2003-12-22 Christian Hammers <ch@lathspell.de>
* configure.ac (and everywhere a regular file is opened for
writing): use file permissions from configure rather than
compiled-in umask.
diff --git a/ChangeLog b/ChangeLog
index 02f28d4..7356ea8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2003-12-22 Christian Hammers <ch@lathspell.de>
+
+ * configure.ac (and everywhere a regular file is opened for
+ writing): use file permissions from configure rather than
+ compiled-in umask.
+
2003-12-22 Hasso Tepper <hasso@estpak.ee>
* lib/linklist.c: Revert microfix I commited while reverting
diff --git a/NEWS b/NEWS
index 0a788cf..f5a9032 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,10 @@
directory from $(sysconfdir), easing NetBSD pkgsrc hierarchy rules
compliance.
+- New configure options --enable-configfile-mask and
+ --enable-logfile-mask to set umask values for config and log
+ values. Masks default to 0600, matching previous behavior.
+
* Changes in Quagga 0.96.4
- Further fixes to ospfd, some relating to the PtP revert. Interface
diff --git a/bgpd/bgp_dump.c b/bgpd/bgp_dump.c
index 7dc64c6..9690fb5 100644
--- a/bgpd/bgp_dump.c
+++ b/bgpd/bgp_dump.c
@@ -95,6 +95,7 @@
struct tm *tm;
char fullpath[MAXPATHLEN];
char realpath[MAXPATHLEN];
+ mode_t oldumask;
time (&clock);
tm = localtime (&clock);
@@ -117,10 +118,15 @@
fclose (bgp_dump->fp);
+ oldumask = umask(0777 & ~LOGFILE_MASK);
bgp_dump->fp = fopen (realpath, "w");
if (bgp_dump->fp == NULL)
- return NULL;
+ {
+ umask(oldumask);
+ return NULL;
+ }
+ umask(oldumask);
return bgp_dump->fp;
}
diff --git a/configure.ac b/configure.ac
index b6d8829..094da52 100755
--- a/configure.ac
+++ b/configure.ac
@@ -115,6 +115,10 @@
[ --enable-group=ARG group to run Quagga suite as (default quagga)])
AC_ARG_ENABLE(vty_group,
[ --enable-vty-group=ARG set vty sockets to have specified group as owner])
+AC_ARG_ENABLE(configfile_mask,
+[ --enable-configfile-mask=ARG set mask for config files])
+AC_ARG_ENABLE(logfile_mask,
+[ --enable-logfile-mask=ARG set mask for log files])
AC_ARG_ENABLE(rtadv,
[ --disable-rtadv disable IPV6 router advertisement feature])
@@ -176,6 +180,12 @@
fi
fi
+enable_configfile_mask=${enable_configfile_mask:-0600}
+AC_DEFINE_UNQUOTED(CONFIGFILE_MASK, ${enable_configfile_mask}, Mask for config files)
+
+enable_logfile_mask=${enable_logfile_mask:-0600}
+AC_DEFINE_UNQUOTED(LOGFILE_MASK, ${enable_logfile_mask}, Mask for log files)
+
changequote(, )dnl
MULTIPATH_NUM=1
@@ -1073,6 +1083,8 @@
user to run as : ${enable_user}
group to run as : ${enable_group}
group for vty sockets : ${enable_vty_group}
+config file mask : ${enable_configfile_mask}
+log file mask : ${enable_logfile_mask}
The above user and group must have read/write access to the state file
directory and to the config files in the config file directory.
