From f2aba6737431219a9ebc6ff9f3a1ffbdbeca7e9f Mon Sep 17 00:00:00 2001 From: Dexter Chua Date: Sat, 20 Jun 2020 22:37:31 +0800 Subject: [PATCH] Add option for socket permissions This allows configuring the group and mode of the unix socket after it has been created to allow reverse proxies to access it. Fixes #317. I decided to call `chown` and `chgrp` directly to change the owner and group (the former will almost definitely not be called; only root can chown a file to another user, and you are not running codimd as root. It is included for consistency). The nodejs chown/chgrp functions only accepts uid and gid, not the names of the user or group. The standard way to convert a group name into a gid is the `uid-number` package. The way this package works is that 1. It spawns a new nodejs process 2. The new nodejs process calls nodejs' setgid function, which *does* accept both the group name and gid 3. It then calls getuid to retrieve the uid of the process, and returns it to the parent process via stdout. While this *works*, it is hacky, and if we are spawning a process anyway, might as well call `chgrp` directly. This does not update the documentation because we are merging into release/2.0.x but master reworks the configuration section of the documentation, so there will be a conflict when we merge anyway. Signed-off-by: Dexter Chua --- src/lib/app.ts | 16 +++++++++++++++- src/lib/config/default.ts | 5 +++++ src/lib/config/environment.ts | 5 +++++ 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/src/lib/app.ts b/src/lib/app.ts index d4eaa8e90..8ad68dfc8 100644 --- a/src/lib/app.ts +++ b/src/lib/app.ts @@ -6,6 +6,7 @@ import cookieParser from 'cookie-parser' import ejs from 'ejs' import express from 'express' import session from 'express-session' +import childProcess from 'child_process' import helmet from 'helmet' import http from 'http' import https from 'https' @@ -255,10 +256,23 @@ function startListen (): void { realtime.maintenance = false } + const unixCallback = function (): void { + const throwErr = function (err): void { if (err) throw err } + if (config.socket.owner !== undefined) { + childProcess.spawn('chown', [config.socket.owner, config.path]).on('error', throwErr) + } + if (config.socket.group !== undefined) { + childProcess.spawn('chgrp', [config.socket.group, config.path]).on('error', throwErr) + } + if (config.socket.mode !== undefined) { + fs.chmod(config.path, config.socket.mode, throwErr) + } + listenCallback() + } // use unix domain socket if 'path' is specified if (config.path) { address = config.path - server.listen(config.path, listenCallback) + server.listen(config.path, unixCallback) } else { address = config.host + ':' + config.port server.listen(config.port, config.host, listenCallback) diff --git a/src/lib/config/default.ts b/src/lib/config/default.ts index c30ce14d4..63a8249d9 100644 --- a/src/lib/config/default.ts +++ b/src/lib/config/default.ts @@ -8,6 +8,11 @@ export const defaultConfig: Config = { urlPath: '', host: '0.0.0.0', port: 3000, + socket: { + group: undefined, + owner: undefined, + mode: undefined + }, loglevel: 'info', urlAddPort: false, allowOrigin: ['localhost'], diff --git a/src/lib/config/environment.ts b/src/lib/config/environment.ts index 021e3ccde..c8f99a544 100644 --- a/src/lib/config/environment.ts +++ b/src/lib/config/environment.ts @@ -7,6 +7,11 @@ export const environment = { host: process.env.CMD_HOST, port: toIntegerConfig(process.env.CMD_PORT), path: process.env.CMD_PATH, + socket: { + group: process.env.CMD_SOCKET_GROUP, + owner: process.env.CMD_SOCKET_OWNER, + mode: process.env.CMD_SOCKET_MODE + }, loglevel: process.env.CMD_LOGLEVEL, urlAddPort: toBooleanConfig(process.env.CMD_URL_ADDPORT), useSSL: toBooleanConfig(process.env.CMD_USESSL),