authorAndreas Kling <awesomekling@gmail.com>2020-01-09 21:35:33 +0100
committerAndreas Kling <awesomekling@gmail.com>2020-01-09 21:35:33 +0100
commit7dd03b46ee8d134eb60c773700c3a558e757cd9a (patch)
treedde6cec9b209ec44c054bc5409bb18abad89de74
parentf3dad64a3b31667f4e9ea98f838a1bd934616164 (diff)
SystemServer: Allow specifying per-service socket file permissions
-rw-r--r--Base/usr/share/man/man5/SystemServer.md1
-rw-r--r--Servers/SystemServer/Service.cpp4
-rw-r--r--Servers/SystemServer/Service.h2
3 files changed, 6 insertions, 1 deletions
diff --git a/Base/usr/share/man/man5/SystemServer.md b/Base/usr/share/man/man5/SystemServer.md
index 9e00d07af5..024ce1bdc1 100644
--- a/Base/usr/share/man/man5/SystemServer.md
+++ b/Base/usr/share/man/man5/SystemServer.md
@@ -23,6 +23,7 @@ describing how to launch and manage this service.
* `KeepAlive` - whether the service should be restarted if it exits or crashes. For lazy services, this means the service will get respawned once a new connection is attempted on their socket after they exit or crash.
* `Lazy` - whether the service should only get spawned once a client attempts to connect to their socket.
* `Socket` - a path to a socket to create on behalf of the service. For lazy services, SystemServer will actually watch the socket for new connection attempts. An open file descriptor to this socket will be passed as fd 3 to the service.
+* `SocketPermissions` - (octal) file system permissions for the socket file. The default permissions are 0600.
* `User` - a name of the user to run the service as. This impacts what UID, GID (and extra GIDs) the service processes have. By default, services are run as root.
## Environment
diff --git a/Servers/SystemServer/Service.cpp b/Servers/SystemServer/Service.cpp
index 4191b8d4c2..d97a05e3d1 100644
--- a/Servers/SystemServer/Service.cpp
+++ b/Servers/SystemServer/Service.cpp
@@ -104,7 +104,7 @@ void Service::setup_socket()
ASSERT_NOT_REACHED();
}
- if (fchmod(m_socket_fd, 0600) < 0) {
+ if (fchmod(m_socket_fd, m_socket_permissions) < 0) {
perror("fchmod");
ASSERT_NOT_REACHED();
}
@@ -270,6 +270,8 @@ Service::Service(const CConfigFile& config, const StringView& name)
m_socket_path = config.read_entry(name, "Socket");
if (!m_socket_path.is_null()) {
+ auto socket_permissions_string = config.read_entry(name, "SocketPermissions", "0600");
+ m_socket_permissions = strtol(socket_permissions_string.characters(), nullptr, 8) & 04777;
setup_socket();
}
}
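Review bot: The added `strtol(..., nullptr, 8)` call never checks where parsing stopped, so a malformed `SocketPermissions` value (empty, symbolic, or containing 8/9) silently becomes mode 0 or a truncated prefix instead of being rejected. The mask `04777` also keeps the setuid bit while dropping setgid and sticky, which looks unintended for a socket file; `0777` would be the conservative bound. I would parse with an end pointer, reject trailing characters and out-of-range values, and fall back to the documented 0600 with a message. Since the man page says services run as root by default, a comment noting that a group- or world-accessible mode widens who can connect to that service is worth adding here. The constructor body begins outside this hunk.

```cpp
auto socket_permissions_string = config.read_entry(name, "SocketPermissions", "0600");
char* end = nullptr;
long parsed_permissions = strtol(socket_permissions_string.characters(), &end, 8);
// Accept only a complete octal number made of plain rwx bits; anything else
// falls back to the documented owner-only default.
if (end == socket_permissions_string.characters() || *end != '\0'
    || parsed_permissions < 0 || parsed_permissions > 0777) {
    fprintf(stderr, "SystemServer: invalid SocketPermissions value, using 0600\n");
    parsed_permissions = 0600;
}
m_socket_permissions = static_cast<mode_t>(parsed_permissions);
setup_socket();
```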
diff --git a/Servers/SystemServer/Service.h b/Servers/SystemServer/Service.h
index 7abb0444e0..3c56a9e08a 100644
--- a/Servers/SystemServer/Service.h
+++ b/Servers/SystemServer/Service.h
@@ -38,6 +38,8 @@ private:
bool m_keep_alive { false };
// Path to the socket to create and listen on on behalf of this service.
String m_socket_path;
+ // File system permissions for the socket.
+ mode_t m_socket_permissions { 0 };
// Whether we should only spawn this service once somebody connects to the socket.
bool m_lazy;
// The name of the user we should run this service as.
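Review bot: The new member `m_socket_permissions` is initialised to `0`, while the man page change in this commit documents 0600 as the default, so the field's own default and the documented one disagree. In the visible constructor hunk the value is always overwritten before `setup_socket()` runs, but any other path that reaches `fchmod()` would apply mode 0. Consider `mode_t m_socket_permissions { 0600 };` and a fuller comment such as `// Mode bits applied to the socket file via fchmod(); parsed as octal from SocketPermissions (default 0600).` The class declaration starts and continues outside this hunk.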