Use more restrictive permissions on /etc/ipmi-pass
This forces the permissions on /etc/ipmi-pass to be 0600 or RW only by
owner. This is to prevent non-owners from reading the file, even though
it is obfuscated to make it harder for ipmi passwords to leak.

Tested: change ipmi passwords and see that the /etc/ipmi-pass file has
        0600 permissions.

Change-Id: I4be0b8a65f98ced031493f7767879eb054e1ee84
Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>
vmauery committed Apr 8, 2020
1 parent 0e2dbee commit b265455
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions user_channel/passwd_mgr.cpp
Expand Up @@ -444,8 +444,8 @@ int PasswdMgr::updatePasswdSpecialFile(const std::string& userName,
return -EIO;
}

// Set the file mode as of actual ipmi-pass file.
if (fchmod(fileno((temp)()), st.st_mode) < 0)
// Set the file mode as read-write for owner only
if (fchmod(fileno((temp)()), S_IRUSR | S_IWUSR) < 0)
{
log<level::DEBUG>("Error setting fchmod for temp file");
return -EIO;
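
Review bot: The new `fchmod(fileno((temp)()), S_IRUSR | S_IWUSR)` call only tightens the mode when `updatePasswdSpecialFile` runs, so an existing /etc/ipmi-pass that already has a wider mode stays readable by non-owners until the next password change; consider also correcting the mode of the existing file at startup or when it is first read. In the same branch, a failed `fchmod` is logged at `level::DEBUG`, which is easy to miss for a failure to restrict a credential file, so `level::ERR` would fit better. If `st.st_mode` was the only use of `st` in this function, check whether the earlier stat call is still needed.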
