Narrow file permissions used when creating text files (#877) (#1020)

Use 0644 as log file permission instead of 06774
06774 adds some permissions which are unnecessary for log files. x77x makes the
log files owner/group executable - the log files are text and shouldn't be
executed. 6xxx means set user id + set group id, these bits are involved in
permission elevation and are not relevant here.
Switch to a permission 0644, which lets the owner write and others read.


(cherry picked from commit a3e392e)

Signed-off-by: Jeremi Piotrowski <[email protected]>

Author: jepio

src/adapters/mc/OsConfigResource.c

@@ -80,8 +80,8 @@ void __attribute__((destructor)) Destroy()
     CloseLog(&g_log);
 
     // When the NRP is done, allow others read-only (no write, search or execute) access to the NRP logs
-    SetFileAccess(LOG_FILE, 0, 0, 6774, NULL);
-    SetFileAccess(ROLLED_LOG_FILE, 0, 0, 6774, NULL);
+    SetFileAccess(LOG_FILE, 0, 0, 644, NULL);
+    SetFileAccess(ROLLED_LOG_FILE, 0, 0, 644, NULL);
 }
 
 static void LogOsConfigVersion(MI_Context* context)

src/common/commonutils/FileUtils.c

@@ -382,7 +382,7 @@ int RestrictFileAccessToCurrentAccountOnly(const char* fileName)
     // S_IXUSR (0100): Execute/search permission, owner
     // S_IXGRP (0010): Execute/search permission, group
 
-    return chmod(fileName, S_ISUID | S_ISGID | S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IXUSR | S_IXGRP);
+    return chmod(fileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
 }
 
 static bool IsATrueFileOrDirectory(bool directory, const char* name, void* log)

src/common/logging/Logging.c

@@ -48,7 +48,7 @@ bool IsFullLoggingEnabled()
 
 static int RestrictAccessToRootOnly(const char* fileName)
 {
-    return chmod(fileName, S_ISUID | S_ISGID | S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IXUSR | S_IXGRP);
+    return chmod(fileName, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
 }
 
 OSCONFIG_LOG_HANDLE OpenLog(const char* logFileName, const char* bakLogFileName)