[#3050] Added Umask RAII and use it

fxdupont · fxdupont · commit 84c437e30fe6 · 2024-06-27T14:47:52.000+02:00
diff --git a/src/lib/process/daemon.cc b/src/lib/process/daemon.cc
@@ -231,6 +231,9 @@ Daemon::writeConfigFile(const std::string& config_file,
         isc_throw(Unexpected, "Can't write configuration: conversion to JSON failed");
     }
 
+    // Remove rights for other from the umask.
+    Umask mask(S_IRWXO);
+
     std::ofstream out(config_file, std::ios::trunc);
     if (!out.good()) {
         isc_throw(Unexpected, "Unable to open file " + config_file + " for writing");
diff --git a/src/lib/util/filesystem.cc b/src/lib/util/filesystem.cc
@@ -19,7 +19,6 @@
 #include <string>
 
 #include <fcntl.h>
-#include <sys/stat.h>
 
 using namespace isc::util::str;
 using namespace std;
@@ -69,6 +68,14 @@ isFile(string const& path) {
     return ((statbuf.st_mode & S_IFMT) == S_IFREG);
 }
 
+Umask::Umask(mode_t mask) : orig_umask_(umask(S_IWGRP | S_IWOTH)) {
+    umask(orig_umask_ | mask);
+}
+
+Umask::~Umask() {
+    umask(orig_umask_);
+}
+
 Path::Path(string const& full_name) {
     if (!full_name.empty()) {
         bool dir_present = false;
diff --git a/src/lib/util/filesystem.h b/src/lib/util/filesystem.h
@@ -7,6 +7,7 @@
 #ifndef KEA_UTIL_FILESYSTEM_H
 #define KEA_UTIL_FILESYSTEM_H
 
+#include <sys/stat.h>
 #include <string>
 
 namespace isc {
@@ -48,6 +49,23 @@ isDir(const std::string& path);
 bool
 isFile(const std::string& path);
 
+/// \brief RAII device to limit access of created files.
+struct Umask {
+    /// \brief Constructor
+    ///
+    /// Set wanted bits in umask.
+    Umask(mode_t mask);
+
+    /// \brief Destructor.
+    ///
+    /// Restore umask.
+    ~Umask();
+
+private:
+    /// \brief Original umask.
+    mode_t orig_umask_;
+};
+
 /// \brief Paths on a filesystem
 struct Path {
     /// \brief Constructor
diff --git a/src/lib/util/tests/filesystem_unittests.cc b/src/lib/util/tests/filesystem_unittests.cc
@@ -69,6 +69,18 @@ TEST_F(FileUtilTest, isFile) {
     EXPECT_FALSE(isFile(TEST_DATA_BUILDDIR));
 }
 
+/// @brief Check Umask.
+TEST_F(FileUtilTest, umask) {
+    // Protect the test itself assuming that Umask does what we expect...
+    Umask m0(0);
+    mode_t orig = umask(0);
+    {
+        Umask m(S_IROTH);
+        EXPECT_EQ(S_IROTH, umask(S_IRWXO));
+    }
+    EXPECT_EQ(0, umask(orig));
+}
+
 /// @brief Check that the components are split correctly.
 TEST(PathTest, components) {
     // Complete name

Original file line number	Diff line number	Diff line change
`@@ -231,6 +231,9 @@ Daemon::writeConfigFile(const std::string& config_file,`
`231`	`231`	`isc_throw(Unexpected, "Can't write configuration: conversion to JSON failed");`
`232`	`232`	`}`
`233`	`233`
	`234`	`+ // Remove rights for other from the umask.`
	`235`	`+ Umask mask(S_IRWXO);`
	`236`	`+`
`234`	`237`	`std::ofstream out(config_file, std::ios::trunc);`
`235`	`238`	`if (!out.good()) {`
`236`	`239`	`isc_throw(Unexpected, "Unable to open file " + config_file + " for writing");`