mirror of
				https://github.com/juanfont/headscale.git
				synced 2025-10-26 21:51:03 +01:00 
			
		
		
		
	Merge pull request #292 from kradalby/socket-permission
Make Unix socket permissions configurable
This commit is contained in:
		
						commit
						853a5288f1
					
				| @ -4,6 +4,8 @@ | |||||||
| 
 | 
 | ||||||
| **Changes**: | **Changes**: | ||||||
| 
 | 
 | ||||||
|  | - Make gRPC Unix Socket permissions configurable [#292](https://github.com/juanfont/headscale/pull/292) | ||||||
|  | - Trim whitespace before reading Private Key from file [#289](https://github.com/juanfont/headscale/pull/289) | ||||||
| - Add new command to generate a private key for `headscale` [#290](https://github.com/juanfont/headscale/pull/290) | - Add new command to generate a private key for `headscale` [#290](https://github.com/juanfont/headscale/pull/290) | ||||||
| - Fixed issue where hosts deleted from control server may be written back to the database, as long as they are connected to the control server [#278](https://github.com/juanfont/headscale/pull/278) | - Fixed issue where hosts deleted from control server may be written back to the database, as long as they are connected to the control server [#278](https://github.com/juanfont/headscale/pull/278) | ||||||
| 
 | 
 | ||||||
|  | |||||||
							
								
								
									
										3
									
								
								acls.go
									
									
									
									
									
								
							
							
						
						
									
										3
									
								
								acls.go
									
									
									
									
									
								
							| @ -25,8 +25,11 @@ const ( | |||||||
| ) | ) | ||||||
| 
 | 
 | ||||||
| const ( | const ( | ||||||
|  | 	Base8              = 8 | ||||||
| 	Base10             = 10 | 	Base10             = 10 | ||||||
| 	BitSize16          = 16 | 	BitSize16          = 16 | ||||||
|  | 	BitSize32          = 32 | ||||||
|  | 	BitSize64          = 64 | ||||||
| 	portRangeBegin     = 0 | 	portRangeBegin     = 0 | ||||||
| 	portRangeEnd       = 65535 | 	portRangeEnd       = 65535 | ||||||
| 	expectedTokenItems = 2 | 	expectedTokenItems = 2 | ||||||
|  | |||||||
							
								
								
									
										9
									
								
								app.go
									
									
									
									
									
								
							
							
						
						
									
										9
									
								
								app.go
									
									
									
									
									
