chmod and chown for unix socket as listener

Feature nginx#1 - chmod: An extension to the build and run configuration options that set the permission mode for a unix socket as a listener. Configuration option: NXT_UNIX_DOMAIN_MODE=MODE Launch option: --unix-sock-mod MODE Available formats (example: MODE 7): NXT_UNIX_DOMAIN_MODE 7 | --unix-sock-mod 7 NXT_UNIX_DOMAIN_MODE 07 | --unix-sock-mod 07 NXT_UNIX_DOMAIN_MODE 007 | --unix-sock-mod 007 Default MODE value: 666 (srw-rw-rw-) Feature nginx#2 - chown: Set the user and group of the owner of the unix socket as a listener.
echolimazulu · Feb 16, 2022 · ff42939 · ff42939
1 parent 170752e
commit ff42939
Show file tree

Hide file tree

Showing 15 changed files with 93 additions and 6 deletions.
diff --git a/NOTICE b/NOTICE
@@ -2,6 +2,7 @@
    NGINX Unit.
 
    Copyright 2017-2022 NGINX, Inc.
+   Copyright 2022-2022 Evgenii Sokolov
    Copyright 2017-2022 Valentin V. Bartenev
    Copyright 2017-2022 Max Romanov
    Copyright 2017-2022 Andrei Zeliankou

diff --git a/auto/help b/auto/help
@@ -1,5 +1,6 @@
 
 # Copyright (C) Igor Sysoev
+# Copyright (C) Evgenii Sokolov
 # Copyright (C) NGINX, Inc.
 
 
@@ -29,6 +30,9 @@ cat << END
   --control=ADDRESS    set address of control API socket
                        default: "$NXT_CONTROL"
 
+  --unix-sock-mod=MODE set mode to unix socket as a listener
+                       default: "$NXT_UNIX_DOMAIN_MODE"
+
   --user=USER          set non-privileged processes to run as specified user
                        default: "$NXT_USER"
   --group=GROUP        set non-privileged processes to run as specified group

diff --git a/auto/options b/auto/options
@@ -1,6 +1,7 @@
 
 # Copyright (C) Igor Sysoev
 # Copyright (C) Valentin V. Bartenev
+# Copyright (C) Evgenii Sokolov
 # Copyright (C) NGINX, Inc.
 
 
@@ -69,6 +70,8 @@ do
 
         --control=*)                     NXT_CONTROL="$value"                ;;
 
+        --unix-sock-mod=*)               NXT_UNIX_DOMAIN_MODE="$value"       ;;
+
         --user=*)                        NXT_USER="$value"                   ;;
         --group=*)                       NXT_GROUP="$value"                  ;;
 
@@ -180,3 +183,8 @@ case "$NXT_CONTROL" in
     unix:*)   NXT_CONTROL="unix:$NXT_PREFIX${NXT_CONTROL##unix:}" ;;
     *)        ;;
 esac
+
+case "$NXT_UNIX_DOMAIN_MODE" in
+     [0-7][0-7][0-7])  ;;
+     *) NXT_UNIX_DOMAIN_MODE=$NXT_UNIX_DOMAIN_MODE ;;
+esac
diff --git a/auto/summary b/auto/summary
@@ -1,5 +1,6 @@
 
 # Copyright (C) Igor Sysoev
+# Copyright (C) Evgenii Sokolov
 # Copyright (C) NGINX, Inc.
 
 
@@ -26,6 +27,7 @@ Unit configuration summary:
 
   IPv6 support: .............. $NXT_INET6
   Unix domain sockets support: $NXT_UNIX_DOMAIN
+  Unix domain sockets mode: .. $NXT_UNIX_DOMAIN_MODE
   TLS support: ............... $NXT_OPENSSL
 
   process isolation: ......... $NXT_ISOLATION

diff --git a/configure b/configure
@@ -1,6 +1,7 @@
 #!/bin/sh
 
 # Copyright (C) Igor Sysoev
+# Copyright (C) Evgenii Sokolov
 # Copyright (C) NGINX, Inc.
 
 
@@ -42,6 +43,7 @@ NXT_TMP="tmp"
 NXT_PID="unit.pid"
 NXT_LOG="unit.log"
 NXT_CONTROL="unix:control.unit.sock"
+NXT_UNIX_DOMAIN_MODE="666"
 NXT_USER="nobody"
 NXT_GROUP=
 
