Skip to content

Commit

Permalink
Merge pull request #544 from JP-Ellis/feat/socket-permissions
Browse files Browse the repository at this point in the history
feat: add configurable socket permissions
  • Loading branch information
Nukesor authored Jul 14, 2024
2 parents 57b0497 + 1fd2f64 commit 31878c4
Show file tree
Hide file tree
Showing 7 changed files with 95 additions and 4 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ The new state design fixes this issue, which allows Pueue to do subprocess state
- Add `--all` and `--group` to `pueue log`. [#509](https://github.com/Nukesor/pueue/issues/509)
- Add `pueue reset --groups [group_names]` to allow resetting individual groups. [#482](https://github.com/Nukesor/pueue/issues/482) \
This also refactors the way resets are done internally, resulting in a cleaner code architecture.
- Ability to set the Unix socket permissions through the new `unix_socket_permissions` configuration option. [#544](https://github.com/Nukesor/pueue/pull/544)

## \[3.4.1\] - 2024-06-04

Expand Down
2 changes: 1 addition & 1 deletion Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions pueue/tests/daemon/integration/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ mod restart;
mod restore;
/// Tests for shutting down the daemon.
mod shutdown;
mod socket_permissions;
mod spawn;
mod start;
mod stashed;
Expand Down
56 changes: 56 additions & 0 deletions pueue/tests/daemon/integration/socket_permissions.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
use anyhow::Result;
use std::fs;
use std::os::unix::fs::PermissionsExt;

use anyhow::Context;

use crate::helper::*;

/// Make sure that the socket permissions are appropriately set.
#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
#[cfg(not(target_os = "windows"))]
async fn test_socket_permissions_default() -> Result<()> {
let (settings, _tempdir) = daemon_base_setup()?;
let shared = &settings.shared;
let mut child = standalone_daemon(shared).await?;

assert_eq!(
fs::metadata(shared.unix_socket_path())?
.permissions()
.mode()
// The permissions are masked with 0o777 to only get the last 3
// digits.
& 0o777,
0o700
);

child.kill()?;
Ok(())
}

/// Make sure that the socket permissions can be changed
#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
#[cfg(not(target_os = "windows"))]
async fn test_socket_permissions_modified() -> Result<()> {
let (mut settings, _tempdir) = daemon_base_setup()?;
settings.shared.unix_socket_permissions = Some(0o777);
let shared = &settings.shared;
settings
.save(&Some(settings.shared.runtime_directory().join("pueue.yml")))
.context("Couldn't write pueue config to temporary directory")?;

let mut child = standalone_daemon(shared).await?;

assert_eq!(
fs::metadata(shared.unix_socket_path())?
.permissions()
.mode()
// The permissions are masked with 0o777 to only get the last 3
// digits.
& 0o777,
0o777
);

child.kill()?;
Ok(())
}
29 changes: 26 additions & 3 deletions pueue_lib/src/network/socket/unix.rs
Original file line number Diff line number Diff line change
@@ -1,10 +1,12 @@
use std::convert::TryFrom;
use std::fs::{set_permissions, Permissions};
use std::os::unix::fs::PermissionsExt;

use async_trait::async_trait;
use log::info;
use rustls::pki_types::ServerName;
use tokio::io::{AsyncRead, AsyncWrite};
use tokio::net::{TcpListener, TcpStream, UnixListener, UnixStream};
use tokio::net::{TcpListener, TcpStream, UnixListener, UnixSocket, UnixStream};
use tokio_rustls::TlsAcceptor;

use crate::error::Error;
Expand Down Expand Up @@ -142,8 +144,29 @@ pub async fn get_listener(settings: &Shared) -> Result<GenericListener, Error> {
})?;
}

let unix_listener = UnixListener::bind(&socket_path)
.map_err(|err| Error::IoPathError(socket_path, "creating unix socket", err))?;
// The various nix platforms handle socket permissions in different
// ways, but generally prevent the socket's permissions from being
// changed once it is being listened on.
let socket = UnixSocket::new_stream()
.map_err(|err| Error::IoError("creating unix socket".to_string(), err))?;
socket.bind(&socket_path).map_err(|err| {
Error::IoPathError(socket_path.clone(), "binding unix socket to path", err)
})?;

if let Some(mode) = settings.unix_socket_permissions {
set_permissions(&socket_path, Permissions::from_mode(mode)).map_err(|err| {
Error::IoPathError(
socket_path.clone(),
"setting permissions on unix socket",
err,
)
})?;
}

let unix_listener = socket.listen(1024).map_err(|err| {
Error::IoPathError(socket_path.clone(), "listening on unix socket", err)
})?;

return Ok(Box::new(unix_listener));
}

Expand Down
8 changes: 8 additions & 0 deletions pueue_lib/src/settings.rs
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,12 @@ pub struct Shared {
/// The path to the unix socket.
#[cfg(not(target_os = "windows"))]
pub unix_socket_path: Option<PathBuf>,
/// Unix socket permissions. Typically specified as an octal number and
/// defaults to `0o700` which grants only the current user access to the
/// socket. For a client to connect to the daemon, the client must have
/// read/write permissions.
#[cfg(not(target_os = "windows"))]
pub unix_socket_permissions: Option<u32>,

/// The TCP hostname/ip address.
#[serde(default = "default_host")]
Expand Down Expand Up @@ -147,6 +153,8 @@ impl Default for Shared {
unix_socket_path: None,
#[cfg(not(target_os = "windows"))]
use_unix_socket: true,
#[cfg(not(target_os = "windows"))]
unix_socket_permissions: Some(0o700),
host: default_host(),
port: default_port(),

Expand Down
2 changes: 2 additions & 0 deletions pueue_lib/tests/helper.rs
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@ pub fn get_shared_settings(
use_unix_socket,
#[cfg(not(target_os = "windows"))]
unix_socket_path: None,
#[cfg(not(target_os = "windows"))]
unix_socket_permissions: Some(0o700),
pid_path: None,
host: "localhost".to_string(),
port: pick_unused_port()
Expand Down

0 comments on commit 31878c4

Please sign in to comment.