From 3571c9e75b5d46bf657e6422319b71c4e1276ab3 Mon Sep 17 00:00:00 2001 From: Bram Matthys Date: Fri, 5 Jun 2026 17:03:33 +0200 Subject: [PATCH] Create BASEDIR with 0700. Just like we already did for almost all subdirs. Only for ~/unrealircd/lib/ we had this ommision, and for ~/unrealircd itself. I doubt this means a change for users, as all subdirs were already 0700 so then tightening of ~/unrealircd is not very important. And only upsides... making things safer.. --- Config | 5 ++++- configure | 7 ++++++- configure.ac | 7 ++++++- doc/RELEASE-NOTES.md | 2 ++ 4 files changed, 18 insertions(+), 3 deletions(-) diff --git a/Config b/Config index b0d552926..e1b9a2a4e 100755 --- a/Config +++ b/Config @@ -50,9 +50,12 @@ if [ -z "$BINDIR" -o -z "$DATADIR" -o -z "$CONFDIR" -o -z "$MODULESDIR" -o -z "$ fi +mkdir -p $BASEPATH mkdir -p $TMPDIR -mkdir -p $PRIVATELIBDIR mkdir -p $CONFDIR +chmod 0700 $BASEPATH +chmod 0700 $TMPDIR +chmod 0700 $CONFDIR # Do this even if we're not in advanced mode if [ "$ADVANCED" = "1" ] ; then diff --git a/configure b/configure index 1c413ab9a..91b5c7be2 100755 --- a/configure +++ b/configure @@ -7582,6 +7582,11 @@ else case e in #( e) printf "%s\n" "#define PRIVATELIBDIR \"$PRIVATELIBDIR\"" >>confdefs.h + # Create the private library directory now with restrictive permissions. + # This must happen here rather than in the Makefile because the bundled + # libraries are installed into it during configure. It must also work when + # configure is run directly without ./Config having created it first. + mkdir -p "$PRIVATELIBDIR" && chmod 0700 "$PRIVATELIBDIR" LDFLAGS_PRIVATELIBS="-Wl,-rpath,$PRIVATELIBDIR" LDFLAGS="$LDFLAGS $LDFLAGS_PRIVATELIBS" export LDFLAGS ;; 
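Review bot: The `mkdir -p` and `chmod 0700` lines added to Config expand `$BASEPATH`, `$TMPDIR` and `$CONFDIR` unquoted and ignore failures, so a path containing whitespace is word-split and a failed chmod silently leaves the directory at its previous mode. Quoting and checking them, e.g. `mkdir -p "$BASEPATH" && chmod 0700 "$BASEPATH" || exit 1`, would match the quoted form this commit uses for PRIVATELIBDIR in configure.ac; the `cp -av ... $PRIVATELIBDIR/ || exit 1` line changed in configure.ac has the same unquoted expansions. Between the mkdir and the chmod a newly created directory has umask-derived permissions, which a subshell such as `(umask 077; mkdir -p "$BASEPATH")` would avoid. The chmod also runs when the directory already existed, so a short comment saying that tightening a pre-existing BASEPATH is intended would help the next reader.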
@@ -8893,7 +8898,7 @@ $ac_cv_prog_MAKER install PREFIX=$cur_dir/extras/argon2 || exit 1 # lead to a crash of the currently running IRCd. rm -f "$PRIVATELIBDIR/"libargon2* # Now copy the new library files: -cp -av $cur_dir/extras/argon2/lib/* $PRIVATELIBDIR/ +cp -av $cur_dir/extras/argon2/lib/* $PRIVATELIBDIR/ || exit 1 CFLAGS="$save_cflags" LDFLAGS="$save_ldflags" ARGON2_CFLAGS="-I$cur_dir/extras/argon2/include" diff --git a/configure.ac b/configure.ac index 701539d0a..2236d1552 100644 --- a/configure.ac +++ b/configure.ac @@ -558,6 +558,11 @@ AS_IF([test "x$with_privatelibdir" = "xno"], AS_IF([test "x$PRIVATELIBDIR" = "x"], [LDFLAGS_PRIVATELIBS=""], [AC_DEFINE_UNQUOTED([PRIVATELIBDIR], ["$PRIVATELIBDIR"], [Define the location of private libraries]) + # Create the private library directory now with restrictive permissions. + # This must happen here rather than in the Makefile because the bundled + # libraries are installed into it during configure. It must also work when + # configure is run directly without ./Config having created it first. + mkdir -p "$PRIVATELIBDIR" && chmod 0700 "$PRIVATELIBDIR" LDFLAGS_PRIVATELIBS="-Wl,-rpath,$PRIVATELIBDIR" LDFLAGS="$LDFLAGS $LDFLAGS_PRIVATELIBS" export LDFLAGS]) @@ -728,7 +733,7 @@ $ac_cv_prog_MAKER install PREFIX=$cur_dir/extras/argon2 || exit 1 # lead to a crash of the currently running IRCd. rm -f "$PRIVATELIBDIR/"libargon2* # Now copy the new library files: -cp -av $cur_dir/extras/argon2/lib/* $PRIVATELIBDIR/ +cp -av $cur_dir/extras/argon2/lib/* $PRIVATELIBDIR/ || exit 1 CFLAGS="$save_cflags" LDFLAGS="$save_ldflags" ARGON2_CFLAGS="-I$cur_dir/extras/argon2/include" diff --git a/doc/RELEASE-NOTES.md b/doc/RELEASE-NOTES.md index 3d66a1c20..2c2ac3ff2 100644 --- a/doc/RELEASE-NOTES.md +++ b/doc/RELEASE-NOTES.md 
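Review bot: In the first configure.ac hunk the exit status of `mkdir -p "$PRIVATELIBDIR" && chmod 0700 "$PRIVATELIBDIR"` is discarded, so configure carries on and still adds `-Wl,-rpath,$PRIVATELIBDIR` to LDFLAGS when the directory could not be created or tightened. That directory becomes a library search path for the built binary, so a failure here seems worth stopping on, for example by appending `|| AC_MSG_ERROR([could not create $PRIVATELIBDIR with mode 0700])`. The added comment could also say that the chmod is applied to an already existing directory, not only a freshly created one. The enclosing AS_IF starts before the hunk, so whether other branches need the same step cannot be judged from here.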
@@ -11,6 +11,8 @@ This is work in progress and may not always be a stable version. similar to what PHP has been using for years. This means very slow regexes will now raise a `SPAMFILTER_REGEX_ERROR` warning during execution if this happens (should be extremely rare). +* The UnrealIRCd base directory (eg `~/unrealircd/`) is now created with + 0700 permissions, just like most subdirectories were. ### Fixes: * Hardening of the built-in HTTPS client