server: Set admin socket permissions to match user.

We create the socket before dropping privileges so that we can create it
somewhere we might not be able to write to later.  This change will make
it possible for other processes running with reduced privilege to
connect and issue administration requests.

diff --git a/server/admin.c b/server/admin.c
index c4433e4..00288f3 100644 (file)
--- a/server/admin.c
+++ b/server/admin.c
@@ -2153,13 +2153,15 @@ void a_daemon(void) { flags |= F_DAEMON; }
 /* --- @a_init@ --- *
  *
  * Arguments:  @const char *name@ = socket name to create
+ *             @uid_t u@ = user to own the socket
+ *             @gid_t g@ = group to own the socket
  *
  * Returns:    ---
  *
  * Use:                Creates the admin listening socket.
  */
 
-void a_init(const char *name)
+void a_init(const char *name, uid_t u, gid_t g)
 {
   int fd;
   int n = 5;
@@ -2215,6 +2217,11 @@ again:
     goto again;
   }
   chmod(sun.sun_path, 0600);
+  if (chown(sun.sun_path, u, g)) {
+    T( trace(T_ADMIN,
+            "admin: failed to give away socket: %s",
+            strerror(errno)); )
+  }
   fdflags(fd, O_NONBLOCK, O_NONBLOCK, FD_CLOEXEC, FD_CLOEXEC);
   if (listen(fd, 5))
     die(EXIT_FAILURE, "couldn't listen on socket: %s", strerror(errno));

diff --git a/server/tripe.8.in b/server/tripe.8.in
index edf0ea5..9c6aea8 100644 (file)
--- a/server/tripe.8.in
+++ b/server/tripe.8.in
@@ -215,7 +215,8 @@ to
 .IR user 's
 primary group, unless overridden by a
 .B \-G
-option.
+option.  The selected user (and group) will also be the owner of the
+administration socket.
 .TP
 .BI "\-G, \-\-setgid=" group
 Set gid to that of

diff --git a/server/tripe.c b/server/tripe.c
index ebd8efc..ba59dfe 100644 (file)
--- a/server/tripe.c
+++ b/server/tripe.c
@@ -288,9 +288,9 @@ int main(int argc, char *argv[])
       af |= AF_FOREGROUND;
     a_create(STDIN_FILENO, STDOUT_FILENO, af);
   }
+  a_init(csock, u, g);
   u_setugid(u, g);
   km_init(kr_priv, kr_pub, tag_priv);
-  a_init(csock);
   if (f & f_daemon) {
     if (daemonize())
       die(EXIT_FAILURE, "couldn't become a daemon: %s", strerror(errno));

diff --git a/server/tripe.h b/server/tripe.h
index d955c88..a3f04c7 100644 (file)
--- a/server/tripe.h
+++ b/server/tripe.h
@@ -899,13 +899,15 @@ extern void a_daemon(void);
 /* --- @a_init@ --- *
  *
  * Arguments:  @const char *sock@ = socket name to create
+ *             @uid_t u@ = user to own the socket
+ *             @gid_t g@ = group to own the socket
  *
  * Returns:    ---
  *
  * Use:                Creates the admin listening socket.
  */
 
-extern void a_init(const char */*sock*/);
+extern void a_init(const char */*sock*/, uid_t /*u*/, gid_t /*g*/);
 
 /*----- Mapping with addresses as keys ------------------------------------*/