Backport of: From f5f4506f6cb25bfd556f815565090a57296771ee Mon Sep 17 00:00:00 2001 From: Frediano Ziglio <freddy77@gmail.com> Date: Thu, 24 Sep 2020 12:13:24 +0100 Subject: [PATCH 01/10] vdagentd: Avoid calling chmod Create the socket with the right permissions using umask. This also prevents possible symlink exploitation in case socket path is not secure. Signed-off-by: Frediano Ziglio <freddy77@gmail.com> Acked-by: Uri Lublin <uril@redhat.com> --- src/vdagentd/vdagentd.c | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) --- a/src/vdagentd/vdagentd.c +++ b/src/vdagentd/vdagentd.c @@ -1281,9 +1281,11 @@ int main(int argc, char *argv[]) /* systemd socket activation not enabled, create our own */ #endif /* WITH_SYSTEMD_SOCKET_ACTIVATION */ { + mode_t mode = umask(0111); server = udscs_create_server(vdagentd_socket, agent_connect, agent_read_complete, agent_disconnect, debug); + umask(mode); } if (!server) { @@ -1297,16 +1299,6 @@ int main(int argc, char *argv[]) return 1; } - /* no need to set permissions on a socket that was provided by systemd */ - if (own_socket) { - if (chmod(vdagentd_socket, 0666)) { - syslog(LOG_CRIT, "Fatal could not change permissions on %s: %m", - vdagentd_socket); - udscs_destroy_server(server); - return 1; - } - } - if (do_daemonize) daemonize();
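Review bot: The `umask(0111)` / `umask(mode)` pair around `udscs_create_server()` in the first hunk has no comment, and the reason for it is security-relevant, so a later cleanup could plausibly bring the `chmod()` back. I would add above `mode_t mode = umask(0111);` something like `/* The socket is created under this umask, so it gets mode 0666 at creation; a later chmod() on the path would follow a symlink. */`, assuming `udscs_create_server()` creates the socket with `bind()`, which this page does not show. umask is process-wide, so the save/restore is only safe if no other thread creates files during the call; that looks true this early in `main()`, but it is not visible here and is worth stating in the same comment. The socket remains connectable by every local user, as it was with the old `chmod(…, 0666)`, so access control rests on whatever peer checks `agent_connect` performs and on the permissions of the socket's parent directory. `main()` starts and ends outside the hunk.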