Set socket permissions for unix domain sockets (#5760)

2019-04-25 20:06:39 -07:00 · 2019-04-25 20:06:39 -07:00 · 66153625fb
parent 4ad813aecd
commit 66153625fb
2 changed files with 38 additions and 0 deletions
--- a/plugins/inputs/socket_listener/README.md
+++ b/plugins/inputs/socket_listener/README.md
@ -25,6 +25,13 @@ This is a sample configuration for the plugin.
  # service_address = "unix:///tmp/telegraf.sock"
  # service_address = "unixgram:///tmp/telegraf.sock"

+  ## Change the file mode bits on unix sockets.  These permissions may not be
+  ## respected by some platforms, to safely restrict write permissions it is best
+  ## to place the socket into a directory that has previously been created
+  ## with the desired permissions.
+  ##   ex: socket_mode = "777"
+  # socket_mode = ""
+
  ## Maximum number of concurrent connections.
  ## Only applies to stream sockets (e.g. TCP).
  ## 0 (default) is unlimited.
--- a/plugins/inputs/socket_listener/socket_listener.go
+++ b/plugins/inputs/socket_listener/socket_listener.go
@ -8,6 +8,7 @@ import (
 	"log"
 	"net"
 	"os"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@ -165,6 +166,7 @@ type SocketListener struct {
 	ReadBufferSize  internal.Size      `toml:"read_buffer_size"`
 	ReadTimeout     *internal.Duration `toml:"read_timeout"`
 	KeepAlivePeriod *internal.Duration `toml:"keep_alive_period"`
+	SocketMode      string             `toml:"socket_mode"`
 	tlsint.ServerConfig

 	parsers.Parser
@ -190,6 +192,13 @@ func (sl *SocketListener) SampleConfig() string {
  # service_address = "unix:///tmp/telegraf.sock"
  # service_address = "unixgram:///tmp/telegraf.sock"

+  ## Change the file mode bits on unix sockets.  These permissions may not be
+  ## respected by some platforms, to safely restrict write permissions it is best
+  ## to place the socket into a directory that has previously been created
+  ## with the desired permissions.
+  ##   ex: socket_mode = "777"
+  # socket_mode = ""
+
  ## Maximum number of concurrent connections.
  ## Only applies to stream sockets (e.g. TCP).
  ## 0 (default) is unlimited.
@ -275,6 +284,17 @@ func (sl *SocketListener) Start(acc telegraf.Accumulator) error {

 		log.Printf("I! [inputs.socket_listener] Listening on %s://%s", protocol, l.Addr())

+		// Set permissions on socket
+		if (spl[0] == "unix" || spl[0] == "unixpacket") && sl.SocketMode != "" {
+			// Convert from octal in string to int
+			i, err := strconv.ParseUint(sl.SocketMode, 8, 32)
+			if err != nil {
+				return err
+			}
+
+			os.Chmod(spl[1], os.FileMode(uint32(i)))
+		}
+
 		ssl := &streamSocketListener{
 			Listener:       l,
 			SocketListener: sl,
@ -289,6 +309,17 @@ func (sl *SocketListener) Start(acc telegraf.Accumulator) error {
 			return err
 		}

+		// Set permissions on socket
+		if spl[0] == "unixgram" && sl.SocketMode != "" {
+			// Convert from octal in string to int
+			i, err := strconv.ParseUint(sl.SocketMode, 8, 32)
+			if err != nil {
+				return err
+			}
+
+			os.Chmod(spl[1], os.FileMode(uint32(i)))
+		}
+
 		if sl.ReadBufferSize.Size > 0 {
 			if srb, ok := pc.(setReadBufferer); ok {
 				srb.SetReadBuffer(int(sl.ReadBufferSize.Size))