From 52aed7f6a58bd8b9e56fe8028f6b9c22c6518c1f Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 2 Feb 2005 17:58:10 +0000 Subject: [PATCH] Merge Simon's umask patch git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1937 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall2/changelog.txt | 4 +++- Shorewall2/firewall | 3 +++ Shorewall2/releasenotes.txt | 6 +++++- Shorewall2/zones | 2 +- 4 files changed, 12 insertions(+), 3 deletions(-) diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt index 287084975..4d57c02ed 100644 --- a/Shorewall2/changelog.txt +++ b/Shorewall2/changelog.txt @@ -1,7 +1,9 @@ -Changes since 2.2.0 +Changes in 2.2.1 1) Add examples to the zones and policy files. +2) Simon Matter's patch for umask. + Changes since 2.0.3 1) Fix security vulnerability involving temporary files/directories. diff --git a/Shorewall2/firewall b/Shorewall2/firewall index 8f7e72314..892a9aa76 100755 --- a/Shorewall2/firewall +++ b/Shorewall2/firewall @@ -7065,6 +7065,9 @@ do_initialize() { export LC_ALL=C + # Make sure umask is sane + umask 177 + PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin # # Establish termination function diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt index 7051ca495..66e942969 100755 --- a/Shorewall2/releasenotes.txt +++ b/Shorewall2/releasenotes.txt @@ -5,6 +5,10 @@ Problems corrected in version 2.2.1 1) The /etc/shorewall/policy file contained a misleading comment and both that file and the /etc/shorewall/zones file lacked examples. + +2) Shorewall previously used root's default umask which could cause + files in /var/lib/shorewall to be world-readable. Shorewall now uses + umask 0177. ----------------------------------------------------------------------- Issues when migrating from Shorewall 2.0 to Shorewall 2.2: 
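Review bot: The added `umask 177` in do_initialize() also masks the owner's execute bit, so any directory the script creates after this point would get mode 0600 rather than 0700; `umask 077` still yields 0600 for files created by redirection while keeping directories searchable by their owner. Whether the script later creates directories or files that must be executable cannot be seen here, because do_initialize() starts and continues outside the hunk, so this needs checking against the rest of the file. The umask also applies only to files created from now on: anything already in /var/lib/shorewall from an earlier version keeps its old, possibly world-readable mode unless an upgrade step runs an explicit `chmod` on the existing state files. The comment could name what is being protected instead of "sane", e.g. `# Keep files we create (state in /var/lib/shorewall) unreadable by group and other`.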
@@ -88,7 +92,7 @@ Issues when migrating from Shorewall 2.0 to Shorewall 2.2: OpenVPN. ----------------------------------------------------------------------- -New Features: +New Features in Shorewall 2.2.0: 1) ICMP packets that are in the INVALID state are now dropped by the Reject and Drop default actions. They do so using the new diff --git a/Shorewall2/zones b/Shorewall2/zones index 334c59193..b0362ce76 100644 --- a/Shorewall2/zones +++ b/Shorewall2/zones @@ -11,7 +11,7 @@ # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts. # # See http://www.shorewall.net/Documentation.htm#Nested -# +#-------------------------------------------------------------------------------- # Example zones: # # You have a three interface firewall with internet, local and DMZ interfaces.