summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/providers/krb5/krb5_child.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index f896332d..032f5020 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -439,6 +439,7 @@ static errno_t handle_randomized(char *in)
char *ccname = NULL;
int ret;
int fd;
+ mode_t old_umask;
/* We only treat the FILE type case in a special way due to the history
* of storing FILE type ccache in /tmp and associated security issues */
@@ -460,7 +461,9 @@ static errno_t handle_randomized(char *in)
* something races, we mostly care only about not accidentally use
* an existing name and thus failing in the process of saving the
* cache. Malicious races can only be avoided by libkrb5 itself. */
+ old_umask = umask(077);
fd = mkstemp(ccname);
+ umask(old_umask);
if (fd == -1) {
ret = errno;
DEBUG(SSSDBG_CRIT_FAILURE, ("mkstemp(\"%s\") failed!\n", ccname));