Security #8682
openunix-socket: TOCTOU race in Unix socket directory creation
Description
Reported by Sreejith Gopinath.
File: src/unix-manager.c:141–143
UnixNew() performs stat(SOCKET_PATH) followed by SCMkDir(SOCKET_PATH) with no atomic alternative. A local attacker can swap the target with a symlink in the race window; during privileged startup before privilege drop, the symlink target is opened as root. Already flagged in-source with /* coverity[toctou] */ but left unmitigated.
CWE-367. Confirmed at source level on both 7.0.15 and 8.0.4: unix-socket-high8-toctou-sequence-01 verifies the stat()/SCMkDir() sequence is still present in the check_dir block. A runtime race harness is not practical in CI given the narrow window; the test guards the vulnerable sequence until a safe primitive replaces it.
Suggested remediation: Replace stat()+SCMkDir() with an atomic mkdir() call and handle EEXIST explicitly, or use O_CREAT|O_EXCL semantics where applicable.
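The stat()/SCMkDir() sequence described above, placed next to the atomic mkdir()+EEXIST shape the remediation suggests, as an added example that is not Suricata's code: ensure_dir_racy(), ensure_dir_safe() and run_toctou_demo() are hypothetical names, SCMkDir() is modeled as a plain mkdir(), and the scratch directory, symlink and file under /tmp are constructed here for the demonstration. The hardened version goes one step past the ticket's suggestion by opening the resulting directory with O_NOFOLLOW|O_DIRECTORY and validating it through the fd, so the path is never re-resolved after the check.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape (CWE-367): stat() is the check, mkdir() is the use, and
 * the two are separate syscalls. stat() also follows symlinks, so a symlink
 * pointing at an attacker-chosen directory passes the S_ISDIR test outright. */
int ensure_dir_racy(const char *path, mode_t mode)
{
    struct stat st;
    if (stat(path, &st) == 0)                 /* check */
        return S_ISDIR(st.st_mode) ? 0 : -1;
    /* race window: an attacker can plant a symlink at 'path' here */
    return mkdir(path, mode);                 /* use */
}

/* Hardened shape: mkdir() itself is the check (EEXIST handled explicitly),
 * then the name is opened with O_NOFOLLOW|O_DIRECTORY so the kernel rejects a
 * symlink (ELOOP on Linux) or a non-directory (ENOTDIR), and fstat() on the fd
 * validates owner and mode. Returns a directory fd (use *at() calls relative
 * to it afterwards) or -1 with errno set. Ownership/mode policy is an
 * assumption for this example, not Suricata's. */
int ensure_dir_safe(const char *path, mode_t mode)
{
    if (mkdir(path, mode) != 0 && errno != EEXIST)
        return -1;                            /* EACCES, ENOENT, ... */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                            /* symlink or not a directory */
    struct stat st;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    /* Refuse a pre-existing directory owned by someone else or world-writable:
     * its owner could otherwise plant entries at the socket path. */
    if (st.st_uid != geteuid() || (st.st_mode & S_IWOTH)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Outcome bits for the constructed scenario below. */
#define RACY_ACCEPTED_SYMLINK   1   /* stat()+mkdir() accepted symlink -> dir */
#define SAFE_REJECTED_SYMLINK   2   /* hardened version refused the symlink */
#define SAFE_CREATED_FRESH      4   /* hardened version created a real dir */
#define SAFE_ACCEPTED_EXISTING  8   /* EEXIST on our own dir is fine */
#define SAFE_REJECTED_FILE     16   /* plain file at the path is refused */

/* Constructed demonstration: scratch tree under /tmp with a symlink planted
 * where the socket directory is expected. Returns the bitmask of outcomes
 * (31 when every case behaves as described), -1 if setup fails. */
int run_toctou_demo(void)
{
    char base[] = "/tmp/toctou-demo-XXXXXX";
    if (mkdtemp(base) == NULL)
        return -1;
    char target[256], link[256], fresh[256], file[256];
    snprintf(target, sizeof target, "%s/attacker-dir", base);
    snprintf(link,   sizeof link,   "%s/sockdir", base);       /* the symlink */
    snprintf(fresh,  sizeof fresh,  "%s/fresh", base);
    snprintf(file,   sizeof file,   "%s/plainfile", base);

    int mask = 0;
    if (mkdir(target, 0755) == 0 && symlink(target, link) == 0) {
        if (ensure_dir_racy(link, 0755) == 0)
            mask |= RACY_ACCEPTED_SYMLINK;    /* stat() followed the symlink */
        if (ensure_dir_safe(link, 0755) == -1)
            mask |= SAFE_REJECTED_SYMLINK;    /* mkdir EEXIST, open ELOOP */
    }
    int fd = ensure_dir_safe(fresh, 0755);
    if (fd >= 0) {
        mask |= SAFE_CREATED_FRESH;
        close(fd);
        fd = ensure_dir_safe(fresh, 0755);    /* second run: EEXIST path */
        if (fd >= 0) {
            mask |= SAFE_ACCEPTED_EXISTING;
            close(fd);
        }
    }
    int ffd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (ffd >= 0) {
        close(ffd);
        if (ensure_dir_safe(file, 0755) == -1)
            mask |= SAFE_REJECTED_FILE;       /* open O_DIRECTORY -> ENOTDIR */
    }
    unlink(file); unlink(link); rmdir(fresh); rmdir(target); rmdir(base);
    return mask;
}

int main(void)
{
    int r = run_toctou_demo();
    printf("outcome mask: %d (31 = all five cases as expected)\n", r);
    return r == 31 ? 0 : 1;
}
```

The important property is that ensure_dir_safe() never resolves the path a second time: every later decision is made on the fd returned by the O_NOFOLLOW open, which is why the caller should then use openat()/fstatat() relative to it rather than rebuilding full paths. Note that O_CREAT|O_EXCL, mentioned in the remediation, applies to regular files; for the directory itself mkdir() already has exclusive-create semantics.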
Updated by Lukas Sismis 2 days ago
- Status changed from New to Triaged
- Target version changed from TBD to 9.0.0-beta1
- Affected Versions 7.0.15, 8.0.4 added
- Label Needs backport to 7.0, Needs backport to 8.0 added
Updated by OISF Ticketbot 2 days ago
- Subtask #8701 added
Updated by OISF Ticketbot 2 days ago
- Label deleted (Needs backport to 8.0)
Updated by OISF Ticketbot 2 days ago
- Subtask #8702 added
Updated by OISF Ticketbot 2 days ago
- Label deleted (Needs backport to 7.0)
Updated by Lukas Sismis 2 days ago
- Assignee set to Community Ticket