								
							| @ -6,6 +6,7 @@ import ( | |||||||
| 	"errors" | 	"errors" | ||||||
| 	"fmt" | 	"fmt" | ||||||
| 	"io" | 	"io" | ||||||
|  | 	"io/fs" | ||||||
| 	"net" | 	"net" | ||||||
| 	"net/http" | 	"net/http" | ||||||
| 	"net/url" | 	"net/url" | ||||||
| @ -95,7 +96,8 @@ type Config struct { | |||||||
| 
 | 
 | ||||||
| 	DNSConfig *tailcfg.DNSConfig | 	DNSConfig *tailcfg.DNSConfig | ||||||
| 
 | 
 | ||||||
| 	UnixSocket string | 	UnixSocket           string | ||||||
|  | 	UnixSocketPermission fs.FileMode | ||||||
| 
 | 
 | ||||||
| 	OIDC OIDCConfig | 	OIDC OIDCConfig | ||||||
| 
 | 
 | ||||||
| @ -426,6 +428,11 @@ func (h *Headscale) Serve() error { | |||||||
| 		return fmt.Errorf("failed to set up gRPC socket: %w", err) | 		return fmt.Errorf("failed to set up gRPC socket: %w", err) | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
|  | 	// Change socket permissions | ||||||
|  | 	if err := os.Chmod(h.cfg.UnixSocket, h.cfg.UnixSocketPermission); err != nil { | ||||||
|  | 		return fmt.Errorf("failed change permission of gRPC socket: %w", err) | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
| 	// Handle common process-killing signals so we can gracefully shut down: | 	// Handle common process-killing signals so we can gracefully shut down: | ||||||
| 	sigc := make(chan os.Signal, 1) | 	sigc := make(chan os.Signal, 1) | ||||||
| 	signal.Notify(sigc, os.Interrupt, syscall.SIGTERM) | 	signal.Notify(sigc, os.Interrupt, syscall.SIGTERM) | ||||||
|  | |||||||
| @ -5,10 +5,12 @@ import ( | |||||||
| 	"encoding/json" | 	"encoding/json" | ||||||
| 	"errors" | 	"errors" | ||||||
| 	"fmt" | 	"fmt" | ||||||
|  | 	"io/fs" | ||||||
| 	"net/url" | 	"net/url" | ||||||
| 	"os" | 	"os" | ||||||
| 	"path/filepath" | 	"path/filepath" | ||||||
| 	"regexp" | 	"regexp" | ||||||
|  | 	"strconv" | ||||||
| 	"strings" | 	"strings" | ||||||
| 	"time" | 	"time" | ||||||
| 
 | 
 | ||||||
| @ -23,6 +25,10 @@ import ( | |||||||
| 	"tailscale.com/types/dnstype" | 	"tailscale.com/types/dnstype" | ||||||
| ) | ) | ||||||
| 
 | 
 | ||||||
|  | const ( | ||||||
|  | 	PermissionFallback = 0o700 | ||||||
|  | ) | ||||||
|  | 
 | ||||||
| func LoadConfig(path string) error { | func LoadConfig(path string) error { | ||||||
| 	viper.SetConfigName("config") | 	viper.SetConfigName("config") | ||||||
| 	if path == "" { | 	if path == "" { | ||||||
| @ -48,6 +54,7 @@ func LoadConfig(path string) error { | |||||||
| 	viper.SetDefault("dns_config", nil) | 	viper.SetDefault("dns_config", nil) | ||||||
| 
 | 
 | ||||||
| 	viper.SetDefault("unix_socket", "/var/run/headscale.sock") | 	viper.SetDefault("unix_socket", "/var/run/headscale.sock") | ||||||
|  | 	viper.SetDefault("unix_socket_permission", "0o770") | ||||||
| 
 | 
 | ||||||
| 	viper.SetDefault("cli.insecure", false) | 	viper.SetDefault("cli.insecure", false) | ||||||
| 	viper.SetDefault("cli.timeout", "5s") | 	viper.SetDefault("cli.timeout", "5s") | ||||||
| @ -257,7 +264,8 @@ func getHeadscaleConfig() headscale.Config { | |||||||
| 		ACMEEmail: viper.GetString("acme_email"), | 		ACMEEmail: viper.GetString("acme_email"), | ||||||
| 		ACMEURL:   viper.GetString("acme_url"), | 		ACMEURL:   viper.GetString("acme_url"), | ||||||
| 
 | 
 | ||||||
| 		UnixSocket: viper.GetString("unix_socket"), | 		UnixSocket:           viper.GetString("unix_socket"), | ||||||
|  | 		UnixSocketPermission: GetFileMode("unix_socket_permission"), | ||||||
| 
 | 
 | ||||||
| 		OIDC: headscale.OIDCConfig{ | 		OIDC: headscale.OIDCConfig{ | ||||||
| 			Issuer:       viper.GetString("oidc.issuer"), | 			Issuer:       viper.GetString("oidc.issuer"), | ||||||
| @ -448,3 +456,14 @@ func loadOIDCMatchMap() map[string]string { | |||||||
| 
 | 
 | ||||||
| 	return strMap | 	return strMap | ||||||
| } | } | ||||||
|  | 
 | ||||||
|  | func GetFileMode(key string) fs.FileMode { | ||||||
|  | 	modeStr := viper.GetString(key) | ||||||
|  | 
 | ||||||
|  | 	mode, err := strconv.ParseUint(modeStr, headscale.Base8, headscale.BitSize64) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return PermissionFallback | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	return fs.FileMode(mode) | ||||||
|  | } | ||||||
|  | |||||||
| @ -1,6 +1,7 @@ | |||||||
| package main | package main | ||||||
| 
 | 
 | ||||||
| import ( | import ( | ||||||
|  | 	"io/fs" | ||||||
| 	"io/ioutil" | 	"io/ioutil" | ||||||
| 	"os" | 	"os" | ||||||
| 	"path/filepath" | 	"path/filepath" | ||||||
| @ -60,6 +61,7 @@ func (*Suite) TestConfigLoading(c *check.C) { | |||||||
| 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http") | 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http") | ||||||
| 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01") | 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01") | ||||||
| 	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1") | 	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1") | ||||||
|  | 	c.Assert(cli.GetFileMode("unix_socket_permission"), check.Equals, fs.FileMode(0o770)) | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| func (*Suite) TestDNSConfigLoading(c *check.C) { | func (*Suite) TestDNSConfigLoading(c *check.C) { | ||||||
|  | |||||||
| @ -149,6 +149,7 @@ dns_config: | |||||||
| # Note: for local development, you probably want to change this to: | # Note: for local development, you probably want to change this to: | ||||||
| # unix_socket: ./headscale.sock | # unix_socket: ./headscale.sock | ||||||
| unix_socket: /var/run/headscale.sock | unix_socket: /var/run/headscale.sock | ||||||
|  | unix_socket_permission: "0770" | ||||||
| # | # | ||||||
| # headscale supports experimental OpenID connect support, | # headscale supports experimental OpenID connect support, | ||||||
| # it is still being tested and might have some bugs, please | # it is still being tested and might have some bugs, please | ||||||
|  | |||||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user