|
|
ad412c |
From dd46157d3faa95a12fc6f04cd2515f200e3ca465 Mon Sep 17 00:00:00 2001
|
|
|
ad412c |
From: Frediano Ziglio <freddy77@gmail.com>
|
|
|
ad412c |
Date: Thu, 24 Sep 2020 12:13:24 +0100
|
|
|
ad412c |
Subject: [PATCH vd_agent_linux 09/17] vdagentd: Avoid calling chmod
|
|
|
ad412c |
|
|
|
ad412c |
Create the socket with the right permissions using umask.
|
|
|
ad412c |
This also prevents possible symlink exploitation in case socket
|
|
|
ad412c |
path is not secure.
|
|
|
ad412c |
|
|
|
ad412c |
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
|
|
|
ad412c |
Acked-by: Uri Lublin <uril@redhat.com>
|
|
|
ad412c |
---
|
|
|
ad412c |
src/vdagentd/vdagentd.c | 12 ++----------
|
|
|
ad412c |
1 file changed, 2 insertions(+), 10 deletions(-)
|
|
|
ad412c |
|
|
|
ad412c |
diff --git a/src/vdagentd/vdagentd.c b/src/vdagentd/vdagentd.c
|
|
|
ad412c |
index 12cbbd0..eddfcf6 100644
|
|
|
ad412c |
--- a/src/vdagentd/vdagentd.c
|
|
|
ad412c |
+++ b/src/vdagentd/vdagentd.c
|
|
|
ad412c |
@@ -1211,7 +1211,9 @@ int main(int argc, char *argv[])
|
|
|
ad412c |
/* systemd socket activation not enabled, create our own */
|
|
|
ad412c |
#endif /* WITH_SYSTEMD_SOCKET_ACTIVATION */
|
|
|
ad412c |
{
|
|
|
ad412c |
+ mode_t mode = umask(0111);
|
|
|
ad412c |
udscs_server_listen_to_address(server, vdagentd_socket, &err;;
|
|
|
ad412c |
+ umask(mode);
|
|
|
ad412c |
}
|
|
|
ad412c |
|
|
|
ad412c |
if (err) {
|
|
|
ad412c |
@@ -1222,16 +1224,6 @@ int main(int argc, char *argv[])
|
|
|
ad412c |
return 1;
|
|
|
ad412c |
}
|
|
|
ad412c |
|
|
|
ad412c |
- /* no need to set permissions on a socket that was provided by systemd */
|
|
|
ad412c |
- if (own_socket) {
|
|
|
ad412c |
- if (chmod(vdagentd_socket, 0666)) {
|
|
|
ad412c |
- syslog(LOG_CRIT, "Fatal could not change permissions on %s: %m",
|
|
|
ad412c |
- vdagentd_socket);
|
|
|
ad412c |
- udscs_destroy_server(server);
|
|
|
ad412c |
- return 1;
|
|
|
ad412c |
- }
|
|
|
ad412c |
- }
|
|
|
ad412c |
-
|
|
|
ad412c |
#ifdef WITH_STATIC_UINPUT
|
|
|
ad412c |
uinput = vdagentd_uinput_create(uinput_device, 1024, 768, NULL, 0,
|
|
|
ad412c |
debug > 1, uinput_fake);
|
|
|
ad412c |
--
|
|
|
ad412c |
2.26.2
|
|
|
ad412c |
|