From e9d9a46d5115e5c75085f335bded4badbce05673 Mon Sep 17 00:00:00 2001
From: "Francisco Blas (klondike) Izquierdo Riera"
Date: Mon, 2 Dec 2019 19:27:29 +0100
Subject: net-firewall/nftables: Touch rules-save with right umask
The nftables ebuild contains code to ensure the rules-save file is created so the service will start on systemd based systems. The current code creates the file with default permissions 644 which triggers the code for detecting misconfigured system added to address bug #691326 Instead of just using touch, start a subshell so we can call umask beforehand and address the issue.
Bug: https://bugs.gentoo.org/691326
Signed-off-by: Francisco Blas Izquierdo Riera (klondike)
Package-Manager: Portage-2.3.76, Repoman-2.3.11
Signed-off-by: Matthew Thode
---
 net-firewall/nftables/nftables-0.9.0-r5.ebuild | 2 +-
 net-firewall/nftables/nftables-0.9.1-r1.ebuild | 2 +-
 net-firewall/nftables/nftables-0.9.2-r1.ebuild | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
(limited to 'net-firewall')
diff --git a/net-firewall/nftables/nftables-0.9.0-r5.ebuild b/net-firewall/nftables/nftables-0.9.0-r5.ebuild
index 24530d29291c..2ad8c89d4c73 100644
--- a/net-firewall/nftables/nftables-0.9.0-r5.ebuild
+++ b/net-firewall/nftables/nftables-0.9.0-r5.ebuild
@@ -84,7 +84,7 @@ pkg_postinst() {
 # In order for the nftables-restore systemd service to start
 # the save_file must exist.
 if [[ ! -f "${save_file}" ]]; then
- touch "${save_file}"
+ ( umask 177; touch "${save_file}" )
 elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
 ewarn "Your system has dangerous permissions for ${save_file}"
 ewarn "It is probably affected by bug #691326."
diff --git a/net-firewall/nftables/nftables-0.9.1-r1.ebuild b/net-firewall/nftables/nftables-0.9.1-r1.ebuild
index 5752d73a1b96..ef662d78f716 100644
--- a/net-firewall/nftables/nftables-0.9.1-r1.ebuild
+++ b/net-firewall/nftables/nftables-0.9.1-r1.ebuild
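Review bot: The exit status of the new `( umask 177; touch "${save_file}" )` subshell is discarded, so if touch fails (for example a missing or read-only parent directory) pkg_postinst carries on silently and the file the nftables-restore unit needs is still absent. Because this runs in pkg_postinst a non-fatal report is the right level: `( umask 177; touch "${save_file}" ) || ewarn "Could not create ${save_file}"`. The 177 umask itself is consistent with the 07177 mask the existing elif branch checks, and keeping the saved ruleset unreadable to unprivileged users is the point of that check. The same change appears identically in the nftables-0.9.1-r1 and nftables-0.9.2-r1 hunks, and the enclosing pkg_postinst function starts and ends outside all three hunks.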
@@ -130,7 +130,7 @@ pkg_postinst() {
 # In order for the nftables-restore systemd service to start
 # the save_file must exist.
 if [[ ! -f "${save_file}" ]]; then
- touch "${save_file}"
+ ( umask 177; touch "${save_file}" )
 elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
 ewarn "Your system has dangerous permissions for ${save_file}"
 ewarn "It is probably affected by bug #691326."
diff --git a/net-firewall/nftables/nftables-0.9.2-r1.ebuild b/net-firewall/nftables/nftables-0.9.2-r1.ebuild
index d35797947814..f8649c46afaf 100644
--- a/net-firewall/nftables/nftables-0.9.2-r1.ebuild
+++ b/net-firewall/nftables/nftables-0.9.2-r1.ebuild
@@ -125,7 +125,7 @@ pkg_postinst() {
 # In order for the nftables-restore systemd service to start
 # the save_file must exist.
 if [[ ! -f "${save_file}" ]]; then
- touch "${save_file}"
+ ( umask 177; touch "${save_file}" )
 elif [[ $(( "$( stat --printf '%05a' "${save_file}" )" & 07177 )) -ne 0 ]]; then
 ewarn "Your system has dangerous permissions for ${save_file}"
 ewarn "It is probably affected by bug #691326."
--
cgit v1.2.3-65-gdbad