From bc2cdd7c1830ca2d5da3438556f01ab6740ddda4 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Wed, 28 Jun 2023 17:41:03 +0200 Subject: [PATCH] src: fix permission-after-write --- src/etc/inc/interfaces.inc | 3 ++- src/etc/inc/plugins.inc.d/ipsec.inc | 20 ++++++++++++------- src/etc/inc/plugins.inc.d/openvpn.inc | 10 ++++------ .../app/models/OPNsense/OpenVPN/OpenVPN.php | 6 ++++-- .../OPNsense/CaptivePortal/generate_certs.php | 6 ++++-- 5 files changed, 27 insertions(+), 18 deletions(-)
diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc
index ba62e0f0c..ac2764bbb 100644
--- a/src/etc/inc/interfaces.inc
+++ b/src/etc/inc/interfaces.inc
@@ -1832,8 +1832,9 @@ function interface_wireless_configure($if, &$wancfg)
 }
 }
 foreach ($all_certs as $filename => $content) {
+ @touch($filename);
+ @chmod($filename, 0600);
 @file_put_contents($filename, $content);
- @chmod($filename, "0600");
 }
 break;
 }
diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index 76013773b..6d41484f9 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
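Review bot: The three calls in the new sequence are all `@`-suppressed and none of their results is checked, so when `touch()` or `chmod()` fails (directory missing, file owned by another account, an existing symlink at `$filename`) the certificate content is still written on the next line with whatever mode the file ended up with; a guard such as `if (!@touch($filename) || !@chmod($filename, 0600)) { log_msg(sprintf('Unable to secure %s', $filename), LOG_ERR); continue; }` (`log_msg` as used in ipsec.inc in this same patch) keeps the material out of an unprotected file. The touch-then-chmod order itself does close the old window correctly: a freshly created file is empty while it briefly carries the umask mode, and a pre-existing file is restricted before its content is replaced. A comment above the triplet, `// create and restrict the file before any secret is written into it`, would stop a later edit from reordering these lines. interface_wireless_configure starts and ends outside the hunk, and what `$all_certs` holds is not visible here.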
@@ -1130,18 +1130,22 @@ function ipsec_write_certs()
 global $config;
 $a_phase1 = isset($config['ipsec']['phase1']) ? $config['ipsec']['phase1'] : [];
- $filenames = [];
 foreach ((new \OPNsense\IPsec\Swanctl())->getUsedCertrefs() as $certref) {
 $cert = lookup_cert($certref);
 if (empty($cert)) {
 log_msg(sprintf('Error: Invalid certificate reference for %s', $ph1ent['name']), LOG_ERR);
 continue;
 }
+ $ph1keyfile = "/usr/local/etc/swanctl/private/{$certref}.key";
+ @touch($ph1keyfile);
+ @chmod($ph1keyfile, 0600);
 file_put_contents($ph1keyfile, base64_decode($cert['prv']));
+ $ph1certfile = "/usr/local/etc/swanctl/x509/{$certref}.crt";
+ @touch($ph1certfile);
+ @chmod($ph1certfile, 0600);
 file_put_contents($ph1certfile, base64_decode($cert['crt']));
- $filenames = array_merge($filenames, [$ph1keyfile, $ph1certfile]);
 }
 foreach ($a_phase1 as $ph1ent) {
 if (isset($ph1ent['disabled'])) {
@@ -1156,15 +1160,16 @@ function ipsec_write_certs()
 }
 $ph1keyfile = "/usr/local/etc/swanctl/private/cert-{$ph1ent['ikeid']}.key";
+ @touch($ph1keyfile);
+ @chmod($ph1keyfile, 0600);
 file_put_contents($ph1keyfile, base64_decode($cert['prv']));
+ $ph1certfile = "/usr/local/etc/swanctl/x509/cert-{$ph1ent['ikeid']}.crt";
+ @touch($ph1certfile);
+ @chmod($ph1certfile, 0600);
 file_put_contents($ph1certfile, base64_decode($cert['crt']));
- $filenames = array_merge($filenames, [$ph1keyfile, $ph1certfile]);
 }
 }
- foreach ($filenames as $filename) {
- @chmod($filename, 0600);
- }
 }
 /**
@@ -1181,8 +1186,9 @@ function ipsec_write_keypairs()
 foreach ($paths as $key => $path) {
 if (!empty((string)$keyPair->$key)) {
 $filename = "${path}/{$uuid}.pem";
- file_put_contents($filename, (string)$keyPair->$key);
+ @touch($filename);
 @chmod($filename, 0600);
+ file_put_contents($filename, (string)$keyPair->$key);
 $filenames[] = $filename;
 }
 }
diff --git a/src/etc/inc/plugins.inc.d/openvpn.inc b/src/etc/inc/plugins.inc.d/openvpn.inc
index ef731ddaf..88d64987e 100644
--- a/src/etc/inc/plugins.inc.d/openvpn.inc
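Review bot: The error path in the first loop, `log_msg(sprintf('Error: Invalid certificate reference for %s', $ph1ent['name']), LOG_ERR);`, reads `$ph1ent`, which is only assigned by the second `foreach` further down, so at that point it is undefined and the message logs an empty name; it should report what the loop actually has, `log_msg(sprintf('Error: Invalid certificate reference %s', $certref), LOG_ERR);`. The new `@touch`/`@chmod` pairs discard their results while the `file_put_contents` that follows is not suppressed, so a failed chmod is silently followed by writing the private key; `if (!@touch($ph1keyfile) || !@chmod($ph1keyfile, 0600)) { log_msg(sprintf('Unable to secure %s', $ph1keyfile), LOG_ERR); continue; }` before the write would avoid that. The `$ph1keyfile =` and `$ph1certfile =` assignments show as additions in this rendering, but the hunk's line counts suggest they are unchanged lines preceded by an added blank line. ipsec_write_certs continues past this hunk.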
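Review bot: The touch/chmod/write triplet is now repeated four times in ipsec_write_certs (twice in this hunk, twice in the first loop), each copy discarding the `@touch`/`@chmod` results, so nothing stops a private key from being written after a failed chmod and the copies are free to drift apart; a small helper that secures the path, reports failure, and only then writes keeps every caller on the same path. With it the four lines per file in this hunk collapse to one call each, shown below, and a failed write is logged rather than passing as a bare PHP warning. `$ph1certfile` holds the public certificate, so 0600 there is stricter than needed but harmless as long as the consumer runs as the file's owner; if that assumption does not hold, the helper is the single place to adjust. ipsec_write_certs begins before this hunk.
```php
// new helper next to ipsec_write_certs(): restrict the file before any content is written
function ipsec_write_secure_file($filename, $content)
{
    if (!@touch($filename) || !@chmod($filename, 0600)) {
        log_msg(sprintf('Unable to secure %s', $filename), LOG_ERR);
        return false;
    }
    if (file_put_contents($filename, $content) === false) {
        log_msg(sprintf('Unable to write %s', $filename), LOG_ERR);
        return false;
    }
    return true;
}
// … unchanged: loop over $a_phase1, disabled check, certificate lookup …
$ph1keyfile = "/usr/local/etc/swanctl/private/cert-{$ph1ent['ikeid']}.key";
ipsec_write_secure_file($ph1keyfile, base64_decode($cert['prv']));
$ph1certfile = "/usr/local/etc/swanctl/x509/cert-{$ph1ent['ikeid']}.crt";
ipsec_write_secure_file($ph1certfile, base64_decode($cert['crt']));
```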
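Review bot: The context line `$filename = "${path}/{$uuid}.pem";` directly above the new `@touch` uses the `${var}` interpolation form, which PHP 8.2 deprecates in favour of `{$var}`; `$filename = "{$path}/{$uuid}.pem";` is the drop-in replacement. `$filenames[] = $filename;` runs even when `@touch`, `@chmod` or `file_put_contents` failed, so whatever consumes `$filenames` later (outside this hunk) may register a path that was never written or never restricted; guarding the append with `if (file_put_contents($filename, (string)$keyPair->$key) !== false) { $filenames[] = $filename; }` after a checked chmod keeps the list honest. ipsec_write_keypairs starts before and continues past this hunk, so `$paths`, `$keyPair` and `$uuid` are assumed to be set above.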
+++ b/src/etc/inc/plugins.inc.d/openvpn.inc
@@ -441,8 +441,9 @@ function openvpn_add_keyfile($data, &$conf, $mode_id, $directive, $opt = '')
 $fpath = "/var/etc/openvpn/{$mode_id}.{$directive}";
 openvpn_create_dirs();
 $data = !empty($data) ? str_replace("\r", "", base64_decode($data)) : '';
- file_put_contents($fpath, str_replace("\n\n", "\n", $data));
+ @touch($fpath);
 @chmod($fpath, 0600);
+ file_put_contents($fpath, str_replace("\n\n", "\n", $data));
 $conf .= "{$directive} {$fpath} {$opt}\n";
 }
@@ -884,12 +885,9 @@ function openvpn_reconfigure($mode, $settings, $device_only = false)
 openvpn_add_custom($settings, $conf);
+ @touch("/var/etc/openvpn/{$mode_id}.conf");
+ @chmod("/var/etc/openvpn/{$mode_id}.conf", 0600);
 file_put_contents("/var/etc/openvpn/{$mode_id}.conf", $conf);
-
- @chmod("/var/etc/openvpn/{$mode_id}.conf", 0600);
- @chmod("/var/etc/openvpn/{$mode_id}.key", 0600);
- @chmod("/var/etc/openvpn/{$mode_id}.tls-auth", 0600);
- @chmod("/var/etc/openvpn/{$mode_id}.conf", 0600);
 }
 function openvpn_restart($mode, $settings, $carp_event = false)
diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
index 4c952dd0b..b67975b02 100644
--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
@@ -345,8 +345,9 @@ class OpenVPN extends BaseModel
 if ($key == 'auth-user-pass') {
 // user/passwords need to be feed using a file
 $output .= $key . " " . $value['filename'] . "\n";
- file_put_contents($value['filename'], $value['content']);
+ @touch($value['filename']);
 @chmod($value['filename'], 0600);
+ file_put_contents($value['filename'], $value['content']);
 } else {
 foreach ($value as $item) {
 $output .= $key . " " . $item . "\n";
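Review bot: `$conf .= "{$directive} {$fpath} {$opt}\n";` is appended regardless of whether the `file_put_contents` before it (or the new `@touch`/`@chmod`) succeeded, so a failed write leaves the OpenVPN config pointing at an empty or stale key file; `if (file_put_contents($fpath, str_replace("\n\n", "\n", $data)) === false) { return; }` in front of the append (with a `log_msg` as ipsec.inc does, if that helper is in scope here) makes the failure visible instead. An empty `$data` still produces an empty 0600 file that the directive references, which may be deliberate for optional material but deserves a comment such as `// empty $data still yields an (empty) file so the directive stays resolvable` if it is. What is visible of openvpn_add_keyfile ends with the closing brace in this hunk; anything between the signature and `$fpath` is not shown.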
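Review bot: Dropping the blanket `@chmod` of `{$mode_id}.key` and `{$mode_id}.tls-auth` is only safe if every such file is produced through openvpn_add_keyfile, which the hunk above now restricts before writing; any other writer of `/var/etc/openvpn/{$mode_id}.*` secrets loses its safety net, so a grep for those names is worth doing before merge. The literal `/var/etc/openvpn/{$mode_id}.conf` is also spelled out three times in a row; `$conffile = "/var/etc/openvpn/{$mode_id}.conf";` followed by `@touch($conffile); @chmod($conffile, 0600);` and `file_put_contents($conffile, $conf);` reads better and cannot drift. Only the tail of openvpn_reconfigure is visible; the function starts well before this hunk.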
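Review bot: The `auth-user-pass` branch writes credentials to `$value['filename']` while discarding the results of `@touch`, `@chmod` and `file_put_contents`, yet `$output` has already referenced that path, so a failed chmod or write leaves the generated config pointing at a credentials file that is missing, stale, or not owner-only; checking before the write, `if (!@touch($value['filename']) || !@chmod($value['filename'], 0600)) { throw new \RuntimeException("unable to secure {$value['filename']}"); }`, surfaces it, assuming the caller (outside this hunk) can handle the exception. `if ($key == 'auth-user-pass')` should use `===`; `$key` is a string array key here and loose comparison buys nothing. The enclosing method starts before this hunk and continues into the next one, and where `$value['filename']` is built is not visible.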
@@ -356,8 +357,9 @@ class OpenVPN extends BaseModel
 $output .= $key . " " . $value . "\n";
 }
 }
- file_put_contents($filename, $output);
+ @touch($filename);
 @chmod($filename, 0600);
+ file_put_contents($filename, $output);
 }
 /**
diff --git a/src/opnsense/scripts/OPNsense/CaptivePortal/generate_certs.php b/src/opnsense/scripts/OPNsense/CaptivePortal/generate_certs.php
index 99e0338bb..442a3e2a0 100755
--- a/src/opnsense/scripts/OPNsense/CaptivePortal/generate_certs.php
+++ b/src/opnsense/scripts/OPNsense/CaptivePortal/generate_certs.php
@@ -44,13 +44,15 @@ if (isset($configObj->OPNsense->captiveportal->zones)) {
 // if the zone has a certificate attached, search for its contents
 if ($cert && !empty($cert['prv'])) {
 $output_pem_filename = "/var/etc/cert-cp-zone{$zone->zoneid}.pem";
- file_put_contents($output_pem_filename, $cert['crt'] . $cert['prv']);
 touch($output_pem_filename);
 chmod($output_pem_filename, 0600);
+ file_put_contents($output_pem_filename, $cert['crt'] . $cert['prv']);
 echo "certificate generated " . $output_pem_filename . "\n";
 if (!empty($cert['ca'])) {
 $output_pem_filename = "/var/etc/ca-cp-zone{$zone->zoneid}.pem";
- file_put_contents($output_pem_filename, $cert['ca']['crt']);
 touch($output_pem_filename);
 chmod($output_pem_filename, 0600);
+ file_put_contents($output_pem_filename, $cert['ca']['crt']);
 echo "certificate generated " . $output_pem_filename . "\n";
 }
 }
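Review bot: The same `@touch` / `@chmod` / `file_put_contents` triplet now appears twice in this method (here for `$filename` and in the previous hunk for the `auth-user-pass` file), both times with every result discarded, so nothing tells the caller that a config or credentials file ended up unwritten or not owner-only; a small private helper that secures the path first and returns whether the content actually landed removes the duplication and gives the caller something to act on. This hunk's write then becomes `self::writeProtectedFile($filename, $output);` (static so it works whether or not the enclosing method is static, which is not visible here). The enclosing method starts before this hunk; what `$filename` is and who consumes the file are not visible.
```php
    /**
     * Create $filename, restrict it to its owner, then write $content, so the
     * file is never readable by other users while it holds data.
     *
     * @return bool true when the file is owner-only and fully written
     */
    private static function writeProtectedFile(string $filename, string $content): bool
    {
        if (!@touch($filename) || !@chmod($filename, 0600)) {
            return false;
        }
        return file_put_contents($filename, $content) !== false;
    }
    // … unchanged: method that assembles $output …
        self::writeProtectedFile($filename, $output);
```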
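Review bot: `touch()` and `chmod()` here are not `@`-suppressed, so a failure only emits a PHP warning and execution continues to write the private key into `$output_pem_filename` regardless; guarding the write with `if (!touch($output_pem_filename) || !chmod($output_pem_filename, 0600)) { echo "unable to secure " . $output_pem_filename . "\n"; continue; }` (assuming the loop over zones that supplies `$zone` encloses this block — it starts above the hunk) keeps the key out of a file whose mode is unknown. The second file holds only `$cert['ca']['crt']`, public data, so 0600 is not required there but harmless; reusing `$output_pem_filename` for two different files is the more confusing part, and `$cert_pem` / `$ca_pem` would read better. Whether the consumer of these PEMs runs as the same user that executes this script (a root-owned 0600 file would otherwise be unreadable to a less privileged captive-portal process) is not visible here.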