where to chmod socket file?

where to chmod socket file?

[Suraj Kurapati]

Hello,

I set the socket for my app to reside in /tmp/ because my app's
Capistrano deploy directory is NFS-mounted:

  listen '/tmp/my_app.sock'

That socket file is being created with mode 0777 + sticky bit.  I
don't want others to accidentally delete or write to this socket file,
so I added the following line to my before_fork() block:

  before_fork do |server, worker|
    File.chmod 0600, '/tmp/my_app.sock'
    # ...
  end

Is there a better place to put this chmod?  Or maybe tell unicorn to
create the socket with mode 0600?

Thanks for your consideration.

Re: where to chmod socket file?

[Eric Wong]

Suraj Kurapati <sunaku@gmail.com> wrote:
> Hello,
> 
> I set the socket for my app to reside in /tmp/ because my app's
> Capistrano deploy directory is NFS-mounted:
> 
>   listen '/tmp/my_app.sock'
> 
> That socket file is being created with mode 0777 + sticky bit.  I
> don't want others to accidentally delete or write to this socket file,
> so I added the following line to my before_fork() block:
> 
>   before_fork do |server, worker|
>     File.chmod 0600, '/tmp/my_app.sock'
>     # ...
>   end
> 
> Is there a better place to put this chmod?  Or maybe tell unicorn to
> create the socket with mode 0600?

Hi Suraj,

That's probably the best place to put chmod for now... I could be
persuaded to add a :umask option for listen.  E.g.:

    listen '/tmp/my_app.sock', :umask => 0077

On the other hand, I don't think it's even possible for others to
accidentally delete the socket if it's in /tmp (the directory itself
should be sticky, not the socket file).

I don't think world-read/writability is a problem for deployed apps.
Making sockets world-read/writable fits the model of localhost-bound TCP
sockets better: it's one step easier for people to port/change existing
testing/monitoring tools from the TCP ones.

Also, in my experience with FastCGI deployments, a less permissive umask
was often a source of breakage/confusion for FastCGI apps.  TCP sockets
don't have this problem, and I've seen people prefer it for that reason
alone.

-- 
Eric Wong

Re: where to chmod socket file?

[Eric Wong]

Eric Wong <normalperson@yhbt.net> wrote:
> Suraj Kurapati <sunaku@gmail.com> wrote:
> > Hello,
> > 
> > I set the socket for my app to reside in /tmp/ because my app's
> > Capistrano deploy directory is NFS-mounted:
> > 
> >   listen '/tmp/my_app.sock'
> > 
> > That socket file is being created with mode 0777 + sticky bit.  I
> > don't want others to accidentally delete or write to this socket file,
> > so I added the following line to my before_fork() block:
> > 
> >   before_fork do |server, worker|
> >     File.chmod 0600, '/tmp/my_app.sock'
> >     # ...
> >   end
> > 
> > Is there a better place to put this chmod?  Or maybe tell unicorn to
> > create the socket with mode 0600?
> 
> Hi Suraj,
> 
> That's probably the best place to put chmod for now... I could be
> persuaded to add a :umask option for listen.  E.g.:
> 
>     listen '/tmp/my_app.sock', :umask => 0077

Hi Suraj, just pushed this out:

>From 07767ea2733ed5276ec638fa50102dccb0b2991e Mon Sep 17 00:00:00 2001
From: Eric Wong <normalperson@yhbt.net>
Date: Sat, 14 Nov 2009 15:28:37 -0800
Subject: [PATCH] configurator: listen :umask parameter for UNIX sockets

Typically UNIX domain sockets are created with more liberal
file permissions than the rest of the application.  By default,
we create UNIX domain sockets to be readable and writable by
all local users to give them the same accessibility as
locally-bound TCP listeners.

This only has an effect on UNIX domain sockets.

