From 249d3b8c72798a8eb081b620cc94072b3e8d6351 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Mon, 6 Aug 2012 09:43:05 -0400
Subject: IPA: Securely set umask for mkstemp in subdomain provider

https://fedorahosted.org/sssd/ticket/1457
---
 src/providers/ipa/ipa_subdomains.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src')

diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
index 9adc3fa9..98c7de34 100644
--- a/src/providers/ipa/ipa_subdomains.c
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -285,6 +285,7 @@ ipa_subdomains_write_mappings(struct sss_domain_info *domain,
     const char *mapping_file;
     char *tmp_file = NULL;
     int fd = -1;
+    mode_t old_mode;
     FILE *fstream = NULL;
     size_t i;
 
@@ -304,7 +305,9 @@ ipa_subdomains_write_mappings(struct sss_domain_info *domain,
         goto done;
     }
 
+    old_mode = umask(077);
     fd = mkstemp(tmp_file);
+    umask(old_mode);
     if (fd < 0) {
         DEBUG(SSSDBG_OP_FAILURE, ("creating the temp file [%s] for domain-realm "
                                   "mappings failed.", tmp_file));
-- 
cgit