thaloco/banger
1
Fork 0
Code Pull requests Releases Packages Activity Actions

runtime sockets: close the local-user race window around control-plane creation

Browse source 
Previously the daemon socket, per-VM firecracker API socket, and vsock
socket were transiently world-exposed on hosts without XDG_RUNTIME_DIR:
the runtime directory landed in /tmp at 0755, Firecracker ran with
umask 000 (mode 0666 sockets), and only a follow-up chown/chmod in
EnsureSocketAccess tightened them. A local attacker could race into
bangerd.sock or the firecracker API socket during that window.

Three changes:

- internal/paths/paths.go: RuntimeDir is now created (and re-chmod'd if
  stale) at 0700 unconditionally. When XDG_RUNTIME_DIR is unset and we
  fall back to /tmp/banger-runtime-<uid>, Ensure() now verifies the
  parent dir is owned by the current uid and 0700 mode — refusing to
  place sockets inside a directory someone else created. Symlink swaps
  rejected via Lstat.

- internal/firecracker/client.go: launch firecracker with umask 077
  instead of umask 000 so the API socket is mode 0600 from birth. The
  chown in fcproc.EnsureSocketAccess still transfers ownership from
  root to the invoking user afterwards.

- internal/daemon/fcproc/fcproc.go: EnsureSocketDir now creates (and
  re-chmod's) the runtime socket directory at 0700.

Tests cover the tightening path — an existing 0755 RuntimeDir is
re-chmod'd on Ensure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Thales Maciel 2026-04-20 12:53:47 -03:00
parent 2b6437d1b4
commit b930c51990
No known key found for this signature in database
GPG key ID: 33112E6833C34679
5 changed files with 119 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

9
internal/firecracker/client.go
View file

@ -184,7 +184,14 @@ func defaultDriveID(drive DriveConfig, fallback string) string {
}
func buildProcessRunner(cfg MachineConfig, logFile *os.File) *exec.Cmd {
script := "umask 000 && exec " + shellQuote(cfg.BinaryPath) +
// umask 077 so the API + vsock sockets firecracker creates are
// mode 0600 from birth (owned by root since we invoke via sudo).
// A follow-up chown in fcproc.EnsureSocketAccess transfers
// ownership to the invoking user. Without this, the sockets
// would briefly exist world-readable/writable between firecracker
// creating them and the daemon tightening the mode — a real
// window for a local attacker to hit the control plane.
script := "umask 077 && exec " + shellQuote(cfg.BinaryPath) +
" --api-sock " + shellQuote(cfg.SocketPath) +
" --id " + shellQuote(cfg.VMID)
cmd := exec.Command("sudo", "-n", "sh", "-c", script)

2
internal/firecracker/client_test.go
View file

@ -88,7 +88,7 @@ func TestBuildProcessRunnerUsesSudoShellWrapper(t *testing.T) {
if cmd.Args[1] != "-n" || cmd.Args[2] != "sh" || cmd.Args[3] != "-c" {
t.Fatalf("args = %v", cmd.Args)
}
want := "umask 000 && exec '/repo/firecracker' --api-sock '/tmp/fc.sock' --id 'vm-1'"
want := "umask 077 && exec '/repo/firecracker' --api-sock '/tmp/fc.sock' --id 'vm-1'"
if cmd.Args[4] != want {
t.Fatalf("script = %q, want %q", cmd.Args[4], want)
}