3 files changed, 26 insertions, 4 deletions

diff --git a/src/configuration.hpp b/src/configuration.hpp
index 25f9855..c29e133 100644
--- a/src/configuration.hpp
+++ b/src/configuration.hpp
@@ -3,6 +3,8 @@
 #include "logger.hpp"
 #include "system.hpp"
 
+#include <sys/types.h>
+
 #include <algorithm>
 #include <boost/container/flat_map.hpp>
 #include <iostream>
@@ -27,6 +29,8 @@ class Configuration
         legacy = 1,
     };
 
+    static constexpr mode_t defaultUmask = 077;
+
     struct MountPoint
     {
         static constexpr int defaultTimeout = 30;
diff --git a/src/main.cpp b/src/main.cpp
index 49dab24..a20c68a 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -4,6 +4,8 @@
 #include "system.hpp"
 
 #include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/types.h>
 
 #include <boost/asio.hpp>
 #include <boost/asio/buffer.hpp>
@@ -76,6 +78,22 @@ int main()
     if (!config.valid)
         return -1;
 
+    // setup secure ownership for newly created files (always succeeds)
+    umask(Configuration::defaultUmask);
+
+    // Create directory with limited access rights to hold sockets
+    try
+    {
+        std::filesystem::create_directories(
+            std::filesystem::temp_directory_path() / "sock");
+    }
+    catch (std::filesystem::filesystem_error& e)
+    {
+        LogMsg(Logger::Error,
+               "Cannot create secure directory for sockets: ", e.what());
+        return -1;
+    }
+
     boost::asio::io_context ioc;
     boost::asio::signal_set signals(ioc, SIGINT, SIGTERM);
     signals.async_wait(
diff --git a/virtual-media.json b/virtual-media.json
index 602ba1e..c5c53ed 100644
--- a/virtual-media.json
+++ b/virtual-media.json
@@ -5,7 +5,7 @@
             "EndpointId": "/nbd/0",
             "Mode": 0,
             "NBDDevice": "nbd0",
-            "UnixSocket": "/tmp/nbd0.sock",
+            "UnixSocket": "/tmp/sock/nbd0.sock",
             "Timeout": 30,
             "BlockSize": 512
         },
@@ -13,7 +13,7 @@
             "EndpointId": "/nbd/1",
             "Mode": 0,
             "NBDDevice": "nbd1",
-            "UnixSocket": "/tmp/nbd1.sock",
+            "UnixSocket": "/tmp/sock/nbd1.sock",
             "Timeout": 30,
             "BlockSize": 512
         },
@@ -21,7 +21,7 @@
             "EndpointId": "",
             "Mode": 1,
             "NBDDevice": "nbd2",
-            "UnixSocket": "/tmp/nbd2.sock",
+            "UnixSocket": "/tmp/sock/nbd2.sock",
             "Timeout": 90,
             "BlockSize": 512
         },
@@ -29,7 +29,7 @@
             "EndpointId": "",
             "Mode": 1,
             "NBDDevice": "nbd3",
-            "UnixSocket": "/tmp/nbd3.sock",
+            "UnixSocket": "/tmp/sock/nbd3.sock",
             "Timeout": 90,
             "BlockSize": 512
         }