diff --git a/lib/command.c b/lib/command.c
index 8c60fc4..43a0bb3 100644
--- a/lib/command.c
+++ b/lib/command.c
@@ -2552,6 +2552,14 @@
free (config_file_sav);
free (config_file_tmp);
+
+ if (chmod (config_file, CONFIGFILE_MASK) != 0)
+ {
+ vty_out (vty, "Can't chmod configuration file %s: %s (%d).%s",
+ config_file, strerror(errno), errno, VTY_NEWLINE);
+ return CMD_WARNING;
+ }
+
vty_out (vty, "Configuration saved to %s%s", config_file,
VTY_NEWLINE);
return CMD_SUCCESS;
diff --git a/lib/log.c b/lib/log.c
index 88e1dbf..aedab3c 100644
--- a/lib/log.c
+++ b/lib/log.c
@@ -365,6 +365,7 @@
zlog_set_file (struct zlog *zl, int flags, char *filename)
{
FILE *fp;
+ mode_t oldumask;
/* There is opend file. */
zlog_reset_file (zl);
@@ -374,9 +375,14 @@
zl = zlog_default;
/* Open file. */
+ oldumask = umask (0777 & ~LOGFILE_MASK);
fp = fopen (filename, "a");
if (fp == NULL)
- return 0;
+ {
+ umask(oldumask);
+ return 0;
+ }
+ umask(oldumask);
/* Set flags. */
zl->filename = strdup (filename);
@@ -421,9 +427,16 @@
if (zl->filename)
{
+ mode_t oldumask;
+
+ oldumask = umask (0777 & ~LOGFILE_MASK);
fp = fopen (zl->filename, "a");
if (fp == NULL)
- return -1;
+ {
+ umask(oldumask);
+ return -1;
+ }
+ umask(oldumask);
zl->fp = fp;
}
diff --git a/lib/pid_output.c b/lib/pid_output.c
index 125ca40..2d90afc 100644
--- a/lib/pid_output.c
+++ b/lib/pid_output.c
@@ -32,16 +32,20 @@
#ifndef HAVE_FCNTL
FILE *fp;
pid_t pid;
+ mask_t oldumask;
pid = getpid();
+ oldumask = umask(0777 & ~LOGFILE_MASK);
fp = fopen (path, "w");
if (fp != NULL)
{
fprintf (fp, "%d\n", (int) pid);
fclose (fp);
+ umask(oldumask);
return -1;
}
+ umask(oldumask);
return pid;
#else
return pid_output_lock(path);
@@ -57,18 +61,23 @@
pid_t pid;
char buf[16];
struct flock lock;
+ mode_t oldumask;
pid = getpid ();
- fd = open (path, O_RDWR | O_CREAT, 0644);
+ oldumask = umask(0777 & ~LOGFILE_MASK);
+ zlog_err( "old umask %d %d", oldumask, 0777 & ~LOGFILE_MASK);
+ fd = open (path, O_RDWR | O_CREAT, LOGFILE_MASK);
if (fd < 0)
{
zlog_err( "Can't creat pid lock file %s (%s), exit",
path, strerror(errno));
+ umask(oldumask);
exit (-1);
}
else
{
+ umask(oldumask);
memset (&lock, 0, sizeof(lock));
lock.l_type = F_WRLCK;
diff --git a/lib/vty.c b/lib/vty.c
index edfd99d..8ba9970 100644
--- a/lib/vty.c
+++ b/lib/vty.c
@@ -2185,6 +2185,14 @@
close (sav);
close (tmp);
+ if (chmod(fullpath_tmp, CONFIGFILE_MASK) != 0)
+ {
+ free (fullpath_sav);
+ free (fullpath_tmp);
+ unlink (fullpath_tmp);
+ return NULL;
+ }
+
if (link (fullpath_tmp, fullpath) == 0)
ret = fopen (fullpath, "r");
diff --git a/vtysh/vtysh.c b/vtysh/vtysh.c
index 74707f9..e9c784a 100644
--- a/vtysh/vtysh.c
+++ b/vtysh/vtysh.c
@@ -1287,14 +1287,10 @@
int write_config_integrated(void)
{
int ret;
- mode_t old_umask;
char line[] = "write terminal\n";
FILE *fp;
char *integrate_sav = NULL;
- /* config files have 0600 perms... */
- old_umask = umask (0077);
-
integrate_sav = malloc (strlen (integrate_default)
+ strlen (CONF_BACKUP_EXT) + 1);
strcpy (integrate_sav, integrate_default);
@@ -1312,7 +1308,6 @@
if (fp == NULL)
{
fprintf (stdout,"%% Can't open configuration file %s.\n", integrate_default);
- umask (old_umask);
return CMD_SUCCESS;
}
@@ -1329,11 +1324,17 @@
fclose (fp);
+ if (chmod (integrate_default, CONFIGFILE_MASK) != 0)
+ {
+ fprintf (stdout,"%% Can't chmod configuration file %s: %s (%d)\n",
+ integrate_default, strerror(errno), errno);
+ return CMD_WARNING;
+ }
+
fprintf(stdout,"Integrated configuration saved to %s\n",integrate_default);
fprintf (stdout,"[OK]\n");
- umask (old_umask);
return CMD_SUCCESS;
}