[PATCH shepherd] service: fix ownership+permissions on Unix sockets

  • Done
  • quality assurance status badge
Details
2 participants
  • Ludovic Courtès
  • Ulrich Baum
Owner
unassigned
Submitted by
Ulrich Baum
Severity
normal
U
U
Ulrich Baum wrote on 17 Dec 2023 14:38
(name . guix-patches@gnu.org)(address . guix-patches@gnu.org)
656849315.83800.1702820292582@office.mailbox.org
Previously, ownership and permissions of AF_UNIX sockets created by
make-inetd-constructor and make-systemd-constructor were not set,
leaving the socket with root:root and 755 permissions.

modules/shepherd/service.scm (endpoint->listening-socket): fix chown and
chmod calls
---
modules/shepherd/service.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

Toggle diff (15 lines)
diff --git a/modules/shepherd/service.scm b/modules/shepherd/service.scm
index 41c6248..f22aaaf 100644
--- a/modules/shepherd/service.scm
+++ b/modules/shepherd/service.scm
@@ -1867,8 +1867,8 @@ retrying to bind it in one second.")
(listen sock backlog)

(when (= AF_UNIX (sockaddr:fam address))
- (chown sock owner group)
- (chmod sock #o666))
+ (chown (sockaddr:path address) owner group)
+ (chmod (sockaddr:path address) #o666))

sock))))

--
2.43.0
L
L
Ludovic Courtès wrote on 19 Dec 2023 23:38
(name . Ulrich Baum)(address . ulrich.baum@ubaum.de)(address . 67867-done@debbugs.gnu.org)
87a5q5izr2.fsf@gnu.org
Hi Ulrich,

Ulrich Baum <ulrich.baum@ubaum.de> skribis:

Toggle quote (7 lines)
> Previously, ownership and permissions of AF_UNIX sockets created by
> make-inetd-constructor and make-systemd-constructor were not set,
> leaving the socket with root:root and 755 permissions.
>
> modules/shepherd/service.scm (endpoint->listening-socket): fix chown and
> chmod calls

[...]

Toggle quote (6 lines)
> (when (= AF_UNIX (sockaddr:fam address))
> - (chown sock owner group)
> - (chmod sock #o666))
> + (chown (sockaddr:path address) owner group)
> + (chmod (sockaddr:path address) #o666))

Good catch! I was surprised that fchown(2) and fchmod(2) silently did
nothing, but that’s how it is.

Pushed together with a test, which allowed me to find a related bug
(more serious, because it’s about permissions on the socket’s
directory):

9dfeb4e support: ‘mkdir-p’ sets permissions when directory already exists.
f5b7411 service: Really set ownership and permissions on Unix sockets.

(BTW, I have just renamed ‘master’ to ‘main’, but ‘master’ hasn’t been
deleted yet from the server; make sure to pick ‘main’ and adjust your
Git config.)

Thanks,
Ludo’.
Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 67867@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 67867
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch