#ifdef LOCAL_CREDS
{
int one = 1;
- setsockopt(l.sl_sd, 0, LOCAL_CREDS, &one, sizeof one);
+ setsockopt( l.sl_sd, 0, LOCAL_CREDS, &one, sizeof( one ) );
}
#endif /* LOCAL_CREDS */
- addrlen = sizeof(struct sockaddr_un);
+
+ addrlen = sizeof( struct sockaddr_un );
+
+ /* create socket with all permissions set for those systems
+ * that honor permissions on sockets (e.g. Linux); typically,
+ * only write is required. To exploit filesystem permissions,
+ * place the socket in a directory and use directory's
+ * permissions. Need write perms to the directory to
+ * create/unlink the socket; likely need exec perms to access
+ * the socket */
+ {
+ mode_t old_umask;
+
+ old_umask = umask( 0 );
+ rc = bind( l.sl_sd, *sal, addrlen );
+ umask( old_umask );
+ if ( rc ) {
+ err = sock_errno();
+ Debug( LDAP_DEBUG_ANY,
+ "daemon: bind(%ld) failed errno=%d (%s)\n",
+ (long)l.sl_sd, err, sock_errstr( err ) );
+ tcp_close( l.sl_sd );
+ sal++;
+ continue;
+ }
+ }
break;
#endif /* LDAP_PF_LOCAL */
}
- if (bind(l.sl_sd, *sal, addrlen)) {
- err = sock_errno();
- Debug( LDAP_DEBUG_ANY,
- "daemon: bind(%ld) failed errno=%d (%s)\n",
- (long) l.sl_sd, err, sock_errstr(err) );
- tcp_close( l.sl_sd );
- sal++;
- continue;
- }
-
switch ( (*sal)->sa_family ) {
#ifdef LDAP_PF_LOCAL
case AF_LOCAL: {
projects / openldap / commitdiff