set unix socket permissions during binding of the UNIX-socket

Question

set unix socket permissions during binding of the UNIX-socket

socketpair opened this issue 8 years ago · 4 comments

socketpair commented 8 years ago

Unfortunatelly this is not so easy.

Safe, but (seems?) undocumented way in Linux -- is to call os.fchmod(socket.fileno()) BEFORE bind() + set umask to proper value. Since umask is not thread safe (affect all threads) that action should be done in fork()...
Portable way -- is to call os.chmod(path) after binding. But this will leave socket with wrong permissions during small amount of time.

Socket write permissions are required in order unprivileged process to connect to it.

asyd commented 7 years ago

Any news?

Answer 1 · 2017-09-02T04:09:29.000Z

Hm. I did not work on this. Someone should choose a way of solving this issue.

Answer 2 · 2017-09-04T06:47:09.000Z

@socketpair Do you have any suggestion on this? Changing the socket permission from outside can make it works but just temporarily, as long as the application is restarted the permission is lost and process like nginx (with www-data user) cannot connect anymore.

Answer 3 · 2017-09-04T10:30:21.000Z

Well.

I do not understand what you mean as "outside". Anyway, too broad permission is a security bug. If appliation is restarted, UNIX-socket is recreated (re-bound) and this code will fire again.

Variant 1 will looks like:

def do_bind(sk, addr, mode):
    pid = os.fork()
    if pid == 0:
        try:
            os.umask(~mode & 0o777)
            sk.bind(addr)
        except:
            os._exit(1)
        else:
            os._exit(0)
    (pid, status) = os.waitpid(pid, 0)
    if status:
        raise RuntimeError('Failed to bind the socket.')

Variant 2 is not atomic.

Variant 3 (since asyncio now is a port of CPython): Do that under GIL locked in C. But anyway this will affect third-party threads.