changeset 208:f06f2d1a5035

Fix possibly insecure permissions on the control socket. The server's control socket is now in a private directory.
author John "Elwin" Edwards
date Sat, 28 Jan 2017 09:57:31 -0500
parents ffe22d88bea1
children 2667aaad8e08
files initscript rlgwebd rlgwebd-stop rlgwebd.conf
diffstat 4 files changed, 19 insertions(+), 4 deletions(-) [+]
--- a/initscript	Fri Jan 27 19:18:31 2017 -0500
+++ b/initscript	Sat Jan 28 09:57:31 2017 -0500
@@ -2,7 +2,7 @@
 
 NODE_PATH=/usr/lib/node_modules
 LOGFILE=/var/log/rlgwebd.log
-CTLSOCKET=/var/run/rlgwebd.sock
+CTLSOCKET=/var/run/rlgwebd/rlgwebd.sock
 RLGWEBDJS=/usr/local/bin/rlgwebd
 
 export NODE_PATH
--- a/rlgwebd	Fri Jan 27 19:18:31 2017 -0500
+++ b/rlgwebd	Sat Jan 28 09:57:31 2017 -0500
@@ -15,7 +15,7 @@
 
 /* Default options */
 var rlgwebd_options = { 
-  control_socket: "/var/run/rlgwebd.sock",
+  control_socket: "/var/run/rlgwebd/rlgwebd.sock",
   port: 8080,
   chrootDir: "/var/dgl/",
   username: "rodney",
@@ -1266,6 +1266,21 @@
     tls_options.ca = read_or_die(rlgwebd_options.cafile, "CA file");
 };
 
+/* Make sure the socket directory is secure. */
+var socket_dir = path.dirname(rlgwebd_options.control_socket);
+try {
+  fs.mkdirSync(socket_dir, 0o700);
+}
+catch (err) {
+  if (err.code == "EEXIST") {
+    fs.chownSync(socket_dir, 0, 0);
+    fs.chmodSync(socket_dir, 0o700);
+  }
+  else {
+    throw err;
+  }
+}
+
 /* Open the control socket before chrooting where it can't be found */
 var ctlServer = net.createServer(function (sock) {
   sock.on('data', consoleHandler);
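Review bot: The EEXIST branch (`fs.chownSync(socket_dir, 0, 0)` and `fs.chmodSync(socket_dir, 0o700)`) changes the owner and mode of whatever directory already holds the socket, so a configuration that still sets `control_socket = /var/run/rlgwebd.sock` (the previous default) would turn `/var/run` itself into a root-only directory. Both calls also follow symlinks, so they act on the link target if the existing path is a symlink, and anything already present in a pre-existing directory stays there after the mode change. I would leave an existing path untouched and instead check it with `fs.lstatSync`, refusing to start unless it is a real directory owned by root with no group or other permission bits. A restart still passes that check, since a directory this code created earlier is already root-owned with mode 0700, assuming the server starts as root as the chown to uid 0 implies.

```javascript
/* … unchanged: socket_dir assignment and try { fs.mkdirSync(socket_dir, 0o700); } … */
catch (err) {
  if (err.code != "EEXIST") {
    throw err;
  }
  /* lstat, not stat: a symlink at this path must not be followed. */
  var st = fs.lstatSync(socket_dir);
  if (!st.isDirectory() || st.uid !== 0 || (st.mode & 0o077) !== 0) {
    throw new Error("Control socket directory " + socket_dir +
                    " exists but is not a private root-owned directory");
  }
}
```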
--- a/rlgwebd-stop	Fri Jan 27 19:18:31 2017 -0500
+++ b/rlgwebd-stop	Sat Jan 28 09:57:31 2017 -0500
@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 var net = require('net');
-var sockpath = "/var/run/rlgwebd.sock";
+var sockpath = "/var/run/rlgwebd/rlgwebd.sock";
 
 var sock = new net.Socket();
 
--- a/rlgwebd.conf	Fri Jan 27 19:18:31 2017 -0500
+++ b/rlgwebd.conf	Sat Jan 28 09:57:31 2017 -0500
@@ -3,7 +3,7 @@
 
 # These values are set by default:
 # Location of the socket for start/stop commands
-#control_socket = /var/run/rlgwebd.sock
+#control_socket = /var/run/rlgwebd/rlgwebd.sock
 # Port number to bind
 #port = 8080
 # Path to the dgamelaunch installation to chroot into