From d60f37e0fea66c75b96e92f96ef9171e7aeabb28 Mon Sep 17 00:00:00 2001
From: "Michael N. Lipp"
Date: Mon, 19 Jun 2023 11:59:54 +0200
Subject: [PATCH] Be more restrictive with file permissions.

---
 .../vmoperator/runner/qemu/Configuration.java | 24 +++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
index dd7dd0f..d2162e9 100644
--- a/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
+++ b/org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
@@ -23,9 +23,11 @@ import java.math.BigInteger;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.nio.file.attribute.PosixFilePermission;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.UUID;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -322,15 +324,29 @@ class Configuration implements Dto {
 @SuppressWarnings("PMD.AvoidDeeplyNestedIfStmts")
 private boolean checkRuntimeDir() {
- // Runtime directory (sockets)
+ // Runtime directory (sockets etc.)
 if (runtimeDir == null) {
+ var appDir = FsdUtils.runtimeDir(Runner.APP_NAME);
+ if (!Files.exists(appDir) && appDir.toFile().mkdirs()) {
+ try {
+ // When appDir is derived from XDG_RUNTIME_DIR
+ // the latter should already have these permissions,
+ // but let's be on the safe side.
+ Files.setPosixFilePermissions(appDir,
+ Set.of(PosixFilePermission.OWNER_READ,
+ PosixFilePermission.OWNER_WRITE,
+ PosixFilePermission.OWNER_EXECUTE));
+ } catch (IOException e) {
+ logger.warning(() -> String.format(
+ "Cannot set permissions rwx------ on \"%s\".",
+ runtimeDir));
+ }
+ }
 runtimeDir = FsdUtils.runtimeDir(Runner.APP_NAME).resolve(vm.name);
+ runtimeDir.toFile().mkdir();
 swtpmSocket = runtimeDir.resolve("swtpm-sock");
 monitorSocket = runtimeDir.resolve("monitor.sock");
 }
- if (!Files.exists(runtimeDir)) {
- runtimeDir.toFile().mkdirs();
- }
 if (!Files.isDirectory(runtimeDir) || !Files.isWritable(runtimeDir)) {
 logger.severe(() -> String.format(
 "Configured runtime directory \"%s\""