LibCore: Enforce correct mode when creating new passwd and shadow files

- Use umask() to prevent the parent process from tampering with the mode
  bits of replacement passwd and shadow files.
- Use fchmod() to set new shadow files to mode 0600.

1 files changed, 6 insertions, 2 deletions

diff --git a/Userland/Libraries/LibCore/Account.cpp b/Userland/Libraries/LibCore/Account.cpp
index dc1af5ad9e..1f287a7a19 100644
--- a/Userland/Libraries/LibCore/Account.cpp
+++ b/Userland/Libraries/LibCore/Account.cpp
@@ -9,6 +9,7 @@
 #include <AK/ScopeGuard.h>
 #include <LibCore/Account.h>
 #include <LibCore/System.h>
+#include <LibCore/UmaskScope.h>
 #include <errno.h>
 #include <grp.h>
 #include <pwd.h>
@@ -260,6 +261,8 @@ ErrorOr<String> Account::generate_shadow_file() const
 
 ErrorOr<void> Account::sync()
 {
+    Core::UmaskScope umask_scope(0777);
+
     auto new_passwd_file_content = TRY(generate_passwd_file());
 #ifndef AK_OS_BSD_GENERIC
     auto new_shadow_file_content = TRY(generate_shadow_file());
@@ -273,13 +276,14 @@ ErrorOr<void> Account::sync()
     {
         auto new_passwd_fd = TRY(Core::System::mkstemp(new_passwd_name));
         ScopeGuard new_passwd_fd_guard = [new_passwd_fd] { close(new_passwd_fd); };
+        TRY(Core::System::fchmod(new_passwd_fd, 0644));
+
 #ifndef AK_OS_BSD_GENERIC
         auto new_shadow_fd = TRY(Core::System::mkstemp(new_shadow_name));
         ScopeGuard new_shadow_fd_guard = [new_shadow_fd] { close(new_shadow_fd); };
+        TRY(Core::System::fchmod(new_shadow_fd, 0600));
 #endif
 
-        TRY(Core::System::fchmod(new_passwd_fd, 0644));
-
         auto nwritten = TRY(Core::System::write(new_passwd_fd, new_passwd_file_content.bytes()));
         VERIFY(static_cast<size_t>(nwritten) == new_passwd_file_content.length());