From f4a8a766c3bd060ea9b2c8c8c75ae052b89df4b9 Mon Sep 17 00:00:00 2001
From: Aurelien Jarno <aurelien@aurel32.net>
Date: Wed, 14 Feb 2018 17:33:17 +0100
Subject: [PATCH] rsync-ssh-wrap: force the permissions of uploaded files

dupload calls rsync with -p, causing the uploaded files to be world
readable, despite the ACL of the upload directory (see bug#876900).
This is an issue for security uploads.

This has been fixed in sid, but not yet in stretch. In the meantime
force the permissions to 0640 at the wrapper level.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
---
 modules/roles/files/ssh_upload/rsync-ssh-wrap | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/roles/files/ssh_upload/rsync-ssh-wrap b/modules/roles/files/ssh_upload/rsync-ssh-wrap
index bdfc6f190..f2a8917fe 100755
--- a/modules/roles/files/ssh_upload/rsync-ssh-wrap
+++ b/modules/roles/files/ssh_upload/rsync-ssh-wrap
@@ -68,7 +68,7 @@ do_rsync() {
 		allowed="${allowed_rsyncs[$cmd_idx]}"
 		if [ "$*" = "$allowed" ]; then
 			info "Running for host $remote_host: rsync $*"
-			exec rsync "$@"
+			exec rsync --chmod=F640 "$@"
 			croak "Exec failed"
 		fi
 	done
-- 
2.20.1