Set umask before mkstemp() for some versions of glibc

src/child.c

@@ -73,6 +73,11 @@ _child_lock_init(void)
 {
 	char lock_file[] = "/tmp/tinyproxy.servers.lock.XXXXXX";
 
+        /* Only allow u+rw bits. This may be required for some versions
+         * of glibc so that mkstemp() doesn't make us vulnerable.
+         */
+        umask(0177);
+
 	lock_fd = mkstemp(lock_file);
 	unlink(lock_file);
 

src/daemon.c

@@ -38,7 +38,7 @@ makedaemon(void)
 		exit(0);
 
 	chdir("/");
-	umask(077);
+	umask(0177);
 
 #if NDEBUG
         /*

src/heap.c

@@ -114,6 +114,11 @@ malloc_shared_memory(size_t size)
 
 	strlcpy(buffer, shared_file, sizeof(buffer));
 
+        /* Only allow u+rw bits. This may be required for some versions
+         * of glibc so that mkstemp() doesn't make us vulnerable.
+         */
+        umask(0177);
+
 	if ((fd = mkstemp(buffer)) == -1)
 		return (void *)MAP_FAILED;
 	unlink(buffer);

src/tinyproxy.c

@@ -165,6 +165,11 @@ main(int argc, char **argv)
 	}
 #endif				/* HAVE_SETRLIMIT */
 
+        /* Only allow u+rw bits. This may be required for some versions
+         * of glibc so that mkstemp() doesn't make us vulnerable.
+         */
+        umask(0177);
+
 	/* Default configuration file location */
 	config.config_file = DEFAULT_CONF_FILE;