Server: Make unix socket permission configurable (#52944)

3 years ago · 6dd3584f77
parent 44069b64cd
commit 6dd3584f77
5 changed files with 42 additions and 3 deletions
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@ -66,6 +66,15 @@ enable_gzip = false
 cert_file =
 cert_key =

+# Unix socket gid
+# Changing the gid of a file without privileges requires that the target group is in the group of the process and that the process is the file owner
+# It is recommended to set the gid as http server user gid
+# Not set when the value is -1
+socket_gid = -1
+
+# Unix socket mode
+socket_mode = 0660
+
 # Unix socket path
 socket = /tmp/grafana.sock

--- a/conf/sample.ini
+++ b/conf/sample.ini
@ -67,6 +67,15 @@
 ;cert_file =
 ;cert_key =

+# Unix socket gid
+# Changing the gid of a file without privileges requires that the target group is in the group of the process and that the process is the file owner
+# It is recommended to set the gid as http server user gid
+# Not set when the value is -1
+;socket_gid =
+
+# Unix socket mode
+;socket_mode =
+
 # Unix socket path
 ;socket =

--- a/docs/sources/setup-grafana/configure-grafana/_index.md
+++ b/docs/sources/setup-grafana/configure-grafana/_index.md
@ -257,9 +257,20 @@ Path to the certificate file (if `protocol` is set to `https` or `h2`).

 Path to the certificate key file (if `protocol` is set to `https` or `h2`).

+### socket_gid
+
+GID where the socket should be set when `protocol=socket`.
+Make sure that the target group is in the group of Grafana process and that Grafana process is the file owner before you change this setting.
+It is recommended to set the gid as http server user gid.
+Not set when the value is -1.
+
+### socket_mode
+
+Mode where the socket should be set when `protocol=socket`. Make sure that Grafana process is the file owner before you change this setting.
+
 ### socket

-Path where the socket should be created when `protocol=socket`. Make sure that Grafana has appropriate permissions before you change this setting.
+Path where the socket should be created when `protocol=socket`. Make sure Grafana has appropriate permissions for that path before you change this setting.

 ### cdn_url

--- a/pkg/api/http_server.go
+++ b/pkg/api/http_server.go
@ -470,8 +470,14 @@ func (hs *HTTPServer) getListener() (net.Listener, error) {

 		// Make socket writable by group
 		// nolint:gosec
-		if err := os.Chmod(hs.Cfg.SocketPath, 0660); err != nil {
-			return nil, fmt.Errorf("failed to change socket permissions: %w", err)
+		if err := os.Chmod(hs.Cfg.SocketPath, os.FileMode(hs.Cfg.SocketMode)); err != nil {
+			return nil, fmt.Errorf("failed to change socket mode %d: %w", hs.Cfg.SocketMode, err)
+		}
+
+		// golang.org/pkg/os does not have chgrp
+		// Changing the gid of a file without privileges requires that the target group is in the group of the process and that the process is the file owner
+		if err := os.Chown(hs.Cfg.SocketPath, -1, hs.Cfg.SocketGid); err != nil {
+			return nil, fmt.Errorf("failed to change socket group id %d: %w", hs.Cfg.SocketGid, err)
 		}

 		return listener, nil
--- a/pkg/setting/setting.go
+++ b/pkg/setting/setting.go
@ -204,6 +204,8 @@ type Cfg struct {
 	ServeFromSubPath bool
 	StaticRootPath   string
 	Protocol         Scheme
+	SocketGid        int
+	SocketMode       int
 	SocketPath       string
 	RouterLogging    bool
 	Domain           string
@ -1622,6 +1624,8 @@ func (cfg *Cfg) readServerSettings(iniFile *ini.File) error {
 	}
 	if protocolStr == "socket" {
 		cfg.Protocol = SocketScheme
+		cfg.SocketGid = server.Key("socket_gid").MustInt(-1)
+		cfg.SocketMode = server.Key("socket_mode").MustInt(0660)
 		cfg.SocketPath = server.Key("socket").String()
 	}