From 734eb7e457da8a9b2c91798d591c03285c6967ce Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Wed, 19 Feb 2020 13:47:57 -0800
Subject: Fix some file-modes races

* lisp/gnus/gnus-start.el (gnus-save-newsrc-file)
(gnus-slave-save-newsrc):
* lisp/gnus/gnus-uu.el (gnus-uu-initialize):
* lisp/gnus/mm-archive.el (mm-dissect-archive):
* lisp/gnus/mm-decode.el (mm-temp-files-delete)
(mm-display-external):
* lisp/image-dired.el (image-dired-create-thumb-1):
Use with-file-modes rather than setting the file modes later.
This fixes some race conditions where the file temporarily
has the wrong permissions.
---
 lisp/gnus/gnus-start.el | 22 ++++++++++------------
 lisp/gnus/gnus-uu.el    |  4 ++--
 lisp/gnus/mm-archive.el |  5 +++--
 lisp/gnus/mm-decode.el  | 18 +++++++++---------
 lisp/image-dired.el     |  4 ++--
 5 files changed, 26 insertions(+), 27 deletions(-)

diff --git a/lisp/gnus/gnus-start.el b/lisp/gnus/gnus-start.el
index 1fd2575ea1f..873923e6c57 100644
--- a/lisp/gnus/gnus-start.el
+++ b/lisp/gnus/gnus-start.el
@@ -2812,7 +2812,7 @@ values from `gnus-newsrc-hashtb', and write a new value of
                               (file-exists-p working-file)))
 
 		(unwind-protect
-                    (progn
+		    (with-file-modes (file-modes startup-file)
                       (gnus-with-output-to-file working-file
 			(gnus-gnus-to-quick-newsrc-format)
 			(gnus-run-hooks 'gnus-save-quick-newsrc-hook))
@@ -2822,14 +2822,12 @@ values from `gnus-newsrc-hashtb', and write a new value of
                       ;; file.
                       (let ((buffer-backed-up nil)
                             (buffer-file-name startup-file)
-                            (file-precious-flag t)
-                            (setmodes (file-modes startup-file)))
+			    (file-precious-flag t))
 			;; Backup the current version of the startup file.
 			(backup-buffer)
 
 			;; Replace the existing startup file with the temp file.
 			(rename-file working-file startup-file t)
-			(gnus-set-file-modes startup-file setmodes)
 			(setq gnus-save-newsrc-file-last-timestamp
 			      (file-attribute-modification-time
 			       (file-attributes startup-file)))))
@@ -3004,14 +3002,14 @@ SPECIFIC-VARIABLES, or those in `gnus-variable-list'."
 
 (defun gnus-slave-save-newsrc ()
   (with-current-buffer gnus-dribble-buffer
-    (let ((slave-name
-	   (make-temp-file (concat gnus-current-startup-file "-slave-")))
-	  (modes (ignore-errors
-		   (file-modes (concat gnus-current-startup-file ".eld")))))
-      (let ((coding-system-for-write gnus-ding-file-coding-system))
-	(gnus-write-buffer slave-name))
-      (when modes
-	(gnus-set-file-modes slave-name modes)))))
+    (with-file-modes (or (ignore-errors
+			   (file-modes
+			    (concat gnus-current-startup-file ".eld")))
+			 (default-file-modes))
+      (let ((slave-name
+	     (make-temp-file (concat gnus-current-startup-file "-slave-"))))
+	(let ((coding-system-for-write gnus-ding-file-coding-system))
+	  (gnus-write-buffer slave-name))))))
 
 (defun gnus-master-read-slave-newsrc ()
   (let ((slave-files
diff --git a/lisp/gnus/gnus-uu.el b/lisp/gnus/gnus-uu.el
index d40ba9cef42..4037221f496 100644
--- a/lisp/gnus/gnus-uu.el
+++ b/lisp/gnus/gnus-uu.el
@@ -1781,8 +1781,8 @@ Gnus might fail to display all of it.")
 		 gnus-uu-tmp-dir)))
 
