From baeb03abd4406b90ca715ecd4e69ae61aed26134 Mon Sep 17 00:00:00 2001
From: Paul Rodger <paul@paulrodger.com>
Date: Mon, 16 Sep 2002 11:35:03 +0000
Subject: [PATCH] If we are running as root we setuid() to the user who owns
 the mailbox. But I forgot to make sure we create our temporary container
 directory as that user too.

---
 archivemail.py | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/archivemail.py b/archivemail.py
index ea7c5e5..0706ef5 100755
--- a/archivemail.py
+++ b/archivemail.py
@@ -943,17 +943,6 @@ def archive(mailbox_name):
                 os.path.basename(final_archive_name))
     vprint("archiving '%s' to '%s' ..." % (mailbox_name, final_archive_name))
 
-    # create a temporary directory for us to work in securely
-    old_temp_dir = tempfile.tempdir
-    tempfile.tempdir = None
-    new_temp_dir = tempfile.mktemp('archivemail')
-    assert(new_temp_dir)
-    os.mkdir(new_temp_dir)
-    _stale.temp_dir = new_temp_dir
-    tempfile.tempdir = new_temp_dir
-
-    vprint("set tempfile directory to '%s'" % new_temp_dir)
-
     # check to see if we are running as root -- if so, change our effective
     # userid and groupid to that of the original mailbox
     if (os.getuid() == 0) and os.path.exists(mailbox_name):
@@ -964,6 +953,16 @@ def archive(mailbox_name):
         vprint("changing effective user id to: %d" % mailbox_user)
         os.seteuid(mailbox_user)
 
+    # create a temporary directory for us to work in securely
+    old_temp_dir = tempfile.tempdir
+    tempfile.tempdir = None
+    new_temp_dir = tempfile.mktemp('archivemail')
+    assert(new_temp_dir)
+    os.mkdir(new_temp_dir)
+    _stale.temp_dir = new_temp_dir
+    tempfile.tempdir = new_temp_dir
+    vprint("set tempfile directory to '%s'" % new_temp_dir)
+
     if os.path.islink(mailbox_name):
         unexpected_error("'%s' is a symbolic link -- I feel nervous!" % 
             mailbox_name)
@@ -982,14 +981,16 @@ def archive(mailbox_name):
     else:
         user_error("'%s': no such file or directory" % mailbox_name)
 
+    # remove our special temp directory - hopefully empty
+    os.rmdir(new_temp_dir)
+    _stale.temp_dir = None
+    tempfile.tempdir = old_temp_dir
+
     # if we are running as root, revert the seteuid()/setegid() above
     if (os.getuid() == 0):
         vprint("changing effective groupid and userid back to root")
         os.setegid(0)
         os.seteuid(0)
-    os.rmdir(new_temp_dir)
-    _stale.temp_dir = None
-    tempfile.tempdir = old_temp_dir
 
 
 def _archive_mbox(mailbox_name, final_archive_name):