On Sat, Feb 12, 2011 at 1:56 PM, Otto Moerbeek <o...@drijf.net> wrote:
> On Sat, Feb 12, 2011 at 12:53:47PM -0500, Eric wrote:
>
>> On Sat, Feb 12, 2011 at 12:00 PM, Ted Unangst <ted.unan...@gmail.com> wrote:
>> > On Sat, Feb 12, 2011 at 9:49 AM, Eric <airu...@gmail.com> wrote:
>> >> I'm making some modifications to syslogd/syslog so that I can control access
>> >> to log sockets and have a set of high integrity log files that didn't
>> >> receive logs
>> >> from world-writable log sockets. Briefly, this means:
>> >
>> > It means you put the socket into a directory with the appropriate
>> > permissions. Sockets don't have permissions.
>> >
>>
>> I just tested it: sockets have permissions on OpenBSD and they are enforced.
>
> Yes, originally permissions on sockets were not enforced. But creating
> a socket and setting permissions on it is still subject to race
> conditions. So in practice you'll need dirs.
>
>       -Otto
>

Syslogd already uses socket permissions to protect its control socket:

	if (ctlsock_path != NULL) {
		fd = unix_socket(ctlsock_path, SOCK_STREAM, 0600);
		if (fd != -1) {

Should I patch it so that the control socket is placed in a directory
with appropriate permissions?