Harden permissions for pipe used in SharedServer. #127239

Draft
cincuranet wants to merge 1 commit into dotnet:main from cincuranet:tighter-perms
@cincuranet

No description provided.

Copilot AI left a comment

Pull request overview

This PR tightens Unix named-pipe (Unix domain socket) filesystem permissions when PipeOptions.CurrentUserOnly is used, by explicitly setting the socket file’s mode to user-only (0600). This aligns the on-disk endpoint permissions with the “current user only” intent and adds a regression test.

Changes:

  • Set the Unix domain socket file mode to UserRead | UserWrite when creating a SharedServer for CurrentUserOnly.
  • Add a Unix test validating the socket file mode when CurrentUserOnly is specified.
  • Minor refactors to use PipeOptions.HasFlag(...) in a few places.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| src/libraries/System.IO.Pipes/src/System/IO/Pipes/NamedPipeServerStream.Unix.cs | Applies 0600 permissions to the bound socket path for CurrentUserOnly; adds cleanup on failure; refactors option checks. |
| src/libraries/System.IO.Pipes/tests/NamedPipeTests/NamedPipeTest.CurrentUserOnly.Unix.cs | Adds a regression test asserting the created socket path has user-only permissions. |

Comment on lines 273 to 277
else
{
// No instance exists yet for this path. Create one a new.
server = new SharedServer(path, maxCount, isFirstPipeInstance);
server = new SharedServer(path, maxCount, isFirstPipeInstance, pipeOptions.HasFlag(PipeOptions.CurrentUserOnly));
s_servers.Add(path, server);
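Review bot: the new fourth argument on the `new SharedServer(...)` line is a second positional bool directly after `isFirstPipeInstance`, so the call site no longer shows which flag is which and the two are easy to transpose. Pass it as a named argument, or hoist `pipeOptions.HasFlag(PipeOptions.CurrentUserOnly)` into a descriptively named local first. While touching this block, the comment above it reads "Create one a new" and should read "Create a new one".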
Copilot AI Apr 21, 2026

SharedServer stores a single listening socket per path, but CurrentUserOnly is only applied when the SharedServer is first created. If the first server for a path is created without CurrentUserOnly and a later one uses it, the file mode will remain permissive; conversely, if the first uses CurrentUserOnly, later non-CurrentUserOnly servers will inherit the restrictive mode. Consider tracking the shared server's current-user-only state and either (1) rejecting mismatched options for the same path, or (2) always enforcing the most restrictive mode (chmod to 0600 when any instance requests CurrentUserOnly, never loosening).

Copilot uses AI. Check for mistakes.
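An added sketch of the second option from the review comment above (tighten to 0600 when any caller requests user-only, never loosen), not code from this PR or from dotnet/runtime. `SharedListener` and all of its members are hypothetical names, and it assumes .NET 7 or later on a Unix system.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net.Sockets;

// Constructed demo: the first caller does not ask for user-only, the second does.
string path = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName() + ".sock");
using SharedListener first = SharedListener.GetOrCreate(path, currentUserOnly: false);
Console.WriteLine($"after first caller:  {File.GetUnixFileMode(path)}");
SharedListener.GetOrCreate(path, currentUserOnly: true);
Console.WriteLine($"after second caller: {File.GetUnixFileMode(path)}");

// Hypothetical stand-in for a per-path shared listener; not the runtime's SharedServer.
sealed class SharedListener : IDisposable
{
    private static readonly Dictionary<string, SharedListener> s_listeners = new();
    private readonly Socket _socket = new(AddressFamily.Unix, SocketType.Stream, ProtocolType.Unspecified);
    private readonly string _path;

    private SharedListener(string path, bool currentUserOnly)
    {
        _path = path;
        try { _socket.Bind(new UnixDomainSocketEndPoint(path)); } // creates the socket file
        catch { _socket.Dispose(); throw; }                       // bind failed: path is not ours
        try { if (currentUserOnly) Restrict(); _socket.Listen(5); } // chmod before listening
        catch { Dispose(); throw; }                                 // no half-configured endpoint
    }

    // Tighten to 0600 (idempotent). Nothing in this class ever widens the mode again.
    private void Restrict() => File.SetUnixFileMode(_path, UnixFileMode.UserRead | UnixFileMode.UserWrite);

    public static SharedListener GetOrCreate(string path, bool currentUserOnly)
    {
        lock (s_listeners)
        {
            if (!s_listeners.TryGetValue(path, out var listener))
                s_listeners.Add(path, listener = new SharedListener(path, currentUserOnly));
            else if (currentUserOnly)
                listener.Restrict(); // a later caller asked for user-only: enforce it now
            return listener;
        }
    }

    public void Dispose()
    {
        lock (s_listeners) s_listeners.Remove(_path);
        _socket.Dispose();
        File.Delete(_path);
    }
}
```

The first option from the same comment would instead record the flag at creation and throw from `GetOrCreate` when a later caller's flag differs.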