diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2015-08-05 17:25:20 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-08-13 17:45:46 +0200 |
commit | 4023fb832cc5c5122c235b713c0ef401c5d21dd0 (patch) | |
tree | 9ebfc76a0292eca7b1f98d9c68d4d29428cda04c /src/p11_child/p11_child_nss.c | |
parent | 137d5dd0dba48f647e5f8b3976ddb78d65dc77a5 (diff) | |
download | sssd-4023fb832cc5c5122c235b713c0ef401c5d21dd0.tar.gz sssd-4023fb832cc5c5122c235b713c0ef401c5d21dd0.tar.xz sssd-4023fb832cc5c5122c235b713c0ef401c5d21dd0.zip |
p11child: set restrictive umask and clear environmentpk11child
https://fedorahosted.org/sssd/ticket/2754
Before doing any calls, set a very restrictive umask and clear
environment variables to harden p11child execution.
Diffstat (limited to 'src/p11_child/p11_child_nss.c')
-rw-r--r-- | src/p11_child/p11_child_nss.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c index 6948c142a..44ba66788 100644 --- a/src/p11_child/p11_child_nss.c +++ b/src/p11_child/p11_child_nss.c @@ -481,6 +481,9 @@ int main(int argc, const char *argv[]) /* Set debug level to invalid value so we can decide if -d 0 was used. */ debug_level = SSSDBG_INVALID; + clearenv(); + umask(077); + pc = poptGetContext(argv[0], argc, argv, long_options, 0); while ((opt = poptGetNextOpt(pc)) != -1) { switch(opt) { |