@@ -93,6 +95,8 @@ cat << END >> $NXT_AUTO_CONFIG_H
 
 #define NXT_CONTROL_SOCK       "$NXT_CONTROL"
 
+#define NXT_UNIX_DOMAIN_MODE   "$NXT_UNIX_DOMAIN_MODE"
+
 #define NXT_USER               "$NXT_USER"
 #define NXT_GROUP              "$NXT_GROUP"
 

diff --git a/pkg/deb/debian.module/copyright.unit-jsc10 b/pkg/deb/debian.module/copyright.unit-jsc10
@@ -2,6 +2,7 @@
    NGINX Unit.
 
    Copyright 2017-2022 NGINX, Inc.
+   Copyright 2022-2022 Evgenii Sokolov
    Copyright 2017-2022 Valentin V. Bartenev
    Copyright 2017-2022 Max Romanov
    Copyright 2017-2022 Andrei Zeliankou

diff --git a/pkg/deb/debian.module/copyright.unit-jsc11 b/pkg/deb/debian.module/copyright.unit-jsc11
@@ -2,6 +2,7 @@
    NGINX Unit.
 
    Copyright 2017-2022 NGINX, Inc.
+   Copyright 2022-2022 Evgenii Sokolov
    Copyright 2017-2022 Valentin V. Bartenev
    Copyright 2017-2022 Max Romanov
    Copyright 2017-2022 Andrei Zeliankou

diff --git a/pkg/deb/debian.module/copyright.unit-jsc8 b/pkg/deb/debian.module/copyright.unit-jsc8
@@ -2,6 +2,7 @@
    NGINX Unit.
 
    Copyright 2017-2022 NGINX, Inc.
+   Copyright 2022-2022 Evgenii Sokolov
    Copyright 2017-2022 Valentin V. Bartenev
    Copyright 2017-2022 Max Romanov
    Copyright 2017-2022 Andrei Zeliankou

diff --git a/pkg/deb/debian/copyright b/pkg/deb/debian/copyright
@@ -2,6 +2,7 @@
    NGINX Unit.
 
    Copyright 2017-2022 NGINX, Inc.
+   Copyright 2022-2022 Evgenii Sokolov
    Copyright 2017-2022 Valentin V. Bartenev
    Copyright 2017-2022 Max Romanov
    Copyright 2017-2022 Andrei Zeliankou

diff --git a/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc10 b/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc10
@@ -2,6 +2,7 @@
    NGINX Unit.
 
    Copyright 2017-2022 NGINX, Inc.
+   Copyright 2022-2022 Evgenii Sokolov
    Copyright 2017-2022 Valentin V. Bartenev
    Copyright 2017-2022 Max Romanov
    Copyright 2017-2022 Andrei Zeliankou

diff --git a/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc11 b/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc11
@@ -2,6 +2,7 @@
    NGINX Unit.
 
    Copyright 2017-2022 NGINX, Inc.
+   Copyright 2022-2022 Evgenii Sokolov
    Copyright 2017-2022 Valentin V. Bartenev
    Copyright 2017-2022 Max Romanov
    Copyright 2017-2022 Andrei Zeliankou

diff --git a/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc8 b/pkg/rpm/rpmbuild/SOURCES/COPYRIGHT.unit-jsc8
@@ -2,6 +2,7 @@
    NGINX Unit.
 
