[Pkg-gnupg-commit] [gnupg2] 65/102: Explicitly restrict socket permissions.

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jun 17 00:14:55 UTC 2016


This is an automated email from the git hooks/post-receive script.

dkg pushed a commit to branch experimental
in repository gnupg2.

commit 8127043d549a5843ea1ba2dc6da4906fc2258d53
Author: Werner Koch <wk at gnupg.org>
Date:   Wed Jun 8 16:18:02 2016 +0200

    Explicitly restrict socket permissions.
    
    * agent/gpg-agent.c (create_server_socket): Call chmod before listen.
    * scd/scdaemon.c (create_server_socket): Ditto.
    * dirmngr/dirmngr.c (main): Ditto.
    --
    
    This is just in case of an improperly set umask.  Note that a connect
    requires write permission.
---
 agent/gpg-agent.c | 4 ++++
 common/sysutils.c | 2 +-
 dirmngr/dirmngr.c | 4 ++++
 scd/scdaemon.c    | 4 ++++
 4 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index 538ff08..90b0eaf 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -1865,6 +1865,10 @@ create_server_socket (char *name, int primary, int cygwin,
       agent_exit (2);
     }
 
+  if (gnupg_chmod (unaddr->sun_path, "-rwx"))
+    log_error (_("can't set permissions of '%s': %s\n"),
+               unaddr->sun_path, strerror (errno));
+
   if (listen (FD2INT(fd), 5 ) == -1)
     {
       log_error (_("listen() failed: %s\n"), strerror (errno));
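Review bot: A failing `gnupg_chmod` is only logged here and control falls through to `listen()`, so the socket goes live with whatever mode the umask produced, which is the case this commit is meant to guard against. The preceding error path visible in the hunk ends in `agent_exit (2);`, so consider bracing the `log_error` call and adding `agent_exit (2);` after it, unless a soft failure is needed on platforms where chmod on the socket path cannot succeed. A one-line comment such as `/* Restrict the socket before listen(); connect() needs write permission on it. */` would record why the call sits at this point. The same applies to the identical additions in dirmngr/dirmngr.c and scd/scdaemon.c (the latter shows `scd_exit (2);` on its neighbouring path). create_server_socket starts and ends outside this hunk.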
diff --git a/common/sysutils.c b/common/sysutils.c
index d82eb8e..0f7b7f5 100644
--- a/common/sysutils.c
+++ b/common/sysutils.c
@@ -628,7 +628,7 @@ gnupg_mkdir (const char *name, const char *modestr)
 }
 
 
-/* A wrapper around mkdir which takes a string for the mode argument.
+/* A wrapper around chmod which takes a string for the mode argument.
    This makes it easier to handle the mode argument which is not
    defined on all systems.  The format of the modestring is the same
    as for gnupg_mkdir.  */
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index bc71a40..7e629db 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -1183,6 +1183,10 @@ main (int argc, char **argv)
         }
       cleanup_socket = 1;
 
+      if (gnupg_chmod (serv_addr.sun_path, "-rwx"))
+        log_error (_("can't set permissions of '%s': %s\n"),
+                   serv_addr.sun_path, strerror (errno));
+
       if (listen (FD2INT (fd), 5) == -1)
         {
           log_error (_("listen() failed: %s\n"), strerror (errno));
diff --git a/scd/scdaemon.c b/scd/scdaemon.c
index 8303acc..9c11cad 100644
--- a/scd/scdaemon.c
+++ b/scd/scdaemon.c
@@ -1112,6 +1112,10 @@ create_server_socket (const char *name, char **r_redir_name,
       scd_exit (2);
     }
 
+  if (gnupg_chmod (unaddr->sun_path, "-rwx"))
+    log_error (_("can't set permissions of '%s': %s\n"),
+               unaddr->sun_path, strerror (errno));
+
   if (listen (FD2INT(fd), 5 ) == -1)
     {
       log_error (_("listen() failed: %s\n"),

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git


