Subject: Re: Are permissions of local sockets correct?
To: None <tls@rek.tjls.com>
From: Julio M. Merino Vidal <jmmv84@gmail.com>
List: tech-kern
Date: 08/22/2005 21:32:52
On 8/22/05, Thor Lancelot Simon <tls@rek.tjls.com> wrote:
> On Sun, Aug 21, 2005 at 11:25:56PM +0200, Julio M. Merino Vidal wrote:
> > Hi all,
> >
> > while trying gamin (a file alteration monitor, like fam), I found that it
> > refuses to work because it detects that the local sockets it creates
> > have "too much permissions" (that is, 777).
> >
> > As I see in our code, local sockets are always created with this
> > mode, regardless of the user's umask.  Is this correct?  And if so,
> > why?
>
> Because that's how BSD Unix always did it.
>
> The portable solution for restricting access to a Unix domain socket is
> to put it in a directory with appropriate permissions.

Aha; thanks for the explanation.

In fact, gamin is doing so.  It creates a directory with 700 permissions
and then creates the socket inside it.  I don't know wtf makes it barf
later on when it sees that the socket has 777 permissions, given that
it has done things right.

>  However, there
> is code floating around out there that expects sockets to be created
> with appropriate modes (respecting the umask) and I see no harm at all
> in causing our implementation to work that way.  I suggest that you do
> so.

Yeah, sounds reasonable.  But IMHO, we should explain somewhere
(bind(2) ?) that this is not how things should be done (I'll do this change
too if I commit the "fix").

-- 
Julio M. Merino Vidal <jmmv84@gmail.com>
http://www.livejournal.com/users/jmmv/
The NetBSD Project - http://www.NetBSD.org/