Replace isc_fsaccess API with more secure file creation

The isc_fsaccess API was created to hide the implementation details between POSIX and Windows APIs. As we are not supporting the Windows APIs anymore, it's better to drop this API used in the DST part. Moreover, the isc_fsaccess was setting the permissions in an insecure manner - it operated on the filename, and not on the file descriptor which can lead to all kind of attacks if unpriviledged user has read (or even worse write) access to key directory. Replace the code that operates on the private keys with code that uses mkstemp(), fchmod() and atomic rename() at the end, so at no time the private key files have insecure permissions.
2025-08-31 14:35:26 +00:00 · 2023-03-30 18:00:17 +02:00
parent aca7dd3961
commit 263d232c79
10 changed files with 154 additions and 455 deletions
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -238,6 +238,16 @@ dst__mem_free(void *ptr);
 void *
 dst__mem_realloc(void *ptr, size_t size);

+/*%
+ * Secure private file handling
+ */
+FILE *
+dst_key_open(char *tmpname, mode_t mode);
+isc_result_t
+dst_key_close(char *tmpname, FILE *fp, char *filename);
+isc_result_t
+dst_key_cleanup(char *tmpname, FILE *fp);
+
 ISC_LANG_ENDDECLS

 /*! \file */