Hi Paul
I see that I was not clear about what I meant by "in general" :-)
In the fix for pcs
you can see a comment that there is a change from umask(0) to umask(0x077)
It was this umask(0) (in Thin::Backends::UnixServer#connect) I was referring to as "in general".
I mean the fix is to override this more generic function that is obviously not secure enough.
Here I found what the generic source code looks like:
You can see the umask(0) there.
That is what I think is insecure, not pcs itself.
It looks like the pcs code was not vulnerable, because what I failed to check was whether this source code was present in buster. It was not, as someone has concluded.
But I think Thin::Backends::UnixServer#connect is still insecure.
Cheers
// Ola
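
The permission effect discussed in this message, as an added example that is not part of the original mail and is not code from Thin or pcs: it binds a UNIX socket under a zero umask and under a restrictive one and compares the resulting file modes. The helper names, the temporary path and the octal mask 0o077 are assumptions made for the illustration.

```ruby
require "socket"
require "tmpdir"

# Bind a UNIX listening socket while the given umask is in effect and
# return the permission bits of the resulting socket file.
def socket_mode_under_umask(mask)
  Dir.mktmpdir("umask-demo") do |dir|
    path = File.join(dir, "demo.sock")   # constructed path, demo only
    previous = File.umask(mask)          # File.umask returns the old mask
    begin
      server = UNIXServer.new(path)      # bind() creates the socket file here
    ensure
      File.umask(previous)               # always restore the process umask
    end
    mode = File.stat(path).mode & 0o777
    server.close
    mode
  end
end

# True when group or other hold any permission bit on the socket.
def open_to_other_users?(mode)
  (mode & 0o077) != 0
end

if __FILE__ == $PROGRAM_NAME
  { "umask(0)" => 0, "umask(0o077)" => 0o077 }.each do |label, mask|
    mode = socket_mode_under_umask(mask)
    puts format("%-13s -> socket mode %04o, open to other users: %s",
                label, mode, open_to_other_users?(mode))
  end
end
```

On Linux, connecting to a UNIX socket requires write permission on the socket file, so the mode produced under a zero umask admits every local user unless a parent directory restricts access.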