From 00785873ef364dcbca8765ba22a48a01bdd4fca5 Mon Sep 17 00:00:00 2001
From: Tao Liu <ltao@redhat.com>
Date: Fri, 19 Mar 2021 18:07:51 +0800
Subject: [PATCH] Fix incorrect vmcore permissions when dumped through ssh

Previously when dumping vmcore to a remote machine through ssh,
the files are created remotely and file permissions are taken
from the default umask value, which making the files accessible to
anyone on the remote machine.

This patch fixed the security issue by setting a customized umask value
before the file creation on the remote machine.

Signed-off-by: Tao Liu <ltao@redhat.com>
Acked-by: Kairui Song <kasong@redhat.com>
---
 dracut-kdump.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dracut-kdump.sh b/dracut-kdump.sh
index 3367bc5..3e65c44 100755
--- a/dracut-kdump.sh
+++ b/dracut-kdump.sh
@@ -136,7 +136,7 @@ dump_ssh()
         fi
         _exitcode=$?
     else
-        $CORE_COLLECTOR /proc/vmcore | ssh $_opt $_host "dd bs=512 of=$_dir/vmcore-incomplete"
+        $CORE_COLLECTOR /proc/vmcore | ssh $_opt $_host "umask 0077 && dd bs=512 of=$_dir/vmcore-incomplete"
         _exitcode=$?
         _vmcore="vmcore.flat"
     fi
@@ -218,7 +218,7 @@ save_vmcore_dmesg_ssh() {
     local _location=$4
 
     dinfo "saving vmcore-dmesg.txt to $_location:$_path"
-    $_dmesg_collector /proc/vmcore | ssh $_opts $_location "dd of=$_path/vmcore-dmesg-incomplete.txt"
+    $_dmesg_collector /proc/vmcore | ssh $_opts $_location "umask 0077 && dd of=$_path/vmcore-dmesg-incomplete.txt"
     _exitcode=$?
 
     if [ $_exitcode -eq 0 ]; then