From d15ddcb6facc74936935e57020c666a29776fb8e Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Mon, 12 Jun 2017 23:40:31 -0400
Subject: [PATCH] [core] server.socket-perms to set perms on unix (fixes #656)

server.socket-perms = "0770" to set perms on unix domain socket on which lighttpd listens for requests, e.g. $SERVER["socket"] == "..." x-ref: "Feature request: add server config for setting permissions on Unix domain socket" https://redmine.lighttpd.net/issues/656
---
 src/base.h | 1 +
 src/configfile.c | 8 ++++++++
 src/network.c | 11 +++++++++++
 src/server.c | 1 +
 4 files changed, 21 insertions(+)

diff --git a/src/base.h b/src/base.h
index 2ef0a03d..b13208b0 100644
--- a/src/base.h
+++ b/src/base.h
@@ -229,6 +229,7 @@ typedef struct {
 	buffer *server_tag;
 	buffer *dirlist_encoding;
 	buffer *errorfile_prefix;
+	buffer *socket_perms;
 
 	unsigned short high_precision_timestamps;
 	unsigned short max_keep_alive_requests;
diff --git a/src/configfile.c b/src/configfile.c
index 23442b0c..041c54f8 100644
--- a/src/configfile.c
+++ b/src/configfile.c
@@ -164,6 +164,7 @@ static int config_insert(server *srv) {
 		{ "server.max-request-field-size", NULL, T_CONFIG_INT, T_CONFIG_SCOPE_SERVER }, /* 78 */
 		{ "server.error-intercept", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 79 */
 		{ "server.syslog-facility", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_SERVER }, /* 80 */
+		{ "server.socket-perms", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 81 */
 		{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
 	};
 
@@ -230,6 +231,9 @@ static int config_insert(server *srv) {
 			? buffer_init()
 			: buffer_init_buffer(srv->config_storage[0]->bsd_accept_filter);
 #endif
+		s->socket_perms = (i == 0 || buffer_string_is_empty(srv->config_storage[0]->socket_perms))
+			? buffer_init()
+			: buffer_init_buffer(srv->config_storage[0]->socket_perms);
 		s->max_keep_alive_requests = 100;
 		s->max_keep_alive_idle = 5;
 		s->max_read_idle = 60;
@@ -323,6 +327,7 @@ static int config_insert(server *srv) {
 		cv[76].destination = &(s->stream_request_body);
 		cv[77].destination = &(s->stream_response_body);
 		cv[79].destination = &(s->error_intercept);
+		cv[81].destination = s->socket_perms;
 
 		srv->config_storage[i] = s;
 
@@ -558,6 +563,7 @@ int config_setup_connection(server *srv, connection *con) {
 	/*PATCH(listen_backlog);*//*(not necessary; used only at startup)*/
 	PATCH(stream_request_body);
 	PATCH(stream_response_body);
+	PATCH(socket_perms);
 
 	PATCH(etag_use_inode);
 	PATCH(etag_use_mtime);
@@ -651,6 +657,8 @@ int config_patch_connection(server *srv, connection *con) {
 				PATCH(global_kbytes_per_second);
 				PATCH(global_bytes_per_second_cnt);
 				con->conf.global_bytes_per_second_cnt_ptr = &s->global_bytes_per_second_cnt;
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("server.socket-perms"))) {
+				PATCH(socket_perms);
 			}
 		}
 	}
diff --git a/src/network.c b/src/network.c
index 9177a4f6..ff584bf2 100644
--- a/src/network.c
+++ b/src/network.c
@@ -390,6 +390,17 @@ static int network_server_init(server *srv, buffer *host_token, size_t sidx) {
 		goto error_free_socket;
 	}
 
+	if (srv_socket->addr.plain.sa_family == AF_UNIX && !buffer_string_is_empty(s->socket_perms)) {
+		mode_t m = 0;
+		for (char *str = s->socket_perms->ptr; *str; ++str) {
+			m <<= 3;
+			m |= (*str - '0');
+		}
+		if (0 != m && -1 == chmod(host, m)) {
+			log_error_write(srv, __FILE__, __LINE__, "sssbss", "chmod(\"", host, "\", ", s->socket_perms, "):", strerror(errno));
+		}
+	}
+
 	if (s->ssl_enabled) {
 #ifdef TCP_DEFER_ACCEPT
 	} else if (s->defer_accept) {
diff --git a/src/server.c b/src/server.c
index 4e511e31..d2857030 100644
--- a/src/server.c
+++ b/src/server.c
@@ -361,6 +361,7 @@ static void server_free(server *srv) {
 			buffer_free(s->error_handler);
 			buffer_free(s->error_handler_404);
 			buffer_free(s->errorfile_prefix);
+			buffer_free(s->socket_perms);
 			array_free(s->mimetypes);
 			free(s);
 		}
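Review bot: `PATCH(socket_perms);` in the config_setup_connection hunk (@@ -558) and the new `else if` branch in config_patch_connection (@@ -651) copy a value that is consumed only once, at startup, in network_server_init, so per-connection patching of it appears to be dead work; the adjacent `/*PATCH(listen_backlog);*//*(not necessary; used only at startup)*/` line already documents that reasoning for the other startup-only socket setting. If network_server_init reads its `s` from srv->config_storage via its sidx argument rather than from con->conf (the signature in the network.c hunk suggests so, but the lookup is outside the hunk), both additions could be dropped or recorded the same way, `/*PATCH(socket_perms);*//*(not necessary; used only at startup)*/`, which also keeps the "startup-only" settings visibly grouped. Both enclosing functions continue outside their hunks.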
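Review bot: The octal parser added after `goto error_free_socket; }` in network_server_init accepts any byte: `m |= (*str - '0')` is never checked against '0'..'7' and the digit count is unbounded, so a value such as "0o770", "0778" or one with a stray trailing character produces a garbled mode that, because `0 != m` holds, is then applied to the listening socket with no diagnostic — the one place where a mis-set permission should fail loudly rather than silently widen (or narrow) who can connect. Validate before applying: reject any character outside '0'..'7' and more than four digits, log the offending value, and `goto error_free_socket` instead of calling chmod with a garbage mode; the rewritten parser is sketched below, and the chmod/error-log lines stay as they are. The chmod presumably runs after the bind() earlier in this function (outside the hunk), so the socket exists briefly with umask-derived permissions before the configured mode takes effect; a comment noting that the startup umask governs that window, `/* socket is bound with the process umask until chmod() below; restrictive umask closes the gap */`, would help operators reason about it. Not every platform enforces permission bits on socket inodes, so the option's documentation should say that directory permissions remain the portable control and this chmod is best-effort. network_server_init's body continues outside the hunk.
```c
	if (srv_socket->addr.plain.sa_family == AF_UNIX && !buffer_string_is_empty(s->socket_perms)) {
		mode_t m = 0;
		size_t ndigits = 0;
		/* accept only 1..4 octal digits; anything else is a config error, not a mode to apply */
		for (const char *str = s->socket_perms->ptr; *str; ++str, ++ndigits) {
			if (*str < '0' || *str > '7' || ndigits >= 4) {
				log_error_write(srv, __FILE__, __LINE__, "sb", "server.socket-perms must be an octal mode (e.g. \"0770\"), got:", s->socket_perms);
				goto error_free_socket;
			}
			m = (m << 3) | (mode_t)(*str - '0');
		}
		/* … unchanged: chmod(host, m) and its error log … */
	}
```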