Fixes https://fedorahosted.org/sssd/ticket/1457
The permissions are later set with chmod() to the final values after it's moved to the real filename, so this is safe.
From 8e0a9d319ffc35e724c45789facde2852fa564d6 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher <sgall...@redhat.com> Date: Mon, 6 Aug 2012 09:43:05 -0400 Subject: [PATCH] IPA: Securely set umask for mkstemp in subdomain provider https://fedorahosted.org/sssd/ticket/1457 --- src/providers/ipa/ipa_subdomains.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c index 9adc3fa947d5d1a37eaf8e261d14ccc01d733fd2..98c7de3465f4f67e397d176f7b49906c830442c2 100644 --- a/src/providers/ipa/ipa_subdomains.c +++ b/src/providers/ipa/ipa_subdomains.c @@ -285,6 +285,7 @@ ipa_subdomains_write_mappings(struct sss_domain_info *domain, const char *mapping_file; char *tmp_file = NULL; int fd = -1; + mode_t old_mode; FILE *fstream = NULL; size_t i; @@ -304,7 +305,9 @@ ipa_subdomains_write_mappings(struct sss_domain_info *domain, goto done; } + old_mode = umask(077); fd = mkstemp(tmp_file); + umask(old_mode); if (fd < 0) { DEBUG(SSSDBG_OP_FAILURE, ("creating the temp file [%s] for domain-realm " "mappings failed.", tmp_file)); -- 1.7.11.2
signature.asc
Description: This is a digitally signed message part
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel