Refactor file creation and opening functions with privilege handling

LeChatP · May 5, 2024 · 477a270 · 477a270
1 parent e8c6437
commit 477a270
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 8 deletions.
diff --git a/src/mod.rs b/src/mod.rs
@@ -117,8 +117,11 @@ pub fn create_with_privileges<P: AsRef<Path>>(p: P) -> Result<File, std::io::Err
             e
         );
         dac_override_effective(true)?;
-        std::fs::File::create(p)
+        let res = std::fs::File::create(p);
+        dac_override_effective(false)?;
+        res
     })
+
 }
 
 pub fn open_with_privileges<P: AsRef<Path>>(p: P) -> Result<File, std::io::Error> {
@@ -127,7 +130,10 @@ pub fn open_with_privileges<P: AsRef<Path>>(p: P) -> Result<File, std::io::Error
             "Error creating file without privilege, trying with privileges: {}",
             e
         );
-        dac_override_effective(true)?;
-        std::fs::File::open(p)
+        read_effective(true).or(dac_override_effective(true))?;
+        let res = std::fs::File::open(p);
+        read_effective(false)?;
+        dac_override_effective(false)?;
+        res
     })
 }
diff --git a/src/sr/timeout.rs b/src/sr/timeout.rs
@@ -17,11 +17,10 @@ use serde::{Deserialize, Serialize};
 use tracing::debug;
 
 use crate::common::{
-    database::{
+    create_with_privileges, database::{
         finder::Cred,
         options::{STimeout, TimestampType},
-    },
-    open_with_privileges,
+    }, open_with_privileges
 };
 
 /// This module checks the validity of a user's credentials
@@ -149,7 +148,7 @@ fn wait_for_lockfile(lockfile_path: &Path) -> Result<(), Box<dyn Error>> {
 }
 
 fn write_lockfile(lockfile_path: &Path) {
-    let mut lockfile = File::create(lockfile_path).expect("Failed to create lockfile");
+    let mut lockfile = create_with_privileges(lockfile_path).expect("Failed to create lockfile");
     let pid_contents = nix::unistd::getpid().as_raw();
     lockfile
         .write_all(&pid_contents.to_be_bytes())
@@ -180,7 +179,7 @@ fn save_cookies(user: &Cred, cookies: &[CookieVersion]) -> Result<(), Box<dyn Er
     let lockpath = Path::new(TS_LOCATION)
         .join(&user.user.name)
         .with_extension("lock");
-    let mut file = File::create(&path)?;
+    let mut file = create_with_privileges(&path)?;
     ciborium::ser::into_writer(cookies, &mut file)?;
     if let Err(err) = fs::remove_file(lockpath) {
         debug!("Failed to remove lockfile: {}", err);