Eric Wong <[email protected]> wrote: > Suraj Kurapati <[email protected]> wrote: > > Hello, > > > > I set the socket for my app to reside in /tmp/ because my app's > > Capistrano deploy directory is NFS-mounted: > > > > listen '/tmp/my_app.sock' > > > > That socket file is being created with mode 0777 + sticky bit. I > > don't want others to accidentally delete or write to this socket file, > > so I added the following line to my before_fork() block: > > > > before_fork do |server, worker| > > File.chmod 0600, '/tmp/my_app.sock' > > # ... > > end > > > > Is there a better place to put this chmod? Or maybe tell unicorn to > > create the socket with mode 0600? > > Hi Suraj, > > That's probably the best place to put chmod for now... I could be > persuaded to add a :umask option for listen. E.g.: > > listen '/tmp/my_app.sock', :umask => 0077
Hi Suraj, just pushed this out: >From 07767ea2733ed5276ec638fa50102dccb0b2991e Mon Sep 17 00:00:00 2001 From: Eric Wong <[email protected]> Date: Sat, 14 Nov 2009 15:28:37 -0800 Subject: [PATCH] configurator: listen :umask parameter for UNIX sockets Typically UNIX domain sockets are created with more liberal file permissions than the rest of the application. By default, we create UNIX domain sockets to be readable and writable by all local users to give them the same accessibility as locally-bound TCP listeners. This only has an effect on UNIX domain sockets. This was inspired by Suraj Kurapati in [email protected] --- lib/unicorn/configurator.rb | 14 +++++++++++++- lib/unicorn/socket_helper.rb | 2 +- test/unit/test_socket_helper.rb | 14 ++++++++++++++ 3 files changed, 28 insertions(+), 2 deletions(-) diff --git a/lib/unicorn/configurator.rb b/lib/unicorn/configurator.rb index d68897b..2d92aa3 100644 --- a/lib/unicorn/configurator.rb +++ b/lib/unicorn/configurator.rb @@ -291,10 +291,22 @@ module Unicorn # +:delay+: seconds to wait between successive +tries+ # # Default: 0.5 seconds + # + # +:umask+: sets the file mode creation mask for UNIX sockets + # + # Typically UNIX domain sockets are created with more liberal + # file permissions than the rest of the application. By default, + # we create UNIX domain sockets to be readable and writable by + # all local users to give them the same accessibility as + # locally-bound TCP listeners. + # + # This has no effect on TCP listeners. + # + # Default: 0 (world read/writable) def listen(address, opt = {}) address = expand_addr(address) if String === address - [ :backlog, :sndbuf, :rcvbuf, :tries ].each do |key| + [ :umask, :backlog, :sndbuf, :rcvbuf, :tries ].each do |key| value = opt[key] or next Integer === value or raise ArgumentError, "not an integer: #{key}=#{value.inspect}" diff --git a/lib/unicorn/socket_helper.rb b/lib/unicorn/socket_helper.rb index f792562..1c56be2 100644 --- a/lib/unicorn/socket_helper.rb +++ b/lib/unicorn/socket_helper.rb @@ -88,7 +88,7 @@ module Unicorn "socket=#{address} specified but it is not a socket!" end end - old_umask = File.umask(0) + old_umask = File.umask(opt[:umask] || 0) begin UNIXServer.new(address) ensure diff --git a/test/unit/test_socket_helper.rb b/test/unit/test_socket_helper.rb index dbca69b..c35b0c2 100644 --- a/test/unit/test_socket_helper.rb +++ b/test/unit/test_socket_helper.rb @@ -63,6 +63,20 @@ class TestSocketHelper < Test::Unit::TestCase File.umask(old_umask) end + def test_bind_listen_unix_umask + old_umask = File.umask(0777) + tmp = Tempfile.new 'unix.sock' + @unix_listener_path = tmp.path + File.unlink(@unix_listener_path) + @unix_listener = bind_listen(@unix_listener_path, :umask => 077) + assert UNIXServer === @unix_listener + assert_equal @unix_listener_path, sock_name(@unix_listener) + assert_equal 0140700, File.stat(@unix_listener_path).mode + assert_equal 0777, File.umask + ensure + File.umask(old_umask) + end + def test_bind_listen_unix_idempotent test_bind_listen_unix a = bind_listen(@unix_listener) -- Eric Wong _______________________________________________ mongrel-unicorn mailing list [email protected] http://rubyforge.org/mailman/listinfo/mongrel-unicorn
