commit 0843a4ce462d9a691a3b5f38a465b129b69fdd5f
from: Sebastien marie <semarie@openbsd.org>
date: Sat Oct 31 04:54:20 2020 UTC

use fchmod(2) instead of chmod(2). it is less racy, and we just opened the descriptor.

ok naddy@ stsp@

commit - f8c474099e137ca59909ff027a093d754d222f9a
commit + 0843a4ce462d9a691a3b5f38a465b129b69fdd5f
blob - 0e60b2156e5a9ef85594f7ddccaba178ac16f667
blob + 718d9571c10a58194bf79eb95828d68e66053da6
--- lib/fetch.c
+++ lib/fetch.c
@@ -497,7 +497,11 @@ got_fetch_pack(struct got_object_id **pack_hash, struc
 		err = got_opentemp_named_fd(&tmppackpath, &packfd, path);
 		free(path);
 		if (err)
+			goto done;
+		if (fchmod(packfd, GOT_DEFAULT_FILE_MODE) != 0) {
+			err = got_error_from_errno2("fchmod", tmppackpath);
 			goto done;
+		}
 	}
 	if (list_refs_only) {
 		idxfd = got_opentempfd();
@@ -514,7 +518,11 @@ got_fetch_pack(struct got_object_id **pack_hash, struc
 		err = got_opentemp_named_fd(&tmpidxpath, &idxfd, path);
 		free(path);
 		if (err)
+			goto done;
+		if (fchmod(idxfd, GOT_DEFAULT_FILE_MODE) != 0) {
+			err = got_error_from_errno2("fchmod", tmpidxpath);
 			goto done;
+		}
 	}
 	nidxfd = dup(idxfd);
 	if (nidxfd == -1) {
@@ -800,15 +808,6 @@ got_fetch_pack(struct got_object_id **pack_hash, struc
 	free(tmpidxpath);
 	tmpidxpath = NULL;
 
-	if (chmod(packpath, GOT_DEFAULT_FILE_MODE) != 0) {
-		err = got_error_from_errno2("chmod", packpath);
-		goto done;
-	}
-	if (chmod(idxpath, GOT_DEFAULT_FILE_MODE) != 0) {
-		err = got_error_from_errno2("chmod", idxpath);
-		goto done;
-	}
-
 done:
 	if (tmppackpath && unlink(tmppackpath) == -1 && err == NULL)
 		err = got_error_from_errno2("unlink", tmppackpath);