From ae627e216689b0a5834f36aaaa007ed584ef033d Mon Sep 17 00:00:00 2001
From: Petr Cech
Date: Tue, 6 Oct 2015 07:05:57 -0400
Subject: P11_CHILD_NSS: More restrictive permissions
p11_child_nss runs as root and we must be carefull about security. This patch adds more restrictive permissions on it. There is no reason for 0077, so we use 0177 umask.
Resolves: https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek
---
 src/p11_child/p11_child_nss.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'src/p11_child')
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 123b99348..8a383a044 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -481,8 +481,12 @@ int main(int argc, const char *argv[])
 /* Set debug level to invalid value so we can decide if -d 0 was used. */
 debug_level = SSSDBG_INVALID;
+ /*
+ * This child runs as root (setuid(0)), so we need clear environment and
+ * set permissions for security reasons.
+ */
 clearenv();
- umask(SSS_DFL_X_UMASK);
+ umask(SSS_DFL_UMASK);
 pc = poptGetContext(argv[0], argc, argv, long_options, 0);
 while ((opt = poptGetNextOpt(pc)) != -1) {
-- cgit
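Review bot: The return value of `clearenv()` is ignored directly under the new comment, so if clearing ever fails this root-run child carries on with the caller's environment even though the comment says it was cleared; a guard such as `if (clearenv() != 0) return EXIT_FAILURE;` (or whatever error exit main() uses elsewhere) would enforce it. main() starts before and continues after this hunk, so the right exit path is not visible here. The comment would also be more useful if it stated what the mask guarantees, since `SSS_DFL_UMASK` is not defined in these lines: going by the commit message, something like `/* umask 0177: files created by this child are at most 0600 */`. Because that mask also strips the owner execute bit, any directory the process creates later would come out untraversable, so it is worth confirming that nothing after this point (including the libraries it loads) creates directories.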