[Xen-devel] [OSSTEST PATCH] MaxUmask: enforce a maximum umask value

[Ian Jackson <ian.jackson@xxxxxxxxxxxxx>]

On some operating systems, the default umask is not 002 as it should
be (for the sensible setup with personal groups).

If a user with an 022 or 077 umask invokes osstest in Executive mode,
they end up creating directories in $c{Logs} which are writeable only
by them, and that can stop the whole system because the service user
cannot expire them.

Prevent this from happening.

Signed-off-by: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
---
 Osstest.pm           | 8 ++++++++
 Osstest/Executive.pm | 1 +
 2 files changed, 9 insertions(+)

diff --git a/Osstest.pm b/Osstest.pm
index 34b5b6d..ceb62ca 100644
--- a/Osstest.pm
+++ b/Osstest.pm
@@ -254,6 +254,14 @@ sub readglobalconfig () {
     }
 
     $c{Stash} //= $c{Logs};
+
+    if ($c{MaxUmask}) {
+       my $bad = umask() & ~oct $c{MaxUmask};
+       die sprintf(
+ "bad umask %03o: contains bits %03o, not permitted by MaxUmask %03o\n",
+                   umask(), $bad, $c{MaxUmask})
+           if $bad;
+    }
 }
 
 sub augmentconfigdefaults {
diff --git a/Osstest/Executive.pm b/Osstest/Executive.pm
index 635e5dd..1d706df 100644
--- a/Osstest/Executive.pm
+++ b/Osstest/Executive.pm
@@ -108,6 +108,7 @@ augmentconfigdefaults(
     Repos => "$ENV{'HOME'}/repos",
     BisectionRevisonGraphSize => '600x300',
     ExecutiveDbOwningRoleRegexp => 'osstest',
+    MaxUmask => '007',
 );
 
 augmentconfigdefaults(
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel