r13239@catbus: nickm | 2007-06-04 11:30:37 -0400

 Fix the fix for bug 445: set umask properly.  Also use open+fdopen rather than just umask+fopen, and create authority identity key with mode 400.


svn:r10485

ChangeLog

@@ -3,7 +3,8 @@ Changes in version 0.2.0.3-alpha - 2007-??-??
     - Create listener connections before we setuid to the configured User and
       Group.  This way, you can choose port values under 1024, start Tor as
       root, and have Tor bind those ports before it changes to another UID.
-    - tor-gencert creates all files visible to the file creator only.
+    - tor-gencert creates all files as readable to the file creator only, and
+      write-protects the authority identity key.
 
   o Minor bugfixes (dns):
     - Fix a crash when DNSPort is set more than once. (Patch from Robert

src/common/crypto.c

@@ -566,7 +566,6 @@ crypto_pk_write_private_key_to_filename(crypto_pk_env_t *env,
   s = tor_malloc(len+1);
   memcpy(s, cp, len);
   s[len]='\0';
-  /* XXXX020 make this file get created with mode 600. */
   r = write_str_to_file(fname, s, 0);
   BIO_free(bio);
   tor_free(s);

src/common/util.c

@@ -1371,7 +1371,9 @@ check_private_dir(const char *dirname, cpd_check_t check)
 /** Create a file named <b>fname</b> with the contents <b>str</b>.  Overwrite
  * the previous <b>fname</b> if possible.  Return 0 on success, -1 on failure.
  *
- * This function replaces the old file atomically, if possible.
+ * This function replaces the old file atomically, if possible.  This
+ * function, and all other functions in util.c that create files, create them
+ * with mode 0600.
  */
 int
 write_str_to_file(const char *fname, const char *str, int bin)

src/tools/tor-gencert.c

@@ -9,6 +9,8 @@
 
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
 
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@@ -149,6 +151,7 @@ load_identity_key(void)
   FILE *f;
 
   if (make_new_id) {
+    int fd;
     RSA *key;
     if (status != FN_NOENT) {
       log_err(LD_GENERAL, "--create-identity-key was specified, but %s "
@@ -168,8 +171,15 @@ load_identity_key(void)
       return 1;
     }
 
-    if (!(f = fopen(identity_key_file, "w"))) {
-      log_err(LD_GENERAL, "Couldn't open %s for writing: %s",
+    if ((fd = open(identity_key_file, O_CREAT|O_EXCL|O_WRONLY, 0400))<0) {
+      log_err(LD_GENERAL, "Couldn't fdopen %s for writing: %s",
+              identity_key_file, strerror(errno));
+      return 1;
+    }
+
+    if (!(f = fdopen(fd, "w"))) {
+      close(fd);
+      log_err(LD_GENERAL, "Couldn't fdopen %s for writing: %s",
               identity_key_file, strerror(errno));
       return 1;
     }
@@ -214,6 +224,7 @@ load_identity_key(void)
 static int
 generate_signing_key(void)
 {
+  int fd;
   FILE *f;
   RSA *key;
   log_notice(LD_GENERAL, "Generating %d-bit RSA signing key.",
@@ -229,8 +240,15 @@ generate_signing_key(void)
     return 1;
   }
 
-  if (!(f = fopen(signing_key_file, "w"))) {
-    log_err(LD_GENERAL, "Couldn't open %s for reading: %s",
+  if ((fd = open(signing_key_file, O_CREAT|O_EXCL|O_WRONLY, 0600))<0) {
+    log_err(LD_GENERAL, "Couldn't open %s for writing: %s",
+            signing_key_file, strerror(errno));
+    return 1;
+  }
+
+  if (!(f = fdopen(fd, "w"))) {
+    close(fd);
+    log_err(LD_GENERAL, "Couldn't open %s for writing: %s",
             signing_key_file, strerror(errno));
     return 1;
   }
@@ -358,7 +376,7 @@ main(int argc, char **argv)
     goto done;
   }
   /* Make sure that files are made private. */
-  umask(0700);
+  umask(0077);
 
   if (parse_commandline(argc, argv))
     goto done;