-rw-r--r-- | src/configuration.hpp | 4 | ||||
-rw-r--r-- | src/main.cpp | 18 | ||||
-rw-r--r-- | virtual-media.json | 8 |
3 files changed, 26 insertions, 4 deletions
diff --git a/src/configuration.hpp b/src/configuration.hpp
index 25f9855..c29e133 100644
--- a/src/configuration.hpp
+++ b/src/configuration.hpp
@@ -3,6 +3,8 @@
 #include "logger.hpp"
 #include "system.hpp"
+#include <sys/types.h>
+
 #include <algorithm>
 #include <boost/container/flat_map.hpp>
 #include <iostream>
@@ -27,6 +29,8 @@ class Configuration
 legacy = 1,
 };
+ static constexpr mode_t defaultUmask = 077;
+
 struct MountPoint
 {
 static constexpr int defaultTimeout = 30;
diff --git a/src/main.cpp b/src/main.cpp
index 49dab24..a20c68a 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -4,6 +4,8 @@
 #include "system.hpp"
 #include <sys/mount.h>
+#include <sys/stat.h>
+#include <sys/types.h>
 #include <boost/asio.hpp>
 #include <boost/asio/buffer.hpp>
@@ -76,6 +78,22 @@ int main()
 if (!config.valid)
 return -1;
+ // setup secure ownership for newly created files (always succeeds)
+ umask(Configuration::defaultUmask);
+
+ // Create directory with limited access rights to hold sockets
+ try
+ {
+ std::filesystem::create_directories(
+ std::filesystem::temp_directory_path() / "sock");
+ }
+ catch (std::filesystem::filesystem_error& e)
+ {
+ LogMsg(Logger::Error,
+ "Cannot create secure directory for sockets: ", e.what());
+ return -1;
+ }
+
 boost::asio::io_context ioc;
 boost::asio::signal_set signals(ioc, SIGINT, SIGTERM);
 signals.async_wait(
diff --git a/virtual-media.json b/virtual-media.json
index 602ba1e..c5c53ed 100644
--- a/virtual-media.json
+++ b/virtual-media.json
@@ -5,7 +5,7 @@
 "EndpointId": "/nbd/0",
 "Mode": 0,
 "NBDDevice": "nbd0",
- "UnixSocket": "/tmp/nbd0.sock",
+ "UnixSocket": "/tmp/sock/nbd0.sock",
 "Timeout": 30,
 "BlockSize": 512
 },
@@ -13,7 +13,7 @@
 "EndpointId": "/nbd/1",
 "Mode": 0,
 "NBDDevice": "nbd1",
- "UnixSocket": "/tmp/nbd1.sock",
+ "UnixSocket": "/tmp/sock/nbd1.sock",
 "Timeout": 30,
 "BlockSize": 512
 },
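Review bot: In the src/main.cpp hunk at `@@ -76,6 +78,22 @@`, `create_directories()` returns without error when `<tmp>/sock` already exists, so the 077 umask only protects a directory that this process creates itself. A directory, or a symlink to one, left at that path earlier with a different owner or a looser mode would be reused for the sockets without any complaint. After the call the code should confirm with `lstat()` that the path is a real directory, owned by the effective UID, with no group or other permission bits, and refuse to start otherwise (`geteuid()` needs `<unistd.h>`). The first comment also says "ownership" where umask only masks permission bits, and the handler would be better written as `catch (const std::filesystem::filesystem_error& e)`. main() starts before and continues after the hunk.

```cpp
    // Create directory with limited access rights to hold sockets
    try
    {
        const auto sockDir = std::filesystem::temp_directory_path() / "sock";
        std::filesystem::create_directories(sockDir);

        // create_directories() also succeeds when the path already exists,
        // so the umask alone does not guarantee a private directory
        struct stat st{};
        if (lstat(sockDir.c_str(), &st) != 0 || !S_ISDIR(st.st_mode) ||
            st.st_uid != geteuid() ||
            (st.st_mode & (S_IRWXG | S_IRWXO)) != 0)
        {
            LogMsg(Logger::Error,
                   "Socket directory is not private to this service: ",
                   sockDir.c_str());
            return -1;
        }
    }
    // … unchanged: catch block logging the filesystem_error …
```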
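Review bot: The `UnixSocket` values in virtual-media.json hard-code `/tmp/sock/`, while src/main.cpp builds the directory from `std::filesystem::temp_directory_path()`, which follows `TMPDIR` on POSIX systems. If the service is ever started with `TMPDIR` set, the directory that gets created and the configured socket paths diverge, and binding under `/tmp/sock/` would then fail or use a directory this code never prepared. Creating the parent directory of each configured `UnixSocket` path, or using one fixed path in both places, would keep the two in step. The same applies to the hunks at `@@ -13,7 +13,7 @@`, `@@ -21,7 +21,7 @@` and `@@ -29,7 +29,7 @@`.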
@@ -21,7 +21,7 @@
 "EndpointId": "",
 "Mode": 1,
 "NBDDevice": "nbd2",
- "UnixSocket": "/tmp/nbd2.sock",
+ "UnixSocket": "/tmp/sock/nbd2.sock",
 "Timeout": 90,
 "BlockSize": 512
 },
@@ -29,7 +29,7 @@
 "EndpointId": "",
 "Mode": 1,
 "NBDDevice": "nbd3",
- "UnixSocket": "/tmp/nbd3.sock",
+ "UnixSocket": "/tmp/sock/nbd3.sock",
 "Timeout": 90,
 "BlockSize": 512
 } |