authorStefan Eissing <icing@apache.org>2019-03-26 11:57:51 +0100
committerStefan Eissing <icing@apache.org>2019-03-26 11:57:51 +0100
commit2179d63f3dcefe991eca270ce717e3b0d7080870 (patch)
tree60bff3974ebc9efd7c5fd3d5502d16d4ca8f6c4d /modules/md/md_util.c
parentmod_proxy: follow up to r1836588: configurable Proxy100Continue. (diff)
*) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
spite of umask. Fixes <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1856297 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/md/md_util.c')
-rw-r--r--modules/md/md_util.c23
1 files changed, 14 insertions, 9 deletions
diff --git a/modules/md/md_util.c b/modules/md/md_util.c
index 12b7dd6da1..83c6a4b523 100644
--- a/modules/md/md_util.c
+++ b/modules/md/md_util.c
@@ -194,8 +194,20 @@ apr_status_t md_util_fopen(FILE **pf, const char *fn, const char *mode)
apr_status_t md_util_fcreatex(apr_file_t **pf, const char *fn,
apr_fileperms_t perms, apr_pool_t *p)
{
- return apr_file_open(pf, fn, (APR_FOPEN_WRITE|APR_FOPEN_CREATE|APR_FOPEN_EXCL),
- perms, p);
+ apr_status_t rv;
+ rv = apr_file_open(pf, fn, (APR_FOPEN_WRITE|APR_FOPEN_CREATE|APR_FOPEN_EXCL),
+ perms, p);
+ if (APR_SUCCESS == rv) {
+ /* See <https://github.com/icing/mod_md/issues/117>
+ * Some people set umask 007 to deny all world read/writability to files
+ * created by apache. While this is a noble effort, we need the store files
+ * to have the permissions as specified. */
+ rv = apr_file_perms_set(fn, perms);
+ if (APR_STATUS_IS_ENOTIMPL(rv)) {
+ rv = APR_SUCCESS;
+ }
+ }
+ return rv;
}
apr_status_t md_util_is_dir(const char *path, apr_pool_t *pool)
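Review bot: When `apr_file_perms_set` fails with anything other than ENOTIMPL, md_util_fcreatex now returns an error while `*pf` is still open and the newly created file stays on disk with the umask-reduced mode. The caller visible in the second hunk (md_text_fcreatex) closes `f` only inside `if (APR_SUCCESS == rv)`, so on this path the handle presumably lives until pool cleanup, and because the open uses APR_FOPEN_EXCL a retry on the same name would fail while the leftover file exists. I would close and remove the file before returning the error, as sketched below. Separately, the mode change is applied by path rather than through the open handle, so it relies on the store directory being writable only by trusted accounts; a one-line comment stating that assumption next to the call would help.

```c
        rv = apr_file_perms_set(fn, perms);
        /* … unchanged: ENOTIMPL is mapped to APR_SUCCESS … */
        if (APR_SUCCESS != rv) {
            /* permissions could not be applied: do not hand back an open
             * handle or leave a store file with the wrong mode behind */
            apr_file_close(*pf);
            *pf = NULL;
            apr_file_remove(fn, p);
        }
```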
@@ -312,13 +324,6 @@ apr_status_t md_text_fcreatex(const char *fpath, apr_fileperms_t perms,
if (APR_SUCCESS == rv) {
rv = write_text((void*)text, f, p);
apr_file_close(f);
- /* See <https://github.com/icing/mod_md/issues/117>: when a umask
- * is set, files need to be assigned permissions explicitly.
- * Otherwise, as in the issues reported, it will break our access model. */
- rv = apr_file_perms_set(fpath, perms);
- if (APR_STATUS_IS_ENOTIMPL(rv)) {
- rv = APR_SUCCESS;
- }
}
return rv;
}