[CalendarServer-changes] [4750] CalendarServer/trunk/calendarserver/tap

source_changes at macosforge.org source_changes at macosforge.org
Mon Nov 16 13:14:55 PST 2009 

Revision: 4750
          http://trac.macosforge.org/projects/calendarserver/changeset/4750
Author:   glyph at apple.com
Date:     2009-11-16 13:14:53 -0800 (Mon, 16 Nov 2009)
Log Message:
-----------
Open stats and logging sockets with a secure mode, so that only the invoking user can write to / read from them.

Modified Paths:
--------------
    CalendarServer/trunk/calendarserver/tap/caldav.py
    CalendarServer/trunk/calendarserver/tap/test/test_caldav.py

Modified: CalendarServer/trunk/calendarserver/tap/caldav.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/caldav.py	2009-11-14 00:22:44 UTC (rev 4749)
+++ CalendarServer/trunk/calendarserver/tap/caldav.py	2009-11-16 21:14:53 UTC (rev 4750)
@@ -1,3 +1,4 @@
+# -*- test-case-name: calendarserver.tap.test.test_caldav -*-
 ##
 # Copyright (c) 2005-2009 Apple Inc. All rights reserved.
 #
@@ -26,7 +27,6 @@
 import sys
 from time import sleep, time
 
-from tempfile import mkstemp
 from subprocess import Popen, PIPE
 from pwd import getpwnam, getpwuid
 from grp import getgrnam
@@ -43,7 +43,7 @@
 from twisted.internet.process import ProcessExitedAlready
 from twisted.internet.protocol import Protocol, Factory
 from twisted.internet.address import IPv4Address
-from twisted.application.internet import TCPServer, SSLServer, UNIXServer
+from twisted.application.internet import TCPServer, UNIXServer
 from twisted.application.service import Service, MultiService, IServiceMaker
 from twisted.scripts.mktap import getid
 from twisted.runner import procmon
@@ -51,16 +51,15 @@
 from twisted.web2.dav import auth
 from twisted.web2.auth.basic import BasicCredentialFactory
 from twisted.web2.server import Site
-from twisted.web2.channel import HTTPFactory
 from twisted.web2.static import File as FileResource
-from twisted.web2.http import Request, RedirectResponse
 
 from twext.internet.ssl import ChainingOpenSSLContextFactory
 from twext.internet.tcp import MaxAcceptTCPServer, MaxAcceptSSLServer
-from twext.web2.channel.http import HTTP503LoggingFactory, LimitingHTTPFactory, SSLRedirectRequest
+from twext.web2.channel.http import LimitingHTTPFactory, SSLRedirectRequest
 
 try:
     from twistedcaldav.version import version
+    version                     # pacify pyflakes
 except ImportError:
     sys.path.insert(0, os.path.join(os.path.dirname(os.path.dirname(os.path.dirname(__file__))), "support"))
     from version import version as getVersion
@@ -94,6 +93,7 @@
 
 try:
     from twistedcaldav.authkerb import NegotiateCredentialFactory
+    NegotiateCredentialFactory  # pacify pyflakes
 except ImportError:
     NegotiateCredentialFactory = None
 
@@ -898,10 +898,12 @@
             RotatingFileAccessLoggingObserver(config.AccessLogFile)
         )
         if config.ControlSocket:
-            loggingService = UNIXServer(config.ControlSocket, logger)
+            loggingService = UNIXServer(config.ControlSocket, logger, mode=0700)
         else:
-            loggingService = ControlPortTCPServer(config.ControlPort, logger,
-                interface="127.0.0.1")
+            loggingService = ControlPortTCPServer(
+                config.ControlPort, logger, interface="127.0.0.1"
+            )
+        loggingService.setName("logging")
         loggingService.setServiceParent(s)
 
         monitor = DelayedStartupProcessMonitor()
@@ -1088,7 +1090,8 @@
 
 
         stats = CalDAVStatisticsServer(logger) 
-        statsService = UNIXServer(config.GlobalStatsSocket, stats) 
+        statsService = UNIXServer(config.GlobalStatsSocket, stats, mode=0700)
+        statsService.setName("stats")
         statsService.setServiceParent(s)
 
         return s

Modified: CalendarServer/trunk/calendarserver/tap/test/test_caldav.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/test/test_caldav.py	2009-11-14 00:22:44 UTC (rev 4749)
+++ CalendarServer/trunk/calendarserver/tap/test/test_caldav.py	2009-11-16 21:14:53 UTC (rev 4750)
@@ -252,6 +252,29 @@
         self.assertRaises(UsageError, self.makeService)
 
 
+    def test_modesOnUNIXSockets(self):
+        """
+        The logging and stats UNIX sockets that are bound as part of the
+        'Combined' service hierarchy should have a secure mode specified: only
+        the executing user should be able to open and send to them.
+        """
+
+        self.config["HTTPPort"] = 0 # Don't conflict with the test above.
+
+        self.config["ProcessType"] = "Combined"
+        self.writeConfig()
+        svc = self.makeService()
+        for serviceName in ["logging", "stats"]:
+            socketService = svc.getServiceNamed(serviceName)
+            self.assertIsInstance(socketService, internet.UNIXServer)
+            m = socketService.kwargs.get("mode", 0666)
+            self.assertEquals(
+                m, int("700", 8),
+                "Wrong mode on %s: %s" % (serviceName, oct(m))
+            )
+
+
+
 class SlaveServiceTest(BaseServiceMakerTests):
     """
     Test various configurations of the Slave service
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20091116/94fe3a86/attachment.html>

More information about the calendarserver-changes mailing list