Shibd process doesn't set umask on startup. If the process starts with umask 000 then shibd creates files with world writable permissions.
Shibd should probably use "safe" default umask(022).
Maybe something like this:
— shibboleth-sp-2.5.4.orig/shibd/shibd.cpp 2012-12-04 06:49:51.000000000 +0200
+++ shibboleth-sp-2.5.4/shibd/shibd.cpp 2015-06-06 12:34:04.779279885 +0300
@@ -315,6 +315,7 @@
int main(int argc, char *argv[])
{
+ umask(022);
if (parse_args(argc, argv) != 0)
usage(argv[0]);
else if (shar_version) {
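Review bot: the unconditional `umask(022);` as the first statement of main() replaces whatever mask the process inherited, so a deliberately stricter value set by the init script or administrator (027 or 077, for example) would be loosened to 022. Consider only adding bits: capture the inherited mask with `mode_t old = umask(022);` and then call `umask(old | 022);`, which fixes the umask 000 case from the report without weakening a tighter one. Note also that 022 still leaves new files group- and world-readable, so any file shibd creates that should be private needs an explicit mode at creation. The hunk adds no include, so confirm that `<sys/stat.h>` is already pulled in by shibd.cpp.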