fix: guard unix socket cleanup with dev/inode identity check

On exit, only remove the forwarded unix socket if the path still refers
to the same file we created. If another process has replaced it in the
interim (e.g. a subsequent bind from a different owner), skip the
removal to avoid stealing their socket.

Recorded via os.Stat after a successful Listen; compared via
os.SameFile at cleanup time.

Author: ernie

tsshd/forward.go

@@ -168,18 +168,31 @@ func (s *sshUdpServer) handleListenEvent(stream Stream) {
 		return
 	}
 
+	var createdInfo os.FileInfo
 	if msg.Net == "unix" {
 		mode := os.FileMode(0666) &^ os.FileMode(streamLocalBindMask())
 		if err := os.Chmod(msg.Addr, mode); err != nil {
 			warning("chmod unix socket [%s] to %#o failed: %v", msg.Addr, mode, err)
 		}
+		if info, err := os.Stat(msg.Addr); err == nil {
+			createdInfo = info
+		}
 	}
 
 	addOnExitFunc(func() {
 		_ = listener.Close()
-		if msg.Net == "unix" {
-			_ = os.Remove(msg.Addr)
+		if msg.Net != "unix" || createdInfo == nil {
+			return
+		}
+		current, err := os.Stat(msg.Addr)
+		if err != nil {
+			return
+		}
+		if !os.SameFile(createdInfo, current) {
+			debug("unix socket [%s] replaced since creation; skipping unlink", msg.Addr)
+			return
 		}
+		_ = os.Remove(msg.Addr)
 	})
 	defer func() { _ = listener.Close() }()