restrict app.sock access to www-data
This commit is contained in:
parent
2164ceddf0
commit
5f8de94393
|
@ -9,6 +9,7 @@ import (
|
|||
"net/http"
|
||||
"net/http/fcgi"
|
||||
"os"
|
||||
"os/exec"
|
||||
|
||||
"github.com/labstack/echo/v4"
|
||||
"github.com/labstack/echo/v4/middleware"
|
||||
|
@ -74,7 +75,8 @@ func addStaticAssets(isDev bool, e *echo.Echo) {
|
|||
}))
|
||||
}
|
||||
|
||||
func newListener(sockPath string) net.Listener {
|
||||
func newListener(cfg *config.Config) net.Listener {
|
||||
sockPath := cfg.SocketPath
|
||||
if _, err := os.Stat(sockPath); err == nil {
|
||||
err = os.Remove(sockPath)
|
||||
if err != nil {
|
||||
|
@ -85,12 +87,21 @@ func newListener(sockPath string) net.Listener {
|
|||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
// Only root should be allowed to write to the socket, otherwise
|
||||
// users could forge the X-CSC-ADFS-* headers and reset other people's
|
||||
// passwords
|
||||
err = os.Chmod(sockPath, 0600)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
if !cfg.IsDev && !cfg.NoSocketAuth {
|
||||
// Only www-data should be allowed to write to the socket, otherwise
|
||||
// users could forge the X-CSC-ADFS-* headers and reset other people's
|
||||
// passwords
|
||||
err = os.Chmod(sockPath, 0)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
cmd := exec.Command("/bin/setfacl", "-m", "u:www-data:rw", sockPath)
|
||||
cmd.Stdout = os.Stdout
|
||||
cmd.Stderr = os.Stderr
|
||||
err = cmd.Run()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
||||
return l
|
||||
}
|
||||
|
@ -126,7 +137,7 @@ func NewAPI(cfg *config.Config, ceodSrv model.CeodService, mailSrv service.MailS
|
|||
|
||||
func Start(cfg *config.Config) {
|
||||
e := NewAPI(cfg, service.NewCeodService(cfg), service.NewMailService(cfg))
|
||||
listener := newListener(cfg.SocketPath)
|
||||
listener := newListener(cfg)
|
||||
e.Logger.Info("Listening on " + cfg.SocketPath)
|
||||
if useFCGI(cfg) {
|
||||
e.Logger.Fatal(fcgi.Serve(listener, e))
|
||||
|
|
|
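Review bot: The permission tightening in newListener happens only after the listener already exists — the Listen call is not inside the hunk but presumably precedes the `if err != nil { panic(err) }` at its top — so between socket creation and `os.Chmod(sockPath, 0)` the file briefly carries whatever mode the process umask yields, and on a host with a permissive umask another local user could connect during that window. Placing the socket in a directory whose own mode already excludes other users, or setting a restrictive umask before the Listen call, closes that gap without touching the ACL logic added here. The two `panic(err)` calls after `os.Chmod` and `cmd.Run()` drop which step failed; wrapping the error with the operation and `sockPath` (for example with `fmt.Errorf` and `%w`, if `fmt` is already imported in this file) makes a startup failure on a host lacking `/bin/setfacl` diagnosable from the log. `newListener` also has no doc comment; I would add `// newListener returns the listener for cfg.SocketPath and, unless cfg.IsDev or cfg.NoSocketAuth is set, restricts the socket so only www-data can connect.` The function body starts before this hunk.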
@ -20,6 +20,7 @@ const (
|
|||
|
||||
type Config struct {
|
||||
SocketPath string `json:"socket_path"`
|
||||
NoSocketAuth bool `json:"no_socket_auth"`
|
||||
Krb5ConfigPath string `json:"-"`
|
||||
Krb5KeytabPath string `json:"-"`
|
||||
AppURL string `json:"app_url"`
|
||||
|
|