RunCommand: set umask when creating log paths
This uses the somewhat restrictive umask of 0027 so that people outside the user or group cannot read the files. This also helps to inhibit TOCTOU where someone else has a handle to our file before we chmod it and after we close it.
This commit is contained in:
parent
5d3912962b
commit
bb16f4fb10
|
@ -167,12 +167,16 @@ sub buildFinished {
|
||||||
my $filename = constructRunCommandLogFilename(sha1_hex($command), $build->get_column('id'));
|
my $filename = constructRunCommandLogFilename(sha1_hex($command), $build->get_column('id'));
|
||||||
my $logPath = constructRunCommandLogPath($filename);
|
my $logPath = constructRunCommandLogPath($filename);
|
||||||
my $dir = dirname($logPath);
|
my $dir = dirname($logPath);
|
||||||
|
my $oldUmask = umask();
|
||||||
|
|
||||||
mkdir($dir, oct(755));
|
# file: 640, dir: 750
|
||||||
|
umask(0027);
|
||||||
|
mkdir($dir);
|
||||||
|
|
||||||
open(my $f, '>', $logPath);
|
open(my $f, '>', $logPath);
|
||||||
close($f);
|
close($f);
|
||||||
chmod(oct(644), $logPath);
|
|
||||||
|
umask($oldUmask);
|
||||||
|
|
||||||
# Run the command
|
# Run the command
|
||||||
system("$command 1>$logpath 2>&1") == 0
|
system("$command 1>$logpath 2>&1") == 0
|
||||||
|
|
Loading…
Reference in a new issue