From 54d0d83b67a12befdc359350efb84157082a143b Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Thu, 21 Jan 2021 11:29:38 -0800
Subject: [PATCH] safesocket: on Linux, make /var/run/tailscale be 0755
Continuation of earlier two umask changes, 5611f290eb118eddc256560eaaa69f509347b4de and d6e9fb1df0fd67d08065c2277e7c4f4a82b7930f. This change mostly affects us, running tailscaled as root by hand (wit a umask of 0077), not under systemd. End users running tailscaled under systemd won't have a umask.
Signed-off-by: Brad Fitzpatrick
---
 safesocket/unixsocket.go | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/safesocket/unixsocket.go b/safesocket/unixsocket.go
index 996a274b9..31322dd3c 100644
--- a/safesocket/unixsocket.go
+++ b/safesocket/unixsocket.go
@@ -59,12 +59,32 @@ func listen(path string, port uint16) (ln net.Listener, _ uint16, err error) {
 return nil, 0, fmt.Errorf("%v: address already in use", path)
 }
 _ = os.Remove(path)
- os.MkdirAll(filepath.Dir(path), 0755) // best effort
+
+ perm := socketPermissionsForOS()
+
+ sockDir := filepath.Dir(path)
+ if _, err := os.Stat(sockDir); os.IsNotExist(err) {
+ os.MkdirAll(sockDir, 0755) // best effort
+
+ // If we're on a platform where we want the socket
+ // world-readable, open up the permissions on the
+ // just-created directory too, in case a umask ate
+ // it. This primarily affects running tailscaled by
+ // hand as root in a shell, as there is no umask when
+ // running under systemd.
+ if perm == 0666 {
+ if fi, err := os.Stat(sockDir); err == nil && fi.Mode()&0077 == 0 {
+ if err := os.Chmod(sockDir, 0755); err != nil {
+ log.Print(err)
+ }
+ }
+ }
+ }
 pipe, err := net.Listen("unix", path)
 if err != nil {
 return nil, 0, err
 }
- os.Chmod(path, socketPermissionsForOS())
+ os.Chmod(path, perm)
 return pipe, 0, err
 }
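Review bot: The new `os.Chmod(sockDir, 0755)` is gated on path checks rather than on the directory this call actually created: `os.Stat` and `os.Chmod` both follow symlinks, and the `os.IsNotExist` answer from the first `Stat` can be stale by the time the chmod runs. With a root-owned parent such as /var/run this is probably harmless, but `listen` accepts an arbitrary `path` and its callers are outside the hunk, so I would re-check with `if fi, err := os.Lstat(sockDir); err == nil && fi.IsDir() && fi.Mode().Perm()&0077 == 0 {` so that only a real directory is widened. Separately, `MkdirAll` may create several missing parents under a 0077 umask while only the leaf is reopened, so the socket can still be unreachable to non-root clients in that case. The bare `log.Print(err)` would be easier to triage as `log.Printf("safesocket: chmod %s: %v", sockDir, err)`. The body of `listen` begins before this hunk, so the earlier dial check is only partly visible here.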