[Security] socket access granted to users outside auth-group
Placing the following in
load-module module-native-protocol-unix auth-group=pulseaudio socket=/tmp/pulseserver
and freshly logging in a user session, I find
/tmp/pulseserver to have the following permissions:
srwxrwxrwx 1 user user 0 Sep 4 15:14 pulseserver
The socket is indeed accessible by everyone on the system! Group pulseaudio exists on my system, pulseaudio is started with default config, not in system mode (there is no error in the log file associated with socket creation).
This is a security issue, I expect pulseaudio to set the right permissions when creating a socket file! The following should be done:
1). The created socket should NEVER be rwx to the world, except in the case of auth-anonymous=1
2.) Socket creation should fail if pulseaudio fails to set the appropriate permissions
Tested with pulseaudio 12.0 on Debian sid, default configuration.