Merge 9d24c96 into 1c6fa66

Yubico · Jun 5, 2019 · 48dec57 · 48dec57
2 parents 1c6fa66 + 9d24c96
commit 48dec57
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 17 deletions.
diff --git a/pam_yubico.c b/pam_yubico.c
@@ -790,6 +790,9 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
 static void
 parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
 {
+  struct stat st;
+  FILE *file = NULL;
+  int fd = -1;
   int i;
 
   memset (cfg, 0, sizeof(struct cfg));
@@ -879,24 +882,15 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
             }
           else
             {
-              struct stat st;
-              int fd;
-              FILE *file;
-              if(lstat(filename, &st) == 0)
+              fd = open(filename, O_WRONLY | O_APPEND | O_CLOEXEC | O_NOFOLLOW | O_NOCTTY);
+              if (fd >= 0 && (fstat(fd, &st) == 0) && S_ISREG(st.st_mode))
                 {
-                  if(S_ISREG(st.st_mode))
+                  file = fdopen(fd, "a");
+                  if(file != NULL)
                     {
-                      fd = open(filename, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP);
-                      if (fd >= 0)
-                        {
-                          file = fdopen(fd, "a");
-                          if (file)
-                            {
-                              cfg->debug_file = file;
-                            } else {
-			      close(fd);
-			    }
-                        }
+                      cfg->debug_file = file;
+                      file = NULL;
+                      fd = -1;
                     }
                 }
             }
@@ -940,6 +934,12 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
   DBG ("token_id_length=%u", cfg->token_id_length);
   DBG ("mode=%s", cfg->mode == CLIENT ? "client" : "chresp" );
   DBG ("chalresp_path=%s", cfg->chalresp_path ? cfg->chalresp_path : "(null)");
+
+  if (fd != -1)
+    close(fd);
+
+  if (file != NULL)
+    fclose(file);
 }
 
 PAM_EXTERN int

diff --git a/ykpamcfg.c b/ykpamcfg.c
@@ -250,7 +250,7 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u
 
   umask(077);
 
-  fd = open (fn, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR);
+  fd = open (fn, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC | O_NOFOLLOW | O_NOCTTY, S_IRUSR | S_IWUSR);
   if (fd < 0) {
     fprintf (stderr, "Failed to open '%s' for writing: %s\n", fn, strerror (errno));
     goto out;