lzc256
/
tailscale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ssh/tailssh: chmod the auth socket to be only user accessible 

Updates #3802

Signed-off-by: Maisem Ali <maisem@tailscale.com>
pull/4492/head
Maisem Ali 2022-04-21 14:45:36 -07:00 committed by Maisem Ali
parent 337c77964b
commit 31094d557b
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ssh/tailssh/tailssh.go
View File

@ -773,10 +773,14 @@ func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *user.User) err
} }
socket := ln.Addr().String() socket := ln.Addr().String()
dir := filepath.Dir(socket) dir := filepath.Dir(socket)
// Make sure the socket is accessible by the user. // Make sure the socket is accessible only by the user.
if err := os.Chmod(socket, 0600); err != nil {
return err
}
if err := os.Chown(socket, int(uid), int(gid)); err != nil { if err := os.Chown(socket, int(uid), int(gid)); err != nil {
return err return err
} }
// Make sure the dir is also accessible.
if err := os.Chmod(dir, 0755); err != nil { if err := os.Chmod(dir, 0755); err != nil {
return err return err
} }