From: Aurelien Jarno Date: Wed, 14 Feb 2018 16:33:17 +0000 (+0100) Subject: rsync-ssh-wrap: force the permissions of uploaded files X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=f4a8a766c3bd060ea9b2c8c8c75ae052b89df4b9;p=mirror%2Fdsa-puppet.git rsync-ssh-wrap: force the permissions of uploaded files dupload calls rsync with -p, causing the uploaded files to be world readable, despite the ACL of the upload directory (see bug#876900). This is an issue for security uploads. This has been fixed in sid, but not yet in stretch. In the meantime force the permissions to 0640 at the wrapper level. Signed-off-by: Aurelien Jarno
---
diff --git a/modules/roles/files/ssh_upload/rsync-ssh-wrap b/modules/roles/files/ssh_upload/rsync-ssh-wrap
index bdfc6f190..f2a8917fe 100755
--- a/modules/roles/files/ssh_upload/rsync-ssh-wrap
+++ b/modules/roles/files/ssh_upload/rsync-ssh-wrap
@@ -68,7 +68,7 @@ do_rsync() {
 allowed="${allowed_rsyncs[$cmd_idx]}"
 if [ "$*" = "$allowed" ]; then
 info "Running for host $remote_host: rsync $*"
- exec rsync "$@"
+ exec rsync --chmod=F640 "$@"
 croak "Exec failed"
 fi
 done
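Review bot: The `info` line just above the `exec` still logs `rsync $*`, so the log no longer shows the command that is actually run once `--chmod=F640` is injected; logging the same argv, e.g. `info "Running for host $remote_host: rsync --chmod=F640 $*"`, keeps the audit trail and the execution in agreement. The forced option also deserves a comment, since the commit message describes it as a stopgap until the dupload fix reaches stretch: `# Force 0640 on uploaded files; dupload passes -p (bug#876900). Remove once fixed in stretch.` The `F` prefix covers regular files only, so any directory an upload creates keeps the mode the client sends; whether that matters depends on the entries in `allowed_rsyncs`, which are not visible here. `do_rsync` and its enclosing loop begin outside this hunk.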