mirror of https://codeberg.org/demostf/sync.git synced 2026-06-03 08:34:08 +02:00

socket permissions

Robin Appelman 2025-05-10 15:59:12 +02:00
commit 74df62fe9c
2 changed files with 13 additions and 3 deletions


@ -21,6 +21,12 @@ in {
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
users.users.demostf-sync = {
group = "demostf-sync";
isSystemUser = true;
};
users.groups.demostf-sync = {};
systemd.services.demostf-sync = { systemd.services.demostf-sync = {
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
environment = { environment = {
@ -28,7 +34,7 @@ in {
}; };
serviceConfig = { serviceConfig = {
DynamicUser = true; User = "demostf-sync";
ExecStart = "${cfg.package}/bin/sync"; ExecStart = "${cfg.package}/bin/sync";
Restart = "on-failure"; Restart = "on-failure";
@ -55,9 +61,11 @@ in {
ProcSubset = "pid"; ProcSubset = "pid";
ProtectProc = "invisible"; ProtectProc = "invisible";
SystemCallFilter = ["@system-service" "~@resources" "~@privileged"]; SystemCallFilter = ["@system-service" "~@resources" "~@privileged"];
UMask = "0007"; UMask = "0077";
IPAddressDeny = "any"; IPAddressDeny = "any";
RuntimeDirectory = "demostf-sync"; RuntimeDirectory = "demostf-sync";
RestrictSUIDSGID = true;
RemoveIPC = true;
}; };
}; };
}; };
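Review bot: Nothing in the `serviceConfig` hunk records why `UMask` is tightened to `"0077"`, or who is meant to reach the socket now that the service runs as the static `demostf-sync` user and group. The Rust change in this same commit binds the socket and only afterwards sets it to `0o660`, so the umask is what keeps the socket owner-only in the gap between those two calls; once the mode is set, any member of the `demostf-sync` group can connect. I would add `# owner-only until the service chmods its socket to 0660 after bind()` above `UMask`, and `# members of this group can connect to the sync socket` above `users.groups.demostf-sync = {};`. The socket presumably lives under the `RuntimeDirectory`, which these hunks do not show, and the module adds no client user to the group, so that step is left to whoever deploys it and is worth stating in the option documentation.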


@ -2,7 +2,7 @@ mod session;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use std::fmt::{Display, Formatter}; use std::fmt::{Display, Formatter};
use std::fs::remove_file; use std::fs::{remove_file, set_permissions, Permissions};
use crate::session::Session; use crate::session::Session;
use dashmap::DashMap; use dashmap::DashMap;
use futures_channel::mpsc::{channel, Sender}; use futures_channel::mpsc::{channel, Sender};
@ -12,6 +12,7 @@ use futures_util::TryStreamExt;
use main_error::MainResult; use main_error::MainResult;
use real_ip::{real_ip, IpNet}; use real_ip::{real_ip, IpNet};
use std::net::{IpAddr, Ipv4Addr, SocketAddr}; use std::net::{IpAddr, Ipv4Addr, SocketAddr};
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf}; use std::path::{Path, PathBuf};
use std::pin::pin; use std::pin::pin;
use std::sync::atomic::{AtomicU64, Ordering}; use std::sync::atomic::{AtomicU64, Ordering};
@ -284,6 +285,7 @@ async fn listen_tcp(listen_address: SocketAddr) -> impl Stream<Item=Result<(Box<
async fn listen_unix(path: &Path) -> impl Stream<Item=Result<(Box<dyn StreamTrait>, IpAddr), std::io::Error>> { async fn listen_unix(path: &Path) -> impl Stream<Item=Result<(Box<dyn StreamTrait>, IpAddr), std::io::Error>> {
let listener = UnixListener::bind(path).expect("Failed to bind"); let listener = UnixListener::bind(path).expect("Failed to bind");
set_permissions(path, Permissions::from_mode(0o660)).expect("Failed to set socket permissions");
info!("listening on: {}", path.display()); info!("listening on: {}", path.display());