Initially (in commit ef422fa4ae626e9638ca70d1c56f27e701dd69c2), pa_make_secure_dir followed a simple principle: "make a directory, or, if it exists, check that it is suitable". Later this evolved into "make a directory, or, if it exists, ensure that it is suitable". But the check remained. The check is now neither sufficient nor necessary. On POSIX-compliant systems, the fstat results being checked are actually post-conditions of fchmod and fchown. And on systems implementing POSIX ACLs, fstat only reflects a part of the information relevant to the security of the directory permissions, so PulseAudio could accept an existing insecure directory anyway. Also, the check still fires on non-POSIX-compliant filesystems like CIFS. As a user cannot do anything to fix it, just accept insecure permissions in this case. --- As this patch removes what used to be a security check, please double-check it. Especially on platforms that provide only a subset of fstat, fchown and fchmod. If you think it is too risky, apply the alternative with the subject "Better error messages for secure directory creation". src/pulsecore/core-util.c | 24 +++++------------------- 1 file changed, 5 insertions(+), 19 deletions(-) diff --git a/src/pulsecore/core-util.c b/src/pulsecore/core-util.c index 0d9e354..f80fdea 100644 --- a/src/pulsecore/core-util.c +++ b/src/pulsecore/core-util.c @@ -343,30 +343,16 @@ again: #endif #ifdef HAVE_FCHMOD - (void) fchmod(fd, m); + if (fchmod(fd, m) < 0) { + pa_assert_se(pa_close(fd) >= 0); + goto fail; + }; #endif pa_assert_se(pa_close(fd) >= 0); } -#endif - -#ifdef HAVE_LSTAT - if (lstat(dir, &st) < 0) -#else - if (stat(dir, &st) < 0) -#endif - goto fail; - -#ifndef OS_IS_WIN32 - if (!S_ISDIR(st.st_mode) || - (st.st_uid != uid) || - (st.st_gid != gid) || - ((st.st_mode & 0777) != m)) { - errno = EACCES; - goto fail; - } #else - pa_log_warn("Secure directory creation not supported on Win32."); + pa_log_warn("Secure directory creation not supported on this platform."); #endif return 0; -- 1.9.2