unix: Limit named pipe permissions to the current user

andyprice · andyprice · commit 64077ff3de40 · 2024-09-06T19:40:31.000+01:00
Named pipes created using the "pipe://" file access scheme should not be
world-writable or readable. Limit their access to the current user by
creating them with 0600 permissions instead of 0666.
diff --git a/drivers/unix/file_access_unix_pipe.cpp b/drivers/unix/file_access_unix_pipe.cpp
@@ -65,7 +65,7 @@ Error FileAccessUnixPipe::open_internal(const String &p_path, int p_mode_flags)
 	struct stat st = {};
 	int err = stat(path.utf8().get_data(), &st);
 	if (err) {
-		if (mkfifo(path.utf8().get_data(), 0666) != 0) {
+		if (mkfifo(path.utf8().get_data(), 0600) != 0) {
 			last_error = ERR_FILE_CANT_OPEN;
 			return last_error;
 		}

Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ Error FileAccessUnixPipe::open_internal(const String &p_path, int p_mode_flags)`
`65`	`65`	`struct stat st = {};`
`66`	`66`	`int err = stat(path.utf8().get_data(), &st);`
`67`	`67`	`if (err) {`
`68`		`- if (mkfifo(path.utf8().get_data(), 0666) != 0) {`
	`68`	`+ if (mkfifo(path.utf8().get_data(), 0600) != 0) {`
`69`	`69`	`last_error = ERR_FILE_CANT_OPEN;`
`70`	`70`	`return last_error;`
`71`	`71`	`}`