authorJakub Hrozek <jhrozek@redhat.com>2015-08-05 17:25:20 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-08-13 17:45:46 +0200
commit4023fb832cc5c5122c235b713c0ef401c5d21dd0 (patch)
tree9ebfc76a0292eca7b1f98d9c68d4d29428cda04c
parent137d5dd0dba48f647e5f8b3976ddb78d65dc77a5 (diff)
p11child: set restrictive umask and clear environmentpk11child
https://fedorahosted.org/sssd/ticket/2754 Before doing any calls, set a very restrictive umask and clear environment variables to harden p11child execution.
-rw-r--r--src/p11_child/p11_child_nss.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 6948c14..44ba667 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -481,6 +481,9 @@ int main(int argc, const char *argv[])
/* Set debug level to invalid value so we can decide if -d 0 was used. */
debug_level = SSSDBG_INVALID;
+ clearenv();
+ umask(077);
+
pc = poptGetContext(argv[0], argc, argv, long_options, 0);
while ((opt = poptGetNextOpt(pc)) != -1) {
switch(opt) {
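Review bot: The return value of `clearenv()` is ignored on the added line, so if the call fails the child keeps running with the inherited environment and the hardening is silently absent. Because this is a security step it should fail closed, for example `if (clearenv() != 0) { fprintf(stderr, "clearenv() failed\n"); return EXIT_FAILURE; }` (or whichever exit code this file uses). Debug logging does not appear to be set up yet at this point, so stderr is probably the only channel available. A short comment such as `/* Drop the inherited environment and restrict file modes before any library call. */` would also record why both calls must stay ahead of `poptGetContext()`. `main` starts and continues outside the hunk, so the includes and later error paths are not visible here.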