rpms / spice-vdagent

Clone
Source Code
GIT

Blame SOURCES/0009-vdagentd-Avoid-calling-chmod.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   ad412c6dbd8bd25ab57e97568cb998941ff720b4
  2.   SOURCES
  3.   0009-vdagentd-Avoid-calling-chmod.patch
Blob History Raw
ad412c 
From dd46157d3faa95a12fc6f04cd2515f200e3ca465 Mon Sep 17 00:00:00 2001
ad412c 
From: Frediano Ziglio <freddy77@gmail.com>
ad412c 
Date: Thu, 24 Sep 2020 12:13:24 +0100
ad412c 
Subject: [PATCH vd_agent_linux 09/17] vdagentd: Avoid calling chmod
ad412c
ad412c 
Create the socket with the right permissions using umask.
ad412c 
This also prevents possible symlink exploitation in case socket
ad412c 
path is not secure.
ad412c
ad412c 
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
ad412c 
Acked-by: Uri Lublin <uril@redhat.com>
ad412c 
---
ad412c 
 src/vdagentd/vdagentd.c | 12 ++----------
ad412c 
 1 file changed, 2 insertions(+), 10 deletions(-)
ad412c
ad412c 
diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c
ad412c 
index 12cbbd0..eddfcf6 100644
ad412c 
--- a/src/vdagentd/vdagentd.c
ad412c 
+++ b/src/vdagentd/vdagentd.c
ad412c 
@@ -1211,7 +1211,9 @@ int main(int argc, char *argv[])
ad412c 
     /* systemd socket activation not enabled, create our own */
ad412c 
 #endif /* WITH_SYSTEMD_SOCKET_ACTIVATION */
ad412c 
     {
ad412c 
+        mode_t mode = umask(0111);
ad412c 
         udscs_server_listen_to_address(server, vdagentd_socket, &err;;
ad412c 
+        umask(mode);
ad412c 
     }
ad412c
ad412c 
     if (err) {
ad412c 
@@ -1222,16 +1224,6 @@ int main(int argc, char *argv[])
ad412c 
         return 1;
ad412c 
     }
ad412c
ad412c 
-    /* no need to set permissions on a socket that was provided by systemd */
ad412c 
-    if (own_socket) {
ad412c 
-        if (chmod(vdagentd_socket, 0666)) {
ad412c 
-            syslog(LOG_CRIT, "Fatal could not change permissions on %s: %m",
ad412c 
-                   vdagentd_socket);
ad412c 
-            udscs_destroy_server(server);
ad412c 
-            return 1;
ad412c 
-        }
ad412c 
-    }
ad412c 
-
ad412c 
 #ifdef WITH_STATIC_UINPUT
ad412c 
     uinput = vdagentd_uinput_create(uinput_device, 1024, 768, NULL, 0,
ad412c 
                                     debug > 1, uinput_fake);
ad412c 
--
ad412c 
2.26.2
ad412c

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation