From ecbdd241f7e8e28f1057781c4ac2013e8d476288 Mon Sep 17 00:00:00 2001
From: Zac Medico
Date: Wed, 19 Jan 2011 11:02:30 -0800
Subject: dispatch-conf: restrict default archive-dir perms
Also, add warnings about rcs and ci behavior in dispatch-conf.conf and dispatch-conf.1. This will fix bug #315603.
---
 pym/portage/dispatch_conf.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'pym')
diff --git a/pym/portage/dispatch_conf.py b/pym/portage/dispatch_conf.py
index 5724d9169..228638c01 100644
--- a/pym/portage/dispatch_conf.py
+++ b/pym/portage/dispatch_conf.py
@@ -1,5 +1,5 @@
 # archive_conf.py -- functionality common to archive-conf and dispatch-conf
-# Copyright 2003-2004 Gentoo Foundation
+# Copyright 2003-2011 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
@@ -64,6 +64,9 @@ def read_config(mandatory_opts):
 if not os.path.exists(opts['archive-dir']):
 os.mkdir(opts['archive-dir'])
+ # Use restrictive permissions by default, in order to protect
+ # against vulnerabilities (like bug #315603 involving rcs).
+ os.chmod(opts['archive-dir'], 0o700)
 elif not os.path.isdir(opts['archive-dir']):
 print(_('dispatch-conf: Config archive dir [%s] must exist; fatal') % (opts['archive-dir'],), file=sys.stderr)
 sys.exit(1)
--
cgit v1.2.3-1-g7c22
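Review bot: In the second hunk the directory is created by `os.mkdir(opts['archive-dir'])` under the process umask and only tightened afterwards by the added `os.chmod(opts['archive-dir'], 0o700)`, so with a typical umask it briefly exists with wider permissions; passing the mode at creation, `os.mkdir(opts['archive-dir'], 0o700)`, closes that window, and the chmod can stay so the result is exactly 0o700 under a stricter umask. The restriction also runs only on the creation path: the `elif` branch checks nothing beyond `os.path.isdir`, so an archive dir left by an earlier version keeps whatever mode it has and presumably stays exposed to the rcs issue until the admin tightens it by hand; a warning when the existing directory is group- or world-accessible would make that visible. read_config's body begins and ends outside the hunk.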