This was inspired by Suraj Kurapati in
cfbcd2f00911121536rd0582b8u961f7f2a8c6e546a@mail.gmail.com
---
 lib/unicorn/configurator.rb     |   14 +++++++++++++-
 lib/unicorn/socket_helper.rb    |    2 +-
 test/unit/test_socket_helper.rb |   14 ++++++++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/lib/unicorn/configurator.rb b/lib/unicorn/configurator.rb
index d68897b..2d92aa3 100644
--- a/lib/unicorn/configurator.rb
+++ b/lib/unicorn/configurator.rb
@@ -291,10 +291,22 @@ module Unicorn
     # +:delay+: seconds to wait between successive +tries+
     #
     # Default: 0.5 seconds
+    #
+    # +:umask+: sets the file mode creation mask for UNIX sockets
+    #
+    # Typically UNIX domain sockets are created with more liberal
+    # file permissions than the rest of the application.  By default,
+    # we create UNIX domain sockets to be readable and writable by
+    # all local users to give them the same accessibility as
+    # locally-bound TCP listeners.
+    #
+    # This has no effect on TCP listeners.
+    #
+    # Default: 0 (world read/writable)
     def listen(address, opt = {})
       address = expand_addr(address)
       if String === address
-        [ :backlog, :sndbuf, :rcvbuf, :tries ].each do |key|
+        [ :umask, :backlog, :sndbuf, :rcvbuf, :tries ].each do |key|
           value = opt[key] or next
           Integer === value or
             raise ArgumentError, "not an integer: #{key}=#{value.inspect}"
diff --git a/lib/unicorn/socket_helper.rb b/lib/unicorn/socket_helper.rb
index f792562..1c56be2 100644
--- a/lib/unicorn/socket_helper.rb
+++ b/lib/unicorn/socket_helper.rb
@@ -88,7 +88,7 @@ module Unicorn
                   "socket=#{address} specified but it is not a socket!"
           end
         end
-        old_umask = File.umask(0)
+        old_umask = File.umask(opt[:umask] || 0)
         begin
           UNIXServer.new(address)
         ensure
diff --git a/test/unit/test_socket_helper.rb b/test/unit/test_socket_helper.rb
index dbca69b..c35b0c2 100644
--- a/test/unit/test_socket_helper.rb
+++ b/test/unit/test_socket_helper.rb
@@ -63,6 +63,20 @@ class TestSocketHelper < Test::Unit::TestCase
       File.umask(old_umask)
   end
 
+  def test_bind_listen_unix_umask
+    old_umask = File.umask(0777)
+    tmp = Tempfile.new 'unix.sock'
+    @unix_listener_path = tmp.path
+    File.unlink(@unix_listener_path)
+    @unix_listener = bind_listen(@unix_listener_path, :umask => 077)
+    assert UNIXServer === @unix_listener
+    assert_equal @unix_listener_path, sock_name(@unix_listener)
+    assert_equal 0140700, File.stat(@unix_listener_path).mode
+    assert_equal 0777, File.umask
+    ensure
+      File.umask(old_umask)
+  end
+
   def test_bind_listen_unix_idempotent
     test_bind_listen_unix
     a = bind_listen(@unix_listener)
-- 
Eric Wong

Re: where to chmod socket file?

[Suraj Kurapati]

Eric Wong wrote:
> [PATCH] configurator: listen :umask parameter for UNIX sockets

Awesome!  Thanks Eric.

Re: where to chmod socket file?

[Suraj Kurapati]

Eric Wong wrote:
> [PATCH] configurator: listen :umask parameter for UNIX sockets

Hi Eric,

I'm using Unicorn 0.95.1 and I think that the :umask option is
behaving inversely.

For example, if I specify :umask => 0600, the socket file ends up with
s---rwxrwx (same as chmod 0077) permissions.  In contrast, if I
specify :umask => 0177, the socket file ends up with srw------- (same
as chmod 0600) permissions.

Is umask normally specified as the inverse of a desired chmod?

Thanks for your consideration.

Re: where to chmod socket file?

[Eric Wong]

Suraj Kurapati <sunaku@gmail.com> wrote:
> Eric Wong wrote:
> > [PATCH] configurator: listen :umask parameter for UNIX sockets
> 
> Hi Eric,
> 
> I'm using Unicorn 0.95.1 and I think that the :umask option is
> behaving inversely.
> 
> For example, if I specify :umask => 0600, the socket file ends up with
> s---rwxrwx (same as chmod 0077) permissions.  In contrast, if I
> specify :umask => 0177, the socket file ends up with srw------- (same
> as chmod 0600) permissions.
> 
> Is umask normally specified as the inverse of a desired chmod?

Hi Suraj, that's how umask works.  "man 2 umask"

-- 
Eric Wong

Re: where to chmod socket file?

[Suraj Kurapati]

On Mon, Nov 30, 2009 at 4:41 PM, Eric Wong <normalperson@yhbt.net> wrote:
> Suraj Kurapati <sunaku@gmail.com> wrote:
>> Is umask normally specified as the inverse of a desired chmod?
>
> Hi Suraj, that's how umask works.  "man 2 umask"

Thanks!
_______________________________________________
mongrel-unicorn mailing list
mongrel-unicorn@rubyforge.org
http://rubyforge.org/mailman/listinfo/mongrel-unicorn