Cert files are never updated after they are created, so remove owner write permission. As a clean-up, use a macro to define and label the certificate file mode bits.
Signed-off-by: Chuck Lever <[email protected]> --- src/libnsdb/nsdb.c | 7 ++++++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/src/libnsdb/nsdb.c b/src/libnsdb/nsdb.c index 7ef39d3..e5fb09a 100644 --- a/src/libnsdb/nsdb.c +++ b/src/libnsdb/nsdb.c @@ -69,6 +69,11 @@ */ #define NSDB_NCE_ENV "FEDFS_NSDB_NCE" +/** + * Permission mode to use when creating certfiles + */ +#define FEDFS_CERTFILE_MODE (S_IRUSR|S_IRGRP|S_IROTH) + /** * Stores pathname of directory containing FedFS persistent state @@ -571,7 +576,7 @@ nsdb_new_certfile(const char *certdata, const unsigned int certlen, } fd = open(pathbuf, O_WRONLY | O_SYNC | O_CREAT | O_EXCL, - S_IRUSR | S_IWUSR | S_IRGRP); + FEDFS_CERTFILE_MODE); if (fd == -1) { xlog(D_GENERAL, "%s: Failed to open %s: %m", __func__, pathbuf); _______________________________________________ fedfs-utils-devel mailing list [email protected] https://oss.oracle.com/mailman/listinfo/fedfs-utils-devel
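Review bot: In the first hunk, FEDFS_CERTFILE_MODE is defined as (S_IRUSR|S_IRGRP|S_IROTH), which adds S_IROTH where the old mode was S_IRUSR | S_IWUSR | S_IRGRP. Subject to the process umask, new certfiles therefore become world-readable as well as losing owner write, but the description only mentions removing owner write permission. If world read is intended, state it in the commit message and in the macro's doc comment; if it is not, drop S_IROTH from the macro so that the change matches its description.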
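Review bot: In the nsdb_new_certfile() hunk, open() still passes O_WRONLY while the creation mode no longer contains S_IWUSR, which reads like a mistake at first glance. It is correct: with O_CREAT | O_EXCL the mode argument governs later opens of the file, and the descriptor returned by the creating call remains writable. A short comment at the call site saying that the read-only mode is deliberate would keep a later reader from restoring S_IWUSR. It is also worth confirming that no other code path reopens an existing certfile for writing, since an unprivileged caller would now get EACCES there; nothing of that kind is visible in this hunk.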
