );
+ outctrl->pub.stream = iobuf_create (outctrl->pub.fname, 0);
 if (!outctrl->pub.stream)
 {
 log_error(_("can't create '%s': %s\n"), outctrl->pub.newfname,
@@ -4442,6 +4442,9 @@ gen_card_key_with_backup (int algo, int keyno, int is_primary,
 (ulong)sk->keyid[0], (ulong)sk->keyid[1]);
 fname = make_filename (backup_dir, name_buffer, NULL);
+ /* Note that the umask call is not anymore needed because
+ iobuf_create now takes care of it. However, it does not harm
+ and thus we keep it. */
 oldmask = umask (077);
 if (is_secured_filename (fname))
 {
@@ -4449,7 +4452,7 @@ gen_card_key_with_backup (int algo, int keyno, int is_primary,
 gpg_err_set_errno (EPERM);
 }
 else
- fp = iobuf_create (fname);
+ fp = iobuf_create (fname, 1);
 umask (oldmask);
 if (!fp)
 {
diff --git a/g10/keyring.c b/g10/keyring.c
index 04f6eeb22..6f75b6a78 100644
--- a/g10/keyring.c
+++ b/g10/keyring.c
@@ -1197,7 +1197,9 @@ create_tmp_file (const char *template,
 strcpy (stpcpy(tmpfname,template), EXTSEP_S "tmp");
 # endif /* Posix filename */
- /* Create the temp file with limited access */
+ /* Create the temp file with limited access. Note that the umask
+ call is not anymore needed because iobuf_create now takes care
+ of it. However, it does not harm and thus we keep it. */
 oldmask=umask(077);
 if (is_secured_filename (tmpfname))
 {
@@ -1205,7 +1207,7 @@ create_tmp_file (const char *template,
 gpg_err_set_errno (EPERM);
 }
 else
- *r_fp = iobuf_create (tmpfname);
+ *r_fp = iobuf_create (tmpfname, 1);
 umask(oldmask);
 if (!*r_fp)
 {
@@ -1513,7 +1515,7 @@ do_copy (int mode, const char *fname, KBNODE root,
 gpg_err_set_errno (EPERM);
 }
 else
- newfp = iobuf_create (fname);
+ newfp = iobuf_create (fname, 1);
 umask(oldmask);
 if( !newfp )
 {
diff --git a/g10/main.h b/g10/main.h
index 97c661239..ae0bc8c26 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -270,7 +270,8 @@ int save_unprotected_key_to_card (PKT_public_key *sk, int keyno);
 int overwrite_filep( const char *fname );
 char *make_outfile_name( const char *iname );
 char *ask_outfile_name( const char *name, size_t namelen );
-int open_outfile (int inp_fd, const char *iname, int mode, iobuf_t *a);
+int open_outfile (int inp_fd, const char *iname, int mode,
+ int restrictedperm, iobuf_t *a);
 iobuf_t open_sigfile( const char *iname, progress_filter_context_t *pfx );
 void try_make_homedir( const char *fname );
diff --git a/g10/openfile.c b/g10/openfile.c
index 119c5670d..901387d31 100644
--- a/g10/openfile.c
+++ b/g10/openfile.c
@@ -177,10 +177,12 @@ ask_outfile_name( const char *name, size_t namelen )
 *
 * If INP_FD is not -1 the function simply creates an IOBUF for that
 * file descriptor and ignorea INAME and MODE. Note that INP_FD won't
- * be closed if the returned IOBUF is closed.
+ * be closed if the returned IOBUF is closed. With RESTRICTEDPERM a
+ * file will be created with mode 700 if possible.
 */
 int
-open_outfile (int inp_fd, const char *iname, int mode, iobuf_t *a)
+open_outfile (int inp_fd, const char *iname, int mode, int restrictedperm,
+ iobuf_t *a)
 {
 int rc = 0;
@@ -204,7 +206,7 @@ open_outfile (int inp_fd, const char *iname, int mode, iobuf_t *a)
 }
 else if (iobuf_is_pipe_filename (iname) && !opt.outfile)
 {
- *a = iobuf_create(NULL);
+ *a = iobuf_create (NULL, 0);
 if ( !*a )
 {
 rc = gpg_error_from_syserror ();
@@ -284,7 +286,7 @@ open_outfile (int inp_fd, const char *iname, int mode, iobuf_t *a)
 gpg_err_set_errno (EPERM);
 }
 else
- *a = iobuf_create (name);
+ *a = iobuf_create (name, restrictedperm);
 if (!*a)
 {
 rc = gpg_error_from_syserror ();
diff --git a/g10/revoke.c b/g10/revoke.c
index 46fa87082..1c52ddad7 100644
--- a/g10/revoke.c
+++ b/g10/revoke.c
@@ -328,7 +328,7 @@ gen_desig_revoke( const char *uname, strlist_t locusr )
 if( !opt.armor )
 tty_printf(_("ASCII armored output forced.\n"));
- if( (rc = open_outfile (-1, NULL, 0, &out )) )
+ if( (rc = open_outfile (-1, NULL, 0, 1, &out )) )
 goto leave;
 afx->what = 1;
@@ -518,7 +518,7 @@ gen_revoke (const char *uname)
 if (!opt.armor)
 tty_printf (_("ASCII armored output forced.\n"));
- if ((rc = open_outfile (-1, NULL, 0, &out )))
+ if ((rc = open_outfile (-1, NULL, 0, 1, &out )))
 goto leave;
 afx->what = 1;
diff --git a/g10/sign.c b/g10/sign.c
index 8a878885b..907d8c517 100644
--- a/g10/sign.c
+++ b/g10/sign.c
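Review bot: The added sentence in the `@@ -177` hunk does not say when RESTRICTEDPERM is ignored. The comment above it already notes that INAME and MODE are ignored when INP_FD is given, and the `@@ -204` hunk passes a literal 0 in `iobuf_create (NULL, 0)` for the pipe case, so callers such as gen_revoke and gen_desig_revoke, which pass a NULL name, presumably get restricted permissions only when gpg itself creates a named output file, not when stdout is redirected by the shell. I would extend the comment along the lines of ` * RESTRICTEDPERM is ignored if INP_FD is given or the output goes to stdout.` so that nobody relies on the flag for redirected output.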
@@ -871,7 +871,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
 gpg_err_set_errno (EPERM);
 }
 else
- out = iobuf_create( outfile );
+ out = iobuf_create (outfile, 0);
 if( !out )
 {
 rc = gpg_error_from_syserror ();
@@ -882,7 +882,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
 log_info(_("writing to '%s'\n"), outfile );
 }
 else if( (rc = open_outfile (-1, fname,
- opt.armor? 1: detached? 2:0, &out )))
+ opt.armor? 1: detached? 2:0, 0, &out)))
 goto leave;
 /* prepare to calculate the MD over the input */
@@ -1188,7 +1188,7 @@ clearsign_file( const char *fname, strlist_t locusr, const char *outfile )
 gpg_err_set_errno (EPERM);
 }
 else
- out = iobuf_create( outfile );
+ out = iobuf_create (outfile, 0);
 if( !out )
 {
 rc = gpg_error_from_syserror ();
@@ -1198,7 +1198,7 @@ clearsign_file( const char *fname, strlist_t locusr, const char *outfile )
 else if( opt.verbose )
 log_info(_("writing to '%s'\n"), outfile );
 }
- else if( (rc = open_outfile (-1, fname, 1, &out )) )
+ else if ((rc = open_outfile (-1, fname, 1, 0, &out)))
 goto leave;
 iobuf_writestr(out, "-----BEGIN PGP SIGNED MESSAGE-----" LF );
@@ -1366,7 +1366,7 @@ sign_symencrypt_file (const char *fname, strlist_t locusr)
 cfx.dek->use_mdc=1;
 /* now create the outfile */
- rc = open_outfile (-1, fname, opt.armor? 1:0, &out);
+ rc = open_outfile (-1, fname, opt.armor? 1:0, 0, &out);
 if (rc)
 goto leave;