[Midnightbsd-cvs] [MidnightBSD/src] 60796f: prowld: harden runtime directory and file creation...
Lucas Holt
noreply at github.com
Sun Apr 19 00:11:46 EDT 2026
Branch: refs/heads/master
Home: https://github.com/MidnightBSD/src
Commit: 60796f6ea7dee5333a1e94c5a0f803ca752bf1a2
https://github.com/MidnightBSD/src/commit/60796f6ea7dee5333a1e94c5a0f803ca752bf1a2
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-04-19 (Sun, 19 Apr 2026)
Changed paths:
M sbin/prowld/ipc.c
M sbin/prowld/prowld.c
Log Message:
-----------
prowld: harden runtime directory and file creation against hijack attacks
A local user who pre-creates /tmp/prowld before the fallback path is used
could retain directory ownership and place symlinks (prowld.pid, prowld.sock,
notify/<label>, ...) that redirect root writes to arbitrary files.
Four targeted fixes:
1. Replace make_dir() with secure_mkdir() in prowld.c.
When mkdir(2) returns EEXIST, lstat(2) (not stat) validates the existing
entry: it must be a real directory, owned by root (uid 0), and have no
group or other write bits. A symlink, non-root-owned directory, or
world-writable directory is rejected with LOG_ERR.
2. ensure_dirs() now aborts (exit(1)) if the run dir or its /tmp/prowld
fallback cannot be safely created or validated. Previously EEXIST was
silently accepted, making the fallback an easy hijack target.
3. write_pidfile() replaces fopen("w") with
open(O_WRONLY|O_CREAT|O_TRUNC|O_NOFOLLOW) so a symlink at g_pid_path
is refused rather than followed.
4. ipc_init() replaces path-based chmod()/chown() with fd-based fchmod()/
fchown() on the socket fd returned by socket(2). The path-based calls
had a TOCTOU window between bind(2) and the permission update; the
fd-based calls close that race entirely.
AI-Assisted-by: Claude Sonnet 4.6
To unsubscribe from these emails, change your notification settings at https://github.com/MidnightBSD/src/settings/notifications
More information about the Midnightbsd-cvs
mailing list