ma27/hydra
0
0
Fork 0
forked from lix-project/hydra
Code Pull requests Activity

RunCommand: set umask when creating log paths

Browse source 
This uses the somewhat restrictive umask of 0027 so that people outside
the user or group cannot read the files. This also helps to inhibit
TOCTOU where someone else has a handle to our file before we chmod it
and after we close it.
This commit is contained in:
Cole Helbling 2022-01-24 11:27:09 -08:00
parent 5d3912962b
commit bb16f4fb10
1 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/lib/Hydra/Plugin/RunCommand.pm
View file

@ -167,12 +167,16 @@ sub buildFinished {
my $filename = constructRunCommandLogFilename(sha1_hex($command), $build->get_column('id')); my $filename = constructRunCommandLogFilename(sha1_hex($command), $build->get_column('id'));
my $logPath = constructRunCommandLogPath($filename); my $logPath = constructRunCommandLogPath($filename);
my $dir = dirname($logPath); my $dir = dirname($logPath);
my $oldUmask = umask();
mkdir($dir, oct(755)); # file: 640, dir: 750
umask(0027);
mkdir($dir);
open(my $f, '>', $logPath); open(my $f, '>', $logPath);
close($f); close($f);
chmod(oct(644), $logPath);
umask($oldUmask);
# Run the command # Run the command
system("$command 1>$logpath 2>&1") == 0 system("$command 1>$logpath 2>&1") == 0