From 1b18d6fab72ec173c0a6c4f95f4b2004aaf575b2 Mon Sep 17 00:00:00 2001
From: Laszlo Gombos
Date: Thu, 23 Feb 2023 05:58:06 +0000
Subject: [PATCH] fix(dracut-install): file created without restricting permissions
Resolve: https://github.com/dracutdevs/dracut/security/code-scanning/10
---
 src/install/dracut-install.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/install/dracut-install.c b/src/install/dracut-install.c
index 6bf5ce1fd7..d60584c438 100644
--- a/src/install/dracut-install.c
+++ b/src/install/dracut-install.c
@@ -682,9 +682,11 @@ void mark_hostonly(const char *path)
 _asprintf(&fulldstpath, "%s/lib/dracut/hostonly-files", destrootdir);
- f = fopen(fulldstpath, "a");
+ int fd = open(fulldstpath, O_RDONLY | O_APPEND, 0600);
+ if (fd != -1)
+ f = fdopen(fd, "a");
- if (f == NULL) {
+ if (fd == -1 || f == NULL) {
 log_error("Could not open '%s' for writing.", fulldstpath);
 return;
 }
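Review bot: The added `open()` call passes `O_RDONLY | O_APPEND` without `O_CREAT`, so the `0600` mode argument is ignored and the file is never created, and the read-only descriptor does not match the `"a"` mode given to `fdopen()`. A libc that checks the access mode (glibc does) will fail the `fdopen()`, and elsewhere the later writes fail. For the restricted permissions to take effect the line should read `int fd = open(fulldstpath, O_WRONLY | O_CREAT | O_APPEND, 0600);`. When `open()` succeeds but `fdopen()` returns NULL, the error branch returns without closing the descriptor, so it needs `if (fd != -1) close(fd);` before the `return`. The mode applies only when the file is created, so an existing `hostonly-files` with looser permissions keeps them. The body of `mark_hostonly` continues outside the hunk.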