[CalendarServer-changes] [4787] CalendarServer/trunk/calendarserver/tap

source_changes at macosforge.org source_changes at macosforge.org
Fri Nov 20 08:38:21 PST 2009


Revision: 4787
          http://trac.macosforge.org/projects/calendarserver/changeset/4787
Author:   glyph at apple.com
Date:     2009-11-20 08:38:16 -0800 (Fri, 20 Nov 2009)
Log Message:
-----------
Loosen the permissions on the socket to allow group connectivity, and adjust the group when binding the port so that subprocesses (spawned in that group) can connect.

Modified Paths:
--------------
    CalendarServer/trunk/calendarserver/tap/caldav.py
    CalendarServer/trunk/calendarserver/tap/test/test_caldav.py

Modified: CalendarServer/trunk/calendarserver/tap/caldav.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/caldav.py	2009-11-20 16:27:16 UTC (rev 4786)
+++ CalendarServer/trunk/calendarserver/tap/caldav.py	2009-11-20 16:38:16 UTC (rev 4787)
@@ -338,6 +338,30 @@
             )
 
 
+
+class GroupOwnedUNIXServer(UNIXServer, object):
+    """
+    A L{GroupOwnedUNIXServer} is a L{UNIXServer} which changes the group
+    ownership of its socket immediately after binding its port.
+
+    @ivar gid: the group ID which should own the socket after it is bound.
+    """
+    def __init__(self, gid, *args, **kw):
+        super(GroupOwnedUNIXServer, self).__init__(*args, **kw)
+        self.gid = gid
+
+
+    def privilegedStartService(self):
+        """
+        Bind the UNIX socket and then change its group.
+        """
+        super(GroupOwnedUNIXServer, self).privilegedStartService()
+        fileName = self._port.port # Unfortunately, there's no public way to
+                                   # access this. -glyph
+        os.chown(fileName, os.getuid(), self.gid)
+
+
+
 class CalDAVServiceMaker (LoggingMixIn):
     implements(IPlugin, IServiceMaker)
 
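Review bot: In `privilegedStartService`, `os.chown(fileName, os.getuid(), self.gid)` operates on a path after the bind and follows symlinks, so when it runs with elevated privileges its effect depends on nobody else being able to replace that path in between. The class docstring should state that the socket's parent directory must be writable only by the service's own user. The call could become `os.lchown(fileName, -1, self.gid)`, which never follows a symlink and leaves the owner untouched. The existing comment already acknowledges the read of the private `self._port.port`; since the same path is passed to the constructor, check whether it can be taken from the stored constructor arguments instead.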
@@ -897,8 +921,14 @@
         logger = AMPLoggingFactory(
             RotatingFileAccessLoggingObserver(config.AccessLogFile)
         )
+        if config.GroupName:
+            gid = getgrnam(config.GroupName).gr_gid
+        else:
+            gid = os.getgid()
         if config.ControlSocket:
-            loggingService = UNIXServer(config.ControlSocket, logger, mode=0600)
+            loggingService = GroupOwnedUNIXServer(
+                gid, config.ControlSocket, logger, mode=0660
+            )
         else:
             loggingService = ControlPortTCPServer(
                 config.ControlPort, logger, interface="127.0.0.1"
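Review bot: `getgrnam(config.GroupName).gr_gid` raises `KeyError` when the configured group does not exist, which would abort service construction with a bare traceback; catching it and raising a configuration error that names `GroupName` would make the failure diagnosable. The change from mode 0600 to 0660 also lets every member of that group connect to the control socket, and to the stats socket in the hunk at line 1120. A comment above the lookup should say so, for example `# GroupName must be reserved for the server's own processes: its members can connect to these sockets.` The `gid` computed here is reused about 200 lines further down, and the enclosing function is not visible in the diff, so confirm both uses share a scope.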
@@ -1090,7 +1120,9 @@
 
 
         stats = CalDAVStatisticsServer(logger) 
-        statsService = UNIXServer(config.GlobalStatsSocket, stats, mode=0600)
+        statsService = GroupOwnedUNIXServer(
+            gid, config.GlobalStatsSocket, stats, mode=0660
+        )
         statsService.setName("stats")
         statsService.setServiceParent(s)
 

Modified: CalendarServer/trunk/calendarserver/tap/test/test_caldav.py
===================================================================
--- CalendarServer/trunk/calendarserver/tap/test/test_caldav.py	2009-11-20 16:27:16 UTC (rev 4786)
+++ CalendarServer/trunk/calendarserver/tap/test/test_caldav.py	2009-11-20 16:38:16 UTC (rev 4787)
@@ -15,10 +15,18 @@
 ##
 
 import os
+import stat
+import grp
+
 from os.path import dirname, abspath
 
+from twisted.trial.unittest import TestCase as BaseTestCase
+
 from twisted.python.usage import Options, UsageError
 from twisted.python.reflect import namedAny
+
+from twisted.internet.protocol import ServerFactory
+
 from twisted.application.service import IService
 from twisted.application import internet
 
@@ -36,7 +44,8 @@
 from twistedcaldav.directory.directory import UnknownRecordTypeError
 from twistedcaldav.test.util import TestCase
 
-from calendarserver.tap.caldav import CalDAVOptions, CalDAVServiceMaker, CalDAVService
+from calendarserver.tap.caldav import (CalDAVOptions, CalDAVServiceMaker,
+                                       CalDAVService, GroupOwnedUNIXServer)
 
 
 # Points to top of source tree.
@@ -229,6 +238,37 @@
         return service.services[0].args[1].protocolArgs["requestFactory"]
 
 
+
+def determineAppropriateGroupID():
+    """
+    Determine a secondary group ID which can be used for testing.
+    """
+    return os.getgroups()[1]
+
+
+
+class SocketGroupOwnership(BaseTestCase):
+    """
+    Tests for L{GroupOwnedUNIXServer}.
+    """
+
+    def test_groupOwnedUNIXSocket(self):
+        """
+        When a L{GroupOwnedUNIXServer} is started, it will change the group of
+        its socket.
+        """
+        alternateGroup = determineAppropriateGroupID()
+        socketName = self.mktemp()
+        gous = GroupOwnedUNIXServer(alternateGroup, socketName, ServerFactory(), mode=0660)
+        gous.privilegedStartService()
+        self.addCleanup(gous.stopService)
+        filestat = os.stat(socketName)
+        self.assertTrue(stat.S_ISSOCK(filestat.st_mode))
+        self.assertEquals(filestat.st_gid, alternateGroup)
+        self.assertEquals(filestat.st_uid, os.getuid())
+
+
+
 class CalDAVServiceMakerTests(BaseServiceMakerTests):
     """
     Test the service maker's behavior
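Review bot: `determineAppropriateGroupID` returns `os.getgroups()[1]`, which raises `IndexError` when the test user belongs to only one group, and the order of `os.getgroups()` is not specified, so index 1 is not guaranteed to differ from the primary group. Selecting with `candidates = [g for g in os.getgroups() if g != os.getgid()]` and raising trial's `SkipTest("no secondary group available")` when the list is empty would make the test skip instead of error, and would ensure it proves that the group actually changed. `test_groupOwnedUNIXSocket` passes `mode=0660` but asserts only owner and group; assuming the port applies the mode exactly, `self.assertEquals(stat.S_IMODE(filestat.st_mode), 0660)` would pin the permission bits as well.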
@@ -260,18 +300,21 @@
         """
 
         self.config["HTTPPort"] = 0 # Don't conflict with the test above.
+        alternateGroup = determineAppropriateGroupID()
+        self.config.GroupName = grp.getgrgid(alternateGroup).gr_name
 
         self.config["ProcessType"] = "Combined"
         self.writeConfig()
         svc = self.makeService()
         for serviceName in ["logging", "stats"]:
             socketService = svc.getServiceNamed(serviceName)
-            self.assertIsInstance(socketService, internet.UNIXServer)
+            self.assertIsInstance(socketService, GroupOwnedUNIXServer)
             m = socketService.kwargs.get("mode", 0666)
             self.assertEquals(
-                m, int("600", 8),
+                m, int("660", 8),
                 "Wrong mode on %s: %s" % (serviceName, oct(m))
             )
+            self.assertEquals(socketService.gid, alternateGroup)
 
 
 