Create BASEDIR with 0700. Just like we already did for almost all subdirs.

Only for ~/unrealircd/lib/ we had this ommision, and for ~/unrealircd itself.
I doubt this means a change for users, as all subdirs were already 0700
so then tightening of ~/unrealircd is not very important.
And only upsides... making things safer..

Config

@@ -50,9 +50,12 @@ if [ -z "$BINDIR" -o -z "$DATADIR" -o -z "$CONFDIR" -o -z "$MODULESDIR" -o -z "$
 fi
 
 
+mkdir -p $BASEPATH
 mkdir -p $TMPDIR
-mkdir -p $PRIVATELIBDIR
 mkdir -p $CONFDIR
+chmod 0700 $BASEPATH
+chmod 0700 $TMPDIR
+chmod 0700 $CONFDIR
 
 # Do this even if we're not in advanced mode
 if [ "$ADVANCED" = "1" ] ; then

configure

@@ -7582,6 +7582,11 @@ else case e in #(
   e)
 printf "%s\n" "#define PRIVATELIBDIR \"$PRIVATELIBDIR\"" >>confdefs.h
 
+		# Create the private library directory now with restrictive permissions.
+		# This must happen here rather than in the Makefile because the bundled
+		# libraries are installed into it during configure. It must also work when
+		# configure is run directly without ./Config having created it first.
+		mkdir -p "$PRIVATELIBDIR" && chmod 0700 "$PRIVATELIBDIR"
 		LDFLAGS_PRIVATELIBS="-Wl,-rpath,$PRIVATELIBDIR"
 		LDFLAGS="$LDFLAGS $LDFLAGS_PRIVATELIBS"
 		export LDFLAGS ;;
@@ -8893,7 +8898,7 @@ $ac_cv_prog_MAKER install PREFIX=$cur_dir/extras/argon2 || exit 1
 # lead to a crash of the currently running IRCd.
 rm -f "$PRIVATELIBDIR/"libargon2*
 # Now copy the new library files:
-cp -av $cur_dir/extras/argon2/lib/* $PRIVATELIBDIR/
+cp -av $cur_dir/extras/argon2/lib/* $PRIVATELIBDIR/ || exit 1
 CFLAGS="$save_cflags"
 LDFLAGS="$save_ldflags"
 ARGON2_CFLAGS="-I$cur_dir/extras/argon2/include"

configure.ac

@@ -558,6 +558,11 @@ AS_IF([test "x$with_privatelibdir" = "xno"],
 AS_IF([test "x$PRIVATELIBDIR" = "x"],
 	[LDFLAGS_PRIVATELIBS=""],
 	[AC_DEFINE_UNQUOTED([PRIVATELIBDIR], ["$PRIVATELIBDIR"], [Define the location of private libraries])
+		# Create the private library directory now with restrictive permissions.
+		# This must happen here rather than in the Makefile because the bundled
+		# libraries are installed into it during configure. It must also work when
+		# configure is run directly without ./Config having created it first.
+		mkdir -p "$PRIVATELIBDIR" && chmod 0700 "$PRIVATELIBDIR"
 		LDFLAGS_PRIVATELIBS="-Wl,-rpath,$PRIVATELIBDIR"
 		LDFLAGS="$LDFLAGS $LDFLAGS_PRIVATELIBS"
 		export LDFLAGS])
@@ -728,7 +733,7 @@ $ac_cv_prog_MAKER install PREFIX=$cur_dir/extras/argon2 || exit 1
 # lead to a crash of the currently running IRCd.
 rm -f "$PRIVATELIBDIR/"libargon2*
 # Now copy the new library files:
-cp -av $cur_dir/extras/argon2/lib/* $PRIVATELIBDIR/
+cp -av $cur_dir/extras/argon2/lib/* $PRIVATELIBDIR/ || exit 1
 CFLAGS="$save_cflags"
 LDFLAGS="$save_ldflags"
 ARGON2_CFLAGS="-I$cur_dir/extras/argon2/include"

doc/RELEASE-NOTES.md

@@ -11,6 +11,8 @@ This is work in progress and may not always be a stable version.
   similar to what PHP has been using for years. This means very slow regexes
   will now raise a `SPAMFILTER_REGEX_ERROR` warning during execution if
   this happens (should be extremely rare).
+* The UnrealIRCd base directory (eg `~/unrealircd/`) is now created with
+  0700 permissions, just like most subdirectories were.
 
 ### Fixes:
 * Hardening of the built-in HTTPS client