restrict app.sock access to www-data

web/internal/api/api.go

@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"net/http/fcgi"
 	"os"
+	"os/exec"
 
 	"github.com/labstack/echo/v4"
 	"github.com/labstack/echo/v4/middleware"
@@ -74,7 +75,8 @@ func addStaticAssets(isDev bool, e *echo.Echo) {
 	}))
 }
 
-func newListener(sockPath string) net.Listener {
+func newListener(cfg *config.Config) net.Listener {
+	sockPath := cfg.SocketPath
 	if _, err := os.Stat(sockPath); err == nil {
 		err = os.Remove(sockPath)
 		if err != nil {
@@ -85,12 +87,21 @@ func newListener(sockPath string) net.Listener {
 	if err != nil {
 		panic(err)
 	}
-	// Only root should be allowed to write to the socket, otherwise
-	// users could forge the X-CSC-ADFS-* headers and reset other people's
-	// passwords
-	err = os.Chmod(sockPath, 0600)
-	if err != nil {
-		panic(err)
+	if !cfg.IsDev && !cfg.NoSocketAuth {
+		// Only www-data should be allowed to write to the socket, otherwise
+		// users could forge the X-CSC-ADFS-* headers and reset other people's
+		// passwords
+		err = os.Chmod(sockPath, 0)
+		if err != nil {
+			panic(err)
+		}
+		cmd := exec.Command("/bin/setfacl", "-m", "u:www-data:rw", sockPath)
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		err = cmd.Run()
+		if err != nil {
+			panic(err)
+		}
 	}
 	return l
 }
@@ -126,7 +137,7 @@ func NewAPI(cfg *config.Config, ceodSrv model.CeodService, mailSrv service.MailS
 
 func Start(cfg *config.Config) {
 	e := NewAPI(cfg, service.NewCeodService(cfg), service.NewMailService(cfg))
-	listener := newListener(cfg.SocketPath)
+	listener := newListener(cfg)
 	e.Logger.Info("Listening on " + cfg.SocketPath)
 	if useFCGI(cfg) {
 		e.Logger.Fatal(fcgi.Serve(listener, e))

web/internal/config/config.go

@@ -20,6 +20,7 @@ const (
 
 type Config struct {
 	SocketPath           string `json:"socket_path"`
+	NoSocketAuth         bool   `json:"no_socket_auth"`
 	Krb5ConfigPath       string `json:"-"`
 	Krb5KeytabPath       string `json:"-"`
 	AppURL               string `json:"app_url"`