[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: [PATCH master f15-branch] crypttab should not be work-readable (#692254).

From: "Brian C. Lane" <bcl redhat com>
To: Discussion of Development and Customization of the Red Hat Linux Installer <anaconda-devel-list redhat com>
Subject: Re: [PATCH master f15-branch] crypttab should not be work-readable (#692254).
Date: Wed, 30 Mar 2011 15:28:16 -0700

On Wed, Mar 30, 2011 at 04:27:06PM -0400, Chris Lumens wrote:
> ---
>  pyanaconda/storage/__init__.py |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/pyanaconda/storage/__init__.py b/pyanaconda/storage/__init__.py
> index 472627c..90bc2b0 100644
> --- a/pyanaconda/storage/__init__.py
> +++ b/pyanaconda/storage/__init__.py
> @@ -2239,6 +2239,7 @@ class FSSet(object):
>          crypttab_path = os.path.normpath("%s/etc/crypttab" % instPath)
>          crypttab = self.crypttab()
>          open(crypttab_path, "w").write(crypttab)
> +        os.chmod(crypttab_path, 0600)
>  
>          # /etc/mdadm.conf
>          mdadm_path = os.path.normpath("%s/etc/mdadm.conf" % instPath)
> -- 
> 1.7.4.1

Under normal installer conditions this works fine, but if the storage
module ends up being used by something outside anaconda there is a race
condition for access to the file. It would probably be safer to do:

origmask = os.umask(0077)
open(crypttab_path, "w").write(crypttab)
os.umask(origmask)

so that the file never exists with world readable permissions.

-- 
Brian C. Lane | Anaconda Team | IRC: bcl #anaconda | Port Orchard, WA (PST8PDT)

Attachment: pgpeMe7QE79mv.pgp
Description: PGP signature

Follow-Ups:
- Re: [PATCH master f15-branch] crypttab should not be work-readable (#692254).
  - From: Chris Lumens

References:
- [PATCH master f15-branch] crypttab should not be work-readable (#692254).
  - From: Chris Lumens

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]