authorPetr Cech <pcech@redhat.com>2015-10-06 07:05:57 -0400
committerJakub Hrozek <jhrozek@redhat.com>2015-10-14 13:27:18 +0200
commitae627e216689b0a5834f36aaaa007ed584ef033d (patch)
tree8b7dd5b510cbbd210543e035c99cd53ea087cc99 /src/p11_child
parent2f6a94e30458df92fb26c3d810f613d1e4cff99b (diff)
P11_CHILD_NSS: More restrictive permissions
p11_child_nss runs as root and we must be careful about security. This patch adds more restrictive permissions on it. There is no reason for 0077, so we use 0177 umask. Resolves: https://fedorahosted.org/sssd/ticket/2424 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/p11_child')
-rw-r--r--src/p11_child/p11_child_nss.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 123b99348..8a383a044 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -481,8 +481,12 @@ int main(int argc, const char *argv[])
/* Set debug level to invalid value so we can decide if -d 0 was used. */
debug_level = SSSDBG_INVALID;
+ /*
+ * This child runs as root (setuid(0)), so we need clear environment and
+ * set permissions for security reasons.
+ */
clearenv();
- umask(SSS_DFL_X_UMASK);
+ umask(SSS_DFL_UMASK);
pc = poptGetContext(argv[0], argc, argv, long_options, 0);
while ((opt = poptGetNextOpt(pc)) != -1) {
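Review bot: The return value of `clearenv()` is still ignored, although the comment added above it makes a cleared environment a security requirement for a process that runs as root. If the call fails, the child carries on with the inherited environment, so the result should be checked and the process stopped before option parsing, e.g. `if (clearenv() != 0) { return EXIT_FAILURE; }` (or whatever early exit path main uses; its body starts and ends outside the hunk, and debug logging is not yet set up at this point). The new comment could also say why the tighter mask is sufficient: presumably this child only creates regular files such as logs, which never need the execute bit. That is worth confirming and stating, since the value of `SSS_DFL_UMASK` is not visible here.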