diff --git a/NOTICE b/NOTICE
index 73274140b..0afc2a48c 100644
--- a/NOTICE
+++ b/NOTICE
@@ -2,6 +2,7 @@ NGINX Unit. Copyright 2017-2022 NGINX, Inc. + Copyright 2022-2022 Evgenii Sokolov Copyright 2017-2022 Valentin V. Bartenev Copyright 2017-2022 Max Romanov Copyright 2017-2022 Andrei Zeliankou
diff --git a/auto/help b/auto/help
index e2b81bc7b..7a24ecce8 100644
--- a/auto/help
+++ b/auto/help
@@ -1,5 +1,6 @@ # Copyright (C) Igor Sysoev +# Copyright (C) Evgenii Sokolov # Copyright (C) NGINX, Inc.
@@ -29,6 +30,9 @@ cat << END --control=ADDRESS set address of control API socket default: "$NXT_CONTROL" + --unix-sock-mod=MODE set mode to unix socket as a listener + default: "$NXT_UNIX_DOMAIN_MODE" + --user=USER set non-privileged processes to run as specified user default: "$NXT_USER" --group=GROUP set non-privileged processes to run as specified group
diff --git a/auto/options b/auto/options
index 572d8a9b6..90e74542f 100644
--- a/auto/options
+++ b/auto/options
@@ -1,6 +1,7 @@ # Copyright (C) Igor Sysoev # Copyright (C) Valentin V. Bartenev +# Copyright (C) Evgenii Sokolov # Copyright (C) NGINX, Inc.
@@ -69,6 +70,8 @@ do --control=*) NXT_CONTROL="$value" ;; + --unix-sock-mod=*) NXT_UNIX_DOMAIN_MODE="$value" ;; + --user=*) NXT_USER="$value" ;; --group=*) NXT_GROUP="$value" ;;
@@ -180,3 +183,8 @@ case "$NXT_CONTROL" in unix:*) NXT_CONTROL="unix:$NXT_PREFIX${NXT_CONTROL##unix:}" ;; *) ;; esac + +case "$NXT_UNIX_DOMAIN_MODE" in + [0-7][0-7][0-7]) ;; + *) NXT_UNIX_DOMAIN_MODE=$NXT_UNIX_DOMAIN_MODE ;; +esac
diff --git a/auto/summary b/auto/summary
index 84bfbb7f1..d346503e4 100644
--- a/auto/summary
+++ b/auto/summary
@@ -1,5 +1,6 @@ # Copyright (C) Igor Sysoev +# Copyright (C) Evgenii Sokolov # Copyright (C) NGINX, Inc.
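Review bot: The `*)` branch of the new `case "$NXT_UNIX_DOMAIN_MODE"` block in auto/options assigns the variable to itself, so an invalid `--unix-sock-mod` value passes configure unchanged and is then written verbatim into the generated header by the `#define NXT_UNIX_DOMAIN_MODE "$NXT_UNIX_DOMAIN_MODE"` line of the configure hunk, where the runtime side also never re-validates it (only the command-line path in nxt_runtime.c checks the digits). The fallback branch should reject the value instead, for example `*) echo "$0: invalid --unix-sock-mod value: \"$NXT_UNIX_DOMAIN_MODE\"" >&2; exit 1 ;;`. The pattern `[0-7][0-7][0-7]` also admits only three-digit modes while the runtime parser accepts one to three digits; the two checks should agree on what is valid.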
@@ -26,6 +27,7 @@ Unit configuration summary: IPv6 support: .............. $NXT_INET6 Unix domain sockets support: $NXT_UNIX_DOMAIN + Unix domain sockets mode: .. $NXT_UNIX_DOMAIN_MODE TLS support: ............... $NXT_OPENSSL process isolation: ......... $NXT_ISOLATION
diff --git a/configure b/configure
index bc21e5792..5fd56ea35 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,7 @@ #!/bin/sh # Copyright (C) Igor Sysoev +# Copyright (C) Evgenii Sokolov # Copyright (C) NGINX, Inc.
@@ -42,6 +43,7 @@ NXT_TMP="tmp" NXT_PID="unit.pid" NXT_LOG="unit.log" NXT_CONTROL="unix:control.unit.sock" +NXT_UNIX_DOMAIN_MODE="666" NXT_USER="nobody" NXT_GROUP=
@@ -93,6 +95,8 @@ cat << END >> $NXT_AUTO_CONFIG_H #define NXT_CONTROL_SOCK "$NXT_CONTROL" +#define NXT_UNIX_DOMAIN_MODE "$NXT_UNIX_DOMAIN_MODE" + #define NXT_USER "$NXT_USER" #define NXT_GROUP "$NXT_GROUP"
diff --git a/pkg/deb/debian.module/copyright.unit-jsc10 b/pkg/deb/debian.module/copyright.unit-jsc10
index 42dbd3b9c..3c1c604f3 100644
--- a/pkg/deb/debian.module/copyright.unit-jsc10
+++ b/pkg/deb/debian.module/copyright.unit-jsc10
@@ -2,6 +2,7 @@ NGINX Unit. Copyright 2017-2022 NGINX, Inc. + Copyright 2022-2022 Evgenii Sokolov Copyright 2017-2022 Valentin V. Bartenev Copyright 2017-2022 Max Romanov Copyright 2017-2022 Andrei Zeliankou
diff --git a/pkg/deb/debian.module/copyright.unit-jsc11 b/pkg/deb/debian.module/copyright.unit-jsc11
index b2e4a1179..a5fc9f8ac 100644
--- a/pkg/deb/debian.module/copyright.unit-jsc11
+++ b/pkg/deb/debian.module/copyright.unit-jsc11
@@ -2,6 +2,7 @@ NGINX Unit. Copyright 2017-2022 NGINX, Inc. + Copyright 2022-2022 Evgenii Sokolov Copyright 2017-2022 Valentin V. Bartenev Copyright 2017-2022 Max Romanov Copyright 2017-2022 Andrei Zeliankou
diff --git a/pkg/deb/debian.module/copyright.unit-jsc8 b/pkg/deb/debian.module/copyright.unit-jsc8
index 1dab9cce5..e6c33b55a 100644
--- a/pkg/deb/debian.module/copyright.unit-jsc8
+++ b/pkg/deb/debian.module/copyright.unit-jsc8
@@ -2,6 +2,7 @@ NGINX Unit. Copyright 2017-2022 NGINX, Inc. + Copyright 2022-2022 Evgenii Sokolov Copyright 2017-2022 Valentin V. Bartenev Copyright 2017-2022 Max Romanov Copyright 2017-2022 Andrei Zeliankou
diff --git a/pkg/deb/debian/copyright b/pkg/deb/debian/copyright
index 487c92c53..f8a1309d3 100644
--- a/pkg/deb/debian/copyright
+++ b/pkg/deb/debian/copyright
@@ -2,6 +2,7 @@ NGINX Unit. Copyright 2017-2022 NGINX, Inc. + Copyright 2022-2022 Evgenii Sokolov Copyright 2017-2022 Valentin V. Bartenev Copyright 2017-2022 Max Romanov Copyright 2017-2022 Andrei Zeliankou
diff --git a/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc10 b/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc10
index c7860e4b7..82d7b8e4b 100644
--- a/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc10
+++ b/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc10
@@ -2,6 +2,7 @@ NGINX Unit. Copyright 2017-2022 NGINX, Inc. + Copyright 2022-2022 Evgenii Sokolov Copyright 2017-2022 Valentin V. Bartenev Copyright 2017-2022 Max Romanov Copyright 2017-2022 Andrei Zeliankou
diff --git a/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc11 b/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc11
index b08fcc347..ea716094f 100644
--- a/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc11
+++ b/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc11
@@ -2,6 +2,7 @@ NGINX Unit. Copyright 2017-2022 NGINX, Inc. + Copyright 2022-2022 Evgenii Sokolov Copyright 2017-2022 Valentin V. Bartenev Copyright 2017-2022 Max Romanov Copyright 2017-2022 Andrei Zeliankou
diff --git a/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc8 b/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc8
index 5e31863d3..ede66234c 100644
--- a/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc8
+++ b/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc8
@@ -2,6 +2,7 @@ NGINX Unit. Copyright 2017-2022 NGINX, Inc. + Copyright 2022-2022 Evgenii Sokolov Copyright 2017-2022 Valentin V. Bartenev Copyright 2017-2022 Max Romanov Copyright 2017-2022 Andrei Zeliankou
diff --git a/src/nxt_main_process.c b/src/nxt_main_process.c
index 9883f04c2..dafcedc90 100644
--- a/src/nxt_main_process.c
+++ b/src/nxt_main_process.c
@@ -1,6 +1,7 @@ /* * Copyright (C) Igor Sysoev + * Copyright (C) Evgenii Sokolov * Copyright (C) NGINX, Inc. */
@@ -49,7 +50,7 @@ static void nxt_main_process_cleanup(nxt_task_t *task, nxt_process_t *process); static void nxt_main_port_socket_handler(nxt_task_t *task, nxt_port_recv_msg_t *msg); static nxt_int_t nxt_main_listening_socket(nxt_sockaddr_t *sa, - nxt_listening_socket_t *ls); + nxt_listening_socket_t *ls, nxt_runtime_t *rt); static void nxt_main_port_modules_handler(nxt_task_t *task, nxt_port_recv_msg_t *msg); static int nxt_cdecl nxt_app_lang_compare(const void *v1, const void *v2);
@@ -1032,8 +1033,11 @@ nxt_main_port_socket_handler(nxt_task_t *task, nxt_port_recv_msg_t *msg) nxt_sockaddr_t *sa; nxt_port_msg_type_t type; nxt_listening_socket_t ls; + nxt_runtime_t *rt; u_char message[2048]; + rt = task->thread->runtime; + port = nxt_runtime_port_find(task->thread->runtime, msg->port_msg.pid, msg->port_msg.reply_port); if (nxt_slow_path(port == NULL)) {
@@ -1060,7 +1064,7 @@ nxt_main_port_socket_handler(nxt_task_t *task, nxt_port_recv_msg_t *msg) nxt_debug(task, "listening socket \"%*s\"", (size_t) sa->length, nxt_sockaddr_start(sa)); - ret = nxt_main_listening_socket(sa, &ls); + ret = nxt_main_listening_socket(sa, &ls, rt); if (ret == NXT_OK) { nxt_debug(task, "socket(\"%*s\"): %d",
@@ -1092,7 +1096,7 @@ nxt_main_port_socket_handler(nxt_task_t *task, nxt_port_recv_msg_t *msg) static nxt_int_t -nxt_main_listening_socket(nxt_sockaddr_t *sa, nxt_listening_socket_t *ls) +nxt_main_listening_socket(nxt_sockaddr_t *sa, nxt_listening_socket_t *ls, nxt_runtime_t *rt) { nxt_err_t err; nxt_socket_t s;
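Review bot: In the `@@ -1032` hunk `rt` is taken from `task->thread->runtime`, yet the very next statement still passes `task->thread->runtime` to nxt_runtime_port_find(), so the same pointer is spelled two ways a few lines apart; use the new local there, `port = nxt_runtime_port_find(rt, msg->port_msg.pid,`. The added `nxt_runtime_t *rt;` is also placed after `nxt_listening_socket_t ls;`, which appears to break the ascending type-name ordering the surrounding declarations follow. nxt_main_port_socket_handler continues outside the hunk.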
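Review bot: The new definition line `nxt_main_listening_socket(nxt_sockaddr_t *sa, nxt_listening_socket_t *ls, nxt_runtime_t *rt)` in the `@@ -1092` hunk runs well past 80 columns, while the matching prototype in the `@@ -49` hunk wraps the third parameter onto a continuation line; wrap the definition the same way, `nxt_main_listening_socket(nxt_sockaddr_t *sa, nxt_listening_socket_t *ls,` followed by `    nxt_runtime_t *rt)`. A short comment above the function saying what `rt` is consulted for (its `unix_sock_mod` string and `user_cred`, per the later hunks) would help, since nothing in the signature hints at it. The function's body continues outside the hunk.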
@@ -1188,11 +1192,22 @@ nxt_main_listening_socket(nxt_sockaddr_t *sa, nxt_listening_socket_t *ls) #if (NXT_HAVE_UNIX_DOMAIN) if (sa->u.sockaddr.sa_family == AF_UNIX) { - char *filename; - mode_t access; + nxt_uint_t m_len; + nxt_uid_t uid; + nxt_gid_t gid; + mode_t access; + char *filename; filename = sa->u.sockaddr_un.sun_path; - access = (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH); + m_len = nxt_strlen(rt->unix_sock_mod); + access = 0; + + for (nxt_uint_t i = 0; i < m_len; i++) { + nxt_uint_t oct = (nxt_uint_t) rt->unix_sock_mod[i] - '0'; + if (m_len == 3 && i == 0) oct *= 64; + if ((m_len == 3 && i == 1) || (m_len == 2 && i == 0)) oct *= 8; + access += oct; + } if (chmod(filename, access) != 0) { ls->end = nxt_sprintf(ls->start, ls->end,
@@ -1200,6 +1215,16 @@ nxt_main_listening_socket(nxt_sockaddr_t *sa, nxt_listening_socket_t *ls) filename, nxt_errno); goto fail; } + + uid = rt->user_cred.uid; + gid = rt->user_cred.base_gid; + + if (chown(filename, uid, gid) != 0) { + ls->end = nxt_sprintf(ls->start, ls->end, + "chown(\\\"%s\\\") failed %E", + filename, nxt_errno); + goto fail; + } } #endif
diff --git a/src/nxt_runtime.c b/src/nxt_runtime.c
index 46955f1cc..5ec0b785a 100644
--- a/src/nxt_runtime.c
+++ b/src/nxt_runtime.c
@@ -2,6 +2,7 @@ /* * Copyright (C) Igor Sysoev * Copyright (C) Valentin V. Bartenev + * Copyright (C) Evgenii Sokolov * Copyright (C) NGINX, Inc. */
@@ -771,6 +772,7 @@ nxt_runtime_conf_init(nxt_task_t *task, nxt_runtime_t *rt) rt->modules = NXT_MODULES; rt->state = NXT_STATE; rt->control = NXT_CONTROL_SOCK; + rt->unix_sock_mod = NXT_UNIX_DOMAIN_MODE; rt->tmp = NXT_TMP; nxt_memzero(&rt->capabilities, sizeof(nxt_capabilities_t));
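Review bot: The digit loop that builds `access` from `rt->unix_sock_mod` in the `@@ -1188` hunk re-implements an octal parse and silently yields arbitrary permission bits for any non-octal character, because `(nxt_uint_t) rt->unix_sock_mod[i] - '0'` is never range-checked here; that matters because only the `--unix-sock-mod` command-line path validates the string, while the configure-time default assigned in nxt_runtime_conf_init reaches this code unchecked. A single `access = (mode_t) strtoul(rt->unix_sock_mod, NULL, 8);` produces the same value for every valid one- to three-digit input and keeps the parsing in one place, or better, parse once at option time and store a `mode_t` in the runtime. The braceless one-line `if (m_len == 3 && i == 0) oct *= 64;` statements and the declarations inside the `for` header also depart from the surrounding style, which braces every body and declares at the top of the block. nxt_main_listening_socket's body continues outside the hunk.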
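Review bot: The chown() added in the `@@ -1200` hunk runs for every Unix domain listener whether or not `--user` was given, and its failure now aborts the listener, which the previous chmod-only code did not do. When the main process is not running as root and `rt->user_cred.uid` differs from its own uid, chown() is expected to fail with EPERM, so a non-root deployment that worked before this change would start failing here; consider applying chown() only when the credentials differ from the process's own, or documenting the new requirement. Like the existing chmod(), chown() acts on the path rather than the bound descriptor, which is worth stating in a comment such as `/* the socket node is re-owned by the non-privileged user via its path, as chmod() above is */` so the next reader does not look for an fchown() alternative. The enclosing block continues outside the hunk.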
@@ -922,6 +924,10 @@ nxt_runtime_conf_read_cmd(nxt_task_t *task, nxt_runtime_t *rt) static const char no_control[] = "option \"--control\" requires socket address\n"; + static const char no_unix_sock_mod[] = + "option \"--unix-sock-mod\" requires socket mode\n"; + static const char invalid_unix_sock_mod[] = + "option \"--unix-sock-mod\" invalid value specified\n"; static const char no_user[] = "option \"--user\" requires username\n"; static const char no_group[] = "option \"--group\" requires group name\n"; static const char no_pid[] = "option \"--pid\" requires filename\n";
@@ -942,6 +948,9 @@ nxt_runtime_conf_read_cmd(nxt_task_t *task, nxt_runtime_t *rt) " --control ADDRESS set address of control API socket\n" " default: \"" NXT_CONTROL_SOCK "\"\n" "\n" + " --unix-sock-mod MODE set mode to unix socket as a listener\n" + " default: \"" NXT_UNIX_DOMAIN_MODE "\"\n" + "\n" " --pid FILE set pid filename\n" " default: \"" NXT_PID "\"\n" "\n"
@@ -986,6 +995,32 @@ nxt_runtime_conf_read_cmd(nxt_task_t *task, nxt_runtime_t *rt) continue; } + if (nxt_strcmp(p, "--unix-sock-mod") == 0) { + if (*argv == NULL) { + write(STDERR_FILENO, no_unix_sock_mod, nxt_length(no_unix_sock_mod)); + return NXT_ERROR; + } + + p = *argv++; + nxt_uint_t p_len = nxt_strlen(p); + + if (p_len == 0 || p_len > 3) { + write(STDERR_FILENO, invalid_unix_sock_mod, nxt_length(invalid_unix_sock_mod)); + return NXT_ERROR; + } + for (nxt_uint_t i = 0; i < p_len; i++) { + u_char digit = (u_char) p[i] - '0'; + if (digit > 7) { + write(STDERR_FILENO, invalid_unix_sock_mod, nxt_length(invalid_unix_sock_mod)); + return NXT_ERROR; + } + } + + rt->unix_sock_mod = p; + + continue; + } + if (nxt_strcmp(p, "--user") == 0) { if (*argv == NULL) { write(STDERR_FILENO, no_user, nxt_length(no_user));
diff --git a/src/nxt_runtime.h b/src/nxt_runtime.h
index d7fe2f384..383a636e8 100644
--- a/src/nxt_runtime.h
+++ b/src/nxt_runtime.h
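Review bot: The usage line added in the `@@ -942` hunk, `set mode to unix socket as a listener`, does not say what the value is (an octal file mode) or which sockets it applies to; `set octal file mode of Unix domain listening sockets` would be clearer, and the same wording appears in the auto/help hunk. The option name `--unix-sock-mod` abbreviates "mode" to "mod", which reads as "modification"; if the name is still open, `--unix-sock-mode` would avoid that. nxt_runtime_conf_read_cmd starts and ends outside the hunk.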
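Review bot: The `--unix-sock-mod` branch in the `@@ -986` hunk validates the digits but then stores the raw string in `rt->unix_sock_mod`, so nxt_main_listening_socket in nxt_main_process.c has to parse it a second time with its own loop, and the `const char *unix_sock_mod` field added in nxt_runtime.h carries no comment saying it is a one- to three-digit octal string. Converting once here into a `mode_t` runtime field, and converting the NXT_UNIX_DOMAIN_MODE default in nxt_runtime_conf_init the same way, would remove the duplicate parser and give the configure-time default the validation it currently lacks. The three `write(STDERR_FILENO, invalid_unix_sock_mod, ...)` lines exceed 80 columns and `nxt_uint_t p_len = nxt_strlen(p);` and `for (nxt_uint_t i = 0; ...)` declare mid-block, which the neighbouring `--user` branch does not do; match its shape and declare the locals at the top of the function. nxt_runtime_conf_read_cmd starts and ends outside the hunk.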
@@ -71,6 +71,7 @@ struct nxt_runtime_s { const char *conf; const char *conf_tmp; const char *control; + const char *unix_sock_mod; const char *tmp; nxt_str_t certs;