p11-kit server socket permission question
Daiki Ueno
ueno at gnu.org
Tue Jan 31 08:52:21 UTC 2023
Hello Benjamin,
Benjamin Herrenschmidt <benh at kernel.crashing.org> writes:
> I noticed p11-kit server does an unconditional umask(066) when creating
> the server socket.
>
> This means that even when specifying a group, the socket ends up
> without group read or group write permission (funnily enough it does
> have execute permission) for that group.
>
> So we do end up doing a "chown()" to set the group of the socket, but
> we still can't access it from this user or group unless it's
> explicitely chmod'd.
>
> Is this intentional ?
>
> Additionally, we do this:
>
> if (uid != -1 && gid != -1) {
> rc = chown (socket_file, uid, gid);
>
> Shouldn't this be a || instead of && ? Ie, allow to set either uid, gid
> or both ? Right now if I specify only one, we don't get a chown at all.
>
> Would this (yet untested) patch make sense ? I'll be testing it later
> this week and send a patch here or a github PR, whatever is preferred,
> but first maybe let me know if I'm completely off here ?
Thank you for the patch! The proposed change looks sensible to me. I
can trigger the CI and give it a formal review once a PR is opened.
Regards,
--
Daiki Ueno
More information about the p11-glue
mailing list