summaryrefslogtreecommitdiffstats
path: root/src/tools/tools_util.c
diff options
context:
space:
mode:
authorJakub Hrozek <jhrozek@redhat.com>2013-01-20 20:27:05 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-01-23 15:24:43 +0100
commit4c0369c679535a2dd5a02e2c6527139582ac3c8b (patch)
tree650059a0afa98168f9c479a35c11080ce48f9a21 /src/tools/tools_util.c
parenta59248d58dddb4e46a3407e525f4f2816708e975 (diff)
downloadsssd-4c0369c679535a2dd5a02e2c6527139582ac3c8b.tar.gz
sssd-4c0369c679535a2dd5a02e2c6527139582ac3c8b.tar.xz
sssd-4c0369c679535a2dd5a02e2c6527139582ac3c8b.zip
TOOLS: Use file descriptor to avoid races when creating a home directory
When creating a home directory, the destination tree can be modified in various ways while it is being constructed because directory permissions are set before populating the directory. This can lead to file creation and permission changes outside the target directory tree, using hard links. This security problem was assigned CVE-2013-0219 https://fedorahosted.org/sssd/ticket/1782
Diffstat (limited to 'src/tools/tools_util.c')
-rw-r--r--src/tools/tools_util.c28
1 files changed, 1 insertions, 27 deletions
diff --git a/src/tools/tools_util.c b/src/tools/tools_util.c
index e87d8e8f0..c5f50e2cd 100644
--- a/src/tools/tools_util.c
+++ b/src/tools/tools_util.c
@@ -467,33 +467,7 @@ int create_homedir(const char *skeldir,
selinux_file_context(homedir);
- ret = mkdir(homedir, 0);
- if (ret != 0) {
- ret = errno;
- DEBUG(1, ("Cannot create user's home directory: [%d][%s].\n",
- ret, strerror(ret)));
- goto done;
- }
-
- ret = chown(homedir, uid, gid);
- if (ret != 0) {
- ret = errno;
- DEBUG(1, ("Cannot chown user's home directory: [%d][%s].\n",
- ret, strerror(ret)));
- goto done;
- }
-
- ret = chmod(homedir, 0777 & ~default_umask);
- if (ret != 0) {
- ret = errno;
- DEBUG(1, ("Cannot chmod user's home directory: [%d][%s].\n",
- ret, strerror(ret)));
- goto done;
- }
-
- reset_selinux_file_context();
-
- ret = copy_tree(skeldir, homedir, uid, gid);
+ ret = copy_tree(skeldir, homedir, 0777 & ~default_umask, uid, gid);
if (ret != EOK) {
DEBUG(1, ("Cannot populate user's home directory: [%d][%s].\n",
ret, strerror(ret)));
generated by cgit (git 2.34.1) at 2024-05-21 05:00:55 +0000