Re: [zeromq-dev] Setting privileges on a UNIX socket
I got it working the way I wanted by setting the umask through systemd. Thanks for the help!

On 26 May 2016 at 21:10, Michal Vyskocil wrote:
> Hi,
>
> it does not work in libzmq automatically. However there is a socket option use_fd which will skip the open_socket/bind/listen part, which is exactly your use case.
>
> The documentation of systemd part is here
> http://0pointer.de/blog/projects/socket-activation.html
>
> usage is pretty simple if you're using just one fd
> * call sd_listen_fds (1)
> * if result is 1, assign use_fd to SD_LISTEN_FDS_START
> * fail otherwise
>
> Here is the example of use_fd
> https://github.com/zeromq/libzmq/blob/master/tests/test_setsockopt.cpp#L86
>
> On Thu, May 26, 2016 at 12:34 PM, Ale Strooisma wrote:
> > Hit send too quickly:
> >
> > There indeed seems to be a umask property available in systemd configuration files (my program is initialized by systemd, hence the relevance).
> > Slight issue is that the program might also create log files, for example, which would most likely require other permissions... but I suppose that is insurmountable?
> >
> > Kind regards, Ale Strooisma
> >
> > On 26 May 2016 at 12:30, Ale Strooisma wrote:
> >>
> >> Sorry, I am not familiar with umask. As far as I understand, setting the umask determines what permissions new files created by the user have. However, in this case I need to specifically affect the files created by this specific program. Do you mean there is a way to run a program that determines what permissions a file created by it gets?
> >>
> >> On 26 May 2016 at 11:01, Arnaud Loonstra wrote:
> >>>
> >>> I don't think zmq deals with permissions? The OS does. Shouldn't you be using a umask?
> >>> What's your umask set at?
> >>>
> >>> Rg,
> >>>
> >>> Arnaud
> >>>
> >>> On 2016-05-26 10:49, Ale Strooisma wrote:
> >>>>
> >>>> I am using libzmq 4.0.5 - the one provided by EPEL for CentOS 7. I have never noticed any systemd support in zeromq.
> >>>>
> >>>> Yes I am using the chmod function from sys/stat.h with which I change the permissions on the socket file from 0755 to 0770. The socket is created in the tmp directory which has 1777.
> >>>>
> >>>> Just to make it clear: I'd prefer not having to mess around with sockets outside ZeroMQ / my program.
> >>>>
> >>>> On 26 May 2016 at 10:30, Arnaud Loonstra wrote:
> >>>>>
> >>>>> I might be misinformed but some of my first thoughts
> >>>>>
> >>>>> - what version of zeromq? Are you using zeromq's systemd support? I recall we were hacking on this in the hackathon during FOSDEM. Otherwise the socket fd might be unlinked which results in weird behaviour.
> >>>>> - Are you using chmod C method or the shell command? Usually you set permissions on the directory where the socket is created
> >>>>>
> >>>>> Rg,
> >>>>>
> >>>>> Arnaud
> >>>>>
> >>>>> On 2016-05-25 17:30, Ale Strooisma wrote:
> >>>>>>
> >>>>>> the previous update might be incorrect. Now it seems that I can't bind to a socket created by systemd (I got something like "address already in use"). If I connect to it instead with my server program, which uses a REP socket, it does receive messages, but can't seem to reply...
> >>>>>>
> >>>>>> Anyway, all in all it would be highly preferable to be able to set with which permissions the socket is created. Currently I am working around this issue by calling chmod after binding to the socket.
>
> --
> best regards
> Michal Vyskocil

___
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
http://lists.zeromq.org/mailman/listinfo/zeromq-dev
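
The umask approach this thread settles on, as an added example that is not part of the original messages: on Linux, bind() creates a Unix socket file with mode 0777 & ~umask, so narrowing the umask only around the bind yields 0770 at creation, with no chmod afterwards and no effect on log files created later. It uses a plain AF_UNIX socket in place of a ZeroMQ ipc:// endpoint; `bind_with_umask`, `socket_mode_under` and the /tmp path are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper: bind a listening AF_UNIX socket at `path` while
 * `mask` is the umask, then restore the previous umask. Returns the fd,
 * or -1 on error. */
int bind_with_umask(const char *path, mode_t mask)
{
    struct sockaddr_un addr;
    mode_t old;
    int fd, rc;

    if (strlen(path) >= sizeof(addr.sun_path))
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);

    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    unlink(path);          /* drop a stale socket file from a previous run */
    old = umask(mask);     /* process-wide, so keep this window short */
    rc = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
    umask(old);            /* files created later (logs) use the old mask */
    if (rc != 0 || listen(fd, 8) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permission bits the socket file gets under `mask`, or -1 on error.
 * The path is a constructed sample value. */
int socket_mode_under(mode_t mask)
{
    const char *path = "/tmp/added-example-umask.sock";
    struct stat st;
    int mode = -1;
    int fd = bind_with_umask(path, mask);

    if (fd < 0)
        return -1;
    if (stat(path, &st) == 0)
        mode = (int)(st.st_mode & 0777);
    close(fd);
    unlink(path);
    return mode;
}

int main(void)
{
    printf("umask 0022 -> %04o\n", (unsigned)socket_mode_under(0022));
    printf("umask 0007 -> %04o\n", (unsigned)socket_mode_under(0007));
    return 0;
}
```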
Re: [zeromq-dev] Setting privileges on a UNIX socket
Hi,

it does not work in libzmq automatically. However there is a socket option use_fd which will skip the open_socket/bind/listen part, which is exactly your use case.

The documentation of systemd part is here
http://0pointer.de/blog/projects/socket-activation.html

usage is pretty simple if you're using just one fd
* call sd_listen_fds (1)
* if result is 1, assign use_fd to SD_LISTEN_FDS_START
* fail otherwise

Here is the example of use_fd
https://github.com/zeromq/libzmq/blob/master/tests/test_setsockopt.cpp#L86

On Thu, May 26, 2016 at 12:34 PM, Ale Strooisma wrote:
> Hit send too quickly:
>
> There indeed seems to be a umask property available in systemd configuration files (my program is initialized by systemd, hence the relevance).
> Slight issue is that the program might also create log files, for example, which would most likely require other permissions... but I suppose that is insurmountable?
>
> Kind regards, Ale Strooisma
>
> On 26 May 2016 at 12:30, Ale Strooisma wrote:
>>
>> Sorry, I am not familiar with umask. As far as I understand, setting the umask determines what permissions new files created by the user have. However, in this case I need to specifically affect the files created by this specific program. Do you mean there is a way to run a program that determines what permissions a file created by it gets?
>>
>> On 26 May 2016 at 11:01, Arnaud Loonstra wrote:
>>>
>>> I don't think zmq deals with permissions? The OS does. Shouldn't you be using a umask?
>>> What's your umask set at?
>>>
>>> Rg,
>>>
>>> Arnaud
>>>
>>> On 2016-05-26 10:49, Ale Strooisma wrote:
>>>>
>>>> I am using libzmq 4.0.5 - the one provided by EPEL for CentOS 7. I have never noticed any systemd support in zeromq.
>>>>
>>>> Yes I am using the chmod function from sys/stat.h with which I change the permissions on the socket file from 0755 to 0770. The socket is created in the tmp directory which has 1777.
>>>>
>>>> Just to make it clear: I'd prefer not having to mess around with sockets outside ZeroMQ / my program.
>>>>
>>>> On 26 May 2016 at 10:30, Arnaud Loonstra wrote:
>>>>>
>>>>> I might be misinformed but some of my first thoughts
>>>>>
>>>>> - what version of zeromq? Are you using zeromq's systemd support? I recall we were hacking on this in the hackathon during FOSDEM. Otherwise the socket fd might be unlinked which results in weird behaviour.
>>>>> - Are you using chmod C method or the shell command? Usually you set permissions on the directory where the socket is created
>>>>>
>>>>> Rg,
>>>>>
>>>>> Arnaud
>>>>>
>>>>> On 2016-05-25 17:30, Ale Strooisma wrote:
>>>>>>
>>>>>> the previous update might be incorrect. Now it seems that I can't bind to a socket created by systemd (I got something like "address already in use"). If I connect to it instead with my server program, which uses a REP socket, it does receive messages, but can't seem to reply...
>>>>>>
>>>>>> Anyway, all in all it would be highly preferable to be able to set with which permissions the socket is created. Currently I am working around this issue by calling chmod after binding to the socket.

--
best regards
Michal Vyskocil
Re: [zeromq-dev] Setting privileges on a UNIX socket
I don't think zmq deals with permissions? The OS does. Shouldn't you be using a umask?
What's your umask set at?

Rg,

Arnaud

On 2016-05-26 10:49, Ale Strooisma wrote:
> I am using libzmq 4.0.5 - the one provided by EPEL for CentOS 7. I have never noticed any systemd support in zeromq.
>
> Yes I am using the chmod function from sys/stat.h with which I change the permissions on the socket file from 0755 to 0770. The socket is created in the tmp directory which has 1777.
>
> Just to make it clear: I'd prefer not having to mess around with sockets outside ZeroMQ / my program.
>
> On 26 May 2016 at 10:30, Arnaud Loonstra wrote:
>> I might be misinformed but some of my first thoughts
>>
>> - what version of zeromq? Are you using zeromq's systemd support? I recall we were hacking on this in the hackathon during FOSDEM. Otherwise the socket fd might be unlinked which results in weird behaviour.
>> - Are you using chmod C method or the shell command? Usually you set permissions on the directory where the socket is created
>>
>> Rg,
>>
>> Arnaud
>>
>> On 2016-05-25 17:30, Ale Strooisma wrote:
>>> the previous update might be incorrect. Now it seems that I can't bind to a socket created by systemd (I got something like "address already in use"). If I connect to it instead with my server program, which uses a REP socket, it does receive messages, but can't seem to reply...
>>>
>>> Anyway, all in all it would be highly preferable to be able to set with which permissions the socket is created. Currently I am working around this issue by calling chmod after binding to the socket.
Re: [zeromq-dev] Setting privileges on a UNIX socket
I am using libzmq 4.0.5 - the one provided by EPEL for CentOS 7. I have never noticed any systemd support in zeromq.

Yes I am using the chmod function from sys/stat.h with which I change the permissions on the socket file from 0755 to 0770. The socket is created in the tmp directory which has 1777.

Just to make it clear: I'd prefer not having to mess around with sockets outside ZeroMQ / my program.

On 26 May 2016 at 10:30, Arnaud Loonstra wrote:
> I might be misinformed but some of my first thoughts
>
> - what version of zeromq? Are you using zeromq's systemd support? I recall we were hacking on this in the hackathon during FOSDEM. Otherwise the socket fd might be unlinked which results in weird behaviour.
> - Are you using chmod C method or the shell command? Usually you set permissions on the directory where the socket is created
>
> Rg,
>
> Arnaud
>
> On 2016-05-25 17:30, Ale Strooisma wrote:
>> the previous update might be incorrect. Now it seems that I can't bind to a socket created by systemd (I got something like "address already in use"). If I connect to it instead with my server program, which uses a REP socket, it does receive messages, but can't seem to reply...
>>
>> Anyway, all in all it would be highly preferable to be able to set with which permissions the socket is created. Currently I am working around this issue by calling chmod after binding to the socket.
>>
>> On 25 May 2016 at 14:50, Ale Strooisma wrote:
>>> Okay, a bit of an update: I tried ensuring the socket was available using systemd, but when the program that binds to the port runs, it resets the privileges.
>>>
>>> On 25 May 2016 at 12:32, Ale Strooisma wrote:
>>>> Hi all,
>>>>
>>>> For my program, I am using the ipc protocol. The unix socket used needs to be accessible to various programs run by different users, so I want to set group write privileges. How can I do this? Can I set this using ZeroMQ from within the program that binds the socket, or do I need to make sure the socket is in place with the right privileges before running any of my programs? The latter option would be rather unpractical of course.
>>>>
>>>> Kind regards,
>>>> Ale Strooisma
Re: [zeromq-dev] Setting privileges on a UNIX socket
I only have the EPEL7 version of libzmq available, so those options won't work for me, sadly. Also I'd rather not use systemd to create the socket, but leave it to ZeroMQ (in my program).

It seems like there is no way to set the permissions on a unix socket - is this correct? Would it make sense to add this as a zmq_setsockopt option called ZMQ_IPC_UMASK, or something like that?

Kind regards,
Ale Strooisma

On 25 May 2016 at 19:34, Luca Boccassi wrote:
> Hi Ale,
>
> If you have systemd managing your socket with a socket unit, it will create and bind it for you, so that's why it's saying it's already in use.
>
> Are you using the ZMQ_USE_FD API? I added that exactly for systemd-managed sockets.
>
> If you use CZMQ, you just have to set either the env var ZSYS_AUTO_USE_FD=1 or the runtime var via the zsys_set_auto_use_fd(1) function call, and then if the ZMQ endpoint matches a socket managed by systemd, it will all work out automagically and ZMQ will use the file descriptor passed by systemd.
>
> If you are using just libzmq, you'll have to get the file descriptor yourself from the systemd APIs, and then use the ZMQ_USE_FD zmq_setsockopt call to pass it down after creating a socket and before binding it.
>
> Note that this is available only on the master branches of libzmq and czmq, not in any released version yet.
>
> Kind regards,
> Luca Boccassi
>
> On Wed, 2016-05-25 at 17:30 +0200, Ale Strooisma wrote:
> > the previous update might be incorrect. Now it seems that I can't bind to a socket created by systemd (I got something like "address already in use"). If I connect to it instead with my 'server' program, which uses a REP socket, it does receive messages, but can't seem to reply...
> >
> > Anyway, all in all it would be highly preferable to be able to set with which permissions the socket is created. Currently I am working around this issue by calling chmod after binding to the socket.
> >
> > On 25 May 2016 at 14:50, Ale Strooisma wrote:
> >
> > > Okay, a bit of an update: I tried ensuring the socket was available using systemd, but when the program that binds to the port runs, it resets the privileges.
> > >
> > > On 25 May 2016 at 12:32, Ale Strooisma wrote:
> > >
> > >> Hi all,
> > >>
> > >> For my program, I am using the ipc protocol. The unix socket used needs to be accessible to various programs run by different users, so I want to set group write privileges. How can I do this? Can I set this using ZeroMQ from within the program that binds the socket, or do I need to make sure the socket is in place with the right privileges before running any of my programs? The latter option would be rather unpractical of course.
> > >>
> > >> Kind regards,
> > >> Ale Strooisma
Re: [zeromq-dev] Setting privileges on a UNIX socket
Hi Ale,

If you have systemd managing your socket with a socket unit, it will create and bind it for you, so that's why it's saying it's already in use.

Are you using the ZMQ_USE_FD API? I added that exactly for systemd-managed sockets.

If you use CZMQ, you just have to set either the env var ZSYS_AUTO_USE_FD=1 or the runtime var via the zsys_set_auto_use_fd(1) function call, and then if the ZMQ endpoint matches a socket managed by systemd, it will all work out automagically and ZMQ will use the file descriptor passed by systemd.

If you are using just libzmq, you'll have to get the file descriptor yourself from the systemd APIs, and then use the ZMQ_USE_FD zmq_setsockopt call to pass it down after creating a socket and before binding it.

Note that this is available only on the master branches of libzmq and czmq, not in any released version yet.

Kind regards,
Luca Boccassi

On Wed, 2016-05-25 at 17:30 +0200, Ale Strooisma wrote:
> the previous update might be incorrect. Now it seems that I can't bind to a socket created by systemd (I got something like "address already in use"). If I connect to it instead with my 'server' program, which uses a REP socket, it does receive messages, but can't seem to reply...
>
> Anyway, all in all it would be highly preferable to be able to set with which permissions the socket is created. Currently I am working around this issue by calling chmod after binding to the socket.
>
> On 25 May 2016 at 14:50, Ale Strooisma wrote:
>
> > Okay, a bit of an update: I tried ensuring the socket was available using systemd, but when the program that binds to the port runs, it resets the privileges.
> >
> > On 25 May 2016 at 12:32, Ale Strooisma wrote:
> >
> >> Hi all,
> >>
> >> For my program, I am using the ipc protocol. The unix socket used needs to be accessible to various programs run by different users, so I want to set group write privileges. How can I do this? Can I set this using ZeroMQ from within the program that binds the socket, or do I need to make sure the socket is in place with the right privileges before running any of my programs? The latter option would be rather unpractical of course.
> >>
> >> Kind regards,
> >> Ale Strooisma
[zeromq-dev] Setting privileges on a UNIX socket
Hi all,

For my program, I am using the ipc protocol. The unix socket used needs to be accessible to various programs run by different users, so I want to set group write privileges. How can I do this? Can I set this using ZeroMQ from within the program that binds the socket, or do I need to make sure the socket is in place with the right privileges before running any of my programs? The latter option would be rather unpractical of course.

Kind regards,
Ale Strooisma