>From a5cbd37ed76c19c99c4ba7a3592797c37be95dda Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 12 Aug 2015 12:56:14 +0200
Subject: [PATCH 1/4] KRB5: Use sss_unique file in krb5_child

In krb5_child, we intentionally don' set the owner of the temporary file, because we're not renaming it to a 'stable' name, but rather directly using it as the ccache.
---
 src/providers/krb5/krb5_child.c | 27 +++++++++++----------------
 1 file changed, 11 insertions(+), 16 deletions(-)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 2c5e446a0e0c3f55261a39d8d3f3bc09aded3cb9..e5f48b7133fe523df867f9ceaec1983ff30bc959 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -671,8 +671,6 @@ static errno_t handle_randomized(char *in)
     size_t ccname_len;
     char *ccname = NULL;
     int ret;
-    int fd;
-    mode_t old_umask;
 
     /* We only treat the FILE type case in a special way due to the history
      * of storing FILE type ccache in /tmp and associated security issues */
@@ -687,21 +685,18 @@ static errno_t handle_randomized(char *in)
     ccname_len = strlen(ccname);
     if (ccname_len >= 6 && strcmp(ccname + (ccname_len - 6), "XXXXXX") == 0) {
         /* NOTE: this call is only used to create a unique name, as later
-         * krb5_cc_initialize() will unlink and recreate the file.
-         * This is ok because this part of the code is called with
-         * privileges already dropped when handling user ccache, or the ccache
-         * is stored in a private directory. So we do not have huge issues if
-         * something races, we mostly care only about not accidentally use
-         * an existing name and thus failing in the process of saving the
-         * cache. Malicious races can only be avoided by libkrb5 itself. */
-        old_umask = umask(077);
-        fd = mkstemp(ccname);
-        umask(old_umask);
-        if (fd == -1) {
-            ret = errno;
+         * krb5_cc_initialize() will unlink and recreate the file.
+         * This is ok because this part of the code is called with
+         * privileges already dropped when handling user ccache, or the ccache
+         * is stored in a private directory. So we do not have huge issues if
+         * something races, we mostly care only about not accidentally use
+         * an existing name and thus failing in the process of saving the
+         * cache. Malicious races can only be avoided by libkrb5 itself. */
+        ret = sss_unique_filename(NULL, ccname);
+        if (ret != EOK) {
             DEBUG(SSSDBG_CRIT_FAILURE,
-                  "mkstemp(\"%s\") failed [%d]: %s!\n",
-                  ccname, ret, strerror(ret));
+                  "mkstemp(\"%s\") failed [%d]: %s!\n",
+                  ccname, ret, strerror(ret));
             return ret;
         }
     }
-- 
2.4.3
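Review bot: The log message in the new error branch still reads `mkstemp(\"%s\") failed`, although the call it reports on is now `sss_unique_filename()`, so anyone triaging this error will look for a mkstemp failure that no longer exists in the code; change the format line to `"sss_unique_filename(\"%s\") failed [%d]: %s!\n",`. The removed lines wrapped mkstemp() in `umask(077)` so the ccache file could not be created group- or world-readable, and the hunk gives no way to confirm that sss_unique_filename() applies an equally restrictive mode; the commit message covers only ownership, so that property should be verified and, if it holds, recorded next to the call with a comment such as `/* sss_unique_filename() creates the file with a restrictive mode, replacing the former umask(077) */`. The NOTE comment above the call still refers to "this call" in terms that fit mkstemp (unlink and recreate by krb5_cc_initialize()), which is only accurate if the helper also creates the file rather than just picking a name; worth confirming in the same pass. handle_randomized() continues outside the hunk.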