config -e mode should match our other policies which ensure og-rwx /bsd.

pointed out by brynet

diff --git a/usr.sbin/config/exec_elf.c b/usr.sbin/config/exec_elf.c
index d682139..64c2ac5 100644 (file)
--- a/usr.sbin/config/exec_elf.c
+++ b/usr.sbin/config/exec_elf.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: exec_elf.c,v 1.14 2015/09/25 03:17:02 guenther Exp $ */
+/*     $OpenBSD: exec_elf.c,v 1.15 2017/06/03 23:31:37 deraadt Exp $ */
 
 /*
  * Copyright (c) 1999 Mats O Jansson.  All rights reserved.
@@ -140,7 +140,7 @@ savekernel(char *outfile)
 {
        int fd;
 
-       if ((fd = open(outfile, O_WRONLY | O_CREAT | O_TRUNC, 0755)) < 0)
+       if ((fd = open(outfile, O_WRONLY | O_CREAT | O_TRUNC, 0700)) < 0)
                err(1, "%s", outfile);
 
        if (write(fd, elf_total, (size_t)elf_size) != elf_size)