From 339db9fd460794efc237387f9cac84baf5e47afe Mon Sep 17 00:00:00 2001 From: Adrian Reber Date: Thu, 21 May 2026 12:35:13 +0000 Subject: [PATCH] service: restrict socket permissions to 0600 Change the service socket permissions from 0666 (world-accessible) to 0600 (owner-only) to prevent unauthorized local users from connecting to the CRIU service socket. Print a message informing the administrator that the socket is restricted and that chmod should be used to widen access if needed. Assisted-by: Claude Code (claude-opus-4-6):claude-opus-4-6@default Generated with Claude Code (https://claude.ai/code) Signed-off-by: Adrian Reber --- criu/cr-service.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/criu/cr-service.c b/criu/cr-service.c index b3ba7f03f..d4c206d56 100644 --- a/criu/cr-service.c +++ b/criu/cr-service.c @@ -1534,12 +1534,16 @@ int cr_service(bool daemon_mode) pr_info("The service socket is bound to %s\n", server_addr.sun_path); - /* change service socket permissions, so anyone can connect to it */ - if (chmod(server_addr.sun_path, 0666)) { + /* restrict service socket permissions to owner only */ + if (chmod(server_addr.sun_path, 0600)) { pr_perror("Can't change permissions of the service socket"); goto err; } + pr_msg("Service socket %s has permissions 0600. " + "Use chmod to make it accessible to other users if needed.\n", + server_addr.sun_path); + if (listen(server_fd, 16) == -1) { pr_perror("Can't listen for socket connections"); goto err;