From 13f30f69eec02d0c0aaccc7b544dee1326a5e9d4 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 5 Aug 2015 17:25:20 +0200
Subject: p11child: set restrictive umask and clear environment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
https://fedorahosted.org/sssd/ticket/2754
Before doing any calls, set a very restrictive umask and clear environment variables to harden p11child execution.
Reviewed-by: Lukáš Slebodník
---
 src/p11_child/p11_child_nss.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 6948c142a..44ba66788 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -481,6 +481,9 @@ int main(int argc, const char *argv[])
 /* Set debug level to invalid value so we can decide if -d 0 was used. */
 debug_level = SSSDBG_INVALID;
+ clearenv();
+ umask(077);
+
 pc = poptGetContext(argv[0], argc, argv, long_options, 0);
 while ((opt = poptGetNextOpt(pc)) != -1) {
 switch(opt) {
-- cgit
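Review bot: The return value of the added `clearenv()` call is discarded, so if it ever reports failure the child keeps running with the inherited environment and the hardening silently does not apply. Because this is a security measure placed ahead of option parsing, it should fail closed, for example `if (clearenv() != 0) { return EXIT_FAILURE; }` (or whatever failure code main() already uses). A one-line comment above the two calls, such as `/* Harden: drop the inherited environment and make created files owner-only before any library call. */`, would record why they must stay ahead of `poptGetContext()`. main() starts and continues outside this hunk, so it cannot be confirmed from here that nothing later in the child, or in the libraries it initialises, expects a variable that is now cleared; that is worth checking against the PKCS#11/NSS setup path.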