From a1c2f49232e8ba0efc893777c9c69185d4d604ee Mon Sep 17 00:00:00 2001
From: Jeremy Baxter
Date: Sun, 24 Mar 2024 14:06:56 +1300
Subject: [PATCH] fs: fix security issues in mkdir and mkpath

777 is writable to anyone, 755 is only writable to the owner/group
---
 lfs.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lfs.c b/lfs.c
index 24aba79..a242032 100644
--- a/lfs.c
+++ b/lfs.c
@@ -389,7 +389,7 @@ fs_mkpath(lua_State *L)
 int done;
 path = luaL_checkstring(L, 1);
- mode = dir_mode = 0777;
+ mode = dir_mode = 0755;
 slash = (char *)path;
 for (;;) {
@@ -400,7 +400,7 @@ fs_mkpath(lua_State *L)
 *slash = '\0';
 if (mkdir(path, done ? mode : dir_mode) == 0) {
- if (mode > 0777 && chmod(path, mode) == -1)
+ if (mode > 0755 && chmod(path, mode) == -1)
 return lfail(L);
 } else {
 int mkdir_errno = errno;
@@ -447,7 +447,7 @@ fs_mkdir(lua_State *L)
 int ret;
 dir = strdup(luaL_checkstring(L, 1));
- ret = mkdir(dir, 0777);
+ ret = mkdir(dir, 0755);
 free(dir);
 if (ret == 0) {
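Review bot: The mode given to mkdir(2) is already filtered through the process umask, so `mode = dir_mode = 0755` here, and `mkdir(dir, 0755)` in the fs_mkdir hunk, only changes the result for processes whose umask is looser than 022. Under the common 022 the directories were already created 0755, while a deployment that relies on umask 002 for group-writable directories silently loses that. The value also reads as a default rather than a bound, so a comment such as `/* upper bound only: effective mode is 0755 & ~umask */` next to the assignment would make the intent clear. 0755 grants write to the owner alone, not to the group as the description says. If world-writable directories are the concern, 0700 or a caller-supplied mode would be the stricter choice, but that is a design decision the hunk does not show. fs_mkpath's body starts before and continues past this hunk.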
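Review bot: In `if (mode > 0755 && chmod(path, mode) == -1)` the constant that was replaced was not a permission but the mask of the nine permission bits. The original test asks whether mode carries setuid, setgid or sticky bits that mkdir may not apply, and only then calls chmod. With 0755 the comparison is a numeric accident: 0770 or 0777 would now pass it, and because chmod is not subject to the umask, such a mode would be applied unmasked, which is looser than before the patch. In the visible lines mode is always 0755, so the branch looks unreachable either way. The check should stay `if (mode > 0777 && chmod(path, mode) == -1)`, or more explicitly `if ((mode & ~0777) != 0 && chmod(path, mode) == -1)`. The enclosing loop starts and ends outside the hunk.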