src/server/command_socket.rs: do not abort loop on client errors, allow backup gid
This commit is contained in:
parent
10effc9849
commit
197de83ffa
@ -18,29 +18,37 @@ where
|
|||||||
{
|
{
|
||||||
let path: PathBuf = path.into();
|
let path: PathBuf = path.into();
|
||||||
|
|
||||||
|
let backup_user = crate::backup::backup_user()?;
|
||||||
|
let backup_gid = backup_user.gid.as_raw();
|
||||||
|
|
||||||
let mut socket = UnixListener::bind(&path)?;
|
let mut socket = UnixListener::bind(&path)?;
|
||||||
|
|
||||||
let func = Arc::new(func);
|
let func = Arc::new(func);
|
||||||
|
|
||||||
let control_future = async move {
|
let control_future = async move {
|
||||||
loop {
|
loop {
|
||||||
let (conn, _addr) = socket
|
let (conn, _addr) = match socket.accept().await {
|
||||||
.accept()
|
Ok(data) => data,
|
||||||
.await
|
Err(err) => {
|
||||||
.map_err(|err| {
|
eprintln!("failed to accept on control socket {:?}: {}", path, err);
|
||||||
format_err!("failed to accept on control socket {:?}: {}", path, err)
|
continue;
|
||||||
})?;
|
|
||||||
|
|
||||||
// check permissions (same gid, or root user)
|
|
||||||
let opt = socket::sockopt::PeerCredentials {};
|
|
||||||
match socket::getsockopt(conn.as_raw_fd(), opt) {
|
|
||||||
Ok(cred) => {
|
|
||||||
let mygid = unsafe { libc::getgid() };
|
|
||||||
if !(cred.uid() == 0 || cred.gid() == mygid) {
|
|
||||||
bail!("no permissions for {:?}", cred);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
Err(e) => bail!("no permissions - unable to read peer credential - {}", e),
|
};
|
||||||
|
|
||||||
|
let opt = socket::sockopt::PeerCredentials {};
|
||||||
|
let cred = match socket::getsockopt(conn.as_raw_fd(), opt) {
|
||||||
|
Ok(cred) => cred,
|
||||||
|
Err(err) => {
|
||||||
|
eprintln!("no permissions - unable to read peer credential - {}", err);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
// check permissions (same gid, root user, or backup group)
|
||||||
|
let mygid = unsafe { libc::getgid() };
|
||||||
|
if !(cred.uid() == 0 || cred.gid() == mygid || cred.gid() == backup_gid) {
|
||||||
|
eprintln!("no permissions for {:?}", cred);
|
||||||
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
let (rx, mut tx) = tokio::io::split(conn);
|
let (rx, mut tx) = tokio::io::split(conn);
|
||||||
@ -94,12 +102,11 @@ where
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
pub fn send_command<P>(
|
pub async fn send_command<P>(
|
||||||
path: P,
|
path: P,
|
||||||
params: Value
|
params: Value
|
||||||
) -> impl Future<Output = Result<Value, Error>>
|
) -> Result<Value, Error>
|
||||||
where P: Into<PathBuf>,
|
where P: Into<PathBuf>,
|
||||||
|
|
||||||
{
|
{
|
||||||
let path: PathBuf = path.into();
|
let path: PathBuf = path.into();
|
||||||
|
|
||||||
@ -131,5 +138,5 @@ pub fn send_command<P>(
|
|||||||
bail!("unable to parse response: {}", data);
|
bail!("unable to parse response: {}", data);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
})
|
}).await
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user