From 91727389c4c7c2bf4227d7a6aafbf5997751aab4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Wed, 2 Nov 2016 06:12:02 +0100
Subject: [PATCH] qubes/log: ensure logs are group writable

/var/log/qubes directory have setgid set, so all the files will be owned by qubes group (that's ok), but there is no enforcement of creating it group writable, which undermine group ownership (logs created by root would not be writable by normal user)

QubesOS/qubes-issues#2412
---
 qubes/log.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/qubes/log.py b/qubes/log.py
index 3b82a69f..858086db 100644
--- a/qubes/log.py
+++ b/qubes/log.py
@@ -127,8 +127,12 @@ def get_vm_logger(vmname):
 logger = logging.getLogger('vm.' + vmname)
 if logger.handlers:
 return logger
- handler = logging.FileHandler(
- os.path.join(LOGPATH, 'vm-{}.log'.format(vmname)))
+ old_umask = os.umask(0o007)
+ try:
+ handler = logging.FileHandler(
+ os.path.join(LOGPATH, 'vm-{}.log'.format(vmname)))
+ finally:
+ os.umask(old_umask)
 handler.setFormatter(formatter_log)
 logger.addHandler(handler)
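Review bot: `os.umask()` in the added `try`/`finally` changes the mask for the whole process, so any other thread that creates a file while `FileHandler` is opening the log also gets 0o007 applied. The mask also only takes effect when the file is created here, so a `vm-*.log` that root already wrote with the old mode stays non-group-writable after this change. If this code can run in a multi-threaded process, setting the mode on the opened descriptor avoids the global side effect, e.g. `os.fchmod(handler.stream.fileno(), 0o660)` after construction, with the permission error handled for callers that do not own the file. Either way a comment such as `# umask is process-wide; 0o007 gives 0660 so the setgid qubes group can write and others cannot read` would record the intent. get_vm_logger starts and ends outside the hunk.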