
spice-vdagent-0.19.0-1.1.mga7.src.rpm

Backport of:

From f5f4506f6cb25bfd556f815565090a57296771ee Mon Sep 17 00:00:00 2001
From: Frediano Ziglio <freddy77@gmail.com>
Date: Thu, 24 Sep 2020 12:13:24 +0100
Subject: [PATCH 01/10] vdagentd: Avoid calling chmod

Create the socket with the right permissions using umask.
This also prevents possible symlink exploitation in case socket
path is not secure.

Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
 src/vdagentd/vdagentd.c | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

--- a/src/vdagentd/vdagentd.c
+++ b/src/vdagentd/vdagentd.c
@@ -1281,9 +1281,11 @@ int main(int argc, char *argv[])
     /* systemd socket activation not enabled, create our own */
 #endif /* WITH_SYSTEMD_SOCKET_ACTIVATION */
     {
+        mode_t mode = umask(0111);
         server = udscs_create_server(vdagentd_socket, agent_connect,
                                      agent_read_complete, agent_disconnect,
                                      debug);
+        umask(mode);
     }
 
     if (!server) {
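Review bot: The `umask(0111)` window added around `udscs_create_server()` is process-wide and clears only the execute bits, so anything else created inside that call (or by another thread, if one exists at this point) would also get group/other write permission, and nothing in the hunk says why that value was chosen. A comment on the new line would make the intent auditable, e.g. `/* umask 0111: socket is created 0666 at bind time, so no chmod on the path is needed afterwards */`. Because the socket stays connectable by every local user, as it was with the removed `chmod(..., 0666)`, access control presumably has to happen on the accepted connection; it is worth confirming that `agent_connect`, which is not visible here, does so. The enclosing `main` starts and ends outside the hunk.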
@@ -1297,16 +1299,6 @@ int main(int argc, char *argv[])
         return 1;
     }
 
-    /* no need to set permissions on a socket that was provided by systemd */
-    if (own_socket) {
-        if (chmod(vdagentd_socket, 0666)) {
-            syslog(LOG_CRIT, "Fatal could not change permissions on %s: %m",
-                   vdagentd_socket);
-            udscs_destroy_server(server);
-            return 1;
-        }
-    }
-
     if (do_daemonize)
         daemonize();