* Re: where to chmod socket file?
2009-11-30 22:34 0% ` Suraj Kurapati
@ 2009-12-01 0:41 0% ` Eric Wong
0 siblings, 0 replies; 5+ results
From: Eric Wong @ 2009-12-01 0:41 UTC (permalink / raw)
To: unicorn list
Suraj Kurapati <sunaku@gmail.com> wrote:
> Eric Wong wrote:
> > [PATCH] configurator: listen :umask parameter for UNIX sockets
>
> Hi Eric,
>
> I'm using Unicorn 0.95.1 and I think that the :umask option is
> behaving inversely.
>
> For example, if I specify :umask => 0600, the socket file ends up with
> s---rwxrwx (same as chmod 0077) permissions. In contrast, if I
> specify :umask => 0177, the socket file ends up with srw------- (same
> as chmod 0600) permissions.
>
> Is umask normally specified as the inverse of a desired chmod?
Hi Suraj, that's how umask works. "man 2 umask"
--
Eric Wong
^ permalink raw reply [relevance 0%]
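The relationship discussed in the exchange above, as an added example (not code from this thread or from unicorn): a umask lists the permission bits to clear, so a newly bound UNIX socket ends up with mode `0777 & ~umask`. The helper names are hypothetical, and the result assumes a platform such as Linux that applies the umask when binding.

```ruby
require 'socket'
require 'tmpdir'

# Hypothetical helper: the mask that leaves exactly `mode` on a new socket.
def umask_for_mode(mode)
  0777 & ~mode
end

# Hypothetical helper: render permission bits the way `ls -l` shows a socket.
def mode_string(perm)
  triads = 2.downto(0).map do |i|
    bits = (perm >> (i * 3)) & 7
    [[4, 'r'], [2, 'w'], [1, 'x']].map { |bit, ch| (bits & bit).zero? ? '-' : ch }.join
  end
  's' + triads.join
end

# Bind a throwaway UNIX socket under `mask` and return its permission bits.
# The process-wide umask is restored even if the bind fails.
def socket_mode_under_umask(mask)
  Dir.mktmpdir('umask-demo') do |dir|
    path = File.join(dir, 'demo.sock')
    old_umask = File.umask(mask)
    begin
      server = UNIXServer.new(path)
      begin
        File.stat(path).mode & 0777
      ensure
        server.close
      end
    ensure
      File.umask(old_umask)
    end
  end
end

# Constructed sample masks: the default, the patch's test value, owner read/write only.
[0, 0077, 0177].each do |mask|
  perm = socket_mode_under_umask(mask)
  printf("umask %04o -> %s (chmod %04o)\n", mask, mode_string(perm), perm)
end
```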
* Re: where to chmod socket file?
2009-11-15 1:52 0% ` Suraj Kurapati
@ 2009-11-30 22:34 0% ` Suraj Kurapati
2009-12-01 0:41 0% ` Eric Wong
0 siblings, 1 reply; 5+ results
From: Suraj Kurapati @ 2009-11-30 22:34 UTC (permalink / raw)
To: unicorn list
Eric Wong wrote:
> [PATCH] configurator: listen :umask parameter for UNIX sockets
Hi Eric,
I'm using Unicorn 0.95.1 and I think that the :umask option is
behaving inversely.
For example, if I specify :umask => 0600, the socket file ends up with
s---rwxrwx (same as chmod 0077) permissions. In contrast, if I
specify :umask => 0177, the socket file ends up with srw------- (same
as chmod 0600) permissions.
Is umask normally specified as the inverse of a desired chmod?
Thanks for your consideration.
^ permalink raw reply [relevance 0%]
* [ANN] unicorn 0.95.0 - we <3 Rainbows! and ponies too
@ 2009-11-15 22:34 7% Eric Wong
0 siblings, 0 replies; 5+ results
From: Eric Wong @ 2009-11-15 22:34 UTC (permalink / raw)
To: ruby-talk ML, mongrel-unicorn; +Cc: ruby-talk
Unicorn is a HTTP server for Rack applications designed to only serve
fast clients on low-latency, high-bandwidth connections and take
advantage of features in Unix/Unix-like kernels. Slow clients should
only be served by placing a reverse proxy capable of fully buffering
both the request and response in between Unicorn and slow clients.
* http://unicorn.bogomips.org/
* mongrel-unicorn@rubyforge.org
* git://git.bogomips.org/unicorn.git
Changes:
Mostly internal cleanups and documentation updates. Irrelevant
stacktraces from client disconnects/errors while reading
"rack.input" are now cleared to avoid unnecessary noise. If
user switching in workers is used, ownership of logs is now
preserved when reopening worker logs (send USR1 only to the
master in this case). The timeout config no longer affects long
after_fork hooks or application startups.
New features include the addition of the :umask option for the
"listen" config directive and error reporting for non-portable
socket options.
No ponies have ever been harmed in our development.
Eric Wong (28):
unicorn.1: document RACK_ENV changes in 0.94.0
HACKING: update with "gmake" in examples
don't nuke children for long after_fork and app loads
local.mk.sample: steal some updates from Rainbows!
Load Unicorn constants when building app
tee_input: fix RDoc argument definition for tee
Add FAQ
FAQ: fix links to Configurator docs
tee_input: better premature disconnect handling
tee_input: don't shadow struct members
raise Unicorn::ClientShutdown if client aborts in TeeInput
tee_input: fix comment from an intermediate commit
FAQ: additional notes on getting HTTPS redirects right
configurator: update RDoc and comments in examples
bump version to 0.95.0pre
configurator: listen :umask parameter for UNIX sockets
preserve user/group ownership when reopening logs
old_rails/static: avoid freezing strings
old_rails: autoload Static
const: no need to freeze HTTP_EXPECT
test_server: ensure stderr is written to before reading
tee_input: expand client error handling
replace "rescue => e" with "rescue Object => e"
socket_helper: do not hide errors when setting socket options
socket_helper: RDoc for constants
ClientShutdown: RDoc
Rakefile: add raa_update task
tee_input: client_error always raises
--
Eric Wong
^ permalink raw reply [relevance 7%]
* Re: where to chmod socket file?
2009-11-15 0:24 6% ` Eric Wong
@ 2009-11-15 1:52 0% ` Suraj Kurapati
2009-11-30 22:34 0% ` Suraj Kurapati
0 siblings, 1 reply; 5+ results
From: Suraj Kurapati @ 2009-11-15 1:52 UTC (permalink / raw)
To: unicorn list
Eric Wong wrote:
> [PATCH] configurator: listen :umask parameter for UNIX sockets
Awesome! Thanks Eric.
^ permalink raw reply [relevance 0%]
* Re: where to chmod socket file?
@ 2009-11-15 0:24 6% ` Eric Wong
2009-11-15 1:52 0% ` Suraj Kurapati
0 siblings, 1 reply; 5+ results
From: Eric Wong @ 2009-11-15 0:24 UTC (permalink / raw)
To: unicorn list
Eric Wong <normalperson@yhbt.net> wrote:
> Suraj Kurapati <sunaku@gmail.com> wrote:
> > Hello,
> >
> > I set the socket for my app to reside in /tmp/ because my app's
> > Capistrano deploy directory is NFS-mounted:
> >
> > listen '/tmp/my_app.sock'
> >
> > That socket file is being created with mode 0777 + sticky bit. I
> > don't want others to accidentally delete or write to this socket file,
> > so I added the following line to my before_fork() block:
> >
> > before_fork do |server, worker|
> > File.chmod 0600, '/tmp/my_app.sock'
> > # ...
> > end
> >
> > Is there a better place to put this chmod? Or maybe tell unicorn to
> > create the socket with mode 0600?
>
> Hi Suraj,
>
> That's probably the best place to put chmod for now... I could be
> persuaded to add a :umask option for listen. E.g.:
>
> listen '/tmp/my_app.sock', :umask => 0077
Hi Suraj, just pushed this out:
>From 07767ea2733ed5276ec638fa50102dccb0b2991e Mon Sep 17 00:00:00 2001
From: Eric Wong <normalperson@yhbt.net>
Date: Sat, 14 Nov 2009 15:28:37 -0800
Subject: [PATCH] configurator: listen :umask parameter for UNIX sockets
Typically UNIX domain sockets are created with more liberal
file permissions than the rest of the application. By default,
we create UNIX domain sockets to be readable and writable by
all local users to give them the same accessibility as
locally-bound TCP listeners.
This only has an effect on UNIX domain sockets.
This was inspired by Suraj Kurapati in
cfbcd2f00911121536rd0582b8u961f7f2a8c6e546a@mail.gmail.com
---
lib/unicorn/configurator.rb | 14 +++++++++++++-
lib/unicorn/socket_helper.rb | 2 +-
test/unit/test_socket_helper.rb | 14 ++++++++++++++
3 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/lib/unicorn/configurator.rb b/lib/unicorn/configurator.rb
index d68897b..2d92aa3 100644
--- a/lib/unicorn/configurator.rb
+++ b/lib/unicorn/configurator.rb
@@ -291,10 +291,22 @@ module Unicorn
# +:delay+: seconds to wait between successive +tries+
#
# Default: 0.5 seconds
+ #
+ # +:umask+: sets the file mode creation mask for UNIX sockets
+ #
+ # Typically UNIX domain sockets are created with more liberal
+ # file permissions than the rest of the application. By default,
+ # we create UNIX domain sockets to be readable and writable by
+ # all local users to give them the same accessibility as
+ # locally-bound TCP listeners.
+ #
+ # This has no effect on TCP listeners.
+ #
+ # Default: 0 (world read/writable)
def listen(address, opt = {})
address = expand_addr(address)
if String === address
- [ :backlog, :sndbuf, :rcvbuf, :tries ].each do |key|
+ [ :umask, :backlog, :sndbuf, :rcvbuf, :tries ].each do |key|
value = opt[key] or next
Integer === value or
raise ArgumentError, "not an integer: #{key}=#{value.inspect}"
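Review bot: The new +:umask+ RDoc does not say that the value names the permission bits to clear rather than the mode to set, and the `Integer === value` check in the loop accepts any integer. Suggest adding a line next to "Default: 0 (world read/writable)" with a concrete case, for example that 0077 gives an owner-only socket, and rejecting values outside 0..0777 in the same place the ArgumentError is raised.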
diff --git a/lib/unicorn/socket_helper.rb b/lib/unicorn/socket_helper.rb
index f792562..1c56be2 100644
--- a/lib/unicorn/socket_helper.rb
+++ b/lib/unicorn/socket_helper.rb
@@ -88,7 +88,7 @@ module Unicorn
"socket=#{address} specified but it is not a socket!"
end
end
- old_umask = File.umask(0)
+ old_umask = File.umask(opt[:umask] || 0)
begin
UNIXServer.new(address)
ensure
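Review bot: `File.umask(opt[:umask] || 0)` changes the mask for the whole process, so any other file created between this call and the point where `old_umask` is restored picks up the socket's mask; a comment here should say so. The fallback to 0 also means the socket stays world read/writable whenever :umask is omitted, so a listener placed in a shared directory is reachable by every local user unless the config opts in.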
diff --git a/test/unit/test_socket_helper.rb b/test/unit/test_socket_helper.rb
index dbca69b..c35b0c2 100644
--- a/test/unit/test_socket_helper.rb
+++ b/test/unit/test_socket_helper.rb
@@ -63,6 +63,20 @@ class TestSocketHelper < Test::Unit::TestCase
File.umask(old_umask)
end
+ def test_bind_listen_unix_umask
+ old_umask = File.umask(0777)
+ tmp = Tempfile.new 'unix.sock'
+ @unix_listener_path = tmp.path
+ File.unlink(@unix_listener_path)
+ @unix_listener = bind_listen(@unix_listener_path, :umask => 077)
+ assert UNIXServer === @unix_listener
+ assert_equal @unix_listener_path, sock_name(@unix_listener)
+ assert_equal 0140700, File.stat(@unix_listener_path).mode
+ assert_equal 0777, File.umask
+ ensure
+ File.umask(old_umask)
+ end
+
def test_bind_listen_unix_idempotent
test_bind_listen_unix
a = bind_listen(@unix_listener)
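Review bot: `assert_equal 0140700, File.stat(@unix_listener_path).mode` in test_bind_listen_unix_umask hard-codes the socket file-type bits together with the permission bits, and only one mask is exercised. Suggest comparing `File.stat(@unix_listener_path).mode & 0777` against 0700, asserting `File.stat(@unix_listener_path).socket?` separately, and adding a second mask such as 0177, so a failure shows which part is wrong.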
--
Eric Wong
^ permalink raw reply related [relevance 6%]
2009-11-12 23:36 where to chmod socket file? Suraj Kurapati
2009-11-13 2:03 ` Eric Wong
2009-11-15 0:24 6% ` Eric Wong
2009-11-15 1:52 0% ` Suraj Kurapati
2009-11-30 22:34 0% ` Suraj Kurapati
2009-12-01 0:41 0% ` Eric Wong
2009-11-15 22:34 7% [ANN] unicorn 0.95.0 - we <3 Rainbows! and ponies too Eric Wong
Code repositories for project(s) associated with this public inbox
https://yhbt.net/unicorn.git/