thaloco/banger
1
Fork 0
Code Pull requests Releases Packages Activity Actions
banger/internal/paths/paths.go
Thales Maciel b930c51990
runtime sockets: close the local-user race window around control-plane creation 
Previously the daemon socket, per-VM firecracker API socket, and vsock
socket were transiently world-exposed on hosts without XDG_RUNTIME_DIR:
the runtime directory landed in /tmp at 0755, Firecracker ran with
umask 000 (mode 0666 sockets), and only a follow-up chown/chmod in
EnsureSocketAccess tightened them. A local attacker could race into
bangerd.sock or the firecracker API socket during that window.

Three changes:

- internal/paths/paths.go: RuntimeDir is now created (and re-chmod'd if
  stale) at 0700 unconditionally. When XDG_RUNTIME_DIR is unset and we
  fall back to /tmp/banger-runtime-<uid>, Ensure() now verifies the
  parent dir is owned by the current uid and 0700 mode — refusing to
  place sockets inside a directory someone else created. Symlink swaps
  rejected via Lstat.

- internal/firecracker/client.go: launch firecracker with umask 077
  instead of umask 000 so the API socket is mode 0600 from birth. The
  chown in fcproc.EnsureSocketAccess still transfers ownership from
  root to the invoking user afterwards.

- internal/daemon/fcproc/fcproc.go: EnsureSocketDir now creates (and
  re-chmod's) the runtime socket directory at 0700.

Tests cover the tightening path — an existing 0755 RuntimeDir is
re-chmod'd on Ensure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 12:53:47 -03:00

