Explicitly restrict socket permissions.

* agent/gpg-agent.c (create_server_socket): Call chmod before listen. * scd/scdaemon.c (create_server_socket): Ditto. * dirmngr/dirmngr.c (main): Ditto. -- This is just in case of a improperly set umask. Note that a connect requires a write permissions.
author: Werner Koch <[email protected]> 2016-06-08 14:18:02 +0000
committer: Werner Koch <[email protected]> 2016-06-08 14:18:02 +0000
commit: 8127043d549a5843ea1ba2dc6da4906fc2258d53 (patch)
tree: c6b126885f2d3b1ee15b9e53009ec75f5cf86cf8
parent: w32: Fix recent build regression. (diff)
download: gnupg-8127043d549a5843ea1ba2dc6da4906fc2258d53.tar.gz
gnupg-8127043d549a5843ea1ba2dc6da4906fc2258d53.zip
4 files changed, 13 insertions, 1 deletions
diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index 538ff0874..90b0eaf35 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -1865,6 +1865,10 @@ create_server_socket (char *name, int primary, int cygwin,
       agent_exit (2);
     }
 
+  if (gnupg_chmod (unaddr->sun_path, "-rwx"))
+    log_error (_("can't set permissions of '%s': %s\n"),
+               unaddr->sun_path, strerror (errno));
+
   if (listen (FD2INT(fd), 5 ) == -1)
     {
       log_error (_("listen() failed: %s\n"), strerror (errno));
diff --git a/common/sysutils.c b/common/sysutils.c
index d82eb8e26..0f7b7f5cf 100644
--- a/common/sysutils.c
+++ b/common/sysutils.c
@@ -628,7 +628,7 @@ gnupg_mkdir (const char *name, const char *modestr)
 }
 
 
-/* A wrapper around mkdir which takes a string for the mode argument.
+/* A wrapper around chmod which takes a string for the mode argument.
    This makes it easier to handle the mode argument which is not
    defined on all systems.  The format of the modestring is the same
    as for gnupg_mkdir.  */
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index bc71a4072..7e629db96 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -1183,6 +1183,10 @@ main (int argc, char **argv)
         }
       cleanup_socket = 1;
 
+      if (gnupg_chmod (serv_addr.sun_path, "-rwx"))
+        log_error (_("can't set permissions of '%s': %s\n"),
+                   serv_addr.sun_path, strerror (errno));
+
       if (listen (FD2INT (fd), 5) == -1)
         {
           log_error (_("listen() failed: %s\n"), strerror (errno));
diff --git a/scd/scdaemon.c b/scd/scdaemon.c
index 8303acc3c..9c11cad46 100644
--- a/scd/scdaemon.c
+++ b/scd/scdaemon.c
@@ -1112,6 +1112,10 @@ create_server_socket (const char *name, char **r_redir_name,
       scd_exit (2);
     }
 
+  if (gnupg_chmod (unaddr->sun_path, "-rwx"))
+    log_error (_("can't set permissions of '%s': %s\n"),
+               unaddr->sun_path, strerror (errno));
+
   if (listen (FD2INT(fd), 5 ) == -1)
     {
       log_error (_("listen() failed: %s\n"),
author	Werner Koch <[email protected]>	2016-06-08 14:18:02 +0000
committer	Werner Koch <[email protected]>	2016-06-08 14:18:02 +0000
commit	8127043d549a5843ea1ba2dc6da4906fc2258d53 (patch)
tree	c6b126885f2d3b1ee15b9e53009ec75f5cf86cf8
parent	w32: Fix recent build regression. (diff)
download	gnupg-8127043d549a5843ea1ba2dc6da4906fc2258d53.tar.gz gnupg-8127043d549a5843ea1ba2dc6da4906fc2258d53.zip