Hi all,

I have prepared a preliminary patch for wheezy. I have not yet been able to test it fully (it is building right now). It looks like attached. You may need to modify it for later versions.

Please comment. The principles should be ok even if I may have made some stupid copy+paste mistake. It worked fine in a little test program I made.

Hope this helps

// Ola

On Mon, Aug 1, 2016 at 5:53 AM, Chris Lamb <la...@debian.org> wrote:

> > 2) How do you plan to handle the "upgrade case" that is will you try to
> > change the permission on already created history file or will you just
> > handle the creation case?
>
> For redis, what I did was set and then unset the umask (for creation) and
> chmod(2) the file afterwards to "upgrade" existing ones.
>
> I don't recommend a postinst approach (ie. chmod 0600 /home/*/.filename)
> for various reasons.
>
>
> Regards,
>
> --
> Chris Lamb
> la...@debian.org / chris-lamb.co.uk

--
Inguza Technology AB, MSc in Information Technology
o...@inguza.com, o...@debian.org
Folkebogatan 26, 654 68 KARLSTAD
http://inguza.com/
Mobile: +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9

Description: World readable dbshell log file This correction make sure the ~/.dbshell log file is not world readable. . mongodb (1:2.0.6-1deb7u1) wheezy-security; urgency=high . * Non-maintainer upload by the Long Term Security Team. * Make sure dbshell log file is not readable by others. Author: Ola Lundqvist <o...@debian.org> Origin: other Bug: https://jira.mongodb.org/browse/SERVER-25335 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832908 Forwarded: no Reviewed-By: Ola Lundqvist <o...@debian.org> Last-Update: 2016-08-01 Index: mongodb-2.0.6/third_party/linenoise/linenoise.cpp =================================================================== --- mongodb-2.0.6.orig/third_party/linenoise/linenoise.cpp 2012-06-04 13:42:54.000000000 +0000 +++ mongodb-2.0.6/third_party/linenoise/linenoise.cpp 2016-08-01 22:05:34.234826380 +0000 @@ -104,11 +104,13 @@ #include <termios.h> #include <unistd.h> +#include <fcntl.h> #include <stdlib.h> #include <stdio.h> #include <errno.h> #include <string.h> #include <stdlib.h> +#include <sys/stat.h> #include <sys/types.h> #include <sys/ioctl.h> #include <unistd.h> @@ -799,6 +801,9 @@ /* Save the history in the specified file. On success 0 is returned * otherwise -1 is returned. */ int linenoiseHistorySave(const char *filename) { + mode_t prev_mask = umask(0022); + // Make sure this file is not readable by others + umask(prev_mask | S_IROTH | S_IWOTH | S_IXOTH); FILE *fp = fopen(filename,"w"); int j; 
@@ -817,6 +822,16 @@ * If the file exists and the operation succeeded 0 is returned, otherwise * on error -1 is returned. */ int linenoiseHistoryLoad(const char *filename) { + struct stat fileStat; + if (stat(filename,&fileStat) < 0) return -1; + if (fileStat.st_mode & S_IROTH || + fileStat.st_mode & S_IWOTH || + fileStat.st_mode & S_IXOTH) { + // If the file is world readable, writeable or executable + // make sure it is not but keep all other permissions. + chmod(filename, fileStat.st_mode & 0777770); + } + FILE *fp = fopen(filename,"r"); char buf[LINENOISE_MAX_LINE];
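
Review bot: The added `#include <fcntl.h>` in the first hunk does not seem to be needed by anything the later hunks call: `umask()`, `stat()` and `chmod()` are all declared in `<sys/stat.h>`, and no `open()` or `fcntl()` call appears in the visible changes. Drop it unless it is there for a follow-up change, in which case say so in the patch description.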
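
Review bot: In the `linenoiseHistorySave()` hunk the tightened umask is set before `fopen(filename,"w")`, but the visible lines never put `prev_mask` back, so unless a restore follows further down the function, every file the process creates afterwards inherits the changed mask. Add `umask(prev_mask);` directly after the `fopen()` call so it runs on both the success and the failure path. Two smaller points on the same lines: the first call `umask(0022)` is only used to read the current mask and briefly changes it process-wide, so a single call that sets the final mask and saves the return value would be tidier; and the umask only applies when the file is created, so opening an existing world-readable history file with "w" keeps its old mode. The save path therefore depends on the `chmod()` in the load path having run first, which is worth a comment or an `fchmod(fileno(fp), ...)` after the open.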
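
Review bot: In the `linenoiseHistoryLoad()` hunk, `stat()`, `chmod()` and `fopen()` each resolve `filename` separately, so the file whose mode is checked is not guaranteed to be the one that gets changed or read; opening the file first and then using `fstat()` and `fchmod()` on `fileno(fp)` keeps all three operations on the same file. The return value of `chmod()` is also ignored, so a failure to tighten the mode goes unnoticed and the history is loaded anyway; decide whether that should be reported or at least commented. Finally, the mask `0777770` passes the file-type bits of `st_mode` through to `chmod()`; `fileStat.st_mode & 07777 & ~S_IRWXO` states the intent (keep the permission bits, clear the "other" bits) without relying on the extra bits being ignored, and the three-way test above it can be written as `fileStat.st_mode & S_IRWXO`.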