Red Hat Bugzilla – Bug 112516
zip creates insecure temporary files
Last modified: 2007-04-18 13:00:46 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5)
Description of problem:
zip can be used with the -t switch to specify a location for the
temporary file it creates.
The man page gives the following example:
Use the specified path for the temporary zip archive. For example:
zip -b /tmp stuff *
Unfortunately, zip creates a temporary file with world readable
[not-root@host dir]$ ls -trlah /tmp/
-rw-r--r-- 1 root root 219M Dec 22 00:40 ziK2Os4N
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. zip -b /tmp/ -r something.zip folder/
2. ls -trlah /tmp/
Created attachment 96665 [details]
Change umask prior to temporary file creation
The files are created with the umask from the user's environment.
e.g. Typing "umask 0066" at the command line will alter this and all other
programs' file creation behavior.
I will include this fix for temporary file creation in the next build in
Package built; will appear in rawhide (zip-2.3-19) - waiting for
rawhide push prior to closing.
zip-2.3-20 is in rawhide. Closing.