src/server/command_socket.rs: do not abort loop on client errors, allow backup gid

This commit is contained in:
Dietmar Maurer 2020-05-07 08:24:48 +02:00
parent 10effc9849
commit 197de83ffa

View File

@ -18,29 +18,37 @@ where
{ {
let path: PathBuf = path.into(); let path: PathBuf = path.into();
let backup_user = crate::backup::backup_user()?;
let backup_gid = backup_user.gid.as_raw();
let mut socket = UnixListener::bind(&path)?; let mut socket = UnixListener::bind(&path)?;
let func = Arc::new(func); let func = Arc::new(func);
let control_future = async move { let control_future = async move {
loop { loop {
let (conn, _addr) = socket let (conn, _addr) = match socket.accept().await {
.accept() Ok(data) => data,
.await Err(err) => {
.map_err(|err| { eprintln!("failed to accept on control socket {:?}: {}", path, err);
format_err!("failed to accept on control socket {:?}: {}", path, err) continue;
})?;
// check permissions (same gid, or root user)
let opt = socket::sockopt::PeerCredentials {};
match socket::getsockopt(conn.as_raw_fd(), opt) {
Ok(cred) => {
let mygid = unsafe { libc::getgid() };
if !(cred.uid() == 0 || cred.gid() == mygid) {
bail!("no permissions for {:?}", cred);
}
} }
Err(e) => bail!("no permissions - unable to read peer credential - {}", e), };
let opt = socket::sockopt::PeerCredentials {};
let cred = match socket::getsockopt(conn.as_raw_fd(), opt) {
Ok(cred) => cred,
Err(err) => {
eprintln!("no permissions - unable to read peer credential - {}", err);
continue;
}
};
// check permissions (same gid, root user, or backup group)
let mygid = unsafe { libc::getgid() };
if !(cred.uid() == 0 || cred.gid() == mygid || cred.gid() == backup_gid) {
eprintln!("no permissions for {:?}", cred);
continue;
} }
let (rx, mut tx) = tokio::io::split(conn); let (rx, mut tx) = tokio::io::split(conn);
@ -94,12 +102,11 @@ where
} }
pub fn send_command<P>( pub async fn send_command<P>(
path: P, path: P,
params: Value params: Value
) -> impl Future<Output = Result<Value, Error>> ) -> Result<Value, Error>
where P: Into<PathBuf>, where P: Into<PathBuf>,
{ {
let path: PathBuf = path.into(); let path: PathBuf = path.into();
@ -131,5 +138,5 @@ pub fn send_command<P>(
bail!("unable to parse response: {}", data); bail!("unable to parse response: {}", data);
} }
} }
}) }).await
} }