ControlSocketsGroupWritable option is not compatible with User
check_private_dir() to ensure that ControlSocketsGroupWritable is safe to use. Unfortunately, check_private_dir() only checks against the currently running user… which can be root until privileges are dropped to the user and group configured by the User config option.
The attached patch fixes the issue by adding a new effective_user argument to check_private_dir() and updating the callers. It might not be the best way to fix the issue, but it did in my tests.
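
Added example, not part of the original report or the attached patch: a sketch of a directory check that compares ownership against the configured user rather than the uid the process happens to be running as before privileges are dropped. The function names, the group_ok flag and the exact permission policy are assumptions made for illustration, not the project's code.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: uid the daemon will run as after dropping privileges.
 * NULL means no User option is set, so the current effective uid applies. */
static int resolve_owner(const char *effective_user, uid_t *out)
{
    if (!effective_user) { *out = geteuid(); return 0; }
    struct passwd *pw = getpwnam(effective_user);
    if (!pw) return -1;              /* unknown user: refuse, do not guess */
    *out = pw->pw_uid;
    return 0;
}

/* Returns 0 if path is a real directory owned by `owner`, with no access for
 * others and, unless group_ok is set, none for the group; -1 otherwise. */
static int dir_is_private_for(const char *path, uid_t owner, int group_ok)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;     /* lstat: symlinks are rejected */
    if (!S_ISDIR(st.st_mode)) return -1;
    if (st.st_uid != owner) return -1;        /* wrong owner, e.g. root vs User */
    mode_t forbidden = S_IRWXO | (group_ok ? 0 : S_IRWXG);
    return (st.st_mode & forbidden) ? -1 : 0;
}

/* Check against the user the process will become, not the one it is now. */
int check_dir_for_user(const char *path, const char *effective_user, int group_ok)
{
    uid_t owner;
    if (resolve_owner(effective_user, &owner) != 0) return -1;
    return dir_is_private_for(path, owner, group_ok);
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s DIR [USER]\n", argv[0]); return 2; }
    int rc = check_dir_for_user(argv[1], argc > 2 ? argv[2] : NULL, 1);
    puts(rc == 0 ? "ok" : "unsafe");
    return rc == 0 ? 0 : 1;
}
```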