       (setq gnus-uu-work-dir
-	    (make-temp-file (concat gnus-uu-tmp-dir "gnus") 'dir))
-      (gnus-set-file-modes gnus-uu-work-dir 448)
+	    (with-file-modes #o700
+	      (make-temp-file (concat gnus-uu-tmp-dir "gnus") 'dir)))
       (setq gnus-uu-work-dir (file-name-as-directory gnus-uu-work-dir))
       (push (cons gnus-newsgroup-name gnus-uu-work-dir)
 	    gnus-uu-tmp-alist))))
diff --git a/lisp/gnus/mm-archive.el b/lisp/gnus/mm-archive.el
index 71676c12a46..56253afa193 100644
--- a/lisp/gnus/mm-archive.el
+++ b/lisp/gnus/mm-archive.el
@@ -42,8 +42,9 @@
 	 dir)
     (unless decoder
       (error "No decoder found for %s" type))
-    (setq dir (make-temp-file (expand-file-name "emm." mm-tmp-directory) 'dir))
-    (set-file-modes dir #o700)
+    (with-file-modes #o700
+      (setq dir (make-temp-file (expand-file-name "emm." mm-tmp-directory)
+				'dir)))
     (unwind-protect
 	(progn
 	  (mm-with-unibyte-buffer
diff --git a/lisp/gnus/mm-decode.el b/lisp/gnus/mm-decode.el
index d33bb56dc9e..2dab278b373 100644
--- a/lisp/gnus/mm-decode.el
+++ b/lisp/gnus/mm-decode.el
@@ -602,11 +602,10 @@ files left at the next time."
 	(push temp fails)))
     (if fails
 	;; Schedule the deletion of the files left at the next time.
-	(progn
+	(with-file-modes #o600
 	  (write-region (concat (mapconcat 'identity (nreverse fails) "\n")
 				"\n")
-			nil cache-file nil 'silent)
-	  (set-file-modes cache-file #o600))
+			nil cache-file nil 'silent))
       (when (file-exists-p cache-file)
 	(ignore-errors (delete-file cache-file))))
     (setq mm-temp-files-to-be-deleted nil)))
@@ -911,8 +910,10 @@ external if displayed external."
 	;; The function is a string to be executed.
 	(mm-insert-part handle)
 	(mm-add-meta-html-tag handle)
-	(let* ((dir (make-temp-file
-		     (expand-file-name "emm." mm-tmp-directory) 'dir))
+	;; We create a private sub-directory where we store our files.
+	(let* ((dir (with-file-modes #o700
+		      (make-temp-file
+		       (expand-file-name "emm." mm-tmp-directory) 'dir)))
 	       (filename (or
 			  (mail-content-type-get
 			   (mm-handle-disposition handle) 'filename)
@@ -924,8 +925,6 @@ external if displayed external."
 			      (assoc "needsterminal" mime-info)))
 	       (copiousoutput (assoc "copiousoutput" mime-info))
 	       file buffer)
-	  ;; We create a private sub-directory where we store our files.
-	  (set-file-modes dir #o700)
 	  (if filename
 	      (setq file (expand-file-name
 			  (gnus-map-function mm-file-name-rewrite-functions
@@ -941,8 +940,9 @@ external if displayed external."
 		;; `mailcap-mime-extensions'.
 		(setq suffix (car (rassoc (mm-handle-media-type handle)
 					  mailcap-mime-extensions))))
-	      (setq file (make-temp-file (expand-file-name "mm." dir)
-					 nil suffix))))
+	      (setq file (with-file-modes #o600
+			   (make-temp-file (expand-file-name "mm." dir)
+					   nil suffix)))))
 	  (let ((coding-system-for-write mm-binary-coding-system))
 	    (write-region (point-min) (point-max) file nil 'nomesg))
 	  ;; The file is deleted after the viewer exists.  If the users edits
diff --git a/lisp/image-dired.el b/lisp/image-dired.el
index 768e941490d..1cc38ba714b 100644
--- a/lisp/image-dired.el
+++ b/lisp/image-dired.el
@@ -771,8 +771,8 @@ Increase at own risk.")
          process)
     (when (not (file-exists-p thumbnail-dir))
       (message "Creating thumbnail directory")
-      (make-directory thumbnail-dir t)
-      (set-file-modes thumbnail-dir #o700))
+      (with-file-modes #o700
+	(make-directory thumbnail-dir t)))
 
     ;; Thumbnail file creation processes begin here and are marshaled
     ;; in a queue by `image-dired-create-thumb'.
-- 
cgit v1.2.1