Commit 7831a0be authored by Stefan Eissing's avatar Stefan Eissing

*) mod_md: Store permissions are enforced on file creation, enforcing restrictions in

     spite of umask. Fixes <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1856297 13f79535-47bb-0310-9956-ffa450edef68
parent 1acebd49
+3 −0
                                                         -*- coding: utf-8 -*-
Changes with Apache 2.5.1

  *) mod_md: Store permissions are enforced on file creation, enforcing restrictions in
     spite of umask. Fixes <https://github.com/icing/mod_md/issues/117>. [Stefan Eissing]
     
  *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA failure.
     [Michael Kaufmann <mail michael-kaufmann.ch>]

+14 −9
@@ -194,8 +194,20 @@ apr_status_t md_util_fopen(FILE **pf, const char *fn, const char *mode)
apr_status_t md_util_fcreatex(apr_file_t **pf, const char *fn, 
                              apr_fileperms_t perms, apr_pool_t *p)
{
    return apr_file_open(pf, fn, (APR_FOPEN_WRITE|APR_FOPEN_CREATE|APR_FOPEN_EXCL),
    apr_status_t rv;
    rv = apr_file_open(pf, fn, (APR_FOPEN_WRITE|APR_FOPEN_CREATE|APR_FOPEN_EXCL),
                       perms, p);
    if (APR_SUCCESS == rv) {
        /* See <https://github.com/icing/mod_md/issues/117>
         * Some people set umask 007 to deny all world read/writability to files
         * created by apache. While this is a noble effort, we need the store files
         * to have the permissions as specified. */
        rv = apr_file_perms_set(fn, perms);
        if (APR_STATUS_IS_ENOTIMPL(rv)) {
            rv = APR_SUCCESS;
        }
    }
    return rv;
}

apr_status_t md_util_is_dir(const char *path, apr_pool_t *pool)
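Review bot: When `rv = apr_file_perms_set(fn, perms);` fails with anything other than ENOTIMPL, md_util_fcreatex returns the error but leaves the freshly created file open in `*pf` and present on disk, so a caller that reads a non-success return as "nothing was created" leaks the handle and keeps a store file whose mode is not the one requested. Closing the handle, clearing `*pf` and removing `fn` before returning preserves the EXCL-create contract: the file is ours, so removal cannot touch a pre-existing path. Note also that the mode is applied by path rather than to the descriptor just obtained, so it lands on whatever `fn` resolves to at that moment; that is presumably fine because the store directory is not writable by other users, but a one-line comment stating that assumption would help the next reader. The following hunk drops its own copy of this pattern from md_text_fcreatex, presumably routing through this function, so a fix here covers both call sites.
```c
    if (APR_SUCCESS == rv) {
        /* … unchanged: issue #117 comment … */
        rv = apr_file_perms_set(fn, perms);
        if (APR_STATUS_IS_ENOTIMPL(rv)) {
            rv = APR_SUCCESS;
        }
        else if (APR_SUCCESS != rv) {
            /* Do not hand back an open handle to a file whose mode is not the
             * requested one. We created it with EXCL, so removing it cannot
             * clobber anything that existed before. */
            apr_file_close(*pf);
            *pf = NULL;
            apr_file_remove(fn, p);
        }
    }
    return rv;
```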
@@ -312,13 +324,6 @@ apr_status_t md_text_fcreatex(const char *fpath, apr_fileperms_t perms,
    if (APR_SUCCESS == rv) {
        rv = write_text((void*)text, f, p);
        apr_file_close(f);
        /* See <https://github.com/icing/mod_md/issues/117>: when a umask
         * is set, files need to be assigned permissions explicitly.
         * Otherwise, as in the issues reported, it will break our access model. */
        rv = apr_file_perms_set(fpath, perms);
        if (APR_STATUS_IS_ENOTIMPL(rv)) {
            rv = APR_SUCCESS;
        }
    }
    return rv;
}
+2 −2
@@ -27,7 +27,7 @@
 * @macro
 * Version number of the md module as c string
 */
#define MOD_MD_VERSION "1.1.18-DEV"
#define MOD_MD_VERSION "1.1.19-DEV"

/**
 * @macro
@@ -35,7 +35,7 @@
 * release. This is a 24 bit number with 8 bits for major number, 8 bits
 * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
 */
#define MOD_MD_VERSION_NUM 0x010112
#define MOD_MD_VERSION_NUM 0x010113

#define MD_ACME_DEF_URL    "https://acme-v01.api.letsencrypt.org/directory"