From a3b03d1b5af5112bc94b448879a2f401043b42ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Forsman?=
Date: Wed, 28 Jun 2023 10:22:07 +0200
Subject: Use umask for race-free permission setting

Without using umask there's a small time window where paths are world readable. That is a bad idea to do for secret files (e.g. the dovecot code path).
---
 mail-server/dovecot.nix | 6 +++---
 mail-server/systemd.nix | 2 ++
 mail-server/users.nix | 3 +++
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index c683a8a..771dedd 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -104,6 +104,9 @@ let
 chmod 755 "${passwdDir}"
 fi
 
+# Prevent world-readable password files, even temporarily.
+umask 077
+
 for f in ${builtins.toString (lib.mapAttrsToList (name: value: passwordFiles."${name}") cfg.loginAccounts)}; do
 if [ ! -f "$f" ]; then
 echo "Expected password hash file $f does not exist!"
@@ -125,9 +128,6 @@ let
 else "")
 ) cfg.loginAccounts)}
 EOF
-
-chmod 600 ${passwdFile}
-chmod 600 ${userdbFile}
 '';
 
 junkMailboxes = builtins.attrNames (lib.filterAttrs (n: v: v ? "specialUse" && v.specialUse == "Junk") cfg.mailboxes);
diff --git a/mail-server/systemd.nix b/mail-server/systemd.nix
index 0fdcf90..2c7f8ee 100644
--- a/mail-server/systemd.nix
+++ b/mail-server/systemd.nix
@@ -64,6 +64,8 @@ in
 in ''
 # Create mail directory and set permissions. See
 # .
+# Prevent world-readable paths, even temporarily.
+umask 007
 mkdir -p ${directories}
 chgrp "${vmailGroupName}" ${directories}
 chmod 02770 ${directories}
diff --git a/mail-server/users.nix b/mail-server/users.nix
index 916ec0c..17196fc 100644
--- a/mail-server/users.nix
+++ b/mail-server/users.nix
@@ -34,6 +34,9 @@ let
 
 set -euo pipefail
 
+# Prevent world-readable paths, even temporarily.
+umask 007
+
 # Create directory to store user sieve scripts if it doesn't exist
 if (! test -d "${sieveDirectory}"); then
 mkdir "${sieveDirectory}"
-- 
cgit v1.2.3
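Review bot: Removing `chmod 600 ${passwdFile}` and `chmod 600 ${userdbFile}` in the second dovecot.nix hunk (@@ -125,9) relies on the `umask 077` added in the first hunk, but a umask only governs the mode of files created after it; if either file already exists from an earlier run (the write that produces them sits between the two hunks, outside this view, and a `>` redirect truncates in place), its existing mode is kept, so a file that was once 0644 stays world-readable after this change. Keep the two chmod lines after the write: the umask closes the creation window and the chmod tightens files that predate it. The `umask 077` also applies to everything later in the script, including the `for f in ...` loop, which looks intended here but is worth stating in the added comment, e.g. `# umask 077: every file created from here on is owner-only; it does not change the mode of files that already exist.`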
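Review bot: In the systemd.nix hunk `mkdir -p ${directories}` now runs under `umask 007`, so any missing parent directory that `-p` has to create is made 0770 and owned by the service user (root, presumably), while the following `chgrp`/`chmod 02770` only touch the listed directories themselves; a vmail-group user could then be unable to traverse into the mail directory, whereas under the usual service umask of 0022 such parents were created 0755. Whether a parent can be missing depends on how `directories` is built, which is outside the hunk; if custom paths are accepted, create the parents before the `umask 007` line (one `mkdir -p "$(dirname ...)"` per path), or state the assumption in the comment, e.g. `# Parents of these paths must already exist: under umask 007, mkdir -p would create them 0770 and unreadable to the vmail group.`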