From a8cbac240aa8050863b0a2ddfd36acd0fdec23e6 Mon Sep 17 00:00:00 2001 From: Heiko Reese Date: Wed, 13 Oct 2021 15:35:10 +0200 Subject: [PATCH] Change umask to besser protect generated key files. --- src/libexim-encrypt-dlfunc-genkeys.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/libexim-encrypt-dlfunc-genkeys.c b/src/libexim-encrypt-dlfunc-genkeys.c index 735b385..5d8a3e6 100644 --- a/src/libexim-encrypt-dlfunc-genkeys.c +++ b/src/libexim-encrypt-dlfunc-genkeys.c @@ -2,6 +2,8 @@ #include #include #include +#include +#include #include //void @@ -77,6 +79,9 @@ write_key_files(const char *filebase, const char *varname, sprintf(exim_filename, "%s_exim.conf", filebase); sprintf(raw_filename, "%s.raw", filebase); + // set restrictive umask (access to user only) + mode_t original_umask = umask(S_IXUSR | S_IRWXG | S_IRWXO); + // open exim config snippet file f = fopen(exim_filename, "w+"); if (f == NULL) { @@ -103,6 +108,8 @@ write_key_files(const char *filebase, const char *varname, // close raw file fclose(f); + // restore original umask + umask(original_umask); } void create_cryptobox_keys(const char *filebase, const char *varname)
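Review bot: The restrictive umask set before `fopen(exim_filename, "w+")` only applies to files that the call actually creates. If the `_exim.conf` or `.raw` file already exists with wider permissions, `"w+"` truncates it and keeps the old mode, so freshly generated key material can still end up group- or world-readable. Setting the mode on the open stream closes that gap, for example `if (fchmod(fileno(f), S_IRUSR | S_IWUSR) != 0) { /* report the error and stop */ }` directly after each successful `fopen`. The body of write_key_files starts and ends outside this hunk, so the open of the raw file is not visible here and is presumably affected the same way.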
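Review bot: `umask(original_umask);` is reached only on the normal path at the very end of write_key_files. The body of the `if (f == NULL) {` branch after the first `fopen` lies outside the visible hunks; if it, or a later failure branch, returns rather than exits, the process keeps the 0177 mask for every file it creates afterwards. Since the mask matters only at the moment a file is created, it would be simpler to restore it right after the last `fopen` in the function, or else to add `umask(original_umask);` before each early return. A short comment such as `// umask is process-wide; restore on every exit path` would make that requirement visible to the next editor.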