[security] Incorrect file permissions for ccache file

[dafanasiev]

Describe the bug Only owner can read/write ccache file (when krb5 tiket cache store as local file). Currently (at least on Linux) the generated ccache file has the wrong permissions (because of umask?).

To Reproduce

var client = new KerberosClient(new Krb5Config
{
    Defaults =
    {
        DnsLookupKdc = false,
        DefaultCCacheName = "FILE:/tmp/ccache.test",   // file not exists
    },
})
{
    CacheInMemory = false
};

var kerbCred = new KerberosPasswordCredential("[email protected]", "password", "company.corp");

client.PinKdc("company.corp", "dc.company.corp");
await client.Authenticate(kerbCred);

// see in shell: 
//
// # umask
// 0002
// # ls -la /tmp/ccache.test
// -rw-rw-r--  ......  /tmp/ccache.test

Additional context The same problem was previously fixed in nuget cli: https://github.com/NuGet/NuGet.Client/blob/dev/src/NuGet.Core/NuGet.Packaging/NuGetExtractionFileIO.cs

[SteveSyfuhs]

Why would we want to allow more than the owner to access the ticket cache for their own user?

[dafanasiev]

Why would we want to allow more than the owner to access the ticket cache for their own user?

No, we don't want that. Now (with umask=0002) any user can read (and any user in owner group can read-write) saved ticket. We need to set the unix file security attributes explicitly, regardless of the umask value.

See also: https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_file.c#L866-L873