On 01 Feb 2021, at 22:11, Michael Osipov <micha...@apache.org> wrote:
>> If I’m reading this correctly this breaks Windows - the permissions on the
>> UDS socket will be the same as those of the Tomcat process, which is “I can
>> talk to me, but everyone else is read only, so unless you’re me I refuse to
>> serve your request”.
>> I think the fix is the other way around, the NioEndpoint needs to default to:
>>> - file.setReadable(true, false);
>>> - file.setWritable(true, false);
>
> That's a good point. I expect this to be consistent. A few questions arise
> here:
> * Did you try that on Windows?
> * Do the same semantics apply to UDS on NTFS as on POSIX filesystems?
>
> According to [1] and [2], yes. An ideal solution is [3], but hard to
> implement.
>
> By calling #setWritable() who in the system can gain access to the UDS?
> What's worse is that the admin cannot reasonably change that.

The above describes the default behaviour in the absence of any configuration, which is “allow anyone to make a request, if you want this protected (and you do) put this socket in a suitably protected directory”. On a Unix machine it would look like this:

[root@hostname clamav-milter]# ls -al
total 0
drwx--x---.  2 clamilt clamilt   60 Jan 11 13:03 .
drwxr-xr-x. 39 root    root    1080 Jan 11 13:06 ..
srw-rw-rw-.  1 clamilt clamilt    0 Jan 11 13:03 clamav-milter.socket

The socket above is rw-rw-rw, while the parent directory is “accessible to user clamilt and group clamilt only and not accessible to anyone else”, which achieves the end goal of “only people in group clamilt are allowed to make requests, everyone else gets permission denied”.

Windows defaults are tricky because Java recognises just two reliable concepts, the file’s owner and everyone. Limit to file’s owner is useless (and highly undesirable, as someone might believe running other applications as the same user as the Tomcat user is a good idea), leaving “limit to everyone” as the only sane choice.

https://docs.oracle.com/javase/7/docs/api/java/io/File.html#setWritable(boolean,%20boolean)

The worst case scenario is that an admin places the accessible-to-everyone socket in an accessible-to-everyone directory, and now we’re equivalent to running Tomcat on localhost, which is no worse than what we have today.

Regards,
Graham
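The permission arithmetic the ls listing above relies on, as an added example that is not code from the thread, from Tomcat or from clamav: a small Python model of the POSIX check the kernel applies when a process calls connect() on a Unix domain socket (search permission on every directory of the path, write permission on the socket inode, uid 0 exempt), fed with the modes from the listing and with constructed uids/gids, plus a helper that lays the same thing out on disk with os.chmod, the Python counterpart of the File.setReadable/setWritable(true, false) calls proposed above, and shows the owning user connecting. The numeric ids, the directory names and the use of /tmp as a base are assumptions of the example; it needs a POSIX host.

```python
"""Who can connect() to a Unix domain socket, modelled on the clamav-milter
layout from the mail. Added example, not Tomcat or clamav code; assumes a
POSIX host. connect(2) on AF_UNIX needs write permission on the socket inode
and search (x) permission on every directory on the path; uid 0 bypasses both."""
import os
import socket
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    uid: int
    gid: int
    groups: frozenset = frozenset()   # supplementary group ids


@dataclass(frozen=True)
class Entry:
    mode: int   # permission bits only, e.g. 0o710
    uid: int
    gid: int


def _bits_for(entry, user):
    """Select the owner, group or other rwx triplet that applies to `user`."""
    if user.uid == entry.uid:
        return (entry.mode >> 6) & 7
    if entry.gid == user.gid or entry.gid in user.groups:
        return (entry.mode >> 3) & 7
    return entry.mode & 7


def can_connect(dirs, sock, user):
    """Return (allowed, reason). `dirs` are the path's directories, root first."""
    if user.uid == 0:
        return True, "uid 0 bypasses DAC"
    for depth, d in enumerate(dirs):
        if not _bits_for(d, user) & 1:          # x bit = search permission
            return False, f"no search (x) permission on directory {depth}"
    if not _bits_for(sock, user) & 2:           # w bit = may connect
        return False, "no write permission on socket"
    return True, "ok"


# Constructed ids standing in for the clamilt user of the ls listing.
PARENT = Entry(0o755, 0, 0)            # drwxr-xr-x root    root    ..
SOCKDIR = Entry(0o710, 1001, 1001)     # drwx--x--- clamilt clamilt .
SOCK = Entry(0o666, 1001, 1001)        # srw-rw-rw- clamilt clamilt clamav-milter.socket
CLAMILT = User(1001, 1001)
GROUP_MEMBER = User(1002, 1002, frozenset({1001}))
OUTSIDER = User(1003, 1003)


def create_layout(base, dir_mode=0o710, sock_mode=0o666):
    """Lay the same thing out on disk: a listening socket in a 0710 directory.
    os.chmod on the socket path is what File.setReadable/setWritable(true, false)
    would do from Java."""
    d = os.path.join(base, "clamav-milter")
    os.mkdir(d)
    os.chmod(d, dir_mode)                # explicit: mkdir's mode is masked by umask
    path = os.path.join(d, "clamav-milter.socket")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, sock_mode)
    srv.listen(1)
    srv.settimeout(5)
    return srv, path


def entries_from_disk(path):
    """stat() every directory on an absolute path, root first, then the socket."""
    path = os.path.abspath(path)
    dirs, cur = [], os.path.dirname(path)
    while True:
        dirs.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    dirs.reverse()

    def ent(p):
        st = os.stat(p)
        return Entry(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

    return [ent(d) for d in dirs], ent(path)


def demo_on_disk():
    """Create the layout, read back the modes the kernel recorded, and show the
    owning user connecting. Returns a dict of results (nothing is printed)."""
    tmp_parent = "/tmp" if os.path.isdir("/tmp") else None   # keep the socket path short
    with tempfile.TemporaryDirectory(dir=tmp_parent) as base:
        srv, path = create_layout(base)
        try:
            dirs, sock = entries_from_disk(path)
            me = User(os.getuid(), os.getgid(), frozenset(os.getgroups()))
            cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            try:
                cli.connect(path)
                srv.accept()[0].close()
                connected = True
            except PermissionError:
                connected = False
            finally:
                cli.close()
            return {
                "dir_mode": dirs[-1].mode,
                "sock_mode": sock.mode,
                "is_socket": stat.S_ISSOCK(os.stat(path).st_mode),
                "model_allows_owner": can_connect(dirs, sock, me)[0],
                "owner_connected": connected,
            }
        finally:
            srv.close()


if __name__ == "__main__":
    for who, u in [("clamilt", CLAMILT), ("group member", GROUP_MEMBER), ("outsider", OUTSIDER)]:
        print(who, can_connect([PARENT, SOCKDIR], SOCK, u))
    print(demo_on_disk())
```

The model refuses the outsider at the directory (no search permission), never at the socket, which is exactly why the socket itself can stay rw-rw-rw; swapping SOCKDIR for a 0777 directory reproduces the "worst case" in the mail, where everyone can connect, and a 0600 socket reproduces the Windows "limit to owner" case, where even a group member is refused. Running the on-disk part as root shows the DAC bypass, so test the denial path as an unprivileged user.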