🛡️ Sentinel: Enforce Unix socket peer verification #108

Open
minibota wants to merge 1 commit into main from security/nightly-2026-02-06-17519485796025406417
@minibota commented Feb 6, 2026

Issue: cc-agent exec blindly connected to the Unix socket specified by --socket-path (or fallback). If the socket path was in a shared directory (like /tmp, which is used as a fallback or in User Mode), a local attacker could pre-create the socket and intercept execution reports containing sensitive job output (stdout/stderr).

🧠 Risk: Information Disclosure (High). An unprivileged local attacker could capture output from cron jobs running as other users.

🛠️ Fix:

  • Implemented verifySocketPeer using syscall.GetsockoptUcred (on Linux) to validate the peer's UID.
  • The connection is now rejected unless the peer UID matches the current user OR is root (allowing connection to System Mode daemon).
  • Added var getCurrentUid to allow mocking in tests.

🧪 Tests:

  • Added cmd/security_peer_linux_test.go:
    • Verified successful connection when UIDs match.
    • Verified connection rejection when UIDs mismatch (mocked).
  • Ran go test ./cmd (All Pass).

📎 Notes: This fix focuses on the client side (exec command). The daemon side already sets 0660 permissions, but this adds defense-in-depth against pre-creation attacks in shared directories.


PR created automatically by Jules for task 17519485796025406417 started by @minibota
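
The peer check described in the fix list above, as an added Go example for Linux that is not the code from this pull request. `verifySocketPeer` and `getCurrentUid` are named in the PR but their bodies here are assumed; `peerAllowed`, `dialAndVerify` and the abstract-namespace demo address are hypothetical names introduced for the illustration.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

var getCurrentUid = os.Getuid // swappable in tests (named in the PR; body assumed)

// peerAllowed is the stated policy: the peer must be the current user or root.
func peerAllowed(peerUID, selfUID uint32) bool { return peerUID == selfUID || peerUID == 0 }

// verifySocketPeer reads SO_PEERCRED from a connected Unix socket and fails closed.
func verifySocketPeer(conn *net.UnixConn) error {
	raw, err := conn.SyscallConn()
	if err != nil {
		return err
	}
	var cred *syscall.Ucred
	ctlErr := raw.Control(func(fd uintptr) {
		cred, err = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	})
	if ctlErr != nil || err != nil {
		return fmt.Errorf("cannot read SO_PEERCRED: control=%v getsockopt=%v", ctlErr, err)
	}
	if self := uint32(getCurrentUid()); !peerAllowed(cred.Uid, self) {
		return fmt.Errorf("socket peer uid %d is neither uid %d nor root", cred.Uid, self)
	}
	return nil
}

// dialAndVerify (constructed demo): listen on addr, connect to it, verify the listener's UID.
func dialAndVerify(addr string) error {
	ln, err := net.Listen("unix", addr)
	if err != nil {
		return err
	}
	defer ln.Close()
	conn, err := net.Dial("unix", addr)
	if err != nil {
		return err
	}
	defer conn.Close()
	return verifySocketPeer(conn.(*net.UnixConn))
}

func main() { fmt.Println(dialAndVerify(fmt.Sprintf("@peercred-demo-%d", os.Getpid()))) }
```

Because a root peer is always accepted, a mismatch test that mocks only `getCurrentUid` cannot trigger a rejection when the test process itself runs as root, as is common in containers.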

Secure `cc-agent exec` against local spoofing attacks by verifying
the socket peer's credentials (`SO_PEERCRED`).

- Implemented `verifySocketPeer` in `cmd/security_linux.go`.
- Added check in `cmd/exec.go`.
- Added verification test `cmd/security_peer_linux_test.go`.

Co-authored-by: minibota <1483356+minibota@users.noreply.github.com>
@google-labs-jules
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.
