Bug 102060

Summary: Security: PulseAudio server weakens the umask
Product: PulseAudio Reporter: Klaus Kusche <klaus.kusche>
Component: daemonAssignee: pulseaudio-bugs
Status: RESOLVED FIXED QA Contact: pulseaudio-bugs
Severity: normal    
Priority: medium CC: lennart
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:

Description Klaus Kusche 2017-08-06 18:43:23 UTC 
We have a strict umask 077 policy here, i.e. all files created under /home
must have 00 permissions for group and other.

However, in spite of its initial umask being 077, the pulseaudio daemon 
creates files with permissions 644 in $HOME/.config/pulse.

A quick look into the source found a umask(0022); in src/daemon/main.c .

It may create files with more restrictive permissions than the umask says
(e.g. with 644 if the umask is 000), but it must not ignore the initial umask
or set its umask to something weaker than the initial umask,
and it must not create files with less restricive permissions than the umask!
Comment 1 Tanu Kaskinen 2017-08-17 16:44:17 UTC 
I don't understand why we set the umask at all.

If the old umask is so strict that it prevents pulseaudio from reading or writing its own files, then that would seem to me just plain broken configuration that we don't need to work around.

If the old umask is 0077, that could prevent clients from other users communicating with the server, except that it doesn't. Connections from other users are prevented anyway in the per-user mode (all created directories, including the one where the socket is, have permissions 0700), and in the system mode all directories are created with permissions 0755 regardless of the umask. The socket file is always created with permissions 0777, so all users always have access to the system mode socket.

If the old umask is overly lenient, then so what? Pulseaudio only creates files in directories that it creates, and since in the per-user mode all directories are created with permissions 0700, other users won't have access to those files anyway.

Hmm, there's one case where there could be a problem: if pulseaudio runs in the system mode, and it's started with umask 0000, then anyone can write to the state files that pulseaudio creates. I think this could be solved by setting the umask only in the system mode (the umask() call was actually added in the commit that introduced the system mode, so the original purpose seems to be system mode related anyway). While we're at it, the umask could be tightened to 0077, since the state files can reveal some slightly privacy-sensitive information that shouldn't be readable by everyone.

Setting the umask to 0077 also in the per-user case probably wouldn't do any harm, though. What possible use case is there for users to look at each others' pulseaudio state files? Maybe we should just always set it to 0077.
Comment 2 Tanu Kaskinen 2017-08-18 03:52:47 UTC 
I sent a patch to the mailing list:
https://patchwork.freedesktop.org/patch/172255/
Comment 3 Tanu Kaskinen 2017-08-20 06:53:06 UTC 
The patch is now in the "next" branch. Closing bug.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.