diff --git a/pam_yubico.c b/pam_yubico.c
index cbac209..98957a5 100644
--- a/pam_yubico.c
+++ b/pam_yubico.c
@@ -814,15 +814,20 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
 else
 {
 struct stat st;
+ int fd;
 FILE *file;
 if(lstat(filename, &st) == 0)
 {
 if(S_ISREG(st.st_mode))
 {
- file = fopen(filename, "ae");
- if(file)
+ fd = open(filename, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP);
+ if (fd >= 0)
 {
- cfg->debug_file = file;
+ file = fdopen(fd, "a");
+ if (file)
+ {
+ cfg->debug_file = file;
+ }
 }
 }
 }
diff --git a/util.c b/util.c
index d2cfc8d..ef332a5 100644
--- a/util.c
+++ b/util.c
@@ -187,8 +187,14 @@ int generate_random(void *buf, int len)
 {
 FILE *u;
 int res;
+ int fd;
- u = fopen("/dev/urandom", "re");
+ fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
+ if (fd < 0) {
+ return -1;
+ }
+
+ u = fdopen(fd, "r");
 if (!u) {
 return -1;
 }
diff --git a/ykpamcfg.c b/ykpamcfg.c
index cfc4cd0..5098027 100644
--- a/ykpamcfg.c
+++ b/ykpamcfg.c
@@ -38,6 +38,7 @@
 #include
 #include
 #include
+#include
 #include
@@ -143,6 +144,7 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u
 unsigned int response_len;
 char *fn;
 struct passwd *p;
+ int fd;
 FILE *f = NULL;
 struct stat st;
@@ -237,11 +239,16 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u
 umask(077);
- f = fopen (fn, "we");
- if (! f) {
+ fd = open (fn, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR);
+ if (fd < 0) {
 fprintf (stderr, "Failed opening '%s' for writing : %s\n", fn, strerror (errno));
 goto out;
 }
+ f = fdopen (fd, "w");
+ if (! f) {
+ fprintf (stderr, "fdopen: %s\n", strerror (errno));
+ goto out;
+ }
 if (! write_chalresp_state (f, &state))
 goto out;
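Review bot: When fdopen() fails after the new open() in parse_cfg, `fd` is never closed, so the descriptor leaks for the lifetime of the process hosting the PAM module; add `else close(fd);` after `if (file) { cfg->debug_file = file; }`. The same open()/fdopen() pattern with no close() on the fdopen failure path appears in the util.c generate_random hunk (`if (!u) { return -1; }` should become `if (!u) { close(fd); return -1; }`) and in the ykpamcfg.c do_add_hmac_chalresp hunk, whose `goto out` path has no `fd` to release. Separately, the S_ISREG test on the lstat() result and the open() are two non-atomic steps, so a path changed between them is still followed; since lstat() already established that a regular file exists, `O_WRONLY | O_APPEND | O_CLOEXEC | O_NOFOLLOW` lets the open itself refuse a symlink and makes O_CREAT unnecessary here. parse_cfg begins and ends outside the hunk, so I cannot see whether filename is validated elsewhere.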