Security #8682
openunix-socket: TOCTOU race in Unix socket directory creation
Description
Reported by Sreejith Gopinath.
File: src/unix-manager.c:141–143
UnixNew() performs stat(SOCKET_PATH) followed by SCMkDir(SOCKET_PATH), a check-then-act sequence with no single atomic operation in its place. A local attacker can swap the target for a symlink in the window between the two calls; because this runs during privileged startup, before privilege drop, the symlink target is then opened as root. The sequence is already flagged in-source with /* coverity[toctou] */ but has been left unmitigated.
CWE-367. Confirmed at source level on both 7.0.15 and 8.0.4: unix-socket-high8-toctou-sequence-01 verifies the stat()/SCMkDir() sequence is still present in the check_dir block. A runtime race harness is not practical in CI given the narrow window; the test guards the vulnerable sequence until a safe primitive replaces it.
Suggested remediation: Replace stat()+SCMkDir() with an atomic mkdir() call and handle EEXIST explicitly, or use O_CREAT|O_EXCL semantics where applicable.