feat: add configurable socket permissions

Have `pueue` set the permissions of the socket created. Previously, the permissions where unspecified and (at least for me) defaulted to `755`. As part of this change, the default settings are moving to `700` which is more restricted than the previous default. Signed-off-by: JP-Ellis <[email protected]>
Nukesor · Jun 15, 2024 · fbdfab7 · fbdfab7
1 parent 30f430f
commit fbdfab7
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ### Added
 
+- Ability to set the Unix socket permissions through the new `unix_socket_permissions` configuration option. [#544](https://github.com/Nukesor/pueue/pull/544)
+
 ## \[3.4.1\] - 2024-06-04
 
 ### Added

diff --git a/pueue_lib/src/network/socket/unix.rs b/pueue_lib/src/network/socket/unix.rs
@@ -1,4 +1,6 @@
 use std::convert::TryFrom;
+use std::fs;
+use std::os::unix::fs::PermissionsExt;
 
 use async_trait::async_trait;
 use log::info;
@@ -143,7 +145,14 @@ pub async fn get_listener(settings: &Shared) -> Result<GenericListener, Error> {
         }
 
         let unix_listener = UnixListener::bind(&socket_path)
-            .map_err(|err| Error::IoPathError(socket_path, "creating unix socket", err))?;
+            .map_err(|err| Error::IoPathError(socket_path.clone(), "creating unix socket", err))?;
+
+        // Adjust socket permissions
+        let mut permissions = fs::metadata(&socket_path)
+            .map_err(|err| Error::IoPathError(socket_path, "obtaining file metadata", err))?
+            .permissions();
+        permissions.set_mode(settings.unix_socket_permissions);
+
         return Ok(Box::new(unix_listener));
     }
 

diff --git a/pueue_lib/src/settings.rs b/pueue_lib/src/settings.rs
@@ -46,6 +46,12 @@ pub struct Shared {
     /// The path to the unix socket.
     #[cfg(not(target_os = "windows"))]
     pub unix_socket_path: Option<PathBuf>,
+    /// Unix socket permissions. Typically specified as an octal number and
+    /// defaults to `0o700` which grants only the current user access to the
+    /// socket. For a client to connect to the daemon, the client must have
+    /// read/write permissions.
+    #[cfg(not(target_os = "windows"))]
+    pub unix_socket_permissions: u32,
 
     /// The TCP hostname/ip address.
     #[serde(default = "default_host")]
@@ -147,6 +153,8 @@ impl Default for Shared {
             unix_socket_path: None,
             #[cfg(not(target_os = "windows"))]
             use_unix_socket: true,
+            #[cfg(not(target_os = "windows"))]
+            unix_socket_permissions: 0o777,
             host: default_host(),
             port: default_port(),
 

diff --git a/pueue_lib/tests/helper.rs b/pueue_lib/tests/helper.rs
@@ -20,6 +20,8 @@ pub fn get_shared_settings(
         use_unix_socket,
         #[cfg(not(target_os = "windows"))]
         unix_socket_path: None,
+        #[cfg(not(target_os = "windows"))]
+        unix_socket_permissions: 0o777,
         pid_path: None,
         host: "localhost".to_string(),
         port: pick_unused_port()