picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

journal-remote: use READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE when reading PEM secret key 

It's secret data, hence use the appropriate flags.
This commit is contained in:
Lennart Poettering 2020-11-04 16:21:26 +01:00
parent 8b3c3a4973
commit e5de42e6f2
2 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/journal-remote/journal-gatewayd.c
View File

@ -897,7 +897,11 @@ static int parse_argv(int argc, char *argv[]) {
if (arg_key_pem)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Key file specified twice");
r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, NULL, &arg_key_pem, NULL);
r = read_full_file_full(
AT_FDCWD, optarg,
READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE|READ_FULL_FILE_CONNECT_SOCKET,
NULL,
&arg_key_pem, NULL);
if (r < 0)
return log_error_errno(r, "Failed to read key file: %m");
assert(arg_key_pem);

6
src/journal-remote/journal-remote-main.c
View File

@ -1078,7 +1078,11 @@ static int parse_argv(int argc, char *argv[]) {
static int load_certificates(char **key, char **cert, char **trust) {
int r;
r = read_full_file_full(AT_FDCWD, arg_key ?: PRIV_KEY_FILE, READ_FULL_FILE_CONNECT_SOCKET, NULL, key, NULL);
r = read_full_file_full(
AT_FDCWD, arg_key ?: PRIV_KEY_FILE,
READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE|READ_FULL_FILE_CONNECT_SOCKET,
NULL,
key, NULL);
if (r < 0)
return log_error_errno(r, "Failed to read key from file '%s': %m",
arg_key ?: PRIV_KEY_FILE);