diff options
author | Frediano Ziglio <freddy77@gmail.com> | 2020-09-24 12:13:24 +0100 |
---|---|---|
committer | Frediano Ziglio <freddy77@gmail.com> | 2020-10-29 14:59:18 +0000 |
commit | ce144335ff45b16be2241c45a683cc01e0f50558 (patch) | |
tree | c6c5a2e27dfe690b78df3d97346f211eb5712d2a | |
parent | 5a2471e24ed46f2fd84241dfeb2ba68d6e4ea397 (diff) |
vdagentd: Avoid calling chmod
Create the socket with the right permissions using umask.
This also prevents possible symlink exploitation in case socket
path is not secure.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
-rw-r--r-- | src/vdagentd/vdagentd.c | 12 |
1 files changed, 2 insertions, 10 deletions
diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c index dca6980..a2b74bb 100644 --- a/src/vdagentd/vdagentd.c +++ b/src/vdagentd/vdagentd.c @@ -1208,7 +1208,9 @@ int main(int argc, char *argv[]) /* systemd socket activation not enabled, create our own */ #endif /* WITH_SYSTEMD_SOCKET_ACTIVATION */ { + mode_t mode = umask(0111); udscs_server_listen_to_address(server, vdagentd_socket, &err); + umask(mode); } if (err) { @@ -1219,16 +1221,6 @@ int main(int argc, char *argv[]) return 1; } - /* no need to set permissions on a socket that was provided by systemd */ - if (own_socket) { - if (chmod(vdagentd_socket, 0666)) { - syslog(LOG_CRIT, "Fatal could not change permissions on %s: %m", - vdagentd_socket); - udscs_destroy_server(server); - return 1; - } - } - #ifdef WITH_STATIC_UINPUT uinput = vdagentd_uinput_create(uinput_device, 1024, 768, NULL, 0, debug > 1, uinput_fake); |