Skip to content

Comments

Server: add setuid/setgid capabilities#129

Open
picnoir wants to merge 2 commits intomainfrom
nin/cty-unix-socket
Open

Server: add setuid/setgid capabilities#129
picnoir wants to merge 2 commits intomainfrom
nin/cty-unix-socket

Conversation

@picnoir
Copy link
Collaborator

@picnoir picnoir commented Dec 21, 2022
edited by noteed
Loading

We add tree new CLI flags to cty serve:

  • --unix-socket-path: path pointing to the unix socket. Defaults to
    ./curiosity.sock
  • --user-name: name of the user we want to run curiosity for.
  • --group-name: name of the user we want to run curiosity for.

On a production setting, we often like to bind the unix sockets to
/run. You need to be root to do that. The idea is to start the
software as root, let it bind its socket in /run, then setuid/setgid
the process to its definitive user/group.

We decided not to change the state.json uid/gid. It means that we'll
have to "manually" set the appropriate permission. Likely via the
service pre-start procedure. It might be a bad idea we want to
revisit, it might be the right way to do it, only experience will
tell on that one.

We also update the curiosity systemd service to reflect this change.

@picnoir
Server: add setuid/setgid capabilities
2436300 
We add tree new CLI flags to cty serve:

- --unix-socket-path: path pointing to the unix socket. Defaults to
  ./curiosity.
- --user-name: name of the user we want to run curiosity for.
- --group-name: name of the user we want to run curiosity for.

On a production setting, we often like to bind the unix sockets to
/run. You need to be root to do that. The idea is to start the
software as root, let it bind its socket in /run, then setuid/setgid
the process to its definitive user/group.

We decided not to change the state.json uid/gid. It means that we'll
have to "manually" set the appropriate permission. Likely via the
service pre-start procedure. It might be a bad idea we want to
revisit, it might be the right way to do it, only experience will
tell on that one.
@picnoir
Curiosity systemd service: setuid/setgid + unix socket in /run
a30f215
noteed
noteed reviewed Dec 22, 2022
View reviewed changes
modules/curiosity.nix
--data-dir ${(import ../.).data} \
--scenarios-dir ${(import ../.).scenarios} \
--stdout
--unix-socket-path /run/curiosity.sock
Copy link
Member

@noteed noteed Dec 22, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aren't some end-of-line backslashes necessary for continuation lines ?

@noteed
Copy link
Member

noteed commented Dec 22, 2022

So, let me try to rephrase what it's doing: the process, typically cty serve, starts as root, so that it can create a UNIX-domain socket in /run. It does create the socket, changes itself its ownership to curiosity:curiosity, then sets its own uid/guid to the same thing.

So far so good.

I was thinking initially to let dynamically users of the web application start and stop the UNIX-domain socket serving thread. This is what I did for the email processing thread (it's nice to kill that thread and see that outgoing emails remain in the TODO state when the thread is not running; and in cty run, that thread is not running, so that actually processing emails can be an explicit command in the cty run script).

For the UNIX-domain thread, that's not really necessary (to kill/spawn it while the HTTP server is running). But what if I wanted that to be possible ? Once the server has change its own uid/gui, could that thread be started again and create the socket in /run ?

So as I've said, that's not really a problem.

Do you think it's elegant to change the uid/gui in a forkIO thread though ? Here too it's not a big deal if we let it that way for now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@noteed noteed noteed left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@picnoir @noteed