feat(ui): add optional --unix-socket-gid flag to the ui subcommand

Adds an optional (and hidden) flag for specifying a group ID to apply group ownership to the unix-socket. Also sets the permissions to be group-writable. Use case: phenix starts from within a docker container as the root user, but normal users wish to be able to use the unix-socket to communicate with phenix (without having to switch to root). This allows the users to be a member of the group specified in the flag and have write access to the socket.
sandialabs · Aug 5, 2024 · a59f0ae · a59f0ae
1 parent 741ae8b
commit a59f0ae
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 0 deletions.
diff --git a/src/go/cmd/ui.go b/src/go/cmd/ui.go
@@ -37,6 +37,7 @@ func newUICmd() *cobra.Command {
 				web.ServeMinimegaLogs(viper.GetString("ui.logs.minimega-path")),
 				web.ServeWithFeatures(viper.GetStringSlice("ui.features")),
 				web.ServeWithProxyAuthHeader(viper.GetString("ui.proxy-auth-header")),
+				web.ServeWithUnixSocketGid(viper.GetInt("unix-socket-gid")),
 			}
 
 			if endpoint := viper.GetString("ui.unix-socket-endpoint"); endpoint != "" {
@@ -154,6 +155,11 @@ func newUICmd() *cobra.Command {
 	cmd.Flags().MarkHidden("log-requests")
 	cmd.Flags().MarkHidden("log-full")
 
+	cmd.Flags().Int("unix-socket-gid", -1, "group id to allow writes to the unix socket")
+	cmd.Flags().MarkHidden("unix-socket-gid")
+	viper.BindPFlag("unix-socket-gid", cmd.Flags().Lookup("unix-socket-gid"))
+	viper.BindEnv("unix-socket-gid")
+
 	return cmd
 }
 

diff --git a/src/go/web/option.go b/src/go/web/option.go
@@ -35,6 +35,8 @@ type serverOptions struct {
 	proxyAuthHeader string
 
 	features map[string]bool
+
+	unixSocketGid int
 }
 
 func newServerOptions(opts ...ServerOption) serverOptions {
@@ -173,6 +175,12 @@ func ServeWithFeatures(f []string) ServerOption {
 	}
 }
 
+func ServeWithUnixSocketGid(g int) ServerOption {
+	return func(o *serverOptions) {
+		o.unixSocketGid = g
+	}
+}
+
 // GET /options
 func GetOptions(w http.ResponseWriter, r *http.Request) error {
 	plog.Debug("HTTP handler called", "handler", "GetOptions")

diff --git a/src/go/web/server.go b/src/go/web/server.go
@@ -316,6 +316,16 @@ func Start(opts ...ServerOption) error {
 			return err
 		}
 
+		if o.unixSocketGid != -1 {
+			plog.Info("setting Unix socket group permissions", "gid", o.unixSocketGid)
+			if err = os.Chown(common.UnixSocket, -1, o.unixSocketGid); err != nil {
+				return err
+			}
+			if err := os.Chmod(common.UnixSocket, 0775); err != nil {
+				return err
+			}
+		}
+
 		go func() {
 			if err := server.Serve(listener); err != nil {
 				plog.Error("serving Unix socket", "err", err)