From 7f7436cf627f394c8c43b42d16b6de918b4ddad8 Mon Sep 17 00:00:00 2001 From: luk3yx Date: Mon, 8 Feb 2021 18:28:38 +1300 Subject: [PATCH] Check directory permissions before making socket world-writable --- lurkcoin/api/config.go | 9 ++++++++- lurkcoin/misc.go | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/lurkcoin/api/config.go b/lurkcoin/api/config.go index 0ed2c83..62797e8 100644 --- a/lurkcoin/api/config.go +++ b/lurkcoin/api/config.go @@ -28,6 +28,7 @@ import ( "net" "net/http" "os" + "path/filepath" "strings" ) @@ -151,8 +152,14 @@ func StartServer(config *Config) { } // Remove any socket file that already exists + var changeSocketPermissions bool if networkProtocol == "unix" { os.Remove(address) + + // Only call chmod if no other users can write to the directory + if stat, err := os.Stat(filepath.Dir(address)); err == nil { + changeSocketPermissions = stat.Mode() & 022 == 0 + } } // Bind to the address @@ -163,7 +170,7 @@ func StartServer(config *Config) { } // Change permissions on the UNIX socket - if networkProtocol == "unix" { + if changeSocketPermissions { if err := os.Chmod(address, 0777); err != nil { log.Fatal(err) } diff --git a/lurkcoin/misc.go b/lurkcoin/misc.go index 2ceb064..2df3191 100644 --- a/lurkcoin/misc.go +++ b/lurkcoin/misc.go @@ -35,7 +35,7 @@ import ( ) const SYMBOL = "ยค" -const VERSION = "3.0.8" +const VERSION = "3.0.9" // Note that public source code is required by the AGPL const SOURCE_URL = "https://github.com/luk3yx/lurkcoin-core"