Maintenance socket follow-up: better permissions #16487

Closed
kbr-scylla opened this issue Dec 20, 2023 · 0 comments · Fixed by #17113
@kbr-scylla

#16172 (comment)

from @avikivity:

It enables interaction with the node through CQL protocol without authentication. It gives full-permission access. The maintenance socket is available by Unix domain socket with file permissions 755, thus it is not accessible from outside of the node and from other POSIX groups on the node. It is created before the node joins the cluster.

This will have to change; I'm okay with a follow-up. Permissions should be 660 to allow a scyllaadm's group to connect. I don't think the execute permission is required.

margdoc added a commit to margdoc/scylla that referenced this issue Feb 1, 2024
…nce_socket

Set filesystem permissions for the maintenance socket to 660.

Fixes scylladb#16487
@mykaul mykaul added this to the 6.0 milestone Feb 5, 2024
margdoc added a commit to margdoc/scylla that referenced this issue Feb 5, 2024
…nce_socket

Set filesystem permissions for the maintenance socket to 660.

Fixes scylladb#16487
avikivity added a commit that referenced this issue Feb 20, 2024
…kołaj Grzebieluch

Set filesystem permissions for the maintenance socket to 660 (previously it was 755) to allow a scyllaadm's group to connect.
Split the logic of creating sockets into two separate functions, one for each case: when it is a regular cql controller or used by maintenance_socket.

Fixes #16487.

Closes #17113

* github.com:scylladb/scylladb:
  maintenance_socket: add option to set owning group
  transport/controller: get rid of magic number for socket path's maximal length
  transport/controller: set unix_domain_socket_permissions for maintenance_socket
  transport/controller: pass unix_domain_socket_permissions to generic_server::listen
  transport/controller: split configuring sockets into separate functions
dgarcia360 pushed a commit to dgarcia360/scylla that referenced this issue Apr 30, 2024
…nce_socket

Set filesystem permissions for the maintenance socket to 660.

Fixes scylladb#16487
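
The permission change discussed in this issue, as an added example using plain POSIX calls (not ScyllaDB or Seastar code, and not taken from #17113). On Linux, connecting to a pathname Unix socket requires write permission on the socket file, so mode 755 lets only the owner connect while 660 also admits the owning group; the execute bit plays no part. The names `listen_unix_socket`, `socket_mode` and `keep_group` are hypothetical.

```cpp
// Added example: plain POSIX calls, not ScyllaDB or Seastar code.
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>
#include <cerrno>
#include <cstring>
#include <string>

constexpr gid_t keep_group = static_cast<gid_t>(-1);  // chown(): leave group unchanged

// Hypothetical helper: listen on a Unix domain socket at `path` whose inode has
// exactly `mode` and, optionally, owning group `gid`. Returns the fd or -1 (errno set).
int listen_unix_socket(const std::string& path, mode_t mode, gid_t gid = keep_group) {
    sockaddr_un addr{};
    addr.sun_family = AF_UNIX;
    if (path.size() >= sizeof(addr.sun_path)) {  // limit taken from the struct itself
        errno = ENAMETOOLONG;
        return -1;
    }
    std::memcpy(addr.sun_path, path.c_str(), path.size() + 1);
    int fd = ::socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    ::unlink(path.c_str());  // remove a stale socket left by a previous run

    // bind() creates the inode with mode (0777 & ~umask). Masking every bit outside
    // `mode` means the socket is never more permissive than intended, even briefly.
    // umask is process-wide, so do this before other threads create files.
    mode_t old_mask = ::umask(~mode & 0777);
    int rc = ::bind(fd, reinterpret_cast<sockaddr*>(&addr), sizeof(addr));
    int err = errno;
    ::umask(old_mask);

    if (rc == 0 && gid != keep_group) { rc = ::chown(path.c_str(), static_cast<uid_t>(-1), gid); err = errno; }
    if (rc == 0) { rc = ::chmod(path.c_str(), mode); err = errno; }  // pin the final mode
    if (rc == 0) { rc = ::listen(fd, 16); err = errno; }
    if (rc != 0) {
        ::close(fd);
        errno = err;
        return -1;
    }
    return fd;
}

// Permission bits of the socket at `path`, or -1 if it is missing or not a socket.
int socket_mode(const std::string& path) {
    struct stat st{};
    if (::stat(path.c_str(), &st) != 0 || !S_ISSOCK(st.st_mode)) return -1;
    return static_cast<int>(st.st_mode & 0777);
}
```

Setting the group to one the process does not belong to requires privilege; otherwise `chown()` fails with `EPERM` and the helper returns -1.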