Blame SOURCES/0058-p11child-set-restrictive-umask-and-clear-environment.patch
|
 |
6cf099 |
From 5845a325b10e48b1e4c21976b0856ad1d012bbb4 Mon Sep 17 00:00:00 2001
|
|
|
6cf099 |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
6cf099 |
Date: Wed, 5 Aug 2015 17:25:20 +0200
|
|
|
6cf099 |
Subject: [PATCH 58/59] p11child: set restrictive umask and clear environment
|
|
|
6cf099 |
MIME-Version: 1.0
|
|
|
6cf099 |
Content-Type: text/plain; charset=UTF-8
|
|
|
6cf099 |
Content-Transfer-Encoding: 8bit
|
|
|
6cf099 |
|
|
|
6cf099 |
https://fedorahosted.org/sssd/ticket/2754
|
|
|
6cf099 |
|
|
|
6cf099 |
Before doing any calls, set a very restrictive umask and clear
|
|
|
6cf099 |
environment variables to harden p11child execution.
|
|
|
6cf099 |
|
|
|
6cf099 |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
6cf099 |
---
|
|
|
6cf099 |
src/p11_child/p11_child_nss.c | 3 +++
|
|
|
6cf099 |
1 file changed, 3 insertions(+)
|
|
|
6cf099 |
|
|
|
6cf099 |
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
|
|
|
6cf099 |
index 6948c142aa7843cda5ff6d18f5853b10c387c224..44ba6678893408dbfc0c6c7cfd5edcdaa789f518 100644
|
|
|
6cf099 |
--- a/src/p11_child/p11_child_nss.c
|
|
|
6cf099 |
+++ b/src/p11_child/p11_child_nss.c
|
|
|
6cf099 |
@@ -481,6 +481,9 @@ int main(int argc, const char *argv[])
|
|
|
6cf099 |
/* Set debug level to invalid value so we can decide if -d 0 was used. */
|
|
|
6cf099 |
debug_level = SSSDBG_INVALID;
|
|
|
6cf099 |
|
|
|
6cf099 |
+ clearenv();
|
|
|
6cf099 |
+ umask(077);
|
|
|
6cf099 |
+
|
|
|
6cf099 |
pc = poptGetContext(argv[0], argc, argv, long_options, 0);
|
|
|
6cf099 |
while ((opt = poptGetNextOpt(pc)) != -1) {
|
|
|
6cf099 |
switch(opt) {
|
|
|
6cf099 |
--
|
|
|
6cf099 |
2.4.3
|
|
|
6cf099 |
|