206 lines
6.7 KiB
Go
Raw Blame History

package paths
import (
"errors"
"fmt"
"os"
"path/filepath"
"strings"
"syscall"
)
type Layout struct {
ConfigHome string
StateHome string
CacheHome string
RuntimeHome string
ConfigDir string
StateDir string
CacheDir string
RuntimeDir string
SocketPath string
DBPath string
DaemonLog string
VMsDir string
ImagesDir string
KernelsDir string
OCICacheDir string
SSHDir string
KnownHostsPath string
// runtimeHomeFallback is true when we fabricated the RuntimeHome path
// under /tmp because XDG_RUNTIME_DIR was unset. Ensure() uses the flag
// to apply strict ownership + mode checks on the fallback parent (a
// world-writable /tmp needs us to own and lock the subtree ourselves;
// a systemd-provisioned /run/user/<uid> is already 0700 and trusted).
runtimeHomeFallback bool
}
func Resolve() (Layout, error) {
home, err := os.UserHomeDir()
if err != nil {
return Layout{}, err
}
configHome := getenvDefault("XDG_CONFIG_HOME", filepath.Join(home, ".config"))
stateHome := getenvDefault("XDG_STATE_HOME", filepath.Join(home, ".local", "state"))
cacheHome := getenvDefault("XDG_CACHE_HOME", filepath.Join(home, ".cache"))
runtimeHome := os.Getenv("XDG_RUNTIME_DIR")
runtimeFallback := false
if runtimeHome == "" {
runtimeHome = filepath.Join(os.TempDir(), fmt.Sprintf("banger-runtime-%d", os.Getuid()))
runtimeFallback = true
}
layout := Layout{
ConfigHome: configHome,
StateHome: stateHome,
CacheHome: cacheHome,
RuntimeHome: runtimeHome,
runtimeHomeFallback: runtimeFallback,
ConfigDir: filepath.Join(configHome, "banger"),
StateDir: filepath.Join(stateHome, "banger"),
CacheDir: filepath.Join(cacheHome, "banger"),
RuntimeDir: filepath.Join(runtimeHome, "banger"),
}
layout.SocketPath = filepath.Join(layout.RuntimeDir, "bangerd.sock")
layout.DBPath = filepath.Join(layout.StateDir, "state.db")
layout.DaemonLog = filepath.Join(layout.StateDir, "bangerd.log")
layout.VMsDir = filepath.Join(layout.StateDir, "vms")
layout.ImagesDir = filepath.Join(layout.StateDir, "images")
layout.KernelsDir = filepath.Join(layout.StateDir, "kernels")
layout.OCICacheDir = filepath.Join(layout.CacheDir, "oci")
layout.SSHDir = filepath.Join(layout.StateDir, "ssh")
layout.KnownHostsPath = filepath.Join(layout.SSHDir, "known_hosts")
return layout, nil
}
func Ensure(layout Layout) error {
// When we're using the /tmp fallback, we must create and own the
// runtime-home parent ourselves and reject any pre-existing directory
// that isn't 0700 + owned by the current uid. Otherwise a local
// attacker could pre-create that path and have banger's control
// sockets land inside a directory they control.
if layout.runtimeHomeFallback && strings.TrimSpace(layout.RuntimeHome) != "" {
if err := ensureSafeRuntimeHome(layout.RuntimeHome); err != nil {
return err
}
}
// RuntimeDir holds bangerd.sock + per-VM firecracker API + vsock
// sockets. Lock it to 0700 unconditionally so even if the parent
// runtime-home is traversable by others, none of our sockets are
// reachable.
if strings.TrimSpace(layout.RuntimeDir) != "" {
if err := os.MkdirAll(layout.RuntimeDir, 0o700); err != nil {
return err
}
if err := os.Chmod(layout.RuntimeDir, 0o700); err != nil {
return err
}
}
for _, dir := range []string{layout.ConfigDir, layout.StateDir, layout.CacheDir, layout.VMsDir, layout.ImagesDir, layout.KernelsDir, layout.OCICacheDir} {
if strings.TrimSpace(dir) == "" {
continue
}
if err := os.MkdirAll(dir, 0o755); err != nil {
return err
}
}
// SSH material (private key, known_hosts) — 0700 like ~/.ssh so
// strict SSH clients don't complain and no other host user can
// read it. Empty SSHDir means the caller built a Layout by hand
// (tests) and doesn't need the subdir; skip silently.
if strings.TrimSpace(layout.SSHDir) != "" {
if err := os.MkdirAll(layout.SSHDir, 0o700); err != nil {
return err
}
}
return nil
}
// ensureSafeRuntimeHome creates path at 0700 if missing, or validates
// existing ownership + mode. Returns an error describing how to remediate
// when the existing directory doesn't meet the bar.
func ensureSafeRuntimeHome(path string) error {
if err := os.MkdirAll(path, 0o700); err != nil {
return err
}
info, err := os.Lstat(path)
if err != nil {
return err
}
// Must be a real directory, not a symlink an attacker could swap.
if info.Mode()&os.ModeSymlink != 0 {
return fmt.Errorf("runtime dir %s is a symlink; refusing to place sockets there — remove it or set XDG_RUNTIME_DIR", path)
}
if !info.IsDir() {
return fmt.Errorf("runtime dir %s exists but is not a directory", path)
}
sys, ok := info.Sys().(*syscall.Stat_t)
if ok && int(sys.Uid) != os.Getuid() {
return fmt.Errorf("runtime dir %s is owned by uid %d, not %d; remove it or set XDG_RUNTIME_DIR", path, sys.Uid, os.Getuid())
}
if info.Mode().Perm() != 0o700 {
if err := os.Chmod(path, 0o700); err != nil {
return fmt.Errorf("runtime dir %s has insecure mode %#o and chmod failed: %w", path, info.Mode().Perm(), err)
}
}
return nil
}
var executablePath = os.Executable
func BangerdPath() (string, error) {
if env := os.Getenv("BANGER_DAEMON_BIN"); env != "" {
return env, nil
}
exe, err := executablePath()
if err != nil {
return "", err
}
dir := filepath.Dir(exe)
for _, candidate := range []string{
filepath.Join(dir, "bangerd"),
filepath.Join(dir, "bangerd.exe"),
} {
if _, err := os.Stat(candidate); err == nil {
return candidate, nil
}
}
return "", errors.New("bangerd binary not found next to banger; run `make build`")
}
func CompanionBinaryPath(name string) (string, error) {
envNames := []string{
"BANGER_" + strings.ToUpper(strings.NewReplacer("-", "_", ".", "_").Replace(name)) + "_BIN",
}
if trimmed, ok := strings.CutPrefix(name, "banger-"); ok {
envNames = append(envNames, "BANGER_"+strings.ToUpper(strings.NewReplacer("-", "_", ".", "_").Replace(trimmed))+"_BIN")
}
for _, envName := range envNames {
if env := strings.TrimSpace(os.Getenv(envName)); env != "" {
return env, nil
}
}
exe, err := executablePath()
if err != nil {
return "", err
}
exeDir := filepath.Dir(exe)
for _, candidate := range []string{
filepath.Join(exeDir, name),
filepath.Join(exeDir, "..", "lib", "banger", name),
filepath.Join(exeDir, "..", "libexec", "banger", name),
} {
if _, err := os.Stat(candidate); err == nil {
return candidate, nil
}
}
return "", fmt.Errorf("%s companion binary not found; run `make build` or reinstall banger", name)
}
func getenvDefault(key, fallback string) string {
if value := strings.TrimSpace(os.Getenv(key)); value != "" {
return value
}
return fallback
}
View git blame Copy permalink