
[core] server.socket-perms to set perms on unix (fixes #656)

server.socket-perms = "0770" to set perms on unix domain socket
on which lighttpd listens for requests, e.g. $SERVER["socket"] == "..."

x-ref:
  "Feature request: add server config for setting permissions on Unix domain socket"
  https://redmine.lighttpd.net/issues/656
personal/stbuehler/mod-csrf
Glenn Strauss 5 years ago
parent
commit
d15ddcb6fa
  1. 1
      src/base.h
  2. 8
      src/configfile.c
  3. 11
      src/network.c
  4. 1
      src/server.c

1
src/base.h

@ -229,6 +229,7 @@ typedef struct {
buffer *server_tag;
buffer *dirlist_encoding;
buffer *errorfile_prefix;
buffer *socket_perms;
unsigned short high_precision_timestamps;
unsigned short max_keep_alive_requests;

8
src/configfile.c

@ -164,6 +164,7 @@ static int config_insert(server *srv) {
{ "server.max-request-field-size", NULL, T_CONFIG_INT, T_CONFIG_SCOPE_SERVER }, /* 78 */
{ "server.error-intercept", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 79 */
{ "server.syslog-facility", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 80 */
{ "server.socket-perms", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 81 */
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
};
@ -230,6 +231,9 @@ static int config_insert(server *srv) {
? buffer_init()
: buffer_init_buffer(srv->config_storage[0]->bsd_accept_filter);
#endif
s->socket_perms = (i == 0 || buffer_string_is_empty(srv->config_storage[0]->socket_perms))
? buffer_init()
: buffer_init_buffer(srv->config_storage[0]->socket_perms);
s->max_keep_alive_requests = 100;
s->max_keep_alive_idle = 5;
s->max_read_idle = 60;
@ -323,6 +327,7 @@ static int config_insert(server *srv) {
cv[76].destination = &(s->stream_request_body);
cv[77].destination = &(s->stream_response_body);
cv[79].destination = &(s->error_intercept);
cv[81].destination = s->socket_perms;
srv->config_storage[i] = s;
@ -558,6 +563,7 @@ int config_setup_connection(server *srv, connection *con) {
/*PATCH(listen_backlog);*//*(not necessary; used only at startup)*/
PATCH(stream_request_body);
PATCH(stream_response_body);
PATCH(socket_perms);
PATCH(etag_use_inode);
PATCH(etag_use_mtime);
@ -651,6 +657,8 @@ int config_patch_connection(server *srv, connection *con) {
PATCH(global_kbytes_per_second);
PATCH(global_bytes_per_second_cnt);
con->conf.global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("server.socket-perms"))) {
PATCH(socket_perms);
}
}
}
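Review bot: The two added `PATCH(socket_perms);` lines, in config_setup_connection and config_patch_connection, copy a value that, as far as this page shows, is read only in network_server_init when the listening socket is created. The neighbouring `/*PATCH(listen_backlog);*//*(not necessary; used only at startup)*/` shows the existing convention for startup-only settings, so the same form would fit here: `/*PATCH(socket_perms);*//*(not necessary; used only at startup)*/`. Separately, the string is stored here without validation; checking at config-load time that it contains only octal digits would surface a typo before any socket is created. All three functions continue outside the hunks shown.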

11
src/network.c

@ -390,6 +390,17 @@ static int network_server_init(server *srv, buffer *host_token, size_t sidx) {
goto error_free_socket;
}
if (srv_socket->addr.plain.sa_family == AF_UNIX && !buffer_string_is_empty(s->socket_perms)) {
mode_t m = 0;
for (char *str = s->socket_perms->ptr; *str; ++str) {
m <<= 3;
m |= (*str - '0');
}
if (0 != m && -1 == chmod(host, m)) {
log_error_write(srv, __FILE__, __LINE__, "sssbss", "chmod(\"", host, "\", ", s->socket_perms, "):", strerror(errno));
}
}
if (s->ssl_enabled) {
#ifdef TCP_DEFER_ACCEPT
} else if (s->defer_accept) {
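Review bot: The octal parse loop in the AF_UNIX branch accepts any byte, because `*str - '0'` is OR-ed into `m` without checking that the character is `'0'` to `'7'`. A constructed value such as "0780" or "rwxrwx---" therefore produces an unintended mode that is passed to chmod(), and an over-long string silently shifts bits out of `m`. A failed chmod() is also only logged, so the server keeps listening on a socket whose permissions are whatever the earlier setup and the umask produced, which may be broader than the administrator asked for. I would reject non-octal input and treat both cases as startup errors through the `error_free_socket` path used just above, as sketched below. network_server_init starts and ends outside the hunk, so whether bind() precedes this block (leaving a short window with umask-derived permissions) cannot be confirmed from here.

```c
if (srv_socket->addr.plain.sa_family == AF_UNIX && !buffer_string_is_empty(s->socket_perms)) {
	mode_t m = 0;
	for (const char *str = s->socket_perms->ptr; *str; ++str) {
		/* only octal digits, and no more than 07777 once shifted */
		if (*str < '0' || *str > '7' || m > 0777) {
			log_error_write(srv, __FILE__, __LINE__, "sb", "server.socket-perms must be an octal mode, got:", s->socket_perms);
			goto error_free_socket;
		}
		m = (m << 3) | (mode_t)(*str - '0');
	}
	if (0 != m && -1 == chmod(host, m)) {
		/* … unchanged: log_error_write() of the chmod failure … */
		goto error_free_socket;
	}
}
```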

1
src/server.c

@ -361,6 +361,7 @@ static void server_free(server *srv) {
buffer_free(s->error_handler);
buffer_free(s->error_handler_404);
buffer_free(s->errorfile_prefix);
buffer_free(s->socket_perms);
array_free(s->mimetypes);
free(s);
}
