From 41c576e0cf6359f1d30e7c2b98d7948dae0ea826 Mon Sep 17 00:00:00 2001
From: Klas Lindfors
Date: Fri, 8 Jun 2012 10:45:59 +0200
Subject: [PATCH] replace fopen with open+fdopen to set more restrictive bits
---
 pam_yubico.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/pam_yubico.c b/pam_yubico.c
index de05e17..5853ac5 100644
--- a/pam_yubico.c
+++ b/pam_yubico.c
@@ -605,9 +605,17 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
 strcpy(tmpfile, userfile);
 strcat(tmpfile, ".tmp");
- f = fopen(tmpfile, "w");
- if (! f)
+ fd = open(tmpfile, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
+ if (fd < 0) {
+ DBG (("Cannot open file: %s (%s)", tmpfile, strerror(errno)));
+ goto out;
+ }
+
+ f = fdopen(fd, "w");
+ if (! f) {
+ close(fd);
 goto out;
+ }
 errstr = "Error updating Yubikey challenge, please check syslog or contact your system administrator";
 if (! write_chalresp_state (f, &state))
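Review bot: The 0600 mode passed to `open()` only takes effect when `tmpfile` is created, so a `.tmp` file that already exists with wider permissions keeps them, and `O_CREAT | O_TRUNC` without `O_NOFOLLOW` will also follow a symlink sitting at that path. If the module runs with more privilege than the owner of the directory holding `userfile` (not visible in this hunk), that matters; consider `fd = open(tmpfile, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, S_IRUSR | S_IWUSR);` followed by `if (fchmod(fd, S_IRUSR | S_IWUSR) < 0) { close(fd); goto out; }`. The new `fdopen()` failure branch also exits without a `DBG` message, unlike the `open()` branch just above it. `do_challenge_response` starts and ends outside the hunk, so the `out:` cleanup and any later rename of the temp file cannot be checked from here.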