From 63b9b9e9aacb6e0a6d7f605713cb9df1a1eb8e27 Mon Sep 17 00:00:00 2001 From: Pascal Delalande Date: Tue, 5 Dec 2017 22:42:57 +0100 Subject: [PATCH] unix-socket: socket permission update So far, the suricata socket suricata-command.socket has the rights rw-r----- suricata:user. When suricata is used with restricted access, an other application (suricatasc like) that needs to access to the command socket also with restricted access can not write to the socket since it is not the owner (e.g suricata within container, with an hardened value for umask and hardened rights for users). The socket should be set as rw-rw----. Use chmod instead of fchmod and set it after the socket creation. --- src/unix-manager.c | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/src/unix-manager.c b/src/unix-manager.c index 91b5937886..6a91b4ed23 100644 --- a/src/unix-manager.c +++ b/src/unix-manager.c @@ -168,19 +168,6 @@ static int UnixNew(UnixCommand * this) } this->select_max = this->socket + 1; -#if !(defined OS_FREEBSD || defined __OpenBSD__) - /* Set file mode: will not fully work on most system, the group - * permission is not changed on some Linux. *BSD won't do the - * chmod: it returns EINVAL when calling fchmod on sockets. */ - ret = fchmod(this->socket, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP); - if (ret == -1) { - int err = errno; - SCLogWarning(SC_ERR_INITIALIZATION, - "Unable to change permission on socket: %s (%d)", - strerror(err), - err); - } -#endif /* set reuse option */ ret = setsockopt(this->socket, SOL_SOCKET, SO_REUSEADDR, (char *) &on, sizeof(on)); 
@@ -198,6 +185,20 @@ static int UnixNew(UnixCommand * this) return 0; } +#if !(defined OS_FREEBSD || defined __OpenBSD__) + /* Set file mode: will not fully work on most system, the group + * permission is not changed on some Linux. *BSD won't do the + * chmod: it returns EINVAL when calling chmod on sockets. */ + ret = chmod(sockettarget, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP); + if (ret == -1) { + int err = errno; + SCLogWarning(SC_ERR_INITIALIZATION, + "Unable to change permission on socket: %s (%d)", + strerror(err), + err); + } +#endif + /* listen */ if (listen(this->socket, 1) == -1) { SCLogWarning(SC_ERR_INITIALIZATION, -- 2.47.2
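Review bot: The new chmod() on `sockettarget` runs only after bind() has already created the socket file, so there is a window in which the socket exists with whatever mode the process umask produced, and because chmod(2) resolves the path rather than the descriptor the old fchmod() used, a symlink swapped in at `sockettarget` between bind() and chmod() (possible if the socket directory is writable by another user) would make Suricata change the mode of some other file it owns. A race-free way to end up with rw-rw---- is to narrow the umask around bind() instead, `mode_t old_mask = umask(S_IXUSR | S_IXGRP | S_IRWXO);` before the bind() call and `umask(old_mask);` immediately after it, keeping the chmod() only as a fallback; umask is process-wide, so this assumes UnixNew runs during single-threaded initialization, which is worth confirming. The comment carried over from the removed block is now stale: it still says the mode change "will not fully work on most system" and that *BSD "returns EINVAL", both of which described fchmod() on a socket descriptor, whereas chmod(2) on the path of a bound socket should behave normally on Linux and, as far as I know, on FreeBSD and OpenBSD as well, so the `#if !(defined OS_FREEBSD || defined __OpenBSD__)` guard probably excludes those platforms for no reason now and the comment should be rewritten to say why the chmod happens after bind(). UnixNew starts before this hunk and continues past it.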