Merge pull request #292 from kradalby/socket-permission

Make Unix socket permissions configurable
juanfont · Jan 29, 2022 · 853a528 · 853a528
2 parents b195c87 + cd0df1e
commit 853a528
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,8 @@
 
 **Changes**:
 
+- Make gRPC Unix Socket permissions configurable [#292](https://github.com/juanfont/headscale/pull/292)
+- Trim whitespace before reading Private Key from file [#289](https://github.com/juanfont/headscale/pull/289)
 - Add new command to generate a private key for `headscale` [#290](https://github.com/juanfont/headscale/pull/290)
 - Fixed issue where hosts deleted from control server may be written back to the database, as long as they are connected to the control server [#278](https://github.com/juanfont/headscale/pull/278)
 

diff --git a/acls.go b/acls.go
@@ -25,8 +25,11 @@ const (
 )
 
 const (
+	Base8              = 8
 	Base10             = 10
 	BitSize16          = 16
+	BitSize32          = 32
+	BitSize64          = 64
 	portRangeBegin     = 0
 	portRangeEnd       = 65535
 	expectedTokenItems = 2

diff --git a/app.go b/app.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/fs"
 	"net"
 	"net/http"
 	"net/url"
@@ -95,7 +96,8 @@ type Config struct {
 
 	DNSConfig *tailcfg.DNSConfig
 
-	UnixSocket string
+	UnixSocket           string
+	UnixSocketPermission fs.FileMode
 
 	OIDC OIDCConfig
 
@@ -426,6 +428,11 @@ func (h *Headscale) Serve() error {
 		return fmt.Errorf("failed to set up gRPC socket: %w", err)
 	}
 
+	// Change socket permissions
+	if err := os.Chmod(h.cfg.UnixSocket, h.cfg.UnixSocketPermission); err != nil {
+		return fmt.Errorf("failed change permission of gRPC socket: %w", err)
+	}
+
 	// Handle common process-killing signals so we can gracefully shut down:
 	sigc := make(chan os.Signal, 1)
 	signal.Notify(sigc, os.Interrupt, syscall.SIGTERM)

diff --git a/cmd/headscale/cli/utils.go b/cmd/headscale/cli/utils.go
@@ -5,10 +5,12 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io/fs"
 	"net/url"
 	"os"
 	"path/filepath"
 	"regexp"
+	"strconv"
 	"strings"
 	"time"
 
@@ -23,6 +25,10 @@ import (
 	"tailscale.com/types/dnstype"
 )
 
+const (
+	PermissionFallback = 0o700
+)
+
 func LoadConfig(path string) error {
 	viper.SetConfigName("config")
 	if path == "" {
@@ -48,6 +54,7 @@ func LoadConfig(path string) error {
 	viper.SetDefault("dns_config", nil)
 
 	viper.SetDefault("unix_socket", "/var/run/headscale.sock")
+	viper.SetDefault("unix_socket_permission", "0o770")
 
 	viper.SetDefault("cli.insecure", false)
 	viper.SetDefault("cli.timeout", "5s")
@@ -257,7 +264,8 @@ func getHeadscaleConfig() headscale.Config {
 		ACMEEmail: viper.GetString("acme_email"),
 		ACMEURL:   viper.GetString("acme_url"),
 
-		UnixSocket: viper.GetString("unix_socket"),
+		UnixSocket:           viper.GetString("unix_socket"),
+		UnixSocketPermission: GetFileMode("unix_socket_permission"),
 
 		OIDC: headscale.OIDCConfig{
 			Issuer:       viper.GetString("oidc.issuer"),
@@ -448,3 +456,14 @@ func loadOIDCMatchMap() map[string]string {
 
 	return strMap
 }
+
+func GetFileMode(key string) fs.FileMode {
+	modeStr := viper.GetString(key)
+
+	mode, err := strconv.ParseUint(modeStr, headscale.Base8, headscale.BitSize64)
+	if err != nil {
+		return PermissionFallback
+	}
+
+	return fs.FileMode(mode)
+}
diff --git a/cmd/headscale/headscale_test.go b/cmd/headscale/headscale_test.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"io/fs"
 	"io/ioutil"
 	"os"
 	"path/filepath"
@@ -60,6 +61,7 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
 	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
+	c.Assert(cli.GetFileMode("unix_socket_permission"), check.Equals, fs.FileMode(0o770))
 }
 
 func (*Suite) TestDNSConfigLoading(c *check.C) {

diff --git a/config-example.yaml b/config-example.yaml
@@ -149,6 +149,7 @@ dns_config:
 # Note: for local development, you probably want to change this to:
 # unix_socket: ./headscale.sock
 unix_socket: /var/run/headscale.sock
+unix_socket_permission: "0770"
 #
 # headscale supports experimental OpenID connect support,
 # it is still being tested and might have some bugs, please