    Copyright 2017-2022 NGINX, Inc.
+   Copyright 2022-2022 Evgenii Sokolov
    Copyright 2017-2022 Valentin V. Bartenev
    Copyright 2017-2022 Max Romanov
    Copyright 2017-2022 Andrei Zeliankou

diff --git a/src/nxt_main_process.c b/src/nxt_main_process.c
@@ -1,6 +1,7 @@
 
 /*
  * Copyright (C) Igor Sysoev
+ * Copyright (C) Evgenii Sokolov
  * Copyright (C) NGINX, Inc.
  */
 
@@ -49,7 +50,7 @@ static void nxt_main_process_cleanup(nxt_task_t *task, nxt_process_t *process);
 static void nxt_main_port_socket_handler(nxt_task_t *task,
     nxt_port_recv_msg_t *msg);
 static nxt_int_t nxt_main_listening_socket(nxt_sockaddr_t *sa,
-    nxt_listening_socket_t *ls);
+    nxt_listening_socket_t *ls, nxt_runtime_t *rt);
 static void nxt_main_port_modules_handler(nxt_task_t *task,
     nxt_port_recv_msg_t *msg);
 static int nxt_cdecl nxt_app_lang_compare(const void *v1, const void *v2);
@@ -1032,8 +1033,11 @@ nxt_main_port_socket_handler(nxt_task_t *task, nxt_port_recv_msg_t *msg)
     nxt_sockaddr_t          *sa;
     nxt_port_msg_type_t     type;
     nxt_listening_socket_t  ls;
+    nxt_runtime_t           *rt;
     u_char                  message[2048];
 
+    rt = task->thread->runtime;
+
     port = nxt_runtime_port_find(task->thread->runtime, msg->port_msg.pid,
                                  msg->port_msg.reply_port);
     if (nxt_slow_path(port == NULL)) {
@@ -1060,7 +1064,7 @@ nxt_main_port_socket_handler(nxt_task_t *task, nxt_port_recv_msg_t *msg)
     nxt_debug(task, "listening socket \"%*s\"",
               (size_t) sa->length, nxt_sockaddr_start(sa));
 
-    ret = nxt_main_listening_socket(sa, &ls);
+    ret = nxt_main_listening_socket(sa, &ls, rt);
 
     if (ret == NXT_OK) {
         nxt_debug(task, "socket(\"%*s\"): %d",
@@ -1092,7 +1096,7 @@ nxt_main_port_socket_handler(nxt_task_t *task, nxt_port_recv_msg_t *msg)
 
 
 static nxt_int_t
-nxt_main_listening_socket(nxt_sockaddr_t *sa, nxt_listening_socket_t *ls)
+nxt_main_listening_socket(nxt_sockaddr_t *sa, nxt_listening_socket_t *ls, nxt_runtime_t *rt)
 {
     nxt_err_t         err;
     nxt_socket_t      s;
@@ -1188,18 +1192,39 @@ nxt_main_listening_socket(nxt_sockaddr_t *sa, nxt_listening_socket_t *ls)
 #if (NXT_HAVE_UNIX_DOMAIN)
 
     if (sa->u.sockaddr.sa_family == AF_UNIX) {
-        char     *filename;
-        mode_t   access;
+        nxt_uint_t      m_len;
+        nxt_uid_t       uid;
+        nxt_gid_t       gid;
+        mode_t          access;
+        char            *filename;
 
         filename = sa->u.sockaddr_un.sun_path;
-        access = (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
+        m_len = nxt_strlen(rt->unix_sock_mod);
+        access = 0;
+
+        for (nxt_uint_t i = 0; i < m_len; i++) {
+            nxt_uint_t oct = (nxt_uint_t) rt->unix_sock_mod[i] - '0';
+            if (m_len == 3 && i == 0) oct *= 64;
+            if ((m_len == 3 && i == 1) || (m_len == 2 && i == 0)) oct *= 8;
+            access += oct;
+        }
 
         if (chmod(filename, access) != 0) {
             ls->end = nxt_sprintf(ls->start, ls->end,
                                   "chmod(\\\"%s\\\") failed %E",
                                   filename, nxt_errno);
             goto fail;
         }
+
+        uid = rt->user_cred.uid;
+        gid = rt->user_cred.base_gid;
+
+        if (chown(filename, uid, gid) != 0) {
+            ls->end = nxt_sprintf(ls->start, ls->end,
+                                  "chown(\\\"%s\\\") failed %E",
+                                  filename, nxt_errno);
+            goto fail;
+        }
     }
 
