Fix up unix socket setup, add socket permission setting

2021-09-18 13:54:40 +02:00 · 2021-09-18 13:54:40 +02:00 · 2ba17c03a6
parent 8434521954
commit 2ba17c03a6
2 changed files with 25 additions and 8 deletions
--- a/config/config.go
+++ b/config/config.go
@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"os"
 	"runtime"
+	"strconv"

 	"github.com/rs/zerolog"
 	"github.com/spf13/viper"
@ -28,8 +29,11 @@ var (
 	//       These are also the paths that HellPot will respond for. Other paths will throw a warning and will serve a 404.
 	Paths []string

-	UseUnixSocket  bool
-	UnixSocketPath = ""
+	UseUnixSocket bool
+	// UnixSocketPath is defined via our toml configuration file. It is the path of the socket HellPot listens on
+	// if UseUnixSocket, also defined via our toml configuration file, is set to true.
+	UnixSocketPath        = ""
+	UnixSocketPermissions uint32
 )

 // "performance"
@ -160,10 +164,11 @@ func setDefaults() {
 		"use_date_filename": true,
 	}
 	Opt["http"] = map[string]interface{}{
-		"use_unix_socket":  false,
-		"unix_socket_path": "/var/run/hellpot",
-		"bind_addr":        "127.0.0.1",
-		"bind_port":        "8080",
+		"use_unix_socket":         false,
+		"unix_socket_path":        "/var/run/hellpot",
+		"unix_socket_permissions": "0666",
+		"bind_addr":               "127.0.0.1",
+		"bind_port":               "8080",
 		"paths": []string{
 			"wp-login.php",
 			"wp-login",
@ -265,6 +270,10 @@ func associate() {
 	}
 	if UseUnixSocket {
 		UnixSocketPath = snek.GetString("http.unix_socket_path")
+		parsedPermissions, err := strconv.ParseUint(snek.GetString("http.unix_socket_permissions"), 8, 32)
+		if err == nil {
+			UnixSocketPermissions = uint32(parsedPermissions)
+		}
 	}

 	if Debug {
--- a/http/router.go
+++ b/http/router.go
@ -4,6 +4,7 @@ import (
 	"bufio"
 	"fmt"
 	"net"
+	"os"
 	"syscall"
 	"time"

@ -65,10 +66,17 @@ func listenOnUnixSocket(addr string, r *router.Router) error {
 	unixAddr, err = net.ResolveUnixAddr("unix", addr)
 	if err == nil {
 		// Always unlink sockets before listening on them
-		syscall.Unlink(addr)
+		_ = syscall.Unlink(addr)
+		// Before we set socket permissions, we want to make sure only the user HellPot is running under
+		// has permission to the socket.
+		oldmask := syscall.Umask(0077)
 		unixListener, err = net.ListenUnix("unix", unixAddr)
+		syscall.Umask(oldmask)
 		if err == nil {
-			err = fasthttp.Serve(unixListener, r.Handler)
+			err = os.Chmod(unixAddr.Name, os.FileMode(config.UnixSocketPermissions))
+			if err == nil {
+				err = fasthttp.Serve(unixListener, r.Handler)
+			}
 		}
 	}
 	return err