From a996a0fc32b89c914ba8728bf8738476e23cd4b9 Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Thu, 1 Feb 2018 18:00:57 -0600
Subject: [PATCH] Security: make sure socket file and directory has configurable permissions
---
 program/sessionize_accounts/source/bash/sessionize_accounts.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/program/sessionize_accounts/source/bash/sessionize_accounts.sh b/program/sessionize_accounts/source/bash/sessionize_accounts.sh
index a92c756..68adb79 100644
--- a/program/sessionize_accounts/source/bash/sessionize_accounts.sh
+++ b/program/sessionize_accounts/source/bash/sessionize_accounts.sh
@@ -30,6 +30,8 @@ main() {
 local path_pids="/programs/run/sessionize_accounts/"
 local path_socket_directory="/programs/sockets/sessionize_accounts/"
 local path_socket_name="sessions.socket"
+ local path_socket_directory_mask="u+rwx,g+rx,o-rwx"
+ local path_socket_name_mask="ugo+rw-x"
 local parameter_system=$2
 local sa_systems=
 local i=
@@ -270,7 +272,7 @@ start_command() {
 # guarantee that the '$process_group' has read and execute only access to the directory, deny world access.
 chgrp $process_group $path_socket_directory/$sa_system/
- chmod u+rwx,g+rx,o-rwx $path_socket_directory/$sa_system/
+ chmod $path_socket_directory_mask $path_socket_directory/$sa_system/
 # make sure no session socket already exists before starting.
 # this assumes that the pid file has already been checked and therefore no existing process is using the socket file (aka: assume this is a stale socket file).
@@ -286,9 +288,9 @@ start_command() {
 result=$?
 fi
- # make sure the socket can be written to.
+ # make sure the socket has the desired permissions.
 if [[ -e $path_socket_directory/$sa_system/$path_socket_name ]] ; then
- chmod ugo+w $path_socket_directory/$sa_system/$path_socket_name
+ chmod $path_socket_name_mask $path_socket_directory/$sa_system/$path_socket_name
 fi
 if [[ $result -ne 0 ]] ; then
--
1.8.3.1
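Review bot: The default `path_socket_directory_mask="u+rwx,g+rx,o-rwx"` is a relative symbolic mode, so it never clears a group-write bit the directory already carries, and the "read and execute only" guarantee stated by the comment in the start_command hunk does not hold. An absolute form such as `local path_socket_directory_mask="u=rwx,g=rx,o="` pins the result regardless of umask or prior state. Both masks are plain `local` assignments here; the subject says configurable, but no override path is visible in this hunk, so a comment naming where they are meant to be set would help. main() continues outside the hunk.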
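Review bot: `$path_socket_directory_mask` and the path are expanded unquoted in the new `chmod`, so now that the mode is a variable, an empty or space-containing value shifts the arguments and chmod either fails or applies something other than the intended mode; quote both: `chmod "$path_socket_directory_mask" "$path_socket_directory/$sa_system/"`. Nothing visible in the hunk checks the exit status of `chgrp` or `chmod`, so a failure would leave the directory with whatever mode it was created with while startup continues; treating a failure here as a start error would make this fail closed. The same quoting applies to the socket `chmod` in the last hunk. start_command() starts and ends outside the hunk.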
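Review bot: With the default `path_socket_name_mask` of `ugo+rw-x`, this `chmod` makes the socket world-readable and world-writable, where the old line only added write, so access control rests entirely on the parent directory's `o-rwx` having been applied successfully. If only the owner and `$process_group` are meant to connect (an assumption drawn from the directory comment), a default of `ug+rw,o-rwx` keeps the socket closed should the directory mode ever be loosened. The mode is also applied only after the socket file exists, so its creation-time permissions come from the process umask; a comment stating that the directory mode is what protects that window would document the dependency. The enclosing block continues outside the hunk.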