Re: [devel] [PATCH 1/1] osaf: Set sticky bit for socket and pipe files [#2953]

2018-11-09 Thread Hans Nordebäck 
Hi Minh,

the "sticky" bit here is in fact  the "restricted deletion bit", it is 
used on directories,

e.g. the /tmp directory where several users have r/w access but when the 
't' bit is

set only the file owners may delete its files. It should not be set on 
files only directories

and I don't think it is need here. /Thanks HansN

On 11/5/18 09:56, Minh Anh Du wrote:
> There are files, sockets and pipes have world writable permission,
> but only root user and owner should be able to create/delete
> these files. Sticky bit should be set for these sockets and pipes
> for security reason.
> ---
>   src/base/daemon.c   | 2 +-
>   src/base/osaf_secutil.c | 2 +-
>   src/dtm/transport/log_server.cc | 2 +-
>   src/nid/agent/nid_ipc.c | 2 +-
>   4 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/src/base/daemon.c b/src/base/daemon.c
> index cdde7fd..50ddc50 100644
> --- a/src/base/daemon.c
> +++ b/src/base/daemon.c
> @@ -162,7 +162,7 @@ static void create_fifofile(const char *fifofile)
>   
>   mask = umask(0);
>   
> - if (mkfifo(fifofile, 0666) == -1) {
> + if (mkfifo(fifofile, 01666) == -1) {
>   if (errno == EEXIST) {
>   syslog(LOG_INFO, "mkfifo already exists: %s %s",
>  fifofile, strerror(errno));
> diff --git a/src/base/osaf_secutil.c b/src/base/osaf_secutil.c
> index 0e175c9..71e512a 100644
> --- a/src/base/osaf_secutil.c
> +++ b/src/base/osaf_secutil.c
> @@ -147,7 +147,7 @@ static int server_sock_create(const char *pathname)
>   }
>   
>   /* Connecting to the socket object requires read/write permission. */
> - if (chmod(pathname, 0777) == -1) {
> + if (chmod(pathname, 01777) == -1) {
>   LOG_ER("%s: chmod failed - %s", __FUNCTION__, strerror(errno));
>   return -1;
>   }
> diff --git a/src/dtm/transport/log_server.cc b/src/dtm/transport/log_server.cc
> index bef1f07..866fe59 100644
> --- a/src/dtm/transport/log_server.cc
> +++ b/src/dtm/transport/log_server.cc
> @@ -35,7 +35,7 @@ LogServer::LogServer(int term_fd)
> max_backups_{9},
> max_file_size_{5 * 1024 * 1024},
> log_socket_{Osaflog::kServerSocketPath, 
> base::UnixSocket::kNonblocking,
> -  0777},
> +  01777},
> log_streams_{},
> current_stream_{new LogStream{kMdsLogStreamName, 1, 5 * 1024 * 1024}},
> no_of_log_streams_{1} {
> diff --git a/src/nid/agent/nid_ipc.c b/src/nid/agent/nid_ipc.c
> index 172063a..eae8de3 100644
> --- a/src/nid/agent/nid_ipc.c
> +++ b/src/nid/agent/nid_ipc.c
> @@ -66,7 +66,7 @@ uint32_t nid_create_ipc(char *strbuf)
>   mask = umask(0);
>   
>   /* Create nid fifo */
> - if (mkfifo(NID_FIFO, 0666) < 0) {
> + if (mkfifo(NID_FIFO, 01666) < 0) {
>   sprintf(strbuf, " FAILURE: Unable To Create FIFO Error:%s\n",
>   strerror(errno));
>   umask(mask);

___
Opensaf-devel mailing list
Opensaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensaf-devel

[devel] [PATCH 1/1] osaf: Set sticky bit for socket and pipe files [#2953]

2018-11-05 Thread Minh Anh Du 
There are files, sockets and pipes have world writable permission,
but only root user and owner should be able to create/delete
these files. Sticky bit should be set for these sockets and pipes
for security reason.
---
 src/base/daemon.c   | 2 +-
 src/base/osaf_secutil.c | 2 +-
 src/dtm/transport/log_server.cc | 2 +-
 src/nid/agent/nid_ipc.c | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/base/daemon.c b/src/base/daemon.c
index cdde7fd..50ddc50 100644
--- a/src/base/daemon.c
+++ b/src/base/daemon.c
@@ -162,7 +162,7 @@ static void create_fifofile(const char *fifofile)
 
mask = umask(0);
 
-   if (mkfifo(fifofile, 0666) == -1) {
+   if (mkfifo(fifofile, 01666) == -1) {
if (errno == EEXIST) {
syslog(LOG_INFO, "mkfifo already exists: %s %s",
   fifofile, strerror(errno));
diff --git a/src/base/osaf_secutil.c b/src/base/osaf_secutil.c
index 0e175c9..71e512a 100644
--- a/src/base/osaf_secutil.c
+++ b/src/base/osaf_secutil.c
@@ -147,7 +147,7 @@ static int server_sock_create(const char *pathname)
}
 
/* Connecting to the socket object requires read/write permission. */
-   if (chmod(pathname, 0777) == -1) {
+   if (chmod(pathname, 01777) == -1) {
LOG_ER("%s: chmod failed - %s", __FUNCTION__, strerror(errno));
return -1;
}
diff --git a/src/dtm/transport/log_server.cc b/src/dtm/transport/log_server.cc
index bef1f07..866fe59 100644
--- a/src/dtm/transport/log_server.cc
+++ b/src/dtm/transport/log_server.cc
@@ -35,7 +35,7 @@ LogServer::LogServer(int term_fd)
   max_backups_{9},
   max_file_size_{5 * 1024 * 1024},
   log_socket_{Osaflog::kServerSocketPath, base::UnixSocket::kNonblocking,
-  0777},
+  01777},
   log_streams_{},
   current_stream_{new LogStream{kMdsLogStreamName, 1, 5 * 1024 * 1024}},
   no_of_log_streams_{1} {
diff --git a/src/nid/agent/nid_ipc.c b/src/nid/agent/nid_ipc.c
index 172063a..eae8de3 100644
--- a/src/nid/agent/nid_ipc.c
+++ b/src/nid/agent/nid_ipc.c
@@ -66,7 +66,7 @@ uint32_t nid_create_ipc(char *strbuf)
mask = umask(0);
 
/* Create nid fifo */
-   if (mkfifo(NID_FIFO, 0666) < 0) {
+   if (mkfifo(NID_FIFO, 01666) < 0) {
sprintf(strbuf, " FAILURE: Unable To Create FIFO Error:%s\n",
strerror(errno));
umask(mask);
-- 
2.7.4



___
Opensaf-devel mailing list
Opensaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensaf-devel