Allow setting permission bits of created socket


Feature Description

Following up on #686, it should be possible to set permissions for the created socket file.

As it stands, socket files created by thelounge are given default permissions:

cameron@myserver:~$ ls -l /run/thelounge/sock
srwxr-xr-x 1 thelounge thelounge 0 Dec 22 14:24 /run/thelounge/sock

This means that even if a webserver is in the thelounge group, it cannot write to the created socket, negating the usefulness of a socket file.

Please add the ability to control permission bits to socket on startup.


I have a tiny npm module that is designed to help with this. It allows configs to specify host or socket and option ports or permission bits. It also removes any existing socket file if the socket is dead. https://www.npmjs.com/package/server-starter Unfortunately this would be a breaking change to the current config.js.

Issue Analytics

  • State: open
  • Created 4 years ago
  • Reactions:1
  • Comments:9 (4 by maintainers)

Top GitHub Comments

1 reaction
cinderblock commented, Dec 23, 2019

There are two issues that relate to getting permissions set correctly.

The first is the owner/group of the file. That, as I understand it, uses the user’s default group unless the “sticky bit” is set on the folder which changes which group is set on file creation.

I’m using systemd’s RuntimeDirectory=thelounge option (which creates /run/thelounge on startup, owned by thelounge user, and cleaned on shutdown). I could add an ExecStartPre= script that sets the sticky bit, but that’s getting excessively confusing compared to other options, imho.

The second problem is setting the file permission bits. My system umask defaults to 0002 which should make created files have rw permissions for user & group. In practice, I need to add w permissions for group. (Not sure why there is a discrepancy there). I’d also like to remove any permissions for any other user/group.

I’m currently getting around these issues by adding nginx to the thelounge group and adding this to my systemd service configuration:

[Service]
RuntimeDirectory=thelounge
ExecStartPost=sleep 2
ExecStartPost=chmod g+w,o-rwx /run/thelounge/sock
# This doesn't work for some reason. Separate problem, but listed here for completeness
Type=exec

In any case, controlling the permissions of a created socket is, imho, an expected feature of creating a socket for other programs to interact with. As long as we’re not changing the user/group of the created file, root is not necessary.

0 reactions
cinderblock commented, Mar 18, 2020

For those looking for a way to do this manually, here is my systemd service file that waits for the socket to be created and chmod’s it:

[Unit]
Description=The Lounge (IRC client)
After=network.target

[Service]
ExecStart=/usr/bin/thelounge start

ProtectSystem=yes
ProtectHome=yes
NoNewPrivileges=yes
PrivateTmp=yes

User=thelounge
Group=www-data

RuntimeDirectory=thelounge
ExecStartPost=/usr/bin/inotifywait -e create -t 2 /run/thelounge
ExecStartPost=/bin/chmod g+w,o-rwx /run/thelounge/sock

[Install]
WantedBy=multi-user.target
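
An in-process way to get the same result as the chmod-after-start workarounds above, as an added example that is not part of the original thread and not The Lounge's own code. The names `listenWithMode` and `SOCKET_MODE` are hypothetical; it assumes a Node.js `net` (or `http`) server on Linux, where bind() applies the process umask to the socket file.

```javascript
// Added example: create a Unix socket that is never more permissive than
// the requested mode. listenWithMode and SOCKET_MODE are hypothetical names.
const fs = require('fs');
const net = require('net');

const SOCKET_MODE = 0o660; // rw for owner and group, nothing for others

function listenWithMode(server, socketPath, mode = SOCKET_MODE) {
  return new Promise((resolve, reject) => {
    // bind() honours the umask, so mask everything except owner rw first.
    // The socket then appears as 0600 rather than with default bits, and
    // there is no window in which it is wider than intended.
    const previousUmask = process.umask(0o177);
    const restore = () => process.umask(previousUmask);

    const onError = (err) => {
      restore();
      reject(err);
    };
    server.once('error', onError);

    server.listen(socketPath, () => {
      server.removeListener('error', onError);
      restore();
      try {
        // Widen to the requested bits only once the socket file exists.
        fs.chmodSync(socketPath, mode);
        // Report the bits actually on disk so the caller can log or verify.
        resolve(fs.statSync(socketPath).mode & 0o777);
      } catch (err) {
        server.close();
        reject(err);
      }
    });
  });
}
```

The group owner of the socket is still decided by the directory and the service's `Group=` setting, so this only replaces the `ExecStartPost=chmod` step, not the group setup.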
