search

Nukesor / pueue

:stars: Manage your shell commands.
MIT License
4.65k stars 127 forks source link

Socket Permissions Configuration #542

Open JP-Ellis opened 2 weeks ago

JP-Ellis commented 2 weeks ago

A detailed description of the feature you would like to see added.

I would like the ability to configure the socket permissions. For example:

shared:
  pueue_directory: /var/lib/pueue
  runtime_directory: /var/run/pueue
  use_unix_socket: true
  unix_socket_path: /var/run/pueue/pueue.socket
  unix_socket_permissions: '777'  # <-- new option

Not sure whether the permissions should be in standard octal notation, the more verbose rwxr-xr-x or even as a further dictionary:

shared:
  unix_socket_permissions:
    user: [read, write, execute]
    group: [read, execute]
    all: [read, execute]

Explain your usecase of the requested feature

I have a shared pueued instance running as a systemd service (happy to share the configuration) which I would ideally like to reach over sockets.

The pueued daemon by default creates the socket with permissions rwxr-xr-x thereby preventing anyone from writing to the socket other than the service user.

I would like to spawn this process under a special pueue:pueue user and group, and grant users of the pueue group the ability to write to the socket. This would require setting the socket's permissions to rwxrwxr-x.

Alternatives

The current alternative is to manually change the socket permissions after the process is spawned:

sudo systemctl start pueued
sudo chmod 775 /var/run/pueue/pueue.socket

This will work so long as the process keeps running, but will of course fail after the process has restarted.

Additional context

No response

Nukesor commented 2 weeks ago

Did you try ExecStartPost=chmod 775 /var/run/pueue/pueue.socket in your systemd file?

JP-Ellis commented 2 weeks ago

I had tried that, but I thought it might be better if pueue itself handled the permissions.

As to why ExecStartPost did not always work, it was generally because chmod is executed too fast and the socket may not exist yet. I know this can be fixed by inserting ExecStartPost=sleep 2 before the chmod command; but thought this solution to be somewhat inelegant.

Let me know what you think of my suggestion of adding another configuration option. I would be happy to contribute the PR myself.

Nukesor commented 2 weeks ago

Fair points :D

It's a small change as well, feel free to go ahead :)