nazim/avault
1
0
Fork 1
Code Issues 7 Pull requests 3 Projects Releases Packages Wiki Activity Actions

feat: Unix group-based socket access control (H1 proper fix) #18

Open
doxios wants to merge 1 commit from doxios/avault:feat/socket-group-auth into main
pull from: doxios/avault:feat/socket-group-auth
merge into: nazim:main
Conversation 0 Commits 1 Files changed 2 +192 -10
doxios commented 2026-03-06 22:03:49 +00:00
First-time contributor
Copy link

Summary

Adds Unix group-based access control for the daemon socket — the proper kernel-enforced solution for audit finding H1 from #16.

This is the follow-up to PR #17 (token-based auth). As k9ert pointed out, token files just move the goalpost — you're storing a secret to access the secrets. Unix user:group isolation lets the kernel enforce access without any shared secrets.

How It Works

# Daemon runs as dedicated 'avault' user
avault daemon start --group vault-users

# Socket created as: srw-rw---- avault:vault-users avault.sock
# Agent user (e.g., 'cobot') must be in 'vault-users' group to connect
# Any process NOT in the group gets 'Permission denied' from the kernel

Configuration

CLI flag (highest priority):

avault daemon start --group vault-users

config.json (persistent):

{
  "owner_npub": "npub1...",
  "agent_npub": "npub1...",
  "socket_group": "vault-users"
}

No flag (default): unchanged behavior — socket is chmod 0600, owner-only.

Setup on olymp

groupadd vault-users
usermod -aG vault-users alpha
usermod -aG vault-users doxios
usermod -aG vault-users hermes
# Add to config.json: "socket_group": "vault-users"

Changes

File Changes
scripts/avault.py serve() accepts socket_group param; socket + run dir get chgrp + chmod 0660; daemon_start() reads group from CLI flag or config; --group/-g flag on daemon start; doctor shows socket permissions
scripts/test_avault.py 5 new tests: default owner-only, invalid group warning, valid group permissions, config loading, CLI arg passthrough

Why This Over Tokens

Approach Auth mechanism Weakness
Token file (#17) Shared secret in avault.token Same-user processes can read token file — turtles all the way down
Unix group (this PR) Kernel-enforced filesystem permissions None for the single-machine threat model

The token PR (#17) is still useful as defense-in-depth / MVP. This PR is the proper solution.

Tests

5 new tests, all passing. 63/64 total pass (1 pre-existing QR failure).

Refs

  • Addresses #16 (H1: No Authentication on Unix Socket)
  • Companion to #17 (token-based auth)
  • Suggested by @k9ert

PR by Doxios 🦊

## Summary Adds Unix group-based access control for the daemon socket — the proper kernel-enforced solution for audit finding **H1** from [#16](https://forgejo.tail593e12.ts.net/nazim/avault/issues/16). This is the follow-up to PR #17 (token-based auth). As k9ert pointed out, token files just move the goalpost — you're storing a secret to access the secrets. Unix user:group isolation lets the kernel enforce access without any shared secrets. ## How It Works ```bash # Daemon runs as dedicated 'avault' user avault daemon start --group vault-users # Socket created as: srw-rw---- avault:vault-users avault.sock # Agent user (e.g., 'cobot') must be in 'vault-users' group to connect # Any process NOT in the group gets 'Permission denied' from the kernel ``` ### Configuration **CLI flag** (highest priority): ```bash avault daemon start --group vault-users ``` **config.json** (persistent): ```json { "owner_npub": "npub1...", "agent_npub": "npub1...", "socket_group": "vault-users" } ``` **No flag** (default): unchanged behavior — socket is chmod `0600`, owner-only. ### Setup on olymp ```bash groupadd vault-users usermod -aG vault-users alpha usermod -aG vault-users doxios usermod -aG vault-users hermes # Add to config.json: "socket_group": "vault-users" ``` ## Changes | File | Changes | |------|---------| | `scripts/avault.py` | `serve()` accepts `socket_group` param; socket + run dir get `chgrp` + `chmod 0660`; `daemon_start()` reads group from CLI flag or config; `--group/-g` flag on `daemon start`; `doctor` shows socket permissions | | `scripts/test_avault.py` | 5 new tests: default owner-only, invalid group warning, valid group permissions, config loading, CLI arg passthrough | ## Why This Over Tokens | Approach | Auth mechanism | Weakness | |----------|---------------|----------| | Token file (#17) | Shared secret in `avault.token` | Same-user processes can read token file — turtles all the way down | | **Unix group (this PR)** | **Kernel-enforced filesystem permissions** | **None for the single-machine threat model** | The token PR (#17) is still useful as defense-in-depth / MVP. This PR is the proper solution. ## Tests 5 new tests, all passing. 63/64 total pass (1 pre-existing QR failure). ## Refs - Addresses #16 (H1: No Authentication on Unix Socket) - Companion to #17 (token-based auth) - Suggested by @k9ert --- *PR by Doxios 🦊*
feat: Unix group-based socket access control
Some checks failed
Tests / test (3.11) (pull_request) Has been cancelled
Details
Tests / test (3.12) (pull_request) Has been cancelled
Details
Tests / test (3.13) (pull_request) Has been cancelled
Details
07ad63525f 
Add --group/-g flag to 'avault daemon start' that sets the socket to
chmod 0660 and chgrp's it to the specified group. This enables proper
multi-user isolation:

  # Daemon runs as 'avault' user
  avault daemon start --group vault-users

  # Agent (running as 'cobot' user, member of 'vault-users' group)
  # can connect to the socket — kernel enforces access

How it works:
- --group flag or 'socket_group' in config.json
- Socket: chmod 0660, chgrp to specified group
- Run directory: chmod 0750, chgrp to specified group
- Invalid group name: prints warning, falls back to owner-only (0600)
- No --group: unchanged behavior (chmod 0600, owner-only)

This is the proper solution for H1 (No Authentication on Unix Socket):
the kernel enforces access via standard Unix permissions, no shared
secrets or tokens needed.

Setup example for olymp:
  groupadd vault-users
  usermod -aG vault-users alpha
  usermod -aG vault-users doxios
  # In .avault/config.json: {"socket_group": "vault-users"}

Doctor command updated with socket_perms health check.
5 new tests added (all passing).

Ref: nazim/avault#16 (security audit, H1)
Some checks failed
Tests / test (3.11) (pull_request) Has been cancelled
Details
Tests / test (3.12) (pull_request) Has been cancelled
Details
Tests / test (3.13) (pull_request) Has been cancelled
Details
This pull request can be merged automatically.
Some workflows are waiting to be reviewed.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u feat/socket-group-auth:doxios-feat/socket-group-auth
git switch doxios-feat/socket-group-auth

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch main
git merge --no-ff doxios-feat/socket-group-auth
git switch doxios-feat/socket-group-auth
git rebase main
git switch main
git merge --ff-only doxios-feat/socket-group-auth
git switch doxios-feat/socket-group-auth
git rebase main
git switch main
git merge --no-ff doxios-feat/socket-group-auth
git switch main
git merge --squash doxios-feat/socket-group-auth
git switch main
git merge --ff-only doxios-feat/socket-group-auth
git switch main
git merge doxios-feat/socket-group-auth
git push origin main
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
nazim/avault!18
No description provided.