From 3b257c7a58fd6a7971bc3229f933339e58e91b21 Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa Date: Wed, 13 Feb 2019 17:52:49 -0800 Subject: [PATCH] matrixsynapse: Fix potential exposure of private key Setting permissions after copying the file will lead to momentary exposure of the private key to other users on the system. Use umask instead. Signed-off-by: Sunil Mohan Adapa --- actions/matrixsynapse | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/actions/matrixsynapse b/actions/matrixsynapse index a3b43e4be..cd17d9d78 100755 --- a/actions/matrixsynapse +++ b/actions/matrixsynapse @@ -86,16 +86,17 @@ def _update_tls_certificate(): dest_certificate_path = os.path.join(dest_dir, 'homeserver.tls.crt') dest_private_key_path = os.path.join(dest_dir, 'homeserver.tls.key') + # Private key is only accessible to the user "matrix-synapse" + # Group access is prohibited since it is "nogroup" + old_mask = os.umask(0o133) shutil.copyfile(source_certificate_path, dest_certificate_path) + os.umask(0o177) shutil.copyfile(source_private_key_path, dest_private_key_path) + os.umask(old_mask) shutil.chown(dest_certificate_path, user='matrix-synapse', group='nogroup') shutil.chown(dest_private_key_path, user='matrix-synapse', group='nogroup') - # Private key is only accessible to the user "matrix-synapse" - # Group access is prohibited since it is "nogroup" - os.chmod(dest_private_key_path, 0o600) - def subcommand_post_install(_): """Perform post installation configuration."""
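Review bot: The umask set before `shutil.copyfile(source_private_key_path, dest_private_key_path)` only takes effect when the key file is created; copyfile opens an existing destination for writing and leaves its mode as it was, and this commit removes the `os.chmod(dest_private_key_path, 0o600)` that used to correct it. If homeserver.tls.key is already present with a looser mode (for example from a run of the older code that was interrupted before the chmod, which is an inference since the callers are not in the hunk), it stays readable to other users. I would tighten an existing file before the copy and restore the umask in a `finally`, because an exception from either copyfile currently leaves the process umask at 0o133 or 0o177. The comment about the private key also now sits above the 0o133 call that governs the certificate, so it reads better directly above `os.umask(0o177)`. The function body begins above the hunk.

```python
    old_mask = os.umask(0o133)
    try:
        shutil.copyfile(source_certificate_path, dest_certificate_path)
        # Private key is only accessible to the user "matrix-synapse"
        # Group access is prohibited since it is "nogroup"
        os.umask(0o177)
        # umask is applied only at creation; a key file left by an earlier
        # run keeps its mode, so tighten it before new contents are written.
        if os.path.exists(dest_private_key_path):
            os.chmod(dest_private_key_path, 0o600)
        shutil.copyfile(source_private_key_path, dest_private_key_path)
    finally:
        os.umask(old_mask)
    # … unchanged: shutil.chown calls for both destination files …
```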