feat: add configurable socket permissions

Have `pueue` set the permissions of the socket created. Previously, the permissions where unspecified and (at least for me) defaulted to `755`. As part of this change, the default settings are moving to `700` which is more restricted than the previous default. Signed-off-by: JP-Ellis <[email protected]>
Nukesor · Jul 8, 2024 · 0c77687 · 0c77687
1 parent 1a162d7
commit 0c77687
Show file tree

Hide file tree

Showing 8 changed files with 135 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -29,6 +29,7 @@ The new state design fixes this issue, which allows Pueue to do subprocess state
 - Add `--all` and `--group` to `pueue log`. [#509](https://github.com/Nukesor/pueue/issues/509)
 - Add `pueue reset --groups [group_names]` to allow resetting individual groups. [#482](https://github.com/Nukesor/pueue/issues/482) \
   This also refactors the way resets are done internally, resulting in a cleaner code architecture.
+- Ability to set the Unix socket permissions through the new `unix_socket_permissions` configuration option. [#544](https://github.com/Nukesor/pueue/pull/544)
 
 ## \[3.4.1\] - 2024-06-04
 

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/pueue/tests/daemon/integration/mod.rs b/pueue/tests/daemon/integration/mod.rs
@@ -16,6 +16,7 @@ mod restart;
 mod restore;
 /// Tests for shutting down the daemon.
 mod shutdown;
+mod socket_permissions;
 mod spawn;
 mod start;
 mod stashed;

diff --git a/pueue/tests/daemon/integration/socket_permissions.rs b/pueue/tests/daemon/integration/socket_permissions.rs
@@ -0,0 +1,50 @@
+use anyhow::Result;
+use std::fs;
+use std::os::unix::fs::PermissionsExt;
+
+use crate::helper::*;
+
+/// Make sure that the socket permissions are appropriately set.
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+#[cfg(not(target_os = "windows"))]
+async fn test_socket_permissions_default() -> Result<()> {
+    let (settings, _tempdir) = daemon_base_setup()?;
+    let mut child = standalone_daemon(&settings).await?;
+    let shared = &settings.shared;
+
+    assert_eq!(
+        fs::metadata(shared.unix_socket_path())?
+            .permissions()
+            .mode()
+            // The permissions are masked with 0o777 to only get the last 3
+            // digits.
+            & 0o777,
+        0o700
+    );
+
+    child.kill()?;
+    Ok(())
+}
+
+/// Make sure that the socket permissions can be changed
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+#[cfg(not(target_os = "windows"))]
+async fn test_socket_permissions_modified() -> Result<()> {
+    let (mut settings, _tempdir) = daemon_base_setup()?;
+    settings.shared.unix_socket_permissions = Some(0o777);
+    let mut child = standalone_daemon(&settings).await?;
+    let shared = &settings.shared;
+
+    assert_eq!(
+        fs::metadata(shared.unix_socket_path())?
+            .permissions()
+            .mode()
+            // The permissions are masked with 0o777 to only get the last 3
+            // digits.
+            & 0o777,
+        0o777
+    );
+
+    child.kill()?;
+    Ok(())
+}
diff --git a/pueue_lib/Cargo.toml b/pueue_lib/Cargo.toml
@@ -23,6 +23,7 @@ command-group = { workspace = true }
 dirs = "5.0"
 handlebars = { workspace = true }
 log = { workspace = true }
+nix = { version = "0.29.0", features = ["fs"] }
 rand = "0.8"
 rcgen = "0.13"
 rev_buf_reader = "0.3"

diff --git a/pueue_lib/src/network/socket/unix.rs b/pueue_lib/src/network/socket/unix.rs
@@ -1,10 +1,12 @@
 use std::convert::TryFrom;
+#[cfg(not(target_os = "macos"))]
+use std::os::fd::AsRawFd;
 
 use async_trait::async_trait;
 use log::info;
 use rustls::pki_types::ServerName;
 use tokio::io::{AsyncRead, AsyncWrite};
-use tokio::net::{TcpListener, TcpStream, UnixListener, UnixStream};
+use tokio::net::{TcpListener, TcpStream, UnixListener, UnixSocket, UnixStream};
 use tokio_rustls::TlsAcceptor;
 
 use crate::error::Error;
@@ -142,8 +144,54 @@ pub async fn get_listener(settings: &Shared) -> Result<GenericListener, Error> {
             })?;
         }
 
