comparison rlgwebd @ 208:f06f2d1a5035
Fix possibly insecure permissions on the control socket.
The server's control socket is now in a private directory.
| author | John "Elwin" Edwards |
|---|---|
| date | Sat, 28 Jan 2017 09:57:31 -0500 |
| parents | 04c2a895b679 |
| children | b04313038a0b |
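--- a/rlgwebd
+++ b/rlgwebd
@@ -13,11 +13,11 @@
 var pty = require("pty.js");
 var WebSocketServer = require("websocket").server;
 
 /* Default options */
 var rlgwebd_options = {
-control_socket: "/var/run/rlgwebd.sock",
+control_socket: "/var/run/rlgwebd/rlgwebd.sock",
 port: 8080,
 chrootDir: "/var/dgl/",
 username: "rodney",
 static_root: "/var/www/"
 };
@@ -1264,10 +1264,25 @@
 tls_options.cert = read_or_die(rlgwebd_options.certfile, "Certfile");
 if ("cafile" in rlgwebd_options)
 tls_options.ca = read_or_die(rlgwebd_options.cafile, "CA file");
 };
 
+/* Make sure the socket directory is secure. */
+var socket_dir = path.dirname(rlgwebd_options.control_socket);
+try {
+fs.mkdirSync(socket_dir, 0o700);
+}
+catch (err) {
+if (err.code == "EEXIST") {
+fs.chownSync(socket_dir, 0, 0);
+fs.chmodSync(socket_dir, 0o700);
+}
+else {
+throw err;
+}
+}
+
 /* Open the control socket before chrooting where it can't be found */
 var ctlServer = net.createServer(function (sock) {
 sock.on('data', consoleHandler);
 });
 ctlServer.listen(rlgwebd_options.control_socket, function () {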
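Review bot: The EEXIST branch at new lines 1275-1278 chowns and chmods whatever already sits at `path.dirname(rlgwebd_options.control_socket)` without checking what it is. If a deployment still sets `control_socket` to the old default `/var/run/rlgwebd.sock`, or to any path inside a shared directory, that shared directory itself would be set to root:root 0700. Because `chownSync` and `chmodSync` follow symbolic links, a pre-existing symlink at that path would have its target changed instead. I would verify the path with `fs.lstatSync` and refuse to start unless it is a root-owned directory closed to group and other, as sketched below. This assumes the options can be overridden from configuration, which the hunk does not show, and it trades the automatic repair for a startup error.

```javascript
/* ... unchanged: socket_dir computation and the mkdirSync try block ... */
catch (err) {
  if (err.code != "EEXIST")
    throw err;
  /* Verify instead of repairing; lstat does not follow a symlink. */
  var st = fs.lstatSync(socket_dir);
  if (!st.isDirectory() || st.uid !== 0 || (st.mode & 0o077) !== 0) {
    throw new Error("Control socket directory " + socket_dir +
                    " must be a root-owned directory with mode 0700");
  }
}
```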
