Use more restrictive permissions on /etc/ipmi-pass This forces the permissions on /etc/ipmi-pass to be 0600 or RW only by owner. This is to prevent non-owners from reading the file, even though it is obfuscated to make it harder for ipmi passwords to leak. Tested: change ipmi passwords and see that the /etc/ipmi-pass file has 0600 permissions. Change-Id: I4be0b8a65f98ced031493f7767879eb054e1ee84 Signed-off-by: Vernon Mauery <vernon.mauery@linux.intel.com>

commit: b265455a2518ece7c004b43c144199ec980fc620 [log] [tgz]
author: Vernon Mauery <vernon.mauery@linux.intel.com> Fri Apr 03 14:28:53 2020 -0700
committer: Vernon Mauery <vernon.mauery@linux.intel.com> Wed Apr 08 16:58:55 2020 -0700
tree: 609cdc4e99ae44811cdd73a83e9b776097e13488
parent: 0e2dbee2d19ee6865d6e95b07398943b8f536336 [diff] [blame]
diff --git a/user_channel/passwd_mgr.cpp b/user_channel/passwd_mgr.cpp
index 66bdef0..5e0b30d 100644
--- a/user_channel/passwd_mgr.cpp
+++ b/user_channel/passwd_mgr.cpp

@@ -444,8 +444,8 @@
         return -EIO;
     }
 
-    // Set the file mode as of actual ipmi-pass file.
-    if (fchmod(fileno((temp)()), st.st_mode) < 0)
+    // Set the file mode as read-write for owner only
+    if (fchmod(fileno((temp)()), S_IRUSR | S_IWUSR) < 0)
     {
         log<level::DEBUG>("Error setting fchmod for temp file");
         return -EIO;
commit	b265455a2518ece7c004b43c144199ec980fc620	[log] [tgz]
author	Vernon Mauery <vernon.mauery@linux.intel.com>	Fri Apr 03 14:28:53 2020 -0700
committer	Vernon Mauery <vernon.mauery@linux.intel.com>	Wed Apr 08 16:58:55 2020 -0700
tree	609cdc4e99ae44811cdd73a83e9b776097e13488
parent	0e2dbee2d19ee6865d6e95b07398943b8f536336 [diff] [blame]