From c3d197f4ffaaebbdb2f0ae022ed891b3de5c87af Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni
Date: Tue, 28 Aug 2018 13:34:43 -0400
Subject: [PATCH] make unix domain socket permissions configurable
---
 irc/config.go | 10 ++++++----
 irc/database.go | 2 +-
 irc/server.go | 7 +++++--
 oragono.yaml | 7 ++++++-
 4 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/irc/config.go b/irc/config.go
index b29713c3..18a6edb2 100644
--- a/irc/config.go
+++ b/irc/config.go
@@ -12,6 +12,7 @@ import (
 "fmt"
 "io/ioutil"
 "log"
+ "os"
 "path/filepath"
 "regexp"
 "strings"
@@ -212,6 +213,7 @@ type Config struct {
 Name string
 nameCasefolded string
 Listen []string
+ UnixBindMode os.FileMode `yaml:"unix-bind-mode"`
 TLSListeners map[string]*TLSListenConfig `yaml:"tls-listeners"`
 STS STSConfig
 CheckIdent bool `yaml:"check-ident"`
@@ -240,9 +242,9 @@ type Config struct {
 Accounts AccountConfig
 Channels struct {
- RawDefaultModes *string `yaml:"default-modes"`
- defaultModes modes.Modes
- Registration ChannelRegistrationConfig
+ DefaultModes *string `yaml:"default-modes"`
+ defaultModes modes.Modes
+ Registration ChannelRegistrationConfig
 }
 OperClasses map[string]*OperClassConfig `yaml:"oper-classes"`
@@ -697,7 +699,7 @@ func LoadConfig(filename string) (config *Config, err error) {
 config.operators = opers
 // parse default channel modes
- config.Channels.defaultModes = ParseDefaultChannelModes(config.Channels.RawDefaultModes)
+ config.Channels.defaultModes = ParseDefaultChannelModes(config.Channels.DefaultModes)
 if config.Server.Password != "" {
 config.Server.passwordBytes, err = decodeLegacyPasswordHash(config.Server.Password)
diff --git a/irc/database.go b/irc/database.go
index b617fe3f..d820879f 100644
--- a/irc/database.go
+++ b/irc/database.go
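Review bot: The new `UnixBindMode os.FileMode` field is handed straight to chmod (see the server.go hunk) without any check that it holds only permission bits, so a mistyped decimal `755` — which the YAML decoder would presumably read as the integer 755, i.e. 0o1363, whose low nine bits 0o363 grant write to everyone — or a value carrying non-permission bits reaches the socket unchanged and silently makes it world-connectable. LoadConfig, whose hunk is also in this patch, is the place to reject it: `if config.Server.UnixBindMode&^os.ModePerm != 0 { return nil, fmt.Errorf("unix-bind-mode %#o has bits outside the permission mask", config.Server.UnixBindMode) }`. The field also deserves a doc comment, e.g. `// UnixBindMode, when non-zero, is applied with chmod to each unix listen socket after it is created.`. Both the Config struct and LoadConfig extend outside these hunks.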
@@ -255,7 +255,7 @@ func schemaChangeV2ToV3(config *Config, tx *buntdb.Tx) error {
 }
 // explicitly store the channel modes
- defaultModes := ParseDefaultChannelModes(config.Channels.RawDefaultModes)
+ defaultModes := config.Channels.defaultModes
 modeStrings := make([]string, len(defaultModes))
 for i, mode := range defaultModes {
 modeStrings[i] = string(mode)
diff --git a/irc/server.go b/irc/server.go
index 2ff68cae..8c7c9328 100644
--- a/irc/server.go
+++ b/irc/server.go
@@ -309,7 +309,7 @@ func (server *Server) checkBans(ipaddr net.IP) (banned bool, message string) {
 //
 // createListener starts a given listener.
-func (server *Server) createListener(addr string, tlsConfig *tls.Config) (*ListenerWrapper, error) {
+func (server *Server) createListener(addr string, tlsConfig *tls.Config, bindMode os.FileMode) (*ListenerWrapper, error) {
 // make listener
 var listener net.Listener
 var err error
@@ -318,6 +318,9 @@ func (server *Server) createListener(addr string, tlsConfig *tls.Config) (*Liste
 // https://stackoverflow.com/a/34881585
 os.Remove(addr)
 listener, err = net.Listen("unix", addr)
+ if err == nil && bindMode != 0 {
+ os.Chmod(addr, bindMode)
+ }
 } else {
 listener, err = net.Listen("tcp", addr)
 }
@@ -1033,7 +1036,7 @@ func (server *Server) setupListeners(config *Config) (err error) {
 if !exists {
 // make new listener
 tlsConfig := tlsListeners[newaddr]
- listener, listenerErr := server.createListener(newaddr, tlsConfig)
+ listener, listenerErr := server.createListener(newaddr, tlsConfig, config.Server.UnixBindMode)
 if listenerErr != nil {
 server.logger.Error("rehash", "couldn't listen on", newaddr, listenerErr.Error())
 err = listenerErr
diff --git a/oragono.yaml b/oragono.yaml
index aff1604a..5b7d8645 100644
--- a/oragono.yaml
+++ b/oragono.yaml
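Review bot: `defaultModes := config.Channels.defaultModes` makes schemaChangeV2ToV3 depend on LoadConfig having already populated that unexported field; a Config that was decoded but not run through LoadConfig would presumably make the migration store an empty mode list instead of failing. A one-line doc comment on the migration stating that config must come from LoadConfig, or an explicit `if defaultModes == nil` guard that returns an error, would make the precondition visible — the call site is not in this patch, so I cannot confirm the ordering. schemaChangeV2ToV3 starts and ends outside the hunk.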
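Review bot: The `os.Chmod(addr, bindMode)` added after `net.Listen("unix", addr)` discards its error, so when the chmod fails the socket keeps the umask-derived mode it was created with and createListener still hands back a working listener — the wrong outcome when the operator configured a more restrictive mode. Capture the error and tear the listener down: `if err = os.Chmod(addr, bindMode); err != nil {` / `listener.Close()` / `}`; the error then flows into whatever `err` handling follows this block, which is outside the hunk so I cannot confirm it returns. Two smaller points in the same function: between Listen and Chmod the socket briefly carries the default mode, which only a umask set before listening can avoid, and the doc comment `// createListener starts a given listener.` should cover the new parameter, e.g. `// bindMode, when non-zero, is applied with chmod to unix sockets; 0 keeps the umask-derived mode.`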
@@ -16,9 +16,14 @@ server: - "127.0.0.1:6668" - "[::1]:6668" - ":6697" # ssl port - # unix domain socket for proxying: + # Unix domain socket for proxying: # - "/tmp/oragono_sock" + # permissions for Unix listen sockets. the default of 0755 is only accessible + # by the user that owns the oragono process. change to 0777 for behavior like + # a regular TCP socket (processes owned by any user can connect to oragono): + # unix-bind-mode: 0755 + # tls listeners tls-listeners: # listener on ":6697"
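Review bot: The new comment says `the default of 0755 is only accessible by the user that owns the oragono process`, but with `unix-bind-mode` unset the server.go hunk skips the chmod entirely, so the socket keeps whatever mode the kernel derives from the process umask — 0755 only under the usual umask of 022, while a umask of 002 yields a group-connectable 0775. Suggested wording: `# permissions for Unix listen sockets. if unset, the socket keeps the mode the process umask produces (0755 under the usual umask of 022), which lets only the owning user connect.`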