fix: set IPC socket permissions to 0600 for security #133
Conversation
The Unix socket was created with default permissions, allowing any local user to potentially connect to the supervisor. Now the socket is restricted to owner read/write only (0600), preventing unauthorized local access.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Instead of creating the socket with default permissions and then changing them (which has a brief window where an attacker could connect), set a restrictive umask (0077) before creating the socket so it's created with 0600 permissions from the start.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 2 potential issues.
```rust
#[cfg(unix)]
unsafe {
    libc::umask(old_umask);
}
```
Process-wide umask affects concurrent file operations
Medium Severity
The umask system call affects the entire process, not just the current thread. In the tokio multi-threaded runtime, other async tasks (web server, interval_watch, cron_watch, signals) are already running when IpcServer::new() is called. Any file or directory creation by these concurrent tasks during the umask manipulation window will unexpectedly receive restrictive 0600/0700 permissions instead of normal permissions, potentially causing functionality issues.
Capture the result of create_tokio() before restoring umask, then propagate any error afterward. This ensures the process umask is always restored to its original value. Also added a note explaining that IpcServer::new() runs during supervisor startup before other async tasks, so the brief umask change won't affect concurrent operations.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
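The pattern the two commit messages above describe (restrictive umask around socket creation, restored even when creation fails), as an added example that is not the project's code: it binds with `std::os::unix::net::UnixListener` instead of `ListenerOptions::create_tokio()` and declares `umask` directly rather than through the libc crate, assuming Linux where `mode_t` is `u32`. A `Drop` guard restores the umask on every return path; the umask is still process-wide, so as the review comment notes, this must run before other threads create files.

```rust
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::os::unix::net::UnixListener;
use std::path::Path;

// Declared directly to avoid the libc crate; mode_t is u32 on Linux (assumption).
unsafe extern "C" {
    fn umask(mask: u32) -> u32;
}

/// Restores the previous umask on drop, so every return path (including
/// the error path of bind) leaves the process umask as it found it.
struct UmaskGuard(u32);

impl UmaskGuard {
    fn set(mask: u32) -> Self {
        // SAFETY: umask() cannot fail and only touches this process's state.
        UmaskGuard(unsafe { umask(mask) })
    }
}

impl Drop for UmaskGuard {
    fn drop(&mut self) {
        unsafe { umask(self.0) };
    }
}

/// Bind a Unix socket that is owner-only from the instant it exists:
/// the kernel applies the umask at bind(), so there is no window in which
/// the socket is connectable by other users before a later chmod.
pub fn bind_private_socket(path: &Path) -> io::Result<UnixListener> {
    let _guard = UmaskGuard::set(0o077);
    // The socket inode is created with 0777 & !0o077: no group/other bits.
    UnixListener::bind(path)
    // _guard drops here, after bind has returned, restoring the old umask.
}

/// Permission bits (mode & 0o777) of the inode at `path`.
pub fn mode_bits(path: &Path) -> io::Result<u32> {
    Ok(std::fs::metadata(path)?.permissions().mode() & 0o777)
}

/// Read the current umask without changing it (umask() only reports the
/// old value while setting a new one, so set and immediately restore).
pub fn current_umask() -> u32 {
    let old = unsafe { umask(0o022) };
    unsafe { umask(old) };
    old
}
```

Checking the result with `ls -la` on the socket path should show no group or other bits, which is the check the PR's test plan uses.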
## 🤖 New release

* `pitchfork-cli`: 0.3.0 -> 0.3.1

**Changelog**

## [0.3.1](v0.3.0...v0.3.1) - 2026-01-19

### Added
- implement daemon dependency resolution ([#135](#135))
- add restart command to CLI ([#134](#134))

### Fixed
- restart command preserves daemon dependency configuration ([#142](#142))
- add missing depends field to restart command ([#136](#136))
- set IPC socket permissions to 0600 for security ([#133](#133))
- handle shell command parsing errors instead of silently failing ([#132](#132))

### Other
- reduce unnecessary daemon cloning in loops ([#144](#144))
- use periodic log flushing instead of per-line ([#139](#139))
- refresh only tracked PIDs instead of all processes ([#141](#141))
- cache compiled regex patterns ([#143](#143))

### Security
- add rate limiting to IPC server ([#137](#137))
- canonicalize config paths to prevent symlink exploitation ([#138](#138))
- add centralized daemon ID validation ([#140](#140))

---

This PR was generated with [release-plz](https://github.com/release-plz/release-plz/).

> [!NOTE]
> Prepares the 0.3.1 release and updates metadata/documentation accordingly.
>
> - **Changelog**: Adds `0.3.1` entry detailing added dependency resolution, new `restart` command, fixes, performance tweaks, and security hardening
> - **Version bumps**: Updates `version` to `0.3.1` in `Cargo.toml`, `Cargo.lock`, `docs/cli/commands.json`, `docs/cli/index.md`, and `pitchfork.usage.kdl`
> - **Docs regen**: Refreshes CLI docs/spec to reflect the new version (no behavioral changes in this diff)
>
> Written by Cursor Bugbot for commit 9f9d386.

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
## 🤖 New release

* `pitchfork-cli`: 1.0.0

**Changelog**

## [1.0.0](https://github.com/jdx/pitchfork/releases/tag/v1.0.0) - 2026-01-19

### Added
- implement daemon dependency resolution ([#135](#135))
- add restart command to CLI ([#134](#134))

### Fixed
- restart command preserves daemon dependency configuration ([#142](#142))
- add missing depends field to restart command ([#136](#136))
- set IPC socket permissions to 0600 for security ([#133](#133))
- handle shell command parsing errors instead of silently failing ([#132](#132))

### Other
- bump version to 1.0.0 ([#147](#147))
- release v0.3.1 ([#121](#121))
- reduce unnecessary daemon cloning in loops ([#144](#144))
- use periodic log flushing instead of per-line ([#139](#139))
- refresh only tracked PIDs instead of all processes ([#141](#141))
- cache compiled regex patterns ([#143](#143))

### Security
- add rate limiting to IPC server ([#137](#137))
- canonicalize config paths to prevent symlink exploitation ([#138](#138))
- add centralized daemon ID validation ([#140](#140))

---

This PR was generated with [release-plz](https://github.com/release-plz/release-plz/).

> [!NOTE]
> Prepares the 1.0.0 release and updates `CHANGELOG.md` with the finalized notes.
>
> - Adds `1.0.0` section: daemon dependency resolution, new CLI `restart` command, fixes for dependency preservation and shell parsing, secure IPC socket perms, plus performance/maintenance updates
> - Documents security hardening: IPC rate limiting, config path canonicalization, centralized daemon ID validation
> - Retains prior `0.3.1` notes for historical context
>
> Written by Cursor Bugbot for commit 4182984.
Summary
- Sets IPC socket permissions to `0600` (owner read/write only) after creation
- Wrapped in `#[cfg(unix)]` to ensure it only runs on Unix platforms

Security
Previously, the IPC socket was created with default permissions, which could allow any local user to connect and control daemons. This change restricts access to the socket owner only.

Test plan
- `ls -la ~/.local/state/pitchfork/ipc/main.sock`

🤖 Generated with Claude Code

Note
Secures IPC socket creation on Unix by enforcing restrictive permissions at creation time.
- Sets `umask` to `0o077` around `ListenerOptions::create_tokio()` to ensure the socket is created with `0600`, then restores the original `umask`
- Converts errors with `into_diagnostic()`
- Adds `libc` under `[target.'cfg(unix)'.dependencies]` for `umask`

Written by Cursor Bugbot for commit 91ac10f.