From: Lennart Poettering
Date: Wed, 3 Jun 2026 10:10:49 +0000 (+0200)
Subject: tree-wide: relax access mode of private Varlink sockets a bit
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=941a9ff40cabd28bdb52aee6ea339f754c050897;p=thirdparty%2Fsystemd.git
tree-wide: relax access mode of private Varlink sockets a bit
---
diff --git a/src/libsystemd/sd-varlink/sd-varlink.c b/src/libsystemd/sd-varlink/sd-varlink.c
index 9f06f692655..048dbb47472 100644
--- a/src/libsystemd/sd-varlink/sd-varlink.c
+++ b/src/libsystemd/sd-varlink/sd-varlink.c
@@ -3452,6 +3452,13 @@ _public_ int sd_varlink_server_listen_fd(sd_varlink_server *s, int fd) {
 return 0;
 }
+static mode_t default_listen_mode(sd_varlink_server_flags_t flags) {
+ /* NB: we use 0644 rather than 0600 here, because it's the "w" flag that controls connect()
+ * privileges, but leaving the "r" flag on allows others to read our xattrs, which is good because it
+ * makes our sockets recognizable as varlink, even if not connectible. */
+ return (flags & (SD_VARLINK_SERVER_ROOT_ONLY|SD_VARLINK_SERVER_MYSELF_ONLY)) != 0 ? 0644 : 0666;
+}
+
 _public_ int sd_varlink_server_listen_address(sd_varlink_server *s, const char *address, mode_t m) {
 _cleanup_(varlink_server_socket_freep) VarlinkServerSocket *ss = NULL;
 union sockaddr_union sockaddr;
@@ -3461,6 +3468,12 @@ _public_ int sd_varlink_server_listen_address(sd_varlink_server *s, const char *
 assert_return(s, -EINVAL);
 assert_return(address, -EINVAL);
+
+ /* NB: we resolve m being MODE_INVALID before checking SD_VARLINK_SERVER_MODE_MKDIR_0755, since that
+ * flag is not defined for MODE_INVALID (if we'd check we'd see it always set...) */
+ if (m == MODE_INVALID)
+ m = default_listen_mode(s->flags);
+
 assert_return((m & ~(0777|SD_VARLINK_SERVER_MODE_MKDIR_0755)) == 0, -EINVAL);
 /* Validate that the definition of our flag doesn't collide with the official mode_t bits. Thankfully
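Review bot: The comment in default_listen_mode() presents the missing "w" bit as what keeps others from connecting, but it does not say whether the file mode is the only gate for a SD_VARLINK_SERVER_ROOT_ONLY or SD_VARLINK_SERVER_MYSELF_ONLY server. A reader could therefore take 0644 to be the whole access policy. If the server also checks the peer's credentials when it accepts a connection (not visible in this hunk), the comment should say so, for example `/* The mode only limits who may connect(); the flags are still enforced against the peer credentials of every accepted connection. */`. If no such check exists, the comment should state that the mode is the sole barrier, because the socket is now visible and stat-able by every local user.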
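Review bot: sd_varlink_server_listen_address() is `_public_`, and the added `if (m == MODE_INVALID)` branch makes a new sentinel part of its contract, yet none of the files in this diff is documentation. MODE_INVALID looks like an internal macro, so callers outside the tree need to be told which value to pass (presumably `(mode_t) -1`). They also need to know that it selects 0644 or 0666 from the server flags and cannot be combined with SD_VARLINK_SERVER_MODE_MKDIR_0755; a sentence to that effect belongs in the API documentation of this function. The function body continues past the end of the hunk, so how the resolved mode is applied to the socket is not visible here.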
@@ -3636,7 +3649,7 @@ _public_ int sd_varlink_server_listen_auto(sd_varlink_server *s) {
 if (streq(e, "-"))
 r = sd_varlink_server_add_connection_stdio(s, /* ret= */ NULL);
 else
- r = sd_varlink_server_listen_address(s, e, FLAGS_SET(s->flags, SD_VARLINK_SERVER_ROOT_ONLY) ? 0600 : 0666);
+ r = sd_varlink_server_listen_address(s, e, default_listen_mode(s->flags));
 if (r < 0)
 return r;
diff --git a/src/udev/udev-varlink.c b/src/udev/udev-varlink.c
index 355e5a78605..183265fc535 100644
--- a/src/udev/udev-varlink.c
+++ b/src/udev/udev-varlink.c
@@ -189,7 +189,7 @@ int manager_start_varlink_server(Manager *manager, int fd) {
 return log_error_errno(r, "Failed to attach Varlink connection to event loop: %m");
 if (fd < 0)
- r = sd_varlink_server_listen_address(v, UDEV_VARLINK_ADDRESS, 0600);
+ r = sd_varlink_server_listen_address(v, UDEV_VARLINK_ADDRESS, 0644);
 else
 r = sd_varlink_server_listen_fd(v, fd);
 if (r < 0)
diff --git a/src/vmspawn/vmspawn-varlink.c b/src/vmspawn/vmspawn-varlink.c
index 57230c8e8f4..b75b8daa994 100644
--- a/src/vmspawn/vmspawn-varlink.c
+++ b/src/vmspawn/vmspawn-varlink.c
@@ -551,7 +551,7 @@ int vmspawn_varlink_setup(
 if (!listen_address)
 return log_oom();
- r = sd_varlink_server_listen_address(ctx->varlink_server, listen_address, 0600);
+ r = sd_varlink_server_listen_address(ctx->varlink_server, listen_address, 0644);
 if (r < 0)
 return log_error_errno(r, "Failed to listen on %s: %m", listen_address);
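Review bot: The commit subject speaks only of relaxing modes, yet sd_varlink_server_listen_auto() also tightens one case that the message does not mention. A server with SD_VARLINK_SERVER_MYSELF_ONLY but without SD_VARLINK_SERVER_ROOT_ONLY got 0666 from the removed ternary and now gets 0644 from default_listen_mode(). That is the safer direction, but it is a behaviour change for any client that connected to such a socket from another UID. It deserves a line in the commit message, so that someone chasing a connect() permission failure can find it. The function starts and ends outside the hunk.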
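Review bot: The literal 0644 in manager_start_varlink_server() (src/udev/udev-varlink.c) and in vmspawn_varlink_setup() (src/vmspawn/vmspawn-varlink.c) repeats the value chosen in default_listen_mode() without its rationale, so the three places can drift apart. Since sd_varlink_server_listen_address() now resolves MODE_INVALID itself, both calls could pass `MODE_INVALID` instead. That is only safe if each server is created with SD_VARLINK_SERVER_ROOT_ONLY or SD_VARLINK_SERVER_MYSELF_ONLY; the flags are set outside these hunks, and without one of them the default would be 0666. If the literal stays, add `/* 0644: others may read the xattrs but cannot connect(), see default_listen_mode() */` next to each call.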