[PATCH 2/3] vhost-user-blk-test: fix Coverity mkstemp(2) umask warning

From: Stefan Hajnoczi <stefanha@redhat.com>
To: qemu-devel@nongnu.org
Cc: Laurent Vivier <lvivier@redhat.com>,
	Kevin Wolf <kwolf@redhat.com>, Thomas Huth <thuth@redhat.com>,
	qemu-block@nongnu.org, Coiby Xu <Coiby.Xu@gmail.com>,
	Gerd Hoffmann <kraxel@redhat.com>,
	Stefan Hajnoczi <stefanha@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 2/3] vhost-user-blk-test: fix Coverity mkstemp(2) umask warning
Date: Wed, 26 May 2021 10:12:47 +0100	[thread overview]
Message-ID: <20210526091248.434459-3-stefanha@redhat.com> (raw)
In-Reply-To: <20210526091248.434459-1-stefanha@redhat.com>

The Linux man page for mkstemp(3) states:

  In glibc versions 2.06 and earlier, the file is created with
  permissions 0666, that is, read and write for all users.  This old
  behavior may be a security risk, especially  since other UNIX flavors
  use 0600, and somebody might overlook this detail when porting
  programs. POSIX.1-2008 adds a requirement that the file be created
  with mode 0600.

  More generally, the POSIX specification of mkstemp() does not say
  anything about file modes, so the application should make sure its
  file mode creation mask (see umask(2)) is set appropriately before
  calling mkstemp() (and mkostemp()).

glibc 2.0.6 was released in 1997 and POSIX caught up in 2008. macOS and
FreeBSD also use POSIX-compliant 0600 permissions.

At this point the Coverity warning seems archaic and no longer useful,
but go ahead and silence it.

*** CID 1453267:  Security best practices violations  (SECURE_TEMP)
/qemu/tests/qtest/vhost-user-blk-test.c: 827 in create_listen_socket()
821     {
822         int tmp_fd;
823         char *path;
824
825         /* No race because our pid makes the path unique */
826         path = g_strdup_printf("/tmp/qtest-%d-sock.XXXXXX", getpid());
>>>     CID 1453267:  Security best practices violations  (SECURE_TEMP)
>>>     Calling "mkstemp" without securely setting umask first.
827         tmp_fd = mkstemp(path);
828         g_assert_cmpint(tmp_fd, >=, 0);
829         close(tmp_fd);
830         unlink(path);
831
832         *fd = qtest_socket_server(path);

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 tests/qtest/vhost-user-blk-test.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tests/qtest/vhost-user-blk-test.c b/tests/qtest/vhost-user-blk-test.c
index 581e283a03..412e010db8 100644
--- a/tests/qtest/vhost-user-blk-test.c
+++ b/tests/qtest/vhost-user-blk-test.c
@@ -803,11 +803,16 @@ static void destroy_file(void *path)
 static char *drive_create(void)
 {
     int fd, ret;
+    mode_t old_umask;
     /** vhost-user-blk won't recognize drive located in /tmp */
     char *t_path = g_strdup("qtest.XXXXXX");
 
     /** Create a temporary raw image */
+    old_umask = umask(S_IXUSR |
+                      S_IRGRP | S_IWGRP | S_IXGRP |
+                      S_IROTH | S_IWOTH | S_IXOTH);
     fd = mkstemp(t_path);
+    umask(old_umask);
     g_assert_cmpint(fd, >=, 0);
     ret = ftruncate(fd, TEST_IMAGE_SIZE);
     g_assert_cmpint(ret, ==, 0);
@@ -821,10 +826,15 @@ static char *create_listen_socket(int *fd)
 {
     int tmp_fd;
     char *path;
+    mode_t old_umask;
 
     /* No race because our pid makes the path unique */
     path = g_strdup_printf("/tmp/qtest-%d-sock.XXXXXX", getpid());
+    old_umask = umask(S_IXUSR |
+                      S_IRGRP | S_IWGRP | S_IXGRP |
+                      S_IROTH | S_IWOTH | S_IXOTH);
     tmp_fd = mkstemp(path);
+    umask(old_umask);
     g_assert_cmpint(tmp_fd, >=, 0);
     close(tmp_fd);
     unlink(path);
-- 
2.31.1

