create unix sockets with 660 permissions

Realistically this is probably the permission mask you want if you are using a unix socket for LAMINAR_BIND_RPC or LAMINAR_BIND_HTTP. resolves #160
3 years ago · 549f49052a
parent d913d04c4a
commit 549f49052a
2 changed files with 14 additions and 7 deletions
--- a/UserManual.md
+++ b/UserManual.md
@ -222,13 +222,13 @@ Then, point `laminarc` to the new location using an environment variable:
 LAMINAR_HOST=192.168.1.1:9997 laminarc queue example
 ```
-If you need more flexibility, consider running the communication channel as a regular unix socket and applying user and group permissions to the file. To achieve this, set
+If you need more flexibility, consider running the communication channel as a regular unix socket. Setting
 ```
 LAMINAR_BIND_RPC=unix:/var/run/laminar.sock
 ```
-or similar path in `/etc/laminar.conf`.
+or similar path in `/etc/laminar.conf` will result in a socket with group read/write permissions (`660`), so any user in the `laminar` group can queue a job.
 This can be securely and flexibly combined with remote triggering using `ssh`. There is no need to allow the client full shell access to the server machine, the ssh server can restrict certain users to certain commands (in this case `laminarc`). See [the authorized_keys section of the sshd man page](https://man.openbsd.org/sshd#AUTHORIZED_KEYS_FILE_FORMAT) for further information.
--- a/src/server.cpp
+++ b/src/server.cpp
@ -1,5 +1,5 @@
 ///
-/// Copyright 2015-2019 Oliver Giles
+/// Copyright 2015-2021 Oliver Giles
 ///
 /// This file is part of Laminar
 ///
@ -30,6 +30,7 @@
 #include <sys/eventfd.h>
 #include <sys/inotify.h>
 #include <sys/signalfd.h>
 #include <sys/stat.h>
 // Size of buffer used to read from file descriptors. Should be
 // a multiple of sizeof(struct signalfd_siginfo) == 128
@ -117,8 +118,11 @@ void Server::listenRpc(Rpc &rpc, kj::StringPtr rpcBindAddress)
    if(rpcBindAddress.startsWith("unix:"))
        unlink(rpcBindAddress.slice(strlen("unix:")).cStr());
    listeners->add(ioContext.provider->getNetwork().parseAddress(rpcBindAddress)
-              .then([this,&rpc](kj::Own<kj::NetworkAddress>&& addr) {
+              .then([this,&rpc,rpcBindAddress](kj::Own<kj::NetworkAddress>&& addr) {
-        return acceptRpcClient(rpc, addr->listen());
+        kj::Own<kj::ConnectionReceiver> listener = addr->listen();
        if(rpcBindAddress.startsWith("unix:"))
            chmod(rpcBindAddress.slice(strlen("unix:")).cStr(), 0660);
        return acceptRpcClient(rpc, kj::mv(listener));
    }));
 }
@ -128,8 +132,11 @@ void Server::listenHttp(Http &http, kj::StringPtr httpBindAddress)
    if(httpBindAddress.startsWith("unix:"))
        unlink(httpBindAddress.slice(strlen("unix:")).cStr());
    listeners->add(ioContext.provider->getNetwork().parseAddress(httpBindAddress)
-              .then([this,&http](kj::Own<kj::NetworkAddress>&& addr) {
+              .then([this,&http,httpBindAddress](kj::Own<kj::NetworkAddress>&& addr) {
-        return http.startServer(ioContext.lowLevelProvider->getTimer(), addr->listen());
+        kj::Own<kj::ConnectionReceiver> listener = addr->listen();
        if(httpBindAddress.startsWith("unix:"))
            chmod(httpBindAddress.slice(strlen("unix:")).cStr(), 0660);
        return http.startServer(ioContext.lowLevelProvider->getTimer(), kj::mv(listener));
    }));
 }