From 31094d557bdd592cdb08042535b2fc94889be7f3 Mon Sep 17 00:00:00 2001
From: Maisem Ali
Date: Thu, 21 Apr 2022 14:45:36 -0700
Subject: [PATCH] ssh/tailssh: chmod the auth socket to be only user accessible

Updates #3802

Signed-off-by: Maisem Ali
---
 ssh/tailssh/tailssh.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ssh/tailssh/tailssh.go b/ssh/tailssh/tailssh.go
index f15442e16..a153f86de 100644
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -773,10 +773,14 @@ func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *user.User) err
 	}
 	socket := ln.Addr().String()
 	dir := filepath.Dir(socket)
-	// Make sure the socket is accessible by the user.
+	// Make sure the socket is accessible only by the user.
+	if err := os.Chmod(socket, 0600); err != nil {
+		return err
+	}
 	if err := os.Chown(socket, int(uid), int(gid)); err != nil {
 		return err
 	}
+	// Make sure the dir is also accessible.
 	if err := os.Chmod(dir, 0755); err != nil {
 		return err
 	}
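Review bot: There is still a window between the listener's creation (above the hunk, where `ln` is bound) and the new `os.Chmod(socket, 0600)` in which the socket file carries its creation mode (0777 masked by the process umask, typically 0755 or 0775), so another local user can connect() during that window and have the connection sit in the backlog until the later Accept; chmod-after-the-fact narrows the exposure but does not close it. Relying on the socket file's mode is also not portable — some Unix variants do not enforce socket permissions on connect, which is why OpenSSH protects the agent socket with a 0700 parent directory instead — yet this hunk explicitly relaxes the parent to `os.Chmod(dir, 0755)`. Consider keeping the directory private to the user and handing it to them so they can still traverse it: `if err := os.Chmod(dir, 0700); err != nil { return err }` followed by `if err := os.Chown(dir, int(uid), int(gid)); err != nil { return err }`, which presumes `dir` is a per-session directory created for this socket (its creation is not visible in the hunk, so confirm nothing else needs to traverse it). handleSSHAgentForwarding begins before the hunk and continues after it.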