journal-remote: use READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE when reading PEM secret key
It's secret data, hence use the appropriate flags.
parent
8b3c3a4973
commit
e5de42e6f2
|
@ -897,7 +897,11 @@ static int parse_argv(int argc, char *argv[]) {
|
||||||
if (arg_key_pem)
|
if (arg_key_pem)
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||||
"Key file specified twice");
|
"Key file specified twice");
|
||||||
r = read_full_file_full(AT_FDCWD, optarg, READ_FULL_FILE_CONNECT_SOCKET, NULL, &arg_key_pem, NULL);
|
r = read_full_file_full(
|
||||||
|
AT_FDCWD, optarg,
|
||||||
|
READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE|READ_FULL_FILE_CONNECT_SOCKET,
|
||||||
|
NULL,
|
||||||
|
&arg_key_pem, NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to read key file: %m");
|
return log_error_errno(r, "Failed to read key file: %m");
|
||||||
assert(arg_key_pem);
|
assert(arg_key_pem);
|
||||||
|
|
|
@ -1078,7 +1078,11 @@ static int parse_argv(int argc, char *argv[]) {
|
||||||
static int load_certificates(char **key, char **cert, char **trust) {
|
static int load_certificates(char **key, char **cert, char **trust) {
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
r = read_full_file_full(AT_FDCWD, arg_key ?: PRIV_KEY_FILE, READ_FULL_FILE_CONNECT_SOCKET, NULL, key, NULL);
|
r = read_full_file_full(
|
||||||
|
AT_FDCWD, arg_key ?: PRIV_KEY_FILE,
|
||||||
|
READ_FULL_FILE_SECURE|READ_FULL_FILE_WARN_WORLD_READABLE|READ_FULL_FILE_CONNECT_SOCKET,
|
||||||
|
NULL,
|
||||||
|
key, NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to read key from file '%s': %m",
|
return log_error_errno(r, "Failed to read key from file '%s': %m",
|
||||||
arg_key ?: PRIV_KEY_FILE);
|
arg_key ?: PRIV_KEY_FILE);
|
||||||
|
|
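Review bot: The key material outlives the protection this change adds. As far as I know, READ_FULL_FILE_SECURE only erases the buffers used during the read, so the PEM key stays in `arg_key_pem` (first hunk, parse_argv) and in `*key` (second hunk, load_certificates) until the owner of those pointers releases them. The releasing code is outside both hunks, so this is inferred; if it uses plain `free()` or `_cleanup_free_`, the secret remains in freed heap memory, and `erase_and_free()` or `_cleanup_(erase_and_freep)` would close that gap. Separately, READ_FULL_FILE_WARN_WORLD_READABLE appears only to log, so a world-readable key file is still loaded; a short comment at both calls, such as `/* world-readable key files are warned about, not rejected */`, would make that explicit. Both function bodies continue outside the hunks.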