[Mimedefang] Clamd permissions on Centos with mimedefang
Philip Prindeville
philipp_subx at redfish-solutions.com
Sun Jan 15 15:53:38 EST 2012
On 1/12/12 10:44 PM, David F. Skoll wrote:
> On Fri, 13 Jan 2012 20:18:59 -0700
> Philip Prindeville <philipp_subx at redfish-solutions.com> wrote:
>
>> - umask(077);
>> + umask(027);
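Review bot: umask(027) replaces umask(077) unconditionally here, so every later open() or mkdir() in the process that requests group read or execute bits will get them, not only the files clamd has to read. Suggest keeping 077 as the default and relaxing the mask only when group access is explicitly requested. Note also that 027 still masks group write, so anything that must be group-writable would need a different mask.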
>
> I don't think we want to set the umask to 027 unconditionally. But the
> new "-G" option should set the umask so that files are group-readable
> and sockets are group readable/writable, I think.
>
> Regards,
>
> David.

Quoting mkdir(2):

    The argument mode specifies the permissions to use. It is modified by
    the process's umask in the usual way: the permissions of the created
    directory are (mode & ~umask & 0777). Other mode bits of the created
    directory depend on the operating system. For Linux, see below.

So when mimedefang.c:get_fd() does:

    sample_fd = open(buf, O_CREAT|O_APPEND|O_RDWR, 0640);

This results in (0640 & ~077 & 0777) or (0640 & 0700 & 0777) or (0640 & 0700) or 600... i.e. no group writability.

So the patch that I sent is correct and has been tested. Repeating the math, we get (0640 & ~0270 & 0777) or (0640 & 0750 & 0777) or (0640 & 0750) or 0640.

Quoting open(2):

    O_CREAT
    [...]
    mode specifies the permissions to use in case a new file is created.
    This argument must be supplied when O_CREAT is specified
    in flags; if O_CREAT is not specified, then mode is ignored.
    The effective permissions are modified by the process's umask in
    the usual way: The permissions of the created file are
    (mode & ~umask). Note that this mode only applies to future
    accesses of the newly created file; the open() call that creates
    a read-only file may well return a read/write file descriptor.

And that's the same description (it elides the masking with 0777 since sticky-bits, etc. are legal).

-Philip
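
As an added example (not part of the original message and not MIMEDefang's code), the C program below repeats the open() call quoted above under umask 077 and umask 027 and reads back the resulting permission bits with fstat(). The helper names and the scratch directory name are made up for the illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permissions predicted by open(2): mode & ~umask (permission bits only). */
static mode_t predicted_mode(mode_t mode, mode_t mask)
{
    return mode & ~mask & 0777;
}

/* Create a file with the flags and mode of the open() call quoted above,
 * under the given umask, and return the permission bits fstat() reports,
 * or (mode_t)-1 on error. The scratch directory name is made up. */
static mode_t created_mode(mode_t mask)
{
    const char *tmp = getenv("TMPDIR");
    char dir[512], path[600];
    struct stat st;
    mode_t old, result = (mode_t)-1;
    int fd;

    snprintf(dir, sizeof(dir), "%s/umask-demo-%ld", tmp ? tmp : "/tmp", (long)getpid());
    if (mkdir(dir, 0700) != 0)          /* fails if the name already exists */
        return result;
    snprintf(path, sizeof(path), "%s/sample", dir);

    old = umask(mask);                  /* umask under test */
    fd = open(path, O_CREAT | O_APPEND | O_RDWR, 0640);
    umask(old);                         /* restore the caller's umask */

    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            result = st.st_mode & 0777;
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return result;
}

int main(void)
{
    mode_t masks[] = { 077, 027 };
    for (size_t i = 0; i < sizeof(masks) / sizeof(masks[0]); i++)
        printf("umask %03o: predicted %04o, created %04o\n", (unsigned)masks[i],
               (unsigned)predicted_mode(0640, masks[i]), (unsigned)created_mode(masks[i]));
    return 0;
}
```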