core: Add optional unix socket file permissions (#4741)
* core: Add optional unix socket file permissions

This commit also changes the default unix socket file permissions to `u=w,g=,o=` (octal: `0200`). It used to default to the shell's umask (usually `u=rwx,g=rx,o=rx`, octal: `0755`).

`/run/caddy.sock` -> `/run/caddy.sock` with `0200` default perms
`/run/caddy.sock|0222` -> `/run/caddy.sock` with `0222` perms

`|` instead of `:` is used as a separator, to account for the `:` in Windows drive letters (e.g. `C:\absolute\path.sock`)

Fun fact: The old unix(7) man page (pre Jun 2016) stated a socket needs both read and write perms. Turns out, only write perms are needed. Corrected in mkerrisk/man-pages@7578ea2

Despite this, most implementations still default to read+write to this date.

* Add cases with Windows paths to test

* Require write perms for the owning user
1 parent 7a69ae7, commit 22927e2. Showing 2 changed files with 156 additions and 3 deletions.
This update affects listeners using abstract sockets, which prevents them from starting.
For example:
The error log is as follows:
Jun 24 14:25:39 ip-172-31-37-181 systemd[1]: journalctl -u caddy --no-pager
Jun 24 14:25:39 ip-172-31-37-181 systemd[1]: Starting Caddy...
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: {"level":"warn","ts":1687616739.6567402,"msg":"unable to determine directory for user configuration; falling back to current directory","error":"neither $XDG_CONFIG_HOME nor $HOME are defined"}
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: caddy.HomeDir=.
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: caddy.AppDataDir=./caddy
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: {"level":"warn","ts":1687616739.6830947,"msg":"unable to determine directory for user configuration; falling back to current directory","error":"neither $XDG_CONFIG_HOME nor $HOME are defined"}
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: caddy.AppConfigDir=./caddy
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: caddy.ConfigAutosavePath=caddy/autosave.json
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: caddy.Version=v2.7.0-beta.2.0.20230623204941-22927e278dc2 h1:zy15qANzKVQkmRPvQv7pu0HhwkVKYMU4jTOVmev3AIU=
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: runtime.GOOS=linux
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: runtime.GOARCH=amd64
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: runtime.Compiler=gc
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: runtime.NumCPU=1
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: runtime.GOMAXPROCS=1
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: runtime.Version=go1.20.5
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: os.Getwd=/
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: LANG=C.UTF-8
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: NOTIFY_SOCKET=/run/systemd/notify
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: LOGNAME=nobody
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: USER=nobody
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: INVOCATION_ID=686a96898e45437783ad13c3f77c4f01
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: JOURNAL_STREAM=8:211591
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: {"level":"info","ts":1687616739.6852288,"msg":"using provided configuration","config_file":"/usr/local/etc/caddy/caddy.json","config_adapter":""}
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: {"level":"info","ts":1687616739.6862564,"msg":"redirected default logger","from":"stderr","to":"/var/log/caddy/error.log"}
Jun 24 14:25:39 ip-172-31-37-181 caddy[2287]: Error: loading initial config: loading new config: http app module: start: listening on unix/@http2.sock: unable to set permissions (--w-------) on @http2.sock: chmod @http2.sock: no such file or directory
Jun 24 14:25:39 ip-172-31-37-181 systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
Jun 24 14:25:39 ip-172-31-37-181 systemd[1]: caddy.service: Failed with result 'exit-code'.
Jun 24 14:25:39 ip-172-31-37-181 systemd[1]: Failed to start Caddy.
root@ip-172-31-37-181:~#
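The address syntax from the commit message above (`path|perms`, `|` as the separator so Windows drive letters survive, `0200` as the default, write permission required for the owning user) together with the abstract-socket failure reported in the comment above, as one added example in Go. This is not Caddy's code: `ParseUnixAddr`, `ListenUnix`, the `UnixAddr` type, the choice to reject explicit perms on an abstract socket (leading `@`), and skipping `chmod` entirely for abstract sockets are all assumptions made for this illustration. The sample addresses in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// defaultSocketMode follows the default described in the commit message:
// owner write only, u=w,g=,o= (octal 0200).
const defaultSocketMode os.FileMode = 0o200

// UnixAddr is the parsed form of a "path|perms" unix socket address
// (illustrative type, not Caddy's).
type UnixAddr struct {
	Path     string
	Mode     os.FileMode
	Abstract bool // Linux abstract socket (leading '@'): no filesystem entry exists
}

// ParseUnixAddr splits "path|perms". The separator is '|' rather than ':'
// so that Windows drive letters such as C:\path.sock pass through unchanged.
// Assumption: explicit perms on an abstract socket are an error, since there
// is no file for them to apply to and they would otherwise be silently ignored.
func ParseUnixAddr(addr string) (UnixAddr, error) {
	path, permStr, hasPerms := strings.Cut(addr, "|")
	if path == "" {
		return UnixAddr{}, errors.New("empty unix socket path")
	}
	ua := UnixAddr{
		Path:     path,
		Mode:     defaultSocketMode,
		Abstract: strings.HasPrefix(path, "@"),
	}
	if hasPerms {
		if ua.Abstract {
			return UnixAddr{}, fmt.Errorf("abstract socket %s has no file: permissions %q cannot apply", path, permStr)
		}
		m, err := strconv.ParseUint(permStr, 8, 32)
		if err != nil || m > 0o777 {
			return UnixAddr{}, fmt.Errorf("invalid unix socket permissions %q: want an octal mode up to 0777", permStr)
		}
		ua.Mode = os.FileMode(m)
	}
	// Only write is needed to connect (unix(7)), and the owning user must keep
	// it, otherwise the process that created the socket cannot reach it either.
	if !ua.Abstract && ua.Mode&0o200 == 0 {
		return UnixAddr{}, fmt.Errorf("unix socket permissions %s lack write for the owning user", ua.Mode)
	}
	return ua, nil
}

// ListenUnix binds the socket, then applies the mode. Abstract sockets are
// skipped: chmod on "@name" fails with "no such file or directory" because
// the name never appears in the filesystem.
func ListenUnix(addr string) (net.Listener, error) {
	ua, err := ParseUnixAddr(addr)
	if err != nil {
		return nil, err
	}
	ln, err := net.Listen("unix", ua.Path)
	if err != nil {
		return nil, err
	}
	if ua.Abstract {
		return ln, nil
	}
	if err := os.Chmod(ua.Path, ua.Mode); err != nil {
		ln.Close()
		return nil, fmt.Errorf("unable to set permissions (%s) on %s: %w", ua.Mode, ua.Path, err)
	}
	return ln, nil
}

func main() {
	// Constructed sample addresses covering the default, explicit perms, a
	// Windows path, an abstract socket, and two rejected inputs.
	for _, a := range []string{
		"/run/caddy.sock", "/run/caddy.sock|0222", `C:\absolute\path.sock|0222`,
		"@http2.sock", "/run/caddy.sock|0022", "@http2.sock|0222",
	} {
		ua, err := ParseUnixAddr(a)
		if err != nil {
			fmt.Printf("%-28s error: %v\n", a, err)
			continue
		}
		fmt.Printf("%-28s path=%s mode=%s abstract=%v\n", a, ua.Path, ua.Mode, ua.Abstract)
	}

	// Bind a real socket in a private temp dir and confirm the mode took.
	dir, err := os.MkdirTemp("", "sockperm")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	sock := filepath.Join(dir, "demo.sock")
	ln, err := ListenUnix(sock + "|0220")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer ln.Close()
	if st, err := os.Stat(sock); err == nil {
		fmt.Printf("%s mode after bind: %s\n", sock, st.Mode().Perm())
	}
}
```

Two caveats a practitioner should keep in mind. First, binding and then calling chmod leaves a short window in which the socket carries the umask-derived mode; put the socket in a directory that only the intended peers can traverse, or set the process umask before binding, if that window matters. Second, Linux abstract sockets have no permission bits at all: any process in the same network namespace can connect, so they are the wrong choice whenever file permissions are the access control you are relying on.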
@lxhao61 could you please open an issue instead? :)
Will look into this soon (and fix it).
Thank you!