@yellowcrescent
Last active April 4, 2019 23:12
add sock_user, sock_group, sock_perm options to nginx listen directive
diff -r 72d3aefc2993 src/core/ngx_connection.c
--- a/src/core/ngx_connection.c Wed Jul 26 13:13:51 2017 +0300
+++ b/src/core/ngx_connection.c Fri Jul 28 22:39:23 2017 -0400
@@ -87,6 +87,12 @@
ls->fastopen = -1;
#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+ ls->sock_user = -1;
+ ls->sock_group = -1;
+ ls->sock_perm = -1;
+#endif
+
return ls;
}
@@ -567,13 +573,26 @@
u_char *name;
name = ls[i].addr_text.data + sizeof("unix:") - 1;
- mode = (S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);
+ if (ls[i].sock_perm) {
+ mode = ls[i].sock_perm;
+ } else {
+ mode = (S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);
+ }
if (chmod((char *) name, mode) == -1) {
ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
"chmod() \"%s\" failed", name);
}
+ if (ls[i].sock_user >= 0 || ls[i].sock_group >= 0) {
+ ngx_set_errno(0);
+ if (chown((char *) name, (uid_t) ls[i].sock_user, (gid_t) ls[i].sock_group)) {
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+ "chown() \"%s\" failed", name);
+ return NGX_ERROR;
+ }
+ }
+
if (ngx_test_config) {
if (ngx_delete_file(name) == NGX_FILE_ERROR) {
ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
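Review bot: The new test `if (ls[i].sock_perm)` treats the `-1` default assigned in the first hunk of this file as a configured value, so a listener whose `sock_perm` is never overwritten calls chmod() with mode `-1`, which requests every mode bit rather than the previous 0666. Compare against the sentinel instead: `if (ls[i].sock_perm != -1) {`. That also lets an explicit `sock_perm=0` take effect, where the current test silently falls back to the world-writable default. The enclosing function starts and ends outside this hunk, so how the surrounding loop handles the new `return NGX_ERROR` on chown() failure (the socket file is left in place) cannot be checked from here.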
diff -r 72d3aefc2993 src/core/ngx_connection.h
--- a/src/core/ngx_connection.h Wed Jul 26 13:13:51 2017 +0300
+++ b/src/core/ngx_connection.h Fri Jul 28 22:39:23 2017 -0400
@@ -87,6 +87,12 @@
int fastopen;
#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+ int sock_user;
+ int sock_group;
+ int sock_perm;
+#endif
+
};
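Review bot: Declaring `sock_user` and `sock_group` as `int` cannot represent every `uid_t`/`gid_t` value; on platforms where those types are unsigned 32-bit, an ID above INT_MAX becomes negative after the `(int)` cast in ngx_http_core_module.c and is then skipped by the `>= 0` test in ngx_connection.c, leaving the socket with its default owner without any error. Consider `uid_t sock_user; gid_t sock_group;` with `(uid_t) -1` / `(gid_t) -1` as the unset value, which chown() already interprets as "leave unchanged". A short comment on the fields stating that `-1` means "not configured" would also help, since the struct is shared by all listener types.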
diff -r 72d3aefc2993 src/core/ngx_string.c
--- a/src/core/ngx_string.c Wed Jul 26 13:13:51 2017 +0300
+++ b/src/core/ngx_string.c Fri Jul 28 22:39:23 2017 -0400
@@ -1104,6 +1104,36 @@
}
+ngx_int_t
+ngx_octtoi(u_char *line, size_t n) {
+ u_char ch;
+ ngx_int_t value, cutoff;
+
+ if (n == 0) {
+ return NGX_ERROR;
+ }
+
+ cutoff = 512;
+
+ for (value = 0; n--; line++) {
+ if (value > cutoff) {
+ return NGX_ERROR;
+ }
+
+ ch = *line;
+
+ if (ch >= '0' && ch <= '7') {
+ value = value * 8 + (ch - '0');
+ continue;
+ }
+
+ return NGX_ERROR;
+ }
+
+ return value;
+}
+
+
u_char *
ngx_hex_dump(u_char *dst, u_char *src, size_t len)
{
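Review bot: The `value > cutoff` test in ngx_octtoi runs before the multiply, so with `cutoff = 512` the function accepts results up to 010007 (4103), beyond the 07777 that mode bits can hold, and that result is later passed to chmod() through `sock_perm`. Since the name suggests a general converter like ngx_hextoi, the range check belongs in the caller, e.g. `if (lsopt.sock_perm == NGX_ERROR || lsopt.sock_perm > 0777) {` (or whatever upper bound on special bits is intended), with the loop bound kept only as overflow protection. The function also has no comment stating what it returns on error or why 512 was chosen. The opening brace sits on the signature line, unlike ngx_hex_dump directly below.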
diff -r 72d3aefc2993 src/core/ngx_string.h
--- a/src/core/ngx_string.h Wed Jul 26 13:13:51 2017 +0300
+++ b/src/core/ngx_string.h Fri Jul 28 22:39:23 2017 -0400
@@ -175,6 +175,7 @@
off_t ngx_atoof(u_char *line, size_t n);
time_t ngx_atotm(u_char *line, size_t n);
ngx_int_t ngx_hextoi(u_char *line, size_t n);
+ngx_int_t ngx_octtoi(u_char *line, size_t n);
u_char *ngx_hex_dump(u_char *dst, u_char *src, size_t len);
diff -r 72d3aefc2993 src/http/ngx_http.c
--- a/src/http/ngx_http.c Wed Jul 26 13:13:51 2017 +0300
+++ b/src/http/ngx_http.c Fri Jul 28 22:39:23 2017 -0400
@@ -1772,6 +1772,11 @@
ls->reuseport = addr->opt.reuseport;
#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+ ls->sock_user = addr->opt.sock_user;
+ ls->sock_group = addr->opt.sock_group;
+ ls->sock_perm = addr->opt.sock_perm;
+#endif
return ls;
}
diff -r 72d3aefc2993 src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c Wed Jul 26 13:13:51 2017 +0300
+++ b/src/http/ngx_http_core_module.c Fri Jul 28 22:39:23 2017 -0400
@@ -4067,6 +4067,74 @@
continue;
}
+ if (ngx_strncmp(value[n].data, "sock_user=", 10) == 0) {
+#if (NGX_HAVE_UNIX_DOMAIN)
+ struct passwd *s_user;
+
+ ngx_set_errno(0);
+ s_user = getpwnam((const char*) &value[n].data[10]);
+ if ((void*) s_user == NULL) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
+ "getpwnam(\"%s\") failed", &value[n].data[10]);
+ return NGX_CONF_ERROR;
+ }
+
+ lsopt.sock_user = (int) s_user->pw_uid;
+ if (lsopt.sock_group == -1) {
+ lsopt.sock_group = (int) s_user->pw_gid;
+ }
+ lsopt.set = 1;
+ lsopt.bind = 1;
+#else
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "sock_user is not supported "
+ "on this platform, ignored");
+#endif
+ continue;
+ }
+
+ if (ngx_strncmp(value[n].data, "sock_group=", 11) == 0) {
+#if (NGX_HAVE_UNIX_DOMAIN)
+ struct group *s_group;
+
+ ngx_set_errno(0);
+ s_group = getgrnam((const char*) &value[n].data[11]);
+ if ((void*) s_group == NULL) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
+ "getgrnam(\"%s\") failed", &value[n].data[11]);
+ return NGX_CONF_ERROR;
+ }
+
+ lsopt.sock_group = (int) s_group->gr_gid;
+ lsopt.set = 1;
+ lsopt.bind = 1;
+#else
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "sock_group is not supported "
+ "on this platform, ignored");
+#endif
+ continue;
+ }
+
+ if (ngx_strncmp(value[n].data, "sock_perm=", 10) == 0) {
+#if (NGX_HAVE_UNIX_DOMAIN)
+ lsopt.sock_perm = ngx_octtoi(value[n].data + 10, value[n].len - 10);
+ lsopt.set = 1;
+ lsopt.bind = 1;
+
+ if (lsopt.sock_perm == NGX_ERROR) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "invalid sock_perm \"%V\"", &value[n]);
+ return NGX_CONF_ERROR;
+ }
+#else
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "sock_perm is not supported "
+ "on this platform, ignored");
+#endif
+ continue;
+ }
+
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"invalid parameter \"%V\"", &value[n]);
return NGX_CONF_ERROR;
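Review bot: The fallback `if (lsopt.sock_group == -1)` in the `sock_user=` branch only works if `lsopt` starts with these fields at `-1`, and no hunk in this patch sets that default on the listen options (only on `ngx_listening_t`). If `lsopt` is zero-filled before parsing (not visible here), the primary-group fallback never runs, and the unconditional copy in ngx_http.c hands uid 0 / gid 0 to the chown() path for every unix listener that does not set the options. Initialise them alongside the other `lsopt` defaults: `lsopt.sock_user = -1; lsopt.sock_group = -1; lsopt.sock_perm = -1;`. The three options are also accepted on non-unix `listen` addresses, where they have no effect; rejecting them there with a config error would surface a permissions setting the operator believes is applied. The enclosing function starts and ends outside this hunk.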
diff -r 72d3aefc2993 src/http/ngx_http_core_module.h
--- a/src/http/ngx_http_core_module.h Wed Jul 26 13:13:51 2017 +0300
+++ b/src/http/ngx_http_core_module.h Fri Jul 28 22:39:23 2017 -0400
@@ -101,6 +101,12 @@
char *accept_filter;
#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+ int sock_user;
+ int sock_group;
+ int sock_perm;
+#endif
+
u_char addr[NGX_SOCKADDR_STRLEN + 1];
} ngx_http_listen_opt_t;