b061451 SUDO: Create the socket with stricter permissions

Authored and Committed by jhrozek 9 months ago
    SUDO: Create the socket with stricter permissions
    
    This patch switches the sudo responder from being created as a public
    responder where the permissions are open and not checked by the sssd
    deaamon to a private socket. In this case, sssd creates the pipes with
    strict permissions (see the umask in the call to create_pipe_fd() in
    set_unix_socket()) and additionaly checks the permissions with every read
    via the tevent integrations (see accept_fd_handler()).
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3766 (CVE-2018-10852)
    
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    Reviewed-by: Pavel Březina <pbrezina@redhat.com>
    
        
file modified
+2 -1