rpms / spice-vdagent

Clone
Source Code
GIT

Blame SOURCES/0009-vdagentd-Avoid-calling-chmod.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   39f53b7569f3070cb64c6cbe66cdb0c765244496
  2.   SOURCES
  3.   0009-vdagentd-Avoid-calling-chmod.patch
Blob History Raw
39f53b 
From dd46157d3faa95a12fc6f04cd2515f200e3ca465 Mon Sep 17 00:00:00 2001
39f53b 
From: Frediano Ziglio <freddy77@gmail.com>
39f53b 
Date: Thu, 24 Sep 2020 12:13:24 +0100
39f53b 
Subject: [PATCH vd_agent_linux 09/17] vdagentd: Avoid calling chmod
39f53b
39f53b 
Create the socket with the right permissions using umask.
39f53b 
This also prevents possible symlink exploitation in case socket
39f53b 
path is not secure.
39f53b
39f53b 
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
39f53b 
Acked-by: Uri Lublin <uril@redhat.com>
39f53b 
---
39f53b 
 src/vdagentd/vdagentd.c | 12 ++----------
39f53b 
 1 file changed, 2 insertions(+), 10 deletions(-)
39f53b
39f53b 
diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c
39f53b 
index 12cbbd0..eddfcf6 100644
39f53b 
--- a/src/vdagentd/vdagentd.c
39f53b 
+++ b/src/vdagentd/vdagentd.c
39f53b 
@@ -1211,7 +1211,9 @@ int main(int argc, char *argv[])
39f53b 
     /* systemd socket activation not enabled, create our own */
39f53b 
 #endif /* WITH_SYSTEMD_SOCKET_ACTIVATION */
39f53b 
     {
39f53b 
+        mode_t mode = umask(0111);
39f53b 
         udscs_server_listen_to_address(server, vdagentd_socket, &err;;
39f53b 
+        umask(mode);
39f53b 
     }
39f53b
39f53b 
     if (err) {
39f53b 
@@ -1222,16 +1224,6 @@ int main(int argc, char *argv[])
39f53b 
         return 1;
39f53b 
     }
39f53b
39f53b 
-    /* no need to set permissions on a socket that was provided by systemd */
39f53b 
-    if (own_socket) {
39f53b 
-        if (chmod(vdagentd_socket, 0666)) {
39f53b 
-            syslog(LOG_CRIT, "Fatal could not change permissions on %s: %m",
39f53b 
-                   vdagentd_socket);
39f53b 
-            udscs_destroy_server(server);
39f53b 
-            return 1;
39f53b 
-        }
39f53b 
-    }
39f53b 
-
39f53b 
 #ifdef WITH_STATIC_UINPUT
39f53b 
     uinput = vdagentd_uinput_create(uinput_device, 1024, 768, NULL, 0,
39f53b 
                                     debug > 1, uinput_fake);
39f53b 
--
39f53b 
2.26.2
39f53b

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation