service: restrict socket permissions to 0600

Change the service socket permissions from 0666 (world-accessible)
to 0600 (owner-only) to prevent unauthorized local users from
connecting to the CRIU service socket.

Print a message informing the administrator that the socket is
restricted and that chmod should be used to widen access if needed.

Assisted-by: Claude Code (claude-opus-4-6):claude-opus-4-6@default

Generated with Claude Code (https://claude.ai/code)

Signed-off-by: Adrian Reber <areber@redhat.com>
This commit is contained in:
Adrian Reber 2026-05-21 12:35:13 +00:00 committed by Andrei Vagin
parent 341c9fa7de
commit 339db9fd46

View file

@ -1534,12 +1534,16 @@ int cr_service(bool daemon_mode)
pr_info("The service socket is bound to %s\n", server_addr.sun_path);
/* change service socket permissions, so anyone can connect to it */
if (chmod(server_addr.sun_path, 0666)) {
/* restrict service socket permissions to owner only */
if (chmod(server_addr.sun_path, 0600)) {
pr_perror("Can't change permissions of the service socket");
goto err;
}
pr_msg("Service socket %s has permissions 0600. "
"Use chmod to make it accessible to other users if needed.\n",
server_addr.sun_path);
if (listen(server_fd, 16) == -1) {
pr_perror("Can't listen for socket connections");
goto err;