From 35ba272c86f5d5cd625725c10d8494e606bfb938 Mon Sep 17 00:00:00 2001
From: Tyler Hicks <tyhicks@canonical.com>
Date: Fri, 21 Apr 2017 00:43:29 +0000
Subject: Explicitly set file mode when creating guest home directory

The fix for CVE-2017-7358 (bzr commit 2478) adjusted the guest home
directory creation to use mkdir in some instances. In those instances,
the home directory is world readable for a short amount of time before
tmpfs is mounted on top of the directory with a 700 file mode. There is
no information leak here since data isn't written to the directory
before the tmpfs mount occurs but it is best to ask mkdir to set the
file mode to 700 from the start.

Thanks to Alexander Peslyak (Solar Designer) for catching this mistake.
---
 debian/guest-account.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/guest-account.sh b/debian/guest-account.sh
index f618390b..6708de2f 100644
--- a/debian/guest-account.sh
+++ b/debian/guest-account.sh
@@ -36,7 +36,7 @@ add_account ()
   GUEST_HOME=$(echo ${temp_home} | tr '[:upper:]' '[:lower:]')
   GUEST_USER=${GUEST_HOME#/tmp/}
   if [ "${GUEST_HOME}" != "${temp_home}" ]; then
-    mkdir "${GUEST_HOME}" || {
+    mkdir -m 700 "${GUEST_HOME}" || {
       echo "Failed to create ${GUEST_USER}'s home directory (${GUEST_HOME})"
       exit 1
     }
-- 
cgit v1.2.1