-        let unix_listener = UnixListener::bind(&socket_path)
-            .map_err(|err| Error::IoPathError(socket_path, "creating unix socket", err))?;
+        // The various nix platforms handle socket permissions in different
+        // ways, but generally prevent the socket's permissions from being
+        // changed once it is being listened on. Ideally, we want to set the
+        // permissions on the raw file description _before_ the path is created
+        // to avoid any gap; however, macOS does not support this and requires
+        // the socket to be bound to a path first.
+        let socket = UnixSocket::new_stream()
+            .map_err(|err| Error::IoError("creating unix socket".to_string(), err))?;
+
+        #[cfg(not(target_os = "macos"))]
+        if let Some(mode) = settings.unix_socket_permissions {
+            nix::sys::stat::fchmod(
+                socket.as_raw_fd(),
+                nix::sys::stat::Mode::from_bits_truncate(mode as u16),
+            )
+            .map_err(|err| {
+                Error::IoError(
+                    "setting socket permissions".to_string(),
+                    std::io::Error::from_raw_os_error(err as i32),
+                )
+            })?;
+        }
+
+        socket
+            .bind(&socket_path)
+            .map_err(|err| Error::IoPathError(socket_path.clone(), "binding unix socket to path", err))?;
+
+        #[cfg(target_os = "macos")]
+        if let Some(mode) = settings.unix_socket_permissions {
+            nix::sys::stat::fchmodat(
+                None,
+                &socket_path,
+                nix::sys::stat::Mode::from_bits_truncate(mode as u16),
+                nix::sys::stat::FchmodatFlags::FollowSymlink,
+            )
+            .map_err(|err| {
+                Error::IoPathError(
+                    socket_path.clone(),
+                    "setting socket permissions",
+                    std::io::Error::from_raw_os_error(err as i32),
+                )
+            })?;
+        }
+
+        let unix_listener = socket.listen(1024).map_err(|err| {
+            Error::IoPathError(socket_path.clone(), "listening on unix socket", err)
+        })?;
+
         return Ok(Box::new(unix_listener));
     }
 

diff --git a/pueue_lib/src/settings.rs b/pueue_lib/src/settings.rs
@@ -46,6 +46,12 @@ pub struct Shared {
     /// The path to the unix socket.
     #[cfg(not(target_os = "windows"))]
     pub unix_socket_path: Option<PathBuf>,
+    /// Unix socket permissions. Typically specified as an octal number and
+    /// defaults to `0o700` which grants only the current user access to the
+    /// socket. For a client to connect to the daemon, the client must have
+    /// read/write permissions.
+    #[cfg(not(target_os = "windows"))]
+    pub unix_socket_permissions: Option<u32>,
 
     /// The TCP hostname/ip address.
     #[serde(default = "default_host")]
@@ -147,6 +153,8 @@ impl Default for Shared {
             unix_socket_path: None,
             #[cfg(not(target_os = "windows"))]
             use_unix_socket: true,
+            #[cfg(not(target_os = "windows"))]
+            unix_socket_permissions: Some(0o700),
             host: default_host(),
             port: default_port(),
 

diff --git a/pueue_lib/tests/helper.rs b/pueue_lib/tests/helper.rs
@@ -20,6 +20,8 @@ pub fn get_shared_settings(
         use_unix_socket,
         #[cfg(not(target_os = "windows"))]
         unix_socket_path: None,
+        #[cfg(not(target_os = "windows"))]
+        unix_socket_permissions: Some(0o700),
         pid_path: None,
         host: "localhost".to_string(),
         port: pick_unused_port()