 #endif

diff --git a/src/nxt_runtime.c b/src/nxt_runtime.c
@@ -2,6 +2,7 @@
 /*
  * Copyright (C) Igor Sysoev
  * Copyright (C) Valentin V. Bartenev
+ * Copyright (C) Evgenii Sokolov
  * Copyright (C) NGINX, Inc.
  */
 
@@ -771,6 +772,7 @@ nxt_runtime_conf_init(nxt_task_t *task, nxt_runtime_t *rt)
     rt->modules = NXT_MODULES;
     rt->state = NXT_STATE;
     rt->control = NXT_CONTROL_SOCK;
+    rt->unix_sock_mod = NXT_UNIX_DOMAIN_MODE;
     rt->tmp = NXT_TMP;
 
     nxt_memzero(&rt->capabilities, sizeof(nxt_capabilities_t));
@@ -922,6 +924,10 @@ nxt_runtime_conf_read_cmd(nxt_task_t *task, nxt_runtime_t *rt)
 
     static const char  no_control[] =
                        "option \"--control\" requires socket address\n";
+    static const char  no_unix_sock_mod[] =
+                       "option \"--unix-sock-mod\" requires socket mode\n";
+    static const char  invalid_unix_sock_mod[] =
+                        "option \"--unix-sock-mod\" invalid value specified\n";
     static const char  no_user[] = "option \"--user\" requires username\n";
     static const char  no_group[] = "option \"--group\" requires group name\n";
     static const char  no_pid[] = "option \"--pid\" requires filename\n";
@@ -942,6 +948,9 @@ nxt_runtime_conf_read_cmd(nxt_task_t *task, nxt_runtime_t *rt)
         "  --control ADDRESS    set address of control API socket\n"
         "                       default: \"" NXT_CONTROL_SOCK "\"\n"
         "\n"
+        "  --unix-sock-mod MODE set mode to unix socket as a listener\n"
+        "                       default: \"" NXT_UNIX_DOMAIN_MODE "\"\n"
+        "\n"
         "  --pid FILE           set pid filename\n"
         "                       default: \"" NXT_PID "\"\n"
         "\n"
@@ -986,6 +995,32 @@ nxt_runtime_conf_read_cmd(nxt_task_t *task, nxt_runtime_t *rt)
             continue;
         }
 
+        if (nxt_strcmp(p, "--unix-sock-mod") == 0) {
+            if (*argv == NULL) {
+                write(STDERR_FILENO, no_unix_sock_mod, nxt_length(no_unix_sock_mod));
+                return NXT_ERROR;
+            }
+
+            p = *argv++;
+            nxt_uint_t p_len = nxt_strlen(p);
+
+            if (p_len == 0 || p_len > 3) {
+                write(STDERR_FILENO, invalid_unix_sock_mod, nxt_length(invalid_unix_sock_mod));
+                return NXT_ERROR;
+            }
+            for (nxt_uint_t i = 0; i < p_len; i++) {
+                u_char digit = (u_char) p[i] - '0';
+                if (digit > 7) {
+                    write(STDERR_FILENO, invalid_unix_sock_mod, nxt_length(invalid_unix_sock_mod));
+                    return NXT_ERROR;
+                }
+            }
+
+            rt->unix_sock_mod = p;
+
+            continue;
+        }
+
         if (nxt_strcmp(p, "--user") == 0) {
             if (*argv == NULL) {
                 write(STDERR_FILENO, no_user, nxt_length(no_user));

diff --git a/src/nxt_runtime.h b/src/nxt_runtime.h
@@ -71,6 +71,7 @@ struct nxt_runtime_s {
     const char             *conf;
     const char             *conf_tmp;
     const char             *control;
+    const char             *unix_sock_mod;
     const char             *tmp;
 
     nxt_str_t              certs;