[Debian-iot-maintainers] Bug#873365: librad0: radUtilsBecomeDaemon should not set umask(0)

Kevin Locke kevin at kevinlocke.name
Sat Aug 26 23:15:38 UTC 2017

Package: librad0
Version: 2.12.0-4
Severity: normal

Dear Maintainer,

Thanks for packaging radlib!  As a wview user it's nice to see one of
its dependencies added to the official repos.

I recently realized that wview creates most files world-writable, which
is a pretty big security issue.  The cause is the radlib
radUtilsBecomeDaemon function unconditionally calling umask(0) after
fork() and none of the wview daemons call umask with a sane value after
that.  This is radlib issue #2 which was opened in 2011 and hasn't
received any comment.[1]

I was hoping you might be willing to carry a patch which removes the
umask(0) call.  Otherwise I (and presumably many other users of radlib)
will need to update all calls to radUtilsBecomeDaemon to save/restore
the umask.

Thanks for considering,

1.  https://sourceforge.net/p/radlib/bugs/2/

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-kevinoid1 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages librad0 depends on:
ii  libc6         2.24-14
ii  libsqlite3-0  3.19.3-3

librad0 recommends no packages.

Versions of packages librad0 suggests:
pn  librad0-tools  <none>

More information about the Debian-iot-maintainers mailing list