3
0
mirror of https://github.com/ergochat/ergo.git synced 2024-12-25 20:22:38 +01:00

make unix domain socket permissions configurable

This commit is contained in:
Shivaram Lingamneni 2018-08-28 13:34:43 -04:00
parent 831969f1f0
commit c3d197f4ff
4 changed files with 18 additions and 8 deletions

View File

@ -12,6 +12,7 @@ import (
"fmt"
"io/ioutil"
"log"
"os"
"path/filepath"
"regexp"
"strings"
@ -212,6 +213,7 @@ type Config struct {
Name string
nameCasefolded string
Listen []string
UnixBindMode os.FileMode `yaml:"unix-bind-mode"`
TLSListeners map[string]*TLSListenConfig `yaml:"tls-listeners"`
STS STSConfig
CheckIdent bool `yaml:"check-ident"`
@ -240,9 +242,9 @@ type Config struct {
Accounts AccountConfig
Channels struct {
RawDefaultModes *string `yaml:"default-modes"`
defaultModes modes.Modes
Registration ChannelRegistrationConfig
DefaultModes *string `yaml:"default-modes"`
defaultModes modes.Modes
Registration ChannelRegistrationConfig
}
OperClasses map[string]*OperClassConfig `yaml:"oper-classes"`
@ -697,7 +699,7 @@ func LoadConfig(filename string) (config *Config, err error) {
config.operators = opers
// parse default channel modes
config.Channels.defaultModes = ParseDefaultChannelModes(config.Channels.RawDefaultModes)
config.Channels.defaultModes = ParseDefaultChannelModes(config.Channels.DefaultModes)
if config.Server.Password != "" {
config.Server.passwordBytes, err = decodeLegacyPasswordHash(config.Server.Password)

View File

@ -255,7 +255,7 @@ func schemaChangeV2ToV3(config *Config, tx *buntdb.Tx) error {
}
// explicitly store the channel modes
defaultModes := ParseDefaultChannelModes(config.Channels.RawDefaultModes)
defaultModes := config.Channels.defaultModes
modeStrings := make([]string, len(defaultModes))
for i, mode := range defaultModes {
modeStrings[i] = string(mode)

View File

@ -309,7 +309,7 @@ func (server *Server) checkBans(ipaddr net.IP) (banned bool, message string) {
//
// createListener starts a given listener.
func (server *Server) createListener(addr string, tlsConfig *tls.Config) (*ListenerWrapper, error) {
func (server *Server) createListener(addr string, tlsConfig *tls.Config, bindMode os.FileMode) (*ListenerWrapper, error) {
// make listener
var listener net.Listener
var err error
@ -318,6 +318,9 @@ func (server *Server) createListener(addr string, tlsConfig *tls.Config) (*Liste
// https://stackoverflow.com/a/34881585
os.Remove(addr)
listener, err = net.Listen("unix", addr)
if err == nil && bindMode != 0 {
os.Chmod(addr, bindMode)
}
} else {
listener, err = net.Listen("tcp", addr)
}
@ -1033,7 +1036,7 @@ func (server *Server) setupListeners(config *Config) (err error) {
if !exists {
// make new listener
tlsConfig := tlsListeners[newaddr]
listener, listenerErr := server.createListener(newaddr, tlsConfig)
listener, listenerErr := server.createListener(newaddr, tlsConfig, config.Server.UnixBindMode)
if listenerErr != nil {
server.logger.Error("rehash", "couldn't listen on", newaddr, listenerErr.Error())
err = listenerErr

View File

@ -16,9 +16,14 @@ server:
- "127.0.0.1:6668"
- "[::1]:6668"
- ":6697" # ssl port
# unix domain socket for proxying:
# Unix domain socket for proxying:
# - "/tmp/oragono_sock"
# permissions for Unix listen sockets. the default of 0755 is only accessible
# by the user that owns the oragono process. change to 0777 for behavior like
# a regular TCP socket (processes owned by any user can connect to oragono):
# unix-bind-mode: 0755
# tls listeners
tls-listeners:
# listener on ":6697"