MXS-2119: Fix file permissions

The admin files are now created with 640 permissions and automatically
created directories now properly set the permissions for the group as
well. All files and directories created by avrorouter and binlogrouter
also now correctly limit the read and write permissions only to the owner
and the group.

server/core/adminusers.cc

@@ -15,12 +15,14 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <fcntl.h>
 #include <errno.h>
 #include <unistd.h>
 #include <crypt.h>
 #include <sys/stat.h>
 #include <string>
 
+#include <maxscale/alloc.h>
 #include <maxscale/users.h>
 #include <maxscale/adminusers.h>
 #include <maxscale/log_manager.h>
@@ -60,8 +62,6 @@ void admin_users_init()
 
 static bool admin_dump_users(USERS* users, const char* fname)
 {
-    char path[PATH_MAX];
-
     if (access(get_datadir(), F_OK) != 0)
     {
         if (mkdir(get_datadir(), S_IRWXU) != 0 && errno != EEXIST)
@@ -72,17 +72,40 @@ static bool admin_dump_users(USERS* users, const char* fname)
         }
     }
 
-    snprintf(path, sizeof(path), "%s/%s", get_datadir(), fname);
-    json_t* json = users_to_json(users);
-    bool rval = true;
+    bool rval = false;
+    std::string path = std::string(get_datadir()) + "/" + fname;
+    std::string tmppath = path + ".tmp";
 
-    if (json_dump_file(json, path, 0) == -1)
+    int fd = open(tmppath.c_str(), O_CREAT | O_WRONLY | O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
+
+    if (fd == -1)
     {
-        MXS_ERROR("Failed to dump admin users to file");
-        rval = false;
+        MXS_ERROR("Failed to create '%s': %d, %s", tmppath.c_str(), errno, mxs_strerror(errno));
+    }
+    else
+    {
+        json_t* json = users_to_json(users);
+        char* str = json_dumps(json, 0);
+        json_decref(json);
+
+        if (write(fd, str, strlen(str)) == -1)
+        {
+            MXS_ERROR("Failed to dump admin users to '%s': %d, %s",
+                      tmppath.c_str(), errno, mxs_strerror(errno));
+        }
+        else if (rename(tmppath.c_str(), path.c_str()) == -1)
+        {
+            MXS_ERROR("Failed to rename to '%s': %d, %s",
+                      path.c_str(), errno, mxs_strerror(errno));
+        }
+        else
+        {
+            rval = true;
         }
 
-    json_decref(json);
+        MXS_FREE(str);
+        close(fd);
+    }
 
     return rval;
 }

server/core/config.cc

@@ -3811,21 +3811,22 @@ static bool check_path_parameter(const MXS_MODULE_PARAM *params, const char *val
         }
 
         int mode = F_OK;
-        int mask = X_OK;
+        int mask = 0;
 
         if (params->options & MXS_MODULE_OPT_PATH_W_OK)
         {
-            mask |= S_IWUSR;
+            mask |= S_IWUSR | S_IWGRP;
             mode |= W_OK;
         }
         if (params->options & MXS_MODULE_OPT_PATH_R_OK)
         {
-            mask |= S_IRUSR;
+            mask |= S_IRUSR | S_IRGRP;
             mode |= R_OK;
         }
         if (params->options & MXS_MODULE_OPT_PATH_X_OK)
         {
-            mask |= S_IXUSR;
+            mask |= S_IXUSR | S_IXGRP;
+            mode |= X_OK;
         }
 
         if (access(buf, mode) == 0)

server/modules/routing/avrorouter/avro.c

@@ -1274,7 +1274,7 @@ static bool ensure_dir_ok(const char* path, int mode)
         if (rp)
         {
             /** Make sure the directory exists */
-            if (mkdir(rp, 0774) == 0 || errno == EEXIST)
+            if (mkdir(rp, 0770) == 0 || errno == EEXIST)
             {
                 if (access(rp, mode) == 0)
                 {

server/modules/routing/binlogrouter/blr_file.c

@@ -511,7 +511,7 @@ blr_file_create(ROUTER_INSTANCE *router, char *orig_file)
     // Set final file name full path
     strcat(path, file);
 
-    int fd = open(path, O_RDWR | O_CREAT, 0666);
+    int fd = open(path, O_RDWR | O_CREAT, 0660);
 
     if (fd != -1)
     {
@@ -614,7 +614,7 @@ blr_file_append(ROUTER_INSTANCE *router, char *file)
     //Add filename
     strcat(path, file);
 
-    if ((fd = open(path, flags, 0666)) == -1)
+    if ((fd = open(path, flags, 0660)) == -1)
     {
         MXS_ERROR("Failed to open binlog file %s for append.",
                   path);
@@ -937,7 +937,7 @@ blr_open_binlog(ROUTER_INSTANCE *router,
     /* Add file name */
     strcat(path, binlog);
 
-    if ((file->fd = open(path, O_RDONLY, 0666)) == -1)
+    if ((file->fd = open(path, O_RDONLY, 0660)) == -1)
     {
         MXS_ERROR("Failed to open binlog file %s", path);
         MXS_FREE(file);
@@ -1526,7 +1526,7 @@ blr_cache_response(ROUTER_INSTANCE *router, char *response, GWBUF *buf)
     strcat(path, "/");
     strcat(path, response);
 
-    if ((fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666)) == -1)
+    if ((fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0660)) == -1)
     {
         return;
     }

server/modules/routing/binlogrouter/maxbinlogcheck.c

@@ -174,7 +174,7 @@ int main(int argc, char **argv)
         exit(EXIT_FAILURE);
     }
 
-    int fd = open(path, binlog_file.fix ? O_RDWR : O_RDONLY, 0666);
+    int fd = open(path, binlog_file.fix ? O_RDWR : O_RDONLY, 0660);
     if (fd == -1)
     {
         printf("ERROR: Failed to open binlog file %s: %s.\n",