From 80e4e34c3329bfd7a7efbb72a7d2ee8eb2712335 Mon Sep 17 00:00:00 2001
From: matthew-pilot
Date: Sat, 30 May 2026 07:27:03 +0000
Subject: [PATCH] fix: set umask 0o177 before Unix socket Listen to close TOCTOU window (PILOT-279)
---
 cmd/wallet/main.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/cmd/wallet/main.go b/cmd/wallet/main.go
index 5712b49..b114b91 100644
--- a/cmd/wallet/main.go
+++ b/cmd/wallet/main.go
@@ -150,12 +150,18 @@ func run(ctx context.Context, args []string) error {
 if err := os.MkdirAll(filepath.Dir(*sockPath), 0o700); err != nil {
 return fmt.Errorf("socket dir: %w", err)
 }
+ // Set umask to 0o177 before Listen so the unix-domain socket
+ // is created as 0o600 atomically — no TOCTOU window between
+ // socket creation and a post-hoc Chmod.
+ oldMask := syscall.Umask(0o177)
 listener, err := net.Listen("unix", *sockPath)
+ syscall.Umask(oldMask)
 if err != nil {
 return fmt.Errorf("listen %s: %w", *sockPath, err)
 }
- // Limit who can open the socket. 0600 means only the owning user can
- // dial — same threat model as the identity file.
+ // Chmod is a belt-and-suspenders backup; the umask above covers
+ // the primary case. On the off-chance a platform doesn't apply
+ // umask to unix sockets, the explicit chmod is the fallback.
 if err := os.Chmod(*sockPath, 0o600); err != nil {
 logger.Printf("chmod socket: %v", err)
 }
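Review bot: `syscall.Umask` at the new `oldMask := syscall.Umask(0o177)` line changes a process-wide setting, not a per-call one, so any other goroutine that creates a file between that line and the restore after `net.Listen` also gets the 0o177 mask; the comment should state this constraint, e.g. `// umask is process-wide: no other goroutine may be creating files while it is tightened.` `syscall.Umask` is also not defined for Windows builds, so if cmd/wallet is ever compiled for GOOS=windows (not visible from the hunk) the call needs to move into a build-tagged helper. The rewritten comment before `os.Chmod` drops the old rationale "same threat model as the identity file" for choosing 0o600; that sentence documents why the mode is 0o600 rather than only how it is reached and is worth keeping. The enclosing `run` function starts and ends outside the hunk.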