ssh/tailssh: chmod the auth socket to be only user accessible

Updates #3802 Signed-off-by: Maisem Ali <maisem@tailscale.com>
2024-11-29 04:55:31 +00:00 · 2022-04-21 14:45:36 -07:00 · 2022-04-21 14:45:36 -07:00 · 31094d557b
commit 31094d557b
parent 337c77964b
1 changed files with 5 additions and 1 deletions
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@ -773,10 +773,14 @@ func (ss *sshSession) handleSSHAgentForwarding(s ssh.Session, lu *user.User) err
 	}
 	socket := ln.Addr().String()
 	dir := filepath.Dir(socket)
-	// Make sure the socket is accessible by the user.
+	// Make sure the socket is accessible only by the user.
+	if err := os.Chmod(socket, 0600); err != nil {
+		return err
+	}
 	if err := os.Chown(socket, int(uid), int(gid)); err != nil {
 		return err
 	}
+	// Make sure the dir is also accessible.
 	if err := os.Chmod(dir, 0755); err != nil {
 		return err
 	}