From a0ad4f2a4a342214acd4ab4b77cc5ccce22b35ad Mon Sep 17 00:00:00 2001
From: Petr Cech
Date: Tue, 6 Oct 2015 07:57:17 -0400
Subject: UTILS: More restrictive permissions in domain_info There are two occurances of creating temp. file under SSS_DFL_X_UMASK permissions which enable possibility to grant executable permission. After writting to those temp. files, they are renamed and they get 0644 permissions. So SSS_DFL_UMASK is good enough fot this case.
Resolves: https://fedorahosted.org/sssd/ticket/2424
Reviewed-by: Jakub Hrozek
---
 src/util/domain_info_utils.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c
index 04e7d08d..baed132c 100644
--- a/src/util/domain_info_utils.c
+++ b/src/util/domain_info_utils.c
@@ -312,7 +312,7 @@ sss_write_domain_mappings(struct sss_domain_info *domain)
 goto done;
 }
- old_mode = umask(SSS_DFL_X_UMASK);
+ old_mode = umask(SSS_DFL_UMASK);
 fd = mkstemp(tmp_file);
 umask(old_mode);
 if (fd < 0) {
@@ -562,7 +562,7 @@ static errno_t sss_write_krb5_localauth_snippet(const char *path)
 goto done;
 }
- old_mode = umask(SSS_DFL_X_UMASK);
+ old_mode = umask(SSS_DFL_UMASK);
 fd = mkstemp(tmp_file);
 umask(old_mode);
 if (fd < 0) {
-- cgit
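Review bot: The `umask(SSS_DFL_UMASK)` / `mkstemp()` / `umask(old_mode)` bracket in sss_write_domain_mappings, repeated verbatim in sss_write_krb5_localauth_snippet in the second hunk, carries no comment saying why the mask is tightened around a call that POSIX.1-2008 already specifies as creating the file owner read/write only. I would add above each bracket something like `/* guard for libcs where mkstemp() honours the umask; the published 0644 mode is applied explicitly before rename */`, with the second half checked against the code after the hunk, which is not visible here. Since umask() is process-wide, the bracket is only safe while no other thread creates files between the two calls; if these callers are single-threaded, that assumption belongs in the same comment. Both function bodies start and end outside their hunks.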