thaloco/banger
1
Fork 0
Code Pull requests Releases Packages Activity Actions
banger/internal/daemon
History
Thales Maciel b930c51990
runtime sockets: close the local-user race window around control-plane creation 
Previously the daemon socket, per-VM firecracker API socket, and vsock
socket were transiently world-exposed on hosts without XDG_RUNTIME_DIR:
the runtime directory landed in /tmp at 0755, Firecracker ran with
umask 000 (mode 0666 sockets), and only a follow-up chown/chmod in
EnsureSocketAccess tightened them. A local attacker could race into
bangerd.sock or the firecracker API socket during that window.

Three changes:

- internal/paths/paths.go: RuntimeDir is now created (and re-chmod'd if
  stale) at 0700 unconditionally. When XDG_RUNTIME_DIR is unset and we
  fall back to /tmp/banger-runtime-<uid>, Ensure() now verifies the
  parent dir is owned by the current uid and 0700 mode — refusing to
  place sockets inside a directory someone else created. Symlink swaps
  rejected via Lstat.

- internal/firecracker/client.go: launch firecracker with umask 077
  instead of umask 000 so the API socket is mode 0600 from birth. The
  chown in fcproc.EnsureSocketAccess still transfers ownership from
  root to the invoking user afterwards.

- internal/daemon/fcproc/fcproc.go: EnsureSocketDir now creates (and
  re-chmod's) the runtime socket directory at 0700.

Tests cover the tightening path — an existing 0755 RuntimeDir is
re-chmod'd on Ensure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 12:53:47 -03:00
..
dmsnap Extract opstate and dmsnap into subpackages 2026-04-15 16:02:43 -03:00
fcproc runtime sockets: close the local-user race window around control-plane creation 2026-04-20 12:53:47 -03:00
imagemgr Remove image build --from-image; doctor treats catalog images as OK 2026-04-18 15:54:29 -03:00
opstate coverage: medium batch — hostnat runner, store guest-sessions, daemon helpers 2026-04-18 18:03:37 -03:00
workspace remove vm session feature 2026-04-20 12:47:58 -03:00
ARCHITECTURE.md remove vm session feature 2026-04-20 12:47:58 -03:00
autopull_test.go vm create: auto-pull image and kernel from catalogs if missing 2026-04-18 15:10:26 -03:00
capabilities.go vm state: split transient kernel/process handles off the durable schema 2026-04-19 14:18:13 -03:00
capabilities_test.go Remove opencode package + vm acp command (dead code) 2026-04-18 16:54:37 -03:00
daemon.go remove vm session feature 2026-04-20 12:47:58 -03:00
daemon_test.go remove experimental web UI 2026-04-19 14:28:08 -03:00
dns_routing.go Route .vm DNS through systemd-resolved 2026-03-22 15:07:22 -03:00
dns_routing_test.go Route .vm DNS through systemd-resolved 2026-03-22 15:07:22 -03:00
doc.go remove vm session feature 2026-04-20 12:47:58 -03:00
doctor.go doctor: surface state store open failure as failing check 2026-04-19 17:35:27 -03:00
fake_firecracker_test.go remove vm session feature 2026-04-20 12:47:58 -03:00
fastpath_test.go Manage image artifacts and show VM create progress 2026-03-21 14:48:01 -03:00
guest_ssh.go remove vm session feature 2026-04-20 12:47:58 -03:00
image_seed.go guest sshd: drop DEBUG3 + StrictModes no; normalise /root perms 2026-04-19 13:40:40 -03:00
images.go Remove image build --from-image; doctor treats catalog images as OK 2026-04-18 15:54:29 -03:00
images_helpers_test.go coverage: medium batch — hostnat runner, store guest-sessions, daemon helpers 2026-04-18 18:03:37 -03:00
images_pull.go vm create: auto-pull image and kernel from catalogs if missing 2026-04-18 15:10:26 -03:00
images_pull_bundle_test.go image pull: dispatch to imagecat bundle path before OCI 2026-04-17 15:43:33 -03:00
images_pull_test.go Phase B-2: pre-inject banger guest agents into pulled rootfs 2026-04-16 18:08:56 -03:00
kernels.go Phase 4: remote catalog + banger kernel pull 2026-04-16 15:05:42 -03:00
kernels_test.go Phase 4: remote catalog + banger kernel pull 2026-04-16 15:05:42 -03:00
logger.go vm state: split transient kernel/process handles off the durable schema 2026-04-19 14:18:13 -03:00
logger_test.go Remove image build --from-image; doctor treats catalog images as OK 2026-04-18 15:54:29 -03:00
nat.go vm state: split transient kernel/process handles off the durable schema 2026-04-19 14:18:13 -03:00
nat_test.go vm state: split transient kernel/process handles off the durable schema 2026-04-19 14:18:13 -03:00
open_close_test.go remove vm session feature 2026-04-20 12:47:58 -03:00
ports.go vm state: split transient kernel/process handles off the durable schema 2026-04-19 14:18:13 -03:00
preflight.go Remove image build --from-image; doctor treats catalog images as OK 2026-04-18 15:54:29 -03:00
runtime_assets.go Remove runtime-bundle image dependencies 2026-03-21 18:34:53 -03:00
snapshot.go Extract opstate and dmsnap into subpackages 2026-04-15 16:02:43 -03:00
snapshot_test.go Harden VM stop cleanup for stale snapshots 2026-03-18 12:28:15 -03:00
ssh_client_config.go ssh: trust-on-first-use host key pinning everywhere 2026-04-19 16:46:03 -03:00
ssh_client_config_test.go ssh: trust-on-first-use host key pinning everywhere 2026-04-19 16:46:03 -03:00
sshd_config_test.go guest sshd: drop DEBUG3 + StrictModes no; normalise /root perms 2026-04-19 13:40:40 -03:00
tap_pool.go vm state: split transient kernel/process handles off the durable schema 2026-04-19 14:18:13 -03:00
vm.go vm state: split transient kernel/process handles off the durable schema 2026-04-19 14:18:13 -03:00
vm_authsync.go guest sshd: drop DEBUG3 + StrictModes no; normalise /root perms 2026-04-19 13:40:40 -03:00
vm_create.go vm create: auto-pull image and kernel from catalogs if missing 2026-04-18 15:10:26 -03:00
vm_create_ops.go Add lint targets, fix gofmt drift, broaden Makefile build inputs 2026-04-16 16:49:17 -03:00
vm_disk.go vm state: split transient kernel/process handles off the durable schema 2026-04-19 14:18:13 -03:00
vm_handles.go vm state: split transient kernel/process handles off the durable schema 2026-04-19 14:18:13 -03:00
vm_handles_test.go vm state: split transient kernel/process handles off the durable schema 2026-04-19 14:18:13 -03:00
vm_lifecycle.go ssh: trust-on-first-use host key pinning everywhere 2026-04-19 16:46:03 -03:00
vm_locks.go Move subsystem state/locks off Daemon into owning types 2026-04-15 15:58:33 -03:00
vm_set.go vm state: split transient kernel/process handles off the durable schema 2026-04-19 14:18:13 -03:00
vm_stats.go vm state: split transient kernel/process handles off the durable schema 2026-04-19 14:18:13 -03:00
vm_test.go vm state: split transient kernel/process handles off the durable schema 2026-04-19 14:18:13 -03:00
workspace.go remove vm session feature 2026-04-20 12:47:58 -03:00
workspace_test.go cli + daemon: move test seams off package globals onto injected structs 2026-04-19 19:03:55 -03:00