X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=blobdiff_plain;f=src%2Ftincctl.c;h=f6e60fe6f263870935657c096279010ced04bc1b;hp=4c5102b2a5cb751e3329c918281ef74a7a47422d;hb=5fca595b80f5d2a6629d74e89ca2ef46ba9ae292;hpb=ae85a020303d523f24ddf45a816e6a2ceb4fc935
diff --git a/src/tincctl.c b/src/tincctl.c
index 4c5102b2..f6e60fe6 100644
--- a/src/tincctl.c
+++ b/src/tincctl.c
@@ -227,6 +227,16 @@ static void disable_old_keys(const char *filename, const char *what) {
 w = fopen(tmpfile, "w");
+#ifdef HAVE_FCHMOD
+ /* Let the temporary file have the same permissions as the original. */
+
+ if(w) {
+ struct stat st = {.st_mode = 0600};
+ fstat(fileno(r), &st);
+ fchmod(fileno(w), st.st_mode);
+ }
+#endif
+
+ while(fgets(buf, sizeof buf, r)) {
 if(!block && !strncmp(buf, "-----BEGIN ", 11)) {
 if((strstr(buf, " EC ") && strstr(what, "ECDSA")) || (strstr(buf, " RSA ") && strstr(what, "RSA"))) {
@@ -324,8 +334,6 @@ static FILE *ask_and_open(const char *filename, const char *what, const char *mo
 filename = buf2;
 }
- umask(0077); /* Disallow everything for group and other */
- disable_old_keys(filename, what);
 /* Open it first to keep the inode busy */
@@ -1702,7 +1710,9 @@ static int cmd_init(int argc, char *argv[]) {
 fprintf(stderr, "Could not create file %s: %s\n", filename, strerror(errno));
 return 1;
 }
- fchmod(fileno(f), 0755);
+ mode_t mask = umask(0);
+ umask(mask);
+ fchmod(fileno(f), 0755 & ~mask);
 fprintf(f, "#!/bin/sh\n\necho 'Unconfigured tinc-up script, please edit!'\n\n#ifconfig $INTERFACE netmask \n");
 fclose(f);
 }
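Review bot: In the disable_old_keys hunk the temporary file is still created by `fopen(tmpfile, "w")` with the umask-derived mode and only narrowed afterwards by `fchmod()`, so the file that receives the copied key material exists for a moment with wider permissions than the original. The ask_and_open hunk drops the `umask(0077)` call, and nothing else visible in this diff narrows that window. The `fstat()` and `fchmod()` results are ignored and the whole block compiles away without HAVE_FCHMOD, so in those cases the copy silently keeps the default mode. Creating the file with the wanted mode from the start through `open()` and `fdopen()` avoids the window and gives a failure path to report. The function body starts and ends outside the hunk, so its existing handling of a NULL `w` and whether `<fcntl.h>` is already included should be confirmed.

```c
	/* Create the temporary file with the original's permission bits from the
	 * start, so it never exists with a wider mode. A stale tmpfile keeps its
	 * old mode; O_TRUNC only empties it. */
	struct stat st = {.st_mode = 0600};
	int fd;

	if(fstat(fileno(r), &st))
		st.st_mode = 0600;

	fd = open(tmpfile, O_WRONLY | O_CREAT | O_TRUNC, st.st_mode & 0777);
	w = fd < 0 ? NULL : fdopen(fd, "w");

	if(!w && fd >= 0)
		close(fd);

	/* … unchanged: while(fgets(buf, sizeof buf, r)) copy loop … */
```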
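Review bot: In the cmd_init hunk the `umask(0)` / `umask(mask)` pair reads like a mistake without a comment and leaves the process mask at 0 between the two calls; I would add `/* umask() can only be read by setting it, so restore the old value at once */` above it. The result of `fchmod(fileno(f), 0755 & ~mask)` is still ignored, so a failure leaves tinc-up non-executable with no message; a check such as `if(fchmod(fileno(f), 0755 & ~mask)) fprintf(stderr, "Could not set permissions on %s: %s\n", filename, strerror(errno));` would match the error style of the lines above. Unlike the disable_old_keys hunk, this `fchmod()` call is not wrapped in `#ifdef HAVE_FCHMOD` within the hunk; the guard may sit outside it, since cmd_init starts and ends beyond the visible lines.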