Make Unix socket permissions configurable
This commit is contained in:
parent
4d60aeae18
commit
b4f8961e44
5 changed files with 34 additions and 2 deletions
3
acls.go
3
acls.go
|
@ -25,8 +25,11 @@ const (
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
|
Base8 = 8
|
||||||
Base10 = 10
|
Base10 = 10
|
||||||
BitSize16 = 16
|
BitSize16 = 16
|
||||||
|
BitSize32 = 32
|
||||||
|
BitSize64 = 64
|
||||||
portRangeBegin = 0
|
portRangeBegin = 0
|
||||||
portRangeEnd = 65535
|
portRangeEnd = 65535
|
||||||
expectedTokenItems = 2
|
expectedTokenItems = 2
|
||||||
|
|
7
app.go
7
app.go
|
@ -6,6 +6,7 @@ import (
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
|
"io/fs"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
@ -96,6 +97,7 @@ type Config struct {
|
||||||
DNSConfig *tailcfg.DNSConfig
|
DNSConfig *tailcfg.DNSConfig
|
||||||
|
|
||||||
UnixSocket string
|
UnixSocket string
|
||||||
|
UnixSocketPermission fs.FileMode
|
||||||
|
|
||||||
OIDC OIDCConfig
|
OIDC OIDCConfig
|
||||||
|
|
||||||
|
@ -426,6 +428,11 @@ func (h *Headscale) Serve() error {
|
||||||
return fmt.Errorf("failed to set up gRPC socket: %w", err)
|
return fmt.Errorf("failed to set up gRPC socket: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Change socket permissions
|
||||||
|
if err := os.Chmod(h.cfg.UnixSocket, h.cfg.UnixSocketPermission); err != nil {
|
||||||
|
return fmt.Errorf("failed change permission of gRPC socket: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
// Handle common process-killing signals so we can gracefully shut down:
|
// Handle common process-killing signals so we can gracefully shut down:
|
||||||
sigc := make(chan os.Signal, 1)
|
sigc := make(chan os.Signal, 1)
|
||||||
signal.Notify(sigc, os.Interrupt, syscall.SIGTERM)
|
signal.Notify(sigc, os.Interrupt, syscall.SIGTERM)
|
||||||
|
|
|
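Review bot: The os.Chmod added at L164 runs after the listener has already created the socket (the listener setup sits above this hunk), so the socket first exists with whatever mode bind() gives it (typically 0777 masked by the umask) and only afterwards receives the configured mode; when the configured mode is tighter than that default, the window between the two grants the wider permissions. A race-free alternative is to place the socket in a directory whose own mode already restricts access, or to apply a restrictive umask around the listener creation and relax it afterwards with this chmod. Note also that os.Chmod resolves the configured path at call time rather than acting on the listener's descriptor, so it follows whatever that path currently points to. The error string is missing a word: `return fmt.Errorf("failed to change permission of gRPC socket: %w", err)`. Serve begins and ends outside the hunk.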
@ -5,10 +5,12 @@ import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"io/fs"
|
||||||
"net/url"
|
"net/url"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"regexp"
|
"regexp"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
@ -23,6 +25,10 @@ import (
|
||||||
"tailscale.com/types/dnstype"
|
"tailscale.com/types/dnstype"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
PermissionFallback = 0o700
|
||||||
|
)
|
||||||
|
|
||||||
func LoadConfig(path string) error {
|
func LoadConfig(path string) error {
|
||||||
viper.SetConfigName("config")
|
viper.SetConfigName("config")
|
||||||
if path == "" {
|
if path == "" {
|
||||||
|
@ -48,6 +54,7 @@ func LoadConfig(path string) error {
|
||||||
viper.SetDefault("dns_config", nil)
|
viper.SetDefault("dns_config", nil)
|
||||||
|
|
||||||
viper.SetDefault("unix_socket", "/var/run/headscale.sock")
|
viper.SetDefault("unix_socket", "/var/run/headscale.sock")
|
||||||
|
viper.SetDefault("unix_socket_permission", "0o770")
|
||||||
|
|
||||||
viper.SetDefault("cli.insecure", false)
|
viper.SetDefault("cli.insecure", false)
|
||||||
viper.SetDefault("cli.timeout", "5s")
|
viper.SetDefault("cli.timeout", "5s")
|
||||||
|
@ -258,6 +265,7 @@ func getHeadscaleConfig() headscale.Config {
|
||||||
ACMEURL: viper.GetString("acme_url"),
|
ACMEURL: viper.GetString("acme_url"),
|
||||||
|
|
||||||
UnixSocket: viper.GetString("unix_socket"),
|
UnixSocket: viper.GetString("unix_socket"),
|
||||||
|
UnixSocketPermission: GetFileMode("unix_socket_permission"),
|
||||||
|
|
||||||
OIDC: headscale.OIDCConfig{
|
OIDC: headscale.OIDCConfig{
|
||||||
Issuer: viper.GetString("oidc.issuer"),
|
Issuer: viper.GetString("oidc.issuer"),
|
||||||
|
@ -448,3 +456,14 @@ func loadOIDCMatchMap() map[string]string {
|
||||||
|
|
||||||
return strMap
|
return strMap
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func GetFileMode(key string) fs.FileMode {
|
||||||
|
modeStr := viper.GetString(key)
|
||||||
|
|
||||||
|
mode, err := strconv.ParseUint(modeStr, headscale.Base8, headscale.BitSize64)
|
||||||
|
if err != nil {
|
||||||
|
return PermissionFallback
|
||||||
|
}
|
||||||
|
|
||||||
|
return fs.FileMode(mode)
|
||||||
|
}
|
||||||
|
|
|
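Review bot: The default `viper.SetDefault("unix_socket_permission", "0o770")` at L320 cannot be parsed by GetFileMode, because strconv.ParseUint accepts the `0o` prefix only when the base argument is 0, and the call at L402 passes headscale.Base8; the default therefore silently degrades to PermissionFallback (0o700). Either spell the default as `"0770"`, matching the example config, or parse with base 0 so both spellings are accepted. The bare `return PermissionFallback` at L410 also hides any typo in an operator-supplied value; logging the parse error before returning the fallback would make the misconfiguration visible. Values with bits outside 0o777 are not rejected either, and since the later chmod appears to use only the permission bits, an input such as `4770` would be applied as 0o770 without notice, so a check like `if mode > 0o777 { return PermissionFallback }` (with a log line) would surface the mistake. The assertion in the next section passes only because the example config supplies "0770", not because the viper default is parsed.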
@ -1,6 +1,7 @@
|
||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"io/fs"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
@ -60,6 +61,7 @@ func (*Suite) TestConfigLoading(c *check.C) {
|
||||||
c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
|
c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
|
||||||
c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
|
c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
|
||||||
c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
|
c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
|
||||||
|
c.Assert(cli.GetFileMode("unix_socket_permission"), check.Equals, fs.FileMode(0o770))
|
||||||
}
|
}
|
||||||
|
|
||||||
func (*Suite) TestDNSConfigLoading(c *check.C) {
|
func (*Suite) TestDNSConfigLoading(c *check.C) {
|
||||||
|
|
|
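Review bot: The assertion at L486 covers only a value that parses successfully; the fallback branch of GetFileMode and the behaviour of the viper default are not exercised. A second case that sets an unparseable value, `viper.Set("unix_socket_permission", "not-octal")`, and asserts `c.Assert(cli.GetFileMode("unix_socket_permission"), check.Equals, fs.FileMode(cli.PermissionFallback))` would pin the fallback, and a case that reads the key with no config loaded would catch a default that the parser cannot read. TestConfigLoading begins outside the hunk.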
@ -149,6 +149,7 @@ dns_config:
|
||||||
# Note: for local development, you probably want to change this to:
|
# Note: for local development, you probably want to change this to:
|
||||||
# unix_socket: ./headscale.sock
|
# unix_socket: ./headscale.sock
|
||||||
unix_socket: /var/run/headscale.sock
|
unix_socket: /var/run/headscale.sock
|
||||||
|
unix_socket_permission: "0770"
|
||||||
#
|
#
|
||||||
# headscale supports experimental OpenID connect support,
|
# headscale supports experimental OpenID connect support,
|
||||||
# it is still being tested and might have some bugs, please
|
# it is still being tested and might have some bugs, please
|
||||||
|
|
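Review bot: The new `unix_socket_permission: "0770"` at L524 carries no explanatory comment, and the quoting is load-bearing: an unquoted `0770` is interpreted as a number by the YAML parser before GetFileMode sees it, so the string handed to the octal parser would no longer be what the operator wrote. A comment above the key such as `# Permission mode of the unix socket as an octal string; keep it quoted so YAML does not reinterpret the leading zero.` would document both the format and the reason for the quotes.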