maride/guacamole-spice-protocol
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

GUACAMOLE-462: Create recordings/typescripts with group read permission.

Browse Source 
Previously, all recordings/typescripts were strictly readable by the
service user that created them (guacd). This prevents reading by other
services like the Guacamole web application. Instead,
recordings/typescripts should at least be group-readable.
This commit is contained in:
Michael Jumper 2022-02-17 09:25:26 -08:00
parent 29535e6cb8
commit 4d41b38a24
2 changed files with 9 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/common/recording.c
View File

@ -84,7 +84,7 @@ static int guac_common_recording_open(const char* path,
/* Attempt to open recording */ /* Attempt to open recording */
int fd = open(basename, int fd = open(basename,
O_CREAT | O_EXCL | O_WRONLY, O_CREAT | O_EXCL | O_WRONLY,
S_IRUSR | S_IWUSR); S_IRUSR | S_IWUSR | S_IRGRP);
/* Continuously retry with alternate names on failure */ /* Continuously retry with alternate names on failure */
if (fd == -1) { if (fd == -1) {
@ -103,7 +103,7 @@ static int guac_common_recording_open(const char* path,
/* Retry with newly-suffixed filename */ /* Retry with newly-suffixed filename */
fd = open(basename, fd = open(basename,
O_CREAT | O_EXCL | O_WRONLY, O_CREAT | O_EXCL | O_WRONLY,
S_IRUSR | S_IWUSR); S_IRUSR | S_IWUSR | S_IRGRP);
} }
@ -144,7 +144,8 @@ guac_common_recording* guac_common_recording_create(guac_client* client,
/* Create path if it does not exist, fail if impossible */ /* Create path if it does not exist, fail if impossible */
#ifndef __MINGW32__ #ifndef __MINGW32__
if (create_path && mkdir(path, S_IRWXU) && errno != EEXIST) { if (create_path && mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP)
&& errno != EEXIST) {
#else #else
if (create_path && _mkdir(path) && errno != EEXIST) { if (create_path && _mkdir(path) && errno != EEXIST) {
#endif #endif

9
src/terminal/typescript.c
View File

@ -79,7 +79,7 @@ static int guac_terminal_typescript_open_data_file(const char* path,
/* Attempt to open typescript data file */ /* Attempt to open typescript data file */
int data_fd = open(basename, int data_fd = open(basename,
O_CREAT | O_EXCL | O_WRONLY, O_CREAT | O_EXCL | O_WRONLY,
S_IRUSR | S_IWUSR); S_IRUSR | S_IWUSR | S_IRGRP);
/* Continuously retry with alternate names on failure */ /* Continuously retry with alternate names on failure */
if (data_fd == -1) { if (data_fd == -1) {
@ -98,7 +98,7 @@ static int guac_terminal_typescript_open_data_file(const char* path,
/* Retry with newly-suffixed filename */ /* Retry with newly-suffixed filename */
data_fd = open(basename, data_fd = open(basename,
O_CREAT | O_EXCL | O_WRONLY, O_CREAT | O_EXCL | O_WRONLY,
S_IRUSR | S_IWUSR); S_IRUSR | S_IWUSR | S_IRGRP);
} }
@ -112,7 +112,8 @@ guac_terminal_typescript* guac_terminal_typescript_alloc(const char* path,
const char* name, int create_path) { const char* name, int create_path) {
/* Create path if it does not exist, fail if impossible */ /* Create path if it does not exist, fail if impossible */
if (create_path && mkdir(path, S_IRWXU) && errno != EEXIST) if (create_path && mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP)
&& errno != EEXIST)
return NULL; return NULL;
/* Allocate space for new typescript */ /* Allocate space for new typescript */
@ -141,7 +142,7 @@ guac_terminal_typescript* guac_terminal_typescript_alloc(const char* path,
/* Attempt to open typescript timing file */ /* Attempt to open typescript timing file */
typescript->timing_fd = open(typescript->timing_filename, typescript->timing_fd = open(typescript->timing_filename,
O_CREAT | O_EXCL | O_WRONLY, O_CREAT | O_EXCL | O_WRONLY,
S_IRUSR | S_IWUSR); S_IRUSR | S_IWUSR | S_IRGRP);
if (typescript->timing_fd == -1) { if (typescript->timing_fd == -1) {
close(typescript->data_fd); close(typescript->data_fd);
free(typescript); free(typescript);