[CalendarServer-changes] [4787] CalendarServer/trunk/calendarserver/tap
source_changes at macosforge.org
source_changes at macosforge.org
Fri Nov 20 08:38:21 PST 2009
Revision: 4787
http://trac.macosforge.org/projects/calendarserver/changeset/4787
Author: glyph at apple.com
Date: 2009-11-20 08:38:16 -0800 (Fri, 20 Nov 2009)
Log Message:
-----------
Loosen the permissions on the socket to allow group connectivity, and adjust the group when binding the port so that subprocesses (spawned in that group) can connect.
Modified Paths:
--------------
CalendarServer/trunk/calendarserver/tap/caldav.py
CalendarServer/trunk/calendarserver/tap/test/test_caldav.py
Modified: CalendarServer/trunk/calendarserver/tap/caldav.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/caldav.py 2009-11-20 16:27:16 UTC (rev 4786)
+++ CalendarServer/trunk/calendarserver/tap/caldav.py 2009-11-20 16:38:16 UTC (rev 4787)
@@ -338,6 +338,30 @@
)
+
+class GroupOwnedUNIXServer(UNIXServer, object):
+ """
+ A L{GroupOwnedUNIXServer} is a L{UNIXServer} which changes the group
+ ownership of its socket immediately after binding its port.
+
+ @ivar gid: the group ID which should own the socket after it is bound.
+ """
+ def __init__(self, gid, *args, **kw):
+ super(GroupOwnedUNIXServer, self).__init__(*args, **kw)
+ self.gid = gid
+
+
+ def privilegedStartService(self):
+ """
+ Bind the UNIX socket and then change its group.
+ """
+ super(GroupOwnedUNIXServer, self).privilegedStartService()
+ fileName = self._port.port # Unfortunately, there's no public way to
+ # access this. -glyph
+ os.chown(fileName, os.getuid(), self.gid)
+
+
+
class CalDAVServiceMaker (LoggingMixIn):
implements(IPlugin, IServiceMaker)
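Review bot: In `privilegedStartService`, `os.chown(fileName, os.getuid(), self.gid)` acts on the socket's path after the bind and follows symlinks. It is therefore only safe if less-privileged users cannot modify the directory holding the socket while this runs with elevated privileges. `os.lchown(fileName, -1, self.gid)` would not follow a replaced path, and it leaves the owner untouched instead of restating it via `os.getuid()`. The class docstring should also state that the socket's parent directory must be writable only by the service user. Separately, `self._port` is a private attribute, as the inline comment admits, so a note on which Twisted version this was checked against would help at upgrade time.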
@@ -897,8 +921,14 @@
logger = AMPLoggingFactory(
RotatingFileAccessLoggingObserver(config.AccessLogFile)
)
+ if config.GroupName:
+ gid = getgrnam(config.GroupName).gr_gid
+ else:
+ gid = os.getgid()
if config.ControlSocket:
- loggingService = UNIXServer(config.ControlSocket, logger, mode=0600)
+ loggingService = GroupOwnedUNIXServer(
+ gid, config.ControlSocket, logger, mode=0660
+ )
else:
loggingService = ControlPortTCPServer(
config.ControlPort, logger, interface="127.0.0.1"
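Review bot: When `config.GroupName` is empty, the fallback `gid = os.getgid()` is still paired with `mode=0660`, so every member of the master process's primary group can connect to the control socket. That is wider than the old `0600` even though no group was configured. Consider keeping the owner-only mode in that case, for example `mode = 0660 if config.GroupName else 0600`; the same applies to the stats socket in the `@@ -1090` hunk, which reuses this `gid`. `getgrnam(config.GroupName)` raises `KeyError` for an unknown group, and catching it to report a configuration error naming the group would be clearer than a startup traceback. The enclosing method starts and ends outside the hunk, so whether `gid` is still in scope at the later use cannot be confirmed from here.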
@@ -1090,7 +1120,9 @@
stats = CalDAVStatisticsServer(logger)
- statsService = UNIXServer(config.GlobalStatsSocket, stats, mode=0600)
+ statsService = GroupOwnedUNIXServer(
+ gid, config.GlobalStatsSocket, stats, mode=0660
+ )
statsService.setName("stats")
statsService.setServiceParent(s)
Modified: CalendarServer/trunk/calendarserver/tap/test/test_caldav.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/test/test_caldav.py 2009-11-20 16:27:16 UTC (rev 4786)
+++ CalendarServer/trunk/calendarserver/tap/test/test_caldav.py 2009-11-20 16:38:16 UTC (rev 4787)
@@ -15,10 +15,18 @@
##
import os
+import stat
+import grp
+
from os.path import dirname, abspath
+from twisted.trial.unittest import TestCase as BaseTestCase
+
from twisted.python.usage import Options, UsageError
from twisted.python.reflect import namedAny
+
+from twisted.internet.protocol import ServerFactory
+
from twisted.application.service import IService
from twisted.application import internet
@@ -36,7 +44,8 @@
from twistedcaldav.directory.directory import UnknownRecordTypeError
from twistedcaldav.test.util import TestCase
-from calendarserver.tap.caldav import CalDAVOptions, CalDAVServiceMaker, CalDAVService
+from calendarserver.tap.caldav import (CalDAVOptions, CalDAVServiceMaker,
+ CalDAVService, GroupOwnedUNIXServer)
# Points to top of source tree.
@@ -229,6 +238,37 @@
return service.services[0].args[1].protocolArgs["requestFactory"]
+
+def determineAppropriateGroupID():
+ """
+ Determine a secondary group ID which can be used for testing.
+ """
+ return os.getgroups()[1]
+
+
+
+class SocketGroupOwnership(BaseTestCase):
+ """
+ Tests for L{GroupOwnedUNIXServer}.
+ """
+
+ def test_groupOwnedUNIXSocket(self):
+ """
+ When a L{GroupOwnedUNIXServer} is started, it will change the group of
+ its socket.
+ """
+ alternateGroup = determineAppropriateGroupID()
+ socketName = self.mktemp()
+ gous = GroupOwnedUNIXServer(alternateGroup, socketName, ServerFactory(), mode=0660)
+ gous.privilegedStartService()
+ self.addCleanup(gous.stopService)
+ filestat = os.stat(socketName)
+ self.assertTrue(stat.S_ISSOCK(filestat.st_mode))
+ self.assertEquals(filestat.st_gid, alternateGroup)
+ self.assertEquals(filestat.st_uid, os.getuid())
+
+
+
class CalDAVServiceMakerTests(BaseServiceMakerTests):
"""
Test the service maker's behavior
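Review bot: `determineAppropriateGroupID` returns `os.getgroups()[1]`, which raises `IndexError` when the account running the tests belongs to only one group. The order of `os.getgroups()` is also unspecified, so index 1 is not guaranteed to differ from the primary group. Returning the first entry that is not `os.getgid()` and raising trial's `SkipTest` when there is none would turn that environment problem into a skip rather than an error. `test_groupOwnedUNIXSocket` checks the socket's type, gid and uid but not its permission bits. Since the commit exists to loosen them to group access only, `self.assertEquals(stat.S_IMODE(filestat.st_mode), 0660)` would pin that no "other" bits are set.

```python
def determineAppropriateGroupID():
    # … unchanged: docstring …
    primary = os.getgid()
    for candidate in os.getgroups():
        if candidate != primary:
            return candidate
    raise SkipTest("no secondary group available for this user")
```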
@@ -260,18 +300,21 @@
"""
self.config["HTTPPort"] = 0 # Don't conflict with the test above.
+ alternateGroup = determineAppropriateGroupID()
+ self.config.GroupName = grp.getgrgid(alternateGroup).gr_name
self.config["ProcessType"] = "Combined"
self.writeConfig()
svc = self.makeService()
for serviceName in ["logging", "stats"]:
socketService = svc.getServiceNamed(serviceName)
- self.assertIsInstance(socketService, internet.UNIXServer)
+ self.assertIsInstance(socketService, GroupOwnedUNIXServer)
m = socketService.kwargs.get("mode", 0666)
self.assertEquals(
- m, int("600", 8),
+ m, int("660", 8),
"Wrong mode on %s: %s" % (serviceName, oct(m))
)
+ self.assertEquals(socketService.gid, alternateGroup)