technocloud-public/nginx-unit
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Allow to set the permissions of the Unix domain control socket

Browse Source 
Several users in GitHub have asked for the ability to set the
permissions of the unitd UNIX Domain control socket.

This can of course be done externally, but can be done much cleaner by
Unit itself.

This commit adds three new options

  --control-mode	Set the mode of the socket, e.g 644

  --control-user	Set the user/owner of the socket, e.g unit

  --control-group	Set the group of the socket, e.g unit

Of course these only have an affect when using a UNIX Domain Socket for
the control socket.

Requested-by: michaelkosir <https://github.com/michaelkosir>
Requested-by: chopanovv <https://github.com/chopanovv>
Link: <https://github.com/nginx/unit/issues/254>
Link: <https://github.com/nginx/unit/issues/980>
Closes: https://github.com/nginx/unit/issues/840
Tested-by: Liam Crilly <liam.crilly@nginx.com>
Reviewed-by: Zhidao Hong <z.hong@f5.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
This commit is contained in:
Andrew Clayton
2023-11-06 18:48:51 +00:00
parent 34b3a812b1
commit b500c36d2e
3 changed files with 72 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/nxt_listen_socket.c
View File

@@ -127,13 +127,23 @@ nxt_listen_socket_create(nxt_task_t *task, nxt_mp_t *mp,
#if (NXT_HAVE_UNIX_DOMAIN) #if (NXT_HAVE_UNIX_DOMAIN)
if (family == AF_UNIX) { if (family == AF_UNIX) {
name = (nxt_file_name_t *) sa->u.sockaddr_un.sun_path; const char *user;
const char *group;
nxt_runtime_t *rt = thr->runtime;
access = (S_IRUSR | S_IWUSR); name = (nxt_file_name_t *) sa->u.sockaddr_un.sun_path;
access = rt->control_mode > 0 ? rt->control_mode : S_IRUSR | S_IWUSR;
if (nxt_file_set_access(name, access) != NXT_OK) { if (nxt_file_set_access(name, access) != NXT_OK) {
goto listen_fail; goto listen_fail;
} }
user = rt->control_user;
group = rt->control_group;
if (nxt_file_chown(name, user, group) != NXT_OK) {
goto listen_fail;
}
} }
#endif #endif

55
src/nxt_runtime.c
View File

@@ -956,6 +956,12 @@ nxt_runtime_conf_read_cmd(nxt_task_t *task, nxt_runtime_t *rt)
static const char no_control[] = static const char no_control[] =
"option \"--control\" requires socket address\n"; "option \"--control\" requires socket address\n";
static const char no_control_mode[] =
"option \"--control-mode\" requires a mode\n";
static const char no_control_user[] =
"option \"--control-user\" requires a username\n";
static const char no_control_group[] =
"option \"--control-group\" requires a group name\n";
static const char no_user[] = "option \"--user\" requires username\n"; static const char no_user[] = "option \"--user\" requires username\n";
static const char no_group[] = "option \"--group\" requires group name\n"; static const char no_group[] = "option \"--group\" requires group name\n";
static const char no_pid[] = "option \"--pid\" requires filename\n"; static const char no_pid[] = "option \"--pid\" requires filename\n";
@@ -984,6 +990,13 @@ nxt_runtime_conf_read_cmd(nxt_task_t *task, nxt_runtime_t *rt)
" --control ADDRESS set address of control API socket\n" " --control ADDRESS set address of control API socket\n"
" default: \"" NXT_CONTROL_SOCK "\"\n" " default: \"" NXT_CONTROL_SOCK "\"\n"
"\n" "\n"
" --control-mode MODE set mode of the control API socket\n"
" default: 0600\n"
"\n"
" --control-user USER set the owner of the control API socket\n"
"\n"
" --control-group GROUP set the group of the control API socket\n"
"\n"
" --pid FILE set pid filename\n" " --pid FILE set pid filename\n"
" default: \"" NXT_PID "\"\n" " default: \"" NXT_PID "\"\n"
"\n" "\n"
@@ -1032,6 +1045,48 @@ nxt_runtime_conf_read_cmd(nxt_task_t *task, nxt_runtime_t *rt)
continue; continue;
} }
if (nxt_strcmp(p, "--control-mode") == 0) {
if (*argv == NULL) {
write(STDERR_FILENO, no_control_mode,
nxt_length(no_control_mode));
return NXT_ERROR;
}
p = *argv++;
rt->control_mode = strtoul(p, NULL, 8);
continue;
}
if (nxt_strcmp(p, "--control-user") == 0) {
if (*argv == NULL) {
write(STDERR_FILENO, no_control_user,
nxt_length(no_control_user));
return NXT_ERROR;
}
p = *argv++;
rt->control_user = p;
continue;
}
if (nxt_strcmp(p, "--control-group") == 0) {
if (*argv == NULL) {
write(STDERR_FILENO, no_control_group,
nxt_length(no_control_group));
return NXT_ERROR;
}
p = *argv++;
rt->control_group = p;
continue;
}
if (nxt_strcmp(p, "--user") == 0) { if (nxt_strcmp(p, "--user") == 0) {
if (*argv == NULL) { if (*argv == NULL) {
write(STDERR_FILENO, no_user, nxt_length(no_user)); write(STDERR_FILENO, no_user, nxt_length(no_user));

6
src/nxt_runtime.h
View File

@@ -70,8 +70,12 @@ struct nxt_runtime_s {
const char *ver_tmp; const char *ver_tmp;
const char *conf; const char *conf;
const char *conf_tmp; const char *conf_tmp;
const char *control;
const char *tmp; const char *tmp;
const char *control;
mode_t control_mode;
const char *control_user;
const char *control_group;
nxt_str_t certs; nxt_str_t certs;
nxt_str_t scripts; nxt_str_t scripts;