create unix sockets with 660 permissions

Realistically this is probably the permission mask you want if you are using a unix socket for LAMINAR_BIND_RPC or LAMINAR_BIND_HTTP. resolves #160
ohwgiles · Nov 12, 2021 · 549f490 · 549f490
1 parent d913d04
commit 549f490
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 7 deletions.
diff --git a/UserManual.md b/UserManual.md
@@ -222,13 +222,13 @@ Then, point `laminarc` to the new location using an environment variable:
 LAMINAR_HOST=192.168.1.1:9997 laminarc queue example
 ```
 
-If you need more flexibility, consider running the communication channel as a regular unix socket and applying user and group permissions to the file. To achieve this, set
+If you need more flexibility, consider running the communication channel as a regular unix socket. Setting
 
 ```
 LAMINAR_BIND_RPC=unix:/var/run/laminar.sock
 ```
 
-or similar path in `/etc/laminar.conf`.
+or similar path in `/etc/laminar.conf` will result in a socket with group read/write permissions (`660`), so any user in the `laminar` group can queue a job.
 
 This can be securely and flexibly combined with remote triggering using `ssh`. There is no need to allow the client full shell access to the server machine, the ssh server can restrict certain users to certain commands (in this case `laminarc`). See [the authorized_keys section of the sshd man page](https://man.openbsd.org/sshd#AUTHORIZED_KEYS_FILE_FORMAT) for further information.
 

diff --git a/src/server.cpp b/src/server.cpp
@@ -1,5 +1,5 @@
 ///
-/// Copyright 2015-2019 Oliver Giles
+/// Copyright 2015-2021 Oliver Giles
 ///
 /// This file is part of Laminar
 ///
@@ -30,6 +30,7 @@
 #include <sys/eventfd.h>
 #include <sys/inotify.h>
 #include <sys/signalfd.h>
+#include <sys/stat.h>
 
 // Size of buffer used to read from file descriptors. Should be
 // a multiple of sizeof(struct signalfd_siginfo) == 128
@@ -117,8 +118,11 @@ void Server::listenRpc(Rpc &rpc, kj::StringPtr rpcBindAddress)
     if(rpcBindAddress.startsWith("unix:"))
         unlink(rpcBindAddress.slice(strlen("unix:")).cStr());
     listeners->add(ioContext.provider->getNetwork().parseAddress(rpcBindAddress)
-              .then([this,&rpc](kj::Own<kj::NetworkAddress>&& addr) {
-        return acceptRpcClient(rpc, addr->listen());
+              .then([this,&rpc,rpcBindAddress](kj::Own<kj::NetworkAddress>&& addr) {
+        kj::Own<kj::ConnectionReceiver> listener = addr->listen();
+        if(rpcBindAddress.startsWith("unix:"))
+            chmod(rpcBindAddress.slice(strlen("unix:")).cStr(), 0660);
+        return acceptRpcClient(rpc, kj::mv(listener));
     }));
 
 }
@@ -128,8 +132,11 @@ void Server::listenHttp(Http &http, kj::StringPtr httpBindAddress)
     if(httpBindAddress.startsWith("unix:"))
         unlink(httpBindAddress.slice(strlen("unix:")).cStr());
     listeners->add(ioContext.provider->getNetwork().parseAddress(httpBindAddress)
-              .then([this,&http](kj::Own<kj::NetworkAddress>&& addr) {
-        return http.startServer(ioContext.lowLevelProvider->getTimer(), addr->listen());
+              .then([this,&http,httpBindAddress](kj::Own<kj::NetworkAddress>&& addr) {
+        kj::Own<kj::ConnectionReceiver> listener = addr->listen();
+        if(httpBindAddress.startsWith("unix:"))
+            chmod(httpBindAddress.slice(strlen("unix:")).cStr(), 0660);
+        return http.startServer(ioContext.lowLevelProvider->getTimer(), kj::mv(listener));
     }));
 }