p11-kit server socket permission question

Daiki Ueno ueno at gnu.org
Tue Jan 31 08:52:21 UTC 2023

Hello Benjamin,

Benjamin Herrenschmidt <benh at kernel.crashing.org> writes:

> I noticed p11-kit server does an unconditional umask(066) when creating
> the server socket.
> This means that even when specifying a group, the socket ends up
> without group read or group write permission (funnily enough it does
> have execute permission) for that group.
> So we do end up doing a "chown()" to set the group of the socket, but
> we still can't access it from this user or group unless it's
> explicitely chmod'd.
> Is this intentional ?
> Additionally, we do this:
> 	if (uid != -1 && gid != -1) {
> 		rc = chown (socket_file, uid, gid);
> Shouldn't this be a || instead of && ? Ie, allow to set either uid, gid
> or both ? Right now if I specify only one, we don't get a chown at all.
> Would this (yet untested) patch make sense ? I'll be testing it later
> this week and send a patch here or a github PR, whatever is preferred,
> but first maybe let me know if I'm completely off here ?

Thank you for the patch!  The proposed change looks sensible to me.  I
can trigger the CI and give it a formal review once a PR is opened.

Daiki Ueno

More information about the p11-glue mailing list