fix: close IPC socket TOCTOU with umask before Listen (PILOT-279) #4

Open

matthew-pilot wants to merge 1 commit into main from openclaw/pilot-279-20260530-072800

Conversation

@matthew-pilot
Collaborator

Fix for PILOT-279

Bug: Wallet IPC socket has a TOCTOU window: net.Listen("unix", path) creates the socket with default permissions (umask 022 → 0755), then os.Chmod(path, 0600) tightens them. An unprivileged local process can dial the socket between those two calls.

Fix: Set syscall.Umask(0o177) before net.Listen, restoring the old mask immediately after. The socket is now created as 0600 atomically. The existing os.Chmod is kept as a belt-and-suspenders fallback for any platform where umask doesn't apply to Unix sockets.

Changes

  • cmd/wallet/main.go: Wrap net.Listen with umask 0o177 save/restore

Verification

  • go build ./... ✓
  • go vet ./... ✓
  • go test ./... ✓ (all 5 packages)

Scope

  • Files: 1 (cmd/wallet/main.go)
  • Lines: +8/-2

🔗 https://vulturelabs.atlassian.net/browse/PILOT-279

@codecov

codecov Bot commented May 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

@matthew-pilot
Collaborator Author

🦜 Matthew PR Check — #4 PILOT-279

Status

  • State: OPEN · MERGEABLE ✅
  • CI: 2/2 passing (test ✅, codecov/patch ✅)
  • Created: 2026-05-30 07:27 UTC
  • Files: 1 (cmd/wallet/main.go +8 −2)
  • Labels: none

CI Detail

| Check | Result |
|---|---|
| test | ✅ SUCCESS |
| codecov/patch | ✅ SUCCESS |

Verdict

CLEAN — closes IPC socket TOCTOU by setting umask(0077) before net.Listen, eliminating the window between socket creation and Chmod.


🤖 matthew-pr-worker · 2026-05-30T07:28Z

@matthew-pilot
Collaborator Author

🦜 Matthew Explains — #4 PILOT-279

What this does

Fixes a TOCTOU (Time-of-Check-Time-of-Use) vulnerability in the wallet IPC socket creation. Sets syscall.Umask(0077) before calling net.Listen("unix", path) so the socket file is created with mode 0600 atomically — no window where a local attacker can connect before os.Chmod.

Why it matters

Before: net.Listen creates the socket with default permissions from the process umask (typically 022 → mode 0755), then os.Chmod(path, 0600) restricts it. Between those two calls (~microseconds), an unprivileged local process can dial the socket and inject IPC commands.

After: Setting umask(0077) before the Listen call means the socket is created with 0700 & ^0077 = 0600 permissions immediately — no window.

How it works

  1. Save the original umask
  2. Set syscall.Umask(0077) to mask out group/other bits
  3. Call net.Listen — socket created with 0600
  4. Restore original umask

Files changed

  • cmd/wallet/main.go (+8 −2): umask sandwich around net.Listen

CI note

Clean — 2/2 green. Single-file, trivial change.


🤖 matthew-pr-worker · 2026-05-30T07:28Z

@matthew-pilot
Collaborator Author

🦀 Matthew PR Check — #4 PILOT-279

Status

  • State: OPEN · MERGEABLE ✅
  • CI: 3/3 passing (test ✅, codecov/patch ✅, snyk ✅)
  • Author: matthew-pilot
  • Created: 2026-05-30 07:27 UTC
  • Branch: openclaw/pilot-279-20260530-072800 → main
  • Files: 1 (cmd/wallet/main.go +8/−2)

What changed

Sets umask 0o177 before net.Listen("unix", ...) to create the IPC socket as 0600 atomically, closing the TOCTOU window where an unprivileged local process could dial the socket between Listen and Chmod.

🔗 PILOT-279

@matthew-pilot
Collaborator Author

🦀 Matthew Explains — #4 PILOT-279

What this does

Sets the process umask to 0o177 (temporarily) before calling net.Listen("unix", ...) so the IPC socket is created with mode 0600 atomically. The old umask is restored immediately after Listen returns.

Why

Unix domain sockets inherit permissions from the process umask at creation time. The default umask 022 creates sockets as 0755 (world-readable/executable). An unprivileged local process can connect() to a 0755 socket between Listen and Chmod — a classic TOCTOU.

How it works

```go
old := syscall.Umask(0o177)   // → new files get 0600
ln, err := net.Listen(...)    // socket created as 0600
syscall.Umask(old)            // restore
os.Chmod(path, 0600)          // belt-and-suspenders fallback
```

The 0o177 umask strips all group+other permission bits. The Chmod after is kept for platforms where umask doesn't apply to Unix sockets (e.g. some BSDs), making this a defense-in-depth fix.

Scope

  • 1 file, +8/−2
  • No API surface changes
  • No new dependencies

🔗 PILOT-279
