Re: [tomcat] branch master updated: Apply same UDS path perm approach in the AprEndpoint as in the NioEndpoint

Mon, 01 Feb 2021 04:42:04 -0800 

On 01 Feb 2021, at 14:12, micha...@apache.org wrote:

>    Apply same UDS path perm approach in the AprEndpoint as in the NioEndpoint
> ---
> java/org/apache/tomcat/util/net/AprEndpoint.java | 10 +++-------
> java/org/apache/tomcat/util/net/NioEndpoint.java |  3 ++-
> 2 files changed, 5 insertions(+), 8 deletions(-)
> 
> diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java 
> b/java/org/apache/tomcat/util/net/AprEndpoint.java
> index 37b1e81..9d212a1 100644
> --- a/java/org/apache/tomcat/util/net/AprEndpoint.java
> +++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
> @@ -24,6 +24,7 @@ import java.nio.ByteBuffer;
> import java.nio.channels.CompletionHandler;
> import java.nio.charset.StandardCharsets;
> import java.nio.file.Files;
> +import java.nio.file.Path;
> import java.nio.file.Paths;
> import java.nio.file.attribute.FileAttribute;
> import java.nio.file.attribute.PosixFilePermission;
> @@ -393,13 +394,8 @@ public class AprEndpoint extends 
> AbstractEndpoint<Long,Long> implements SNICallB
>                 FileAttribute<Set<PosixFilePermission>> attrs =
>                          
> PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString(
>                                  getUnixDomainSocketPathPermissions()));
> -                Files.setAttribute(Paths.get(getUnixDomainSocketPath()), 
> attrs.name(), attrs.value());
> -            }
> -            else {
> -                java.io.File file = 
> Paths.get(getUnixDomainSocketPath()).toFile();
> -                file.setReadable(true, false);
> -                file.setWritable(true, false);
> -                file.setExecutable(false, false);
> +                Path path = Paths.get(getUnixDomainSocketPath());
> +                Files.setAttribute(path, attrs.name(), attrs.value());
>             }
>         } else {
>             if (OS.IS_WIN32 || OS.IS_WIN64) {
> diff --git a/java/org/apache/tomcat/util/net/NioEndpoint.java 
> b/java/org/apache/tomcat/util/net/NioEndpoint.java
> index 5ce6398..5d16bbf 100644
> --- a/java/org/apache/tomcat/util/net/NioEndpoint.java
> +++ b/java/org/apache/tomcat/util/net/NioEndpoint.java
> @@ -209,7 +209,8 @@ public class NioEndpoint extends 
> AbstractJsseEndpoint<NioChannel,SocketChannel>
>             serverSock.bind(sa, getAcceptCount());
>             if (getUnixDomainSocketPathPermissions() != null) {
>                 FileAttribute<Set<PosixFilePermission>> attrs =
> -                        
> PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString(getUnixDomainSocketPathPermissions()));
> +                        
> PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString(
> +                                getUnixDomainSocketPathPermissions()));
>                 Path path = Paths.get(getUnixDomainSocketPath());
>                 Files.setAttribute(path, attrs.name(), attrs.value());
>             }

If I’m reading this correctly this breaks Windows - the permissions on the UDS 
socket will be the same as those of the Tomcat process, which is “I can talk to 
me, but everyone else is read only, so unless you’re me I refuse to serve your 
request”.

I think the fix is the other way around, the NioEndpoint needs to default to:

> -                file.setReadable(true, false);
> -                file.setWritable(true, false);

Regards,
Graham
—


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to