From dbbc8c8e2847e80c9b0713cb977a03c2d279011e Mon Sep 17 00:00:00 2001
From: "Daniel A. Wozniak"
Date: Tue, 13 Aug 2024 15:46:22 -0700
Subject: [PATCH] Fix master pull socket permissions
---
 salt/transport/base.py | 1 +
 salt/transport/tcp.py | 10 +++++++++-
 salt/transport/ws.py | 14 ++++++++++++--
 salt/transport/zeromq.py | 8 ++++++--
 4 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/salt/transport/base.py b/salt/transport/base.py
index 4a491d87ce54..83f821281743 100644
--- a/salt/transport/base.py
+++ b/salt/transport/base.py
@@ -198,6 +198,7 @@ def ipc_publish_client(node, opts, io_loop):
 if node == "master":
 kwargs.update(
 path=os.path.join(opts["sock_dir"], "master_event_pub.ipc"),
+ pub_path_perms=0o660,
 )
 else:
 id_hash = _minion_hash(
diff --git a/salt/transport/tcp.py b/salt/transport/tcp.py
index 3b8bba58195f..820535c5ea37 100644
--- a/salt/transport/tcp.py
+++ b/salt/transport/tcp.py
@@ -10,6 +10,7 @@
 import errno
 import logging
 import multiprocessing
+import os
 import queue
 import select
 import socket
@@ -1327,6 +1328,8 @@ def __init__(
 pull_host=None,
 pull_port=None,
 pull_path=None,
+ pull_path_perms=0o600,
+ pub_path_perms=0o600,
 ssl=None,
 ):
 self.opts = opts
@@ -1337,6 +1340,8 @@ def __init__(
 self.pull_host = pull_host
 self.pull_port = pull_port
 self.pull_path = pull_path
+ self.pull_path_prems = pull_path_perms
+ self.pub_path_prems = pub_path_perms
 self.ssl = ssl
 @property
@@ -1406,7 +1411,9 @@ async def publisher(
 log.debug(
 "Publish server binding pub to %s ssl=%r", self.pub_path, self.ssl
 )
- sock = tornado.netutil.bind_unix_socket(self.pub_path)
+ with salt.utils.files.set_umask(0o177):
+ sock = tornado.netutil.bind_unix_socket(self.pub_path)
+ os.chmod(self.pub_path, self.pub_path_perms)
 else:
 log.debug(
 "Publish server binding pub to %s:%s ssl=%r",
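Review bot: The master event publisher socket is widened from the 0o600 default to `pub_path_perms=0o660` in ipc_publish_client without a comment saying why, and the patch subject talks about the pull socket, so a reader cannot tell whether the group bit on the pub socket is the intended change. Presumably the aim is to let processes in the master's group connect to the event bus while the pull side keeps the owner-only default; if so, a comment above the added kwarg such as `# group members may subscribe to the event bus; the pull socket stays 0o600` would document the decision. ipc_publish_client continues outside the hunk.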
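Review bot: The new `pull_path_perms` and `pub_path_perms` parameters of tcp.py's __init__ are undocumented, and the same applies to the matching __init__ hunks in ws.py and zeromq.py. Because these values end up in os.chmod on a socket path, the docstring should state that they are octal file modes applied to the pull and pub unix sockets once bound, and that the 0o600 default keeps both sockets owner-only. __init__ continues outside the hunk.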
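Review bot: The attributes assigned in tcp.py's __init__ are misspelled — `self.pull_path_prems` and `self.pub_path_prems` — while the publisher hunk at @@ -1406 reads `self.pub_path_perms` and the @@ -1446 hunk reads `self.pull_path_perms`, so unless something outside the diff sets the correctly spelled names the first os.chmod on the unix-socket path raises AttributeError. Change the two lines to `self.pull_path_perms = pull_path_perms` and `self.pub_path_perms = pub_path_perms`. If tcp.py's PublishServer also serialises itself through a __getstate__ like the one ws.py updates in this patch, the new attributes need adding there as well; that method is not in the diff. __init__ continues outside the hunk.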
@@ -1446,6 +1453,7 @@ async def publisher(
 # Securely create socket
 with salt.utils.files.set_umask(0o177):
 self.pull_sock.start()
+ os.chmod(self.pull_path, self.pull_path_perms)
 def pre_fork(self, process_manager):
 """
diff --git a/salt/transport/ws.py b/salt/transport/ws.py
index 8a842e18d296..b8891e0dc480 100644
--- a/salt/transport/ws.py
+++ b/salt/transport/ws.py
@@ -1,6 +1,7 @@
 import asyncio
 import logging
 import multiprocessing
+import os
 import socket
 import time
 import warnings
@@ -259,6 +260,8 @@ def __init__(
 pull_host=None,
 pull_port=None,
 pull_path=None,
+ pull_path_perms=0o600,
+ pub_path_perms=0o600,
 ssl=None,
 ):
 self.opts = opts
@@ -268,6 +271,8 @@ def __init__(
 self.pull_host = pull_host
 self.pull_port = pull_port
 self.pull_path = pull_path
+ self.pull_path_perms = pull_path_perms
+ self.pub_path_perms = pub_path_perms
 self.ssl = ssl
 self.clients = set()
 self._run = None
@@ -291,6 +296,8 @@ def __getstate__(self):
 "pull_host": self.pull_host,
 "pull_port": self.pull_port,
 "pull_path": self.pull_path,
+ "pull_path_perms": self.pull_path_perms,
+ "pub_path_perms": self.pub_path_perms,
 }
 def publish_daemon(
@@ -338,8 +345,10 @@ async def publisher(
 server = aiohttp.web.Server(self.handle_request)
 runner = aiohttp.web.ServerRunner(server)
 await runner.setup()
- site = aiohttp.web.UnixSite(runner, self.pub_path, ssl_context=ctx)
- log.info("Publisher binding to socket %s", self.pub_path)
+ with salt.utils.files.set_umask(0o177):
+ log.info("Publisher binding to socket %s", self.pub_path)
+ site = aiohttp.web.UnixSite(runner, self.pub_path, ssl_context=ctx)
+ os.chmod(self.pub_path, self.pub_path_perms)
 else:
 sock = _get_socket(self.opts)
 sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
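Review bot: In ws.py's publisher the `with salt.utils.files.set_umask(0o177):` block covers only the `aiohttp.web.UnixSite(...)` constructor, which stores the path but does not create the socket; aiohttp binds the unix socket in `site.start()`, and that call is not inside the block in this hunk (the `else:` follows immediately), so the umask guard protects nothing and `os.chmod(self.pub_path, self.pub_path_perms)` runs before the socket file exists — FileNotFoundError on a clean start, or a chmod of a stale socket left by a previous run. Move `await site.start()` into the with block ahead of the chmod, or keep the chmod until after start() has returned. publisher continues outside the hunk.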
@@ -360,6 +369,7 @@ async def publisher(
 self.puller = await asyncio.start_unix_server(
 self.pull_handler, self.pull_path
 )
+ os.chmod(self.pull_path, self.pull_path_perms)
 else:
 self.puller = await asyncio.start_server(
 self.pull_handler, self.pull_host, self.pull_port
diff --git a/salt/transport/zeromq.py b/salt/transport/zeromq.py
index 478057232fad..fe61cb8808f5 100644
--- a/salt/transport/zeromq.py
+++ b/salt/transport/zeromq.py
@@ -852,6 +852,8 @@ def __init__(
 pull_host=None,
 pull_port=None,
 pull_path=None,
+ pull_path_perms=0o600,
+ pub_path_perms=0o600,
 ):
 self.opts = opts
 self.pub_host = pub_host
@@ -864,6 +866,8 @@ def __init__(
 self.pull_host = pull_host
 self.pull_port = pull_port
 self.pull_path = pull_path
+ self.pub_path_perms = pub_path_perms
+ self.pull_path_perms = pull_path_perms
 if pull_path:
 self.pull_uri = f"ipc://{pull_path}"
 else:
@@ -930,14 +934,14 @@ def _get_sockets(self, context, ioloop):
 if self.pub_path:
 os.chmod( # nosec
 self.pub_path,
- 0o600,
+ self.pub_path_perms,
 )
 log.info("Starting the Salt Puller on %s", self.pull_uri)
 pull_sock.bind(self.pull_uri)
 if self.pull_path:
 os.chmod( # nosec
 self.pull_path,
- 0o600,
+ self.pull_path_perms,
 )
 return pull_sock, pub_sock, monitor
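Review bot: The ws.py pull socket is created by `asyncio.start_unix_server(...)` under the process's default umask and only afterwards tightened by the added `os.chmod(self.pull_path, self.pull_path_perms)`, whereas the tcp.py @@ -1446 hunk wraps the equivalent `self.pull_sock.start()` in `salt.utils.files.set_umask(0o177)`. Wrapping the `start_unix_server` call the same way — `with salt.utils.files.set_umask(0o177):` around the three existing lines, with the chmod kept after it — closes the window in which the socket exists with wider-than-intended permissions and keeps the two transports consistent. publisher continues outside the hunk.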