authorPetr Cech <pcech@redhat.com>2015-10-06 07:05:57 -0400
committerJakub Hrozek <jhrozek@redhat.com>2015-10-14 13:27:18 +0200
commitae627e216689b0a5834f36aaaa007ed584ef033d (patch)
tree8b7dd5b510cbbd210543e035c99cd53ea087cc99
parent2f6a94e30458df92fb26c3d810f613d1e4cff99b (diff)
P11_CHILD_NSS: More restrictive permissions
p11_child_nss runs as root and we must be careful about security. This patch adds more restrictive permissions on it. There is no reason for 0077, so we use 0177 umask. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
-rw-r--r--src/p11_child/p11_child_nss.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 123b99348..8a383a044 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -481,8 +481,12 @@ int main(int argc, const char *argv[])
/* Set debug level to invalid value so we can decide if -d 0 was used. */
debug_level = SSSDBG_INVALID;
+ /*
+ * This child runs as root (setuid(0)), so we need clear environment and
+ * set permissions for security reasons.
+ */
clearenv();
- umask(SSS_DFL_X_UMASK);
+ umask(SSS_DFL_UMASK);
pc = poptGetContext(argv[0], argc, argv, long_options, 0);
while ((opt = poptGetNextOpt(pc)) != -1) {
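Review bot: The added comment above `clearenv()` says the child runs as root "(setuid(0))", which reads like a call made by this code rather than a property of how the binary is installed or launched, and it never states what the new umask actually is. Going by the commit message, `SSS_DFL_UMASK` is 0177, so I would spell that out: `/* Runs with root privileges: drop the inherited environment and use umask 0177 so files created here are owner read/write only. */`. Note that 0177 also masks the owner execute bit, so a directory created later in main() would not be traversable; the rest of main() is outside this hunk, so that is worth confirming. The unchanged `clearenv()` call ignores its return value, and for a privileged helper it is safer to exit when it returns non-zero.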