[core] server.socket-perms to set perms on unix (fixes #656)

server.socket-perms = "0770" to set perms on unix domain socket on which lighttpd listens for requests, e.g. $SERVER["socket"] == "..." x-ref: "Feature request: add server config for setting permissions on Unix domain socket" https://redmine.lighttpd.net/issues/656
5 years ago · d15ddcb6fa
4 changed files with 21 additions and 0 deletions
--- a/src/base.h
+++ b/src/base.h
@ -229,6 +229,7 @@ typedef struct {
 	buffer *server_tag;
 	buffer *dirlist_encoding;
 	buffer *errorfile_prefix;
+	buffer *socket_perms;

 	unsigned short high_precision_timestamps;
 	unsigned short max_keep_alive_requests;
--- a/src/configfile.c
+++ b/src/configfile.c
@ -164,6 +164,7 @@ static int config_insert(server *srv) {
 		{ "server.max-request-field-size",     NULL, T_CONFIG_INT,     T_CONFIG_SCOPE_SERVER     }, /* 78 */
 		{ "server.error-intercept",            NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 79 */
 		{ "server.syslog-facility",            NULL, T_CONFIG_STRING,  T_CONFIG_SCOPE_SERVER     }, /* 80 */
+		{ "server.socket-perms",               NULL, T_CONFIG_STRING,  T_CONFIG_SCOPE_CONNECTION }, /* 81 */

 		{ NULL,                                NULL, T_CONFIG_UNSET,   T_CONFIG_SCOPE_UNSET      }
 	};
@ -230,6 +231,9 @@ static int config_insert(server *srv) {
 		  ? buffer_init()
 		  : buffer_init_buffer(srv->config_storage[0]->bsd_accept_filter);
 	      #endif
+		s->socket_perms = (i == 0 || buffer_string_is_empty(srv->config_storage[0]->socket_perms))
+		  ? buffer_init()
+		  : buffer_init_buffer(srv->config_storage[0]->socket_perms);
 		s->max_keep_alive_requests = 100;
 		s->max_keep_alive_idle = 5;
 		s->max_read_idle = 60;
@ -323,6 +327,7 @@ static int config_insert(server *srv) {
 		cv[76].destination = &(s->stream_request_body);
 		cv[77].destination = &(s->stream_response_body);
 		cv[79].destination = &(s->error_intercept);
+		cv[81].destination = s->socket_perms;

 		srv->config_storage[i] = s;

@ -558,6 +563,7 @@ int config_setup_connection(server *srv, connection *con) {
 	/*PATCH(listen_backlog);*//*(not necessary; used only at startup)*/
 	PATCH(stream_request_body);
 	PATCH(stream_response_body);
+	PATCH(socket_perms);

 	PATCH(etag_use_inode);
 	PATCH(etag_use_mtime);
@ -651,6 +657,8 @@ int config_patch_connection(server *srv, connection *con) {
 				PATCH(global_kbytes_per_second);
 				PATCH(global_bytes_per_second_cnt);
 				con->conf.global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("server.socket-perms"))) {
+				PATCH(socket_perms);
 			}
 		}
 	}
--- a/src/network.c
+++ b/src/network.c
@ -390,6 +390,17 @@ static int network_server_init(server *srv, buffer *host_token, size_t sidx) {
 		goto error_free_socket;
 	}

+	if (srv_socket->addr.plain.sa_family == AF_UNIX && !buffer_string_is_empty(s->socket_perms)) {
+		mode_t m = 0;
+		for (char *str = s->socket_perms->ptr; *str; ++str) {
+			m <<= 3;
+			m |= (*str - '0');
+		}
+		if (0 != m && -1 == chmod(host, m)) {
+			log_error_write(srv, __FILE__, __LINE__, "sssbss", "chmod(\"", host, "\", ", s->socket_perms, "):", strerror(errno));
+		}
+	}
+
 	if (s->ssl_enabled) {
 #ifdef TCP_DEFER_ACCEPT
 	} else if (s->defer_accept) {
--- a/src/server.c
+++ b/src/server.c
@ -361,6 +361,7 @@ static void server_free(server *srv) {
 			buffer_free(s->error_handler);
 			buffer_free(s->error_handler_404);
 			buffer_free(s->errorfile_prefix);
+			buffer_free(s->socket_perms);
 			array_free(s->mimetypes);
 			free(s);
 		}