cacheout-app · acebytes · Jun 24, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -143,3 +143,7 @@ grep -nE "O_NOFOLLOW|O_CLOEXEC|fchmod|withUnsafeFileSystemRepresentation" <candi
 **Vulnerability:** Calling `open(2)` with raw Swift `String` paths in `StatusSocket.swift` creates an unsafe filesystem representation.
 **Learning:** Passing Swift `String` paths implicitly to C functions can result in memory issues or incorrect path resolution if the string is not null-terminated or is moved in memory.
 **Prevention:** Always use `URL(fileURLWithPath:).withUnsafeFileSystemRepresentation` to obtain the correct C-string pointer when bridging file paths to POSIX APIs.
+## 2026-05-04 - Fix fail-open POSIX permission handling
+**Vulnerability:** Ignored return values from POSIX C APIs (`fchmod`, `fchmodat`) caused fail-open behavior.
+**Learning:** While high-level Swift APIs inherently fail-closed by throwing errors, dropping down to C APIs to avoid TOCTOU introduces the risk of silently ignoring failures.
+**Prevention:** Always explicitly check the integer return codes of POSIX C APIs and securely fail-closed on error.
diff --git a/Sources/Cacheout/Headless/DaemonMode.swift b/Sources/Cacheout/Headless/DaemonMode.swift
@@ -981,7 +981,10 @@ public actor DaemonMode: StatusSocket.DataSource {
             guard let pathPtr = pathPtr else { return nil }
             let fd = open(pathPtr, O_RDONLY | O_NOFOLLOW | O_CLOEXEC)
             guard fd >= 0 else { return nil }
-            fchmod(fd, 0o600)
+            guard fchmod(fd, 0o600) == 0 else {
+                close(fd)
+                return nil
+            }
             let handle = FileHandle(fileDescriptor: fd, closeOnDealloc: true)
             return try? handle.readToEnd()
         }

diff --git a/Sources/Cacheout/Headless/StatusSocket.swift b/Sources/Cacheout/Headless/StatusSocket.swift
@@ -184,7 +184,11 @@ public final class StatusSocket: @unchecked Sendable {
         }
         if (sockStat.st_mode & 0o777) != 0o600 {
             // umask should have set 0600; defense-in-depth chmod via no-follow.
-            _ = fchmodat(AT_FDCWD, socketPath, 0o600, AT_SYMLINK_NOFOLLOW)
+            guard fchmodat(AT_FDCWD, socketPath, 0o600, AT_SYMLINK_NOFOLLOW) == 0 else {
+                close(fd)
+                unlink(socketPath)
+                throw StatusSocketError.bindFailed(errno)
+            }
         }
 
         // Listen