diff options
author | Laurent Bercot <ska-skaware@skarnet.org> | 2017-12-11 19:11:23 +0000 |
---|---|---|
committer | Laurent Bercot <ska-skaware@skarnet.org> | 2017-12-11 19:11:23 +0000 |
commit | 1a7a0c79040d9efa654c151d8a057f34eb9be585 (patch) | |
tree | 8874b1684780bba3713fdb59d85fdea7b5a1086a | |
parent | 6ee2e470aa4c66b3477449e7f48343b706c70ddc (diff) | |
download | s6-1a7a0c79040d9efa654c151d8a057f34eb9be585.tar.xz |
Add "-a perms" option to s6-ipcserver(-socketbinder)
-rw-r--r-- | doc/s6-ipcserver-socketbinder.html | 6 | ||||
-rw-r--r-- | doc/s6-ipcserver.html | 4 | ||||
-rw-r--r-- | src/conn-tools/s6-ipcserver-socketbinder.c | 8 | ||||
-rw-r--r-- | src/conn-tools/s6-ipcserver.c | 18 |
4 files changed, 28 insertions, 8 deletions
diff --git a/doc/s6-ipcserver-socketbinder.html b/doc/s6-ipcserver-socketbinder.html index 6a291fa..ce43d50 100644 --- a/doc/s6-ipcserver-socketbinder.html +++ b/doc/s6-ipcserver-socketbinder.html @@ -26,7 +26,7 @@ socket, then executes a program. <h2> Interface </h2> <pre> - s6-ipcserver-socketbinder [ -d | -D ] [ -b <em>backlog</em> ] [ -M | -m ] <em>path</em> <em>prog...</em> + s6-ipcserver-socketbinder [ -d | -D ] [ -b <em>backlog</em> ] [ -M | -m ] [ -a <em>perms</em> ] <em>path</em> <em>prog...</em> </pre> <ul> @@ -59,6 +59,10 @@ the default. </li> that by default SOCK_DGRAM sockets are not connection-mode, and <tt>listen()</tt> will fail - so you should always give the <tt>-b0</tt> option to s6-ipcserver-socketbinder along with <tt>-m</tt>. </li> + <li> <tt>-a <em>perms</em></tt> : create the socket with +permissions <em>perms</em>, which is an octal number from 0000 to 0777. +Default is 0777, meaning everyone can connect to it. 0700 means only processes having the +same uid as the s6-ipcserver-socketbinder process can connect to it. </li> </ul> <h2> Notes </h2> diff --git a/doc/s6-ipcserver.html b/doc/s6-ipcserver.html index 4d73db1..829febb 100644 --- a/doc/s6-ipcserver.html +++ b/doc/s6-ipcserver.html @@ -108,6 +108,10 @@ Default is 40. It is impossible to set it higher than <em>maxconn</em>. </li> <li> <tt>-b <em>backlog</em></tt> : set a maximum of <em>backlog</em> backlog connections on the socket. Extra connection attempts will rejected by the kernel. </li> + <li> <tt>-a <em>perms</em></tt> : create the socket with +permissions <em>perms</em>, which is an octal number from 0000 to 0777. +Default is 0777, meaning everyone can connect to it. 0700 means only processes having the +same uid as the s6-ipcserver process can connect to it. </li> <li> <tt>-G <em>gidlist</em></tt> : change s6-ipcserver's supplementary group list to <em>gidlist</em> after binding the socket. This is only valid when run as root. <em>gidlist</em> must be a diff --git a/src/conn-tools/s6-ipcserver-socketbinder.c b/src/conn-tools/s6-ipcserver-socketbinder.c index 8215fa2..3bc6b52 100644 --- a/src/conn-tools/s6-ipcserver-socketbinder.c +++ b/src/conn-tools/s6-ipcserver-socketbinder.c @@ -9,7 +9,7 @@ #include <skalibs/djbunix.h> #include <skalibs/webipc.h> -#define USAGE "s6-ipcserver-socketbinder [ -d | -D ] [ -b backlog ] [ -M | -m ] path prog..." +#define USAGE "s6-ipcserver-socketbinder [ -d | -D ] [ -b backlog ] [ -M | -m ] [ -a perms ] path prog..." #define dieusage() strerr_dieusage(100, USAGE) int main (int argc, char const *const *argv, char const *const *envp) @@ -17,12 +17,13 @@ int main (int argc, char const *const *argv, char const *const *envp) unsigned int backlog = SOMAXCONN ; int flagreuse = 1 ; int flagdgram = 0 ; + unsigned int perms = 0777 ; PROG = "s6-ipcserver-socketbinder" ; { subgetopt_t l = SUBGETOPT_ZERO ; for (;;) { - int opt = subgetopt_r(argc, argv, "DdMmb:", &l) ; + int opt = subgetopt_r(argc, argv, "DdMmb:a:", &l) ; if (opt == -1) break ; switch (opt) { @@ -31,6 +32,7 @@ int main (int argc, char const *const *argv, char const *const *envp) case 'M' : flagdgram = 0 ; break ; case 'm' : flagdgram = 1 ; break ; case 'b' : if (!uint0_scan(l.arg, &backlog)) dieusage() ; break ; + case 'a' : if (!uint0_oscan(l.arg, &perms)) dieusage() ; break ; default : dieusage() ; } } @@ -40,7 +42,7 @@ int main (int argc, char const *const *argv, char const *const *envp) close(0) ; if (flagdgram ? ipc_datagram() : ipc_stream()) strerr_diefu1sys(111, "create socket") ; { - mode_t m = umask(0) ; + mode_t m = umask(~perms & 0777) ; if ((flagreuse ? ipc_bind_reuse(0, argv[0]) : ipc_bind(0, argv[0])) < 0) strerr_diefu2sys(111, "bind to ", argv[0]) ; umask(m) ; diff --git a/src/conn-tools/s6-ipcserver.c b/src/conn-tools/s6-ipcserver.c index f259c15..03f6eb9 100644 --- a/src/conn-tools/s6-ipcserver.c +++ b/src/conn-tools/s6-ipcserver.c @@ -8,7 +8,7 @@ #include <skalibs/djbunix.h> #include <s6/config.h> -#define USAGE "s6-ipcserver [ -q | -Q | -v ] [ -d | -D ] [ -P | -p ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gid,gid,... ] [ -g gid ] [ -u uid ] [ -U ] path prog..." +#define USAGE "s6-ipcserver [ -q | -Q | -v ] [ -d | -D ] [ -P | -p ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -a socketperms ] [ -G gid,gid,... ] [ -g gid ] [ -u uid ] [ -U ] path prog..." #define dieusage() strerr_dieusage(100, USAGE) int main (int argc, char const *const *argv, char const *const *envp) @@ -25,12 +25,13 @@ int main (int argc, char const *const *argv, char const *const *envp) unsigned int maxconn = 0 ; unsigned int localmaxconn = 0 ; unsigned int backlog = (unsigned int)-1 ; + unsigned int socketperms = 0777 ; PROG = "s6-ipcserver" ; { subgetopt_t l = SUBGETOPT_ZERO ; for (;;) { - int opt = subgetopt_r(argc, argv, "qQvDd1UPpc:C:b:u:g:G:", &l) ; + int opt = subgetopt_r(argc, argv, "qQvDd1UPpc:C:b:a:u:g:G:", &l) ; if (opt == -1) break ; switch (opt) { @@ -44,6 +45,7 @@ int main (int argc, char const *const *argv, char const *const *envp) case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; if (!maxconn) maxconn = 1 ; break ; case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; if (!localmaxconn) localmaxconn = 1 ; break ; case 'b' : if (!uint0_scan(l.arg, &backlog)) dieusage() ; break ; + case 'a' : if (!uint0_oscan(l.arg, &socketperms)) dieusage() ; break ; case 'u' : if (!uid0_scan(l.arg, &uid)) dieusage() ; break ; case 'g' : if (!gid0_scan(l.arg, &gid)) dieusage() ; break ; case 'G' : if (!gid_scanlist(gids, NGROUPS_MAX, l.arg, &gidn) && *l.arg) dieusage() ; break ; @@ -59,8 +61,8 @@ int main (int argc, char const *const *argv, char const *const *envp) { size_t pos = 0 ; unsigned int m = 0 ; - char fmt[UINT_FMT * 3 + UID_FMT + GID_FMT * (NGROUPS_MAX+1)] ; - char const *newargv[24 + argc] ; + char fmt[UINT_FMT * 3 + 5 + UID_FMT + GID_FMT * (NGROUPS_MAX+1)] ; + char const *newargv[26 + argc] ; newargv[m++] = S6_BINPREFIX "s6-ipcserver-socketbinder" ; if (!flagreuse) newargv[m++] = "-D" ; if (backlog != (unsigned int)-1) @@ -71,6 +73,14 @@ int main (int argc, char const *const *argv, char const *const *envp) pos += uint_fmt(fmt + pos, backlog) ; fmt[pos++] = 0 ; } + if (socketperms != 0777) + { + newargv[m++] = "-a" ; + newargv[m++] = fmt + pos ; + fmt[pos++] = '0' ; + pos += uint_ofmt(fmt + pos, socketperms & 0777) ; + fmt[pos++] = 0 ; + } newargv[m++] = "--" ; newargv[m++] = *argv++ ; if (flagU || uid || gid || gidn != (size_t)-1) |