Re: [zeromq-dev] Setting privileges on a UNIX socket

2016-05-27 Thread Ale Strooisma
I got it working the way I wanted by setting the umask through systemd.

Thanks for the help!

On 26 May 2016 at 21:10, Michal Vyskocil  wrote:

> Hi,
>
> it does not work in libzmq automatically. However there is a socket
> option use_fd which will skip the open_socket/bind/listen part, which
> is exactly your use case.
>
> The documentation of systemd part is here
> http://0pointer.de/blog/projects/socket-activation.html
>
> usage is pretty simple if you're using just one fd
>  * call sd_listen_fds (1)
>  * if result is 1, assign use_fd to SD_LISTEN_FDS_START
>  * fail otherwise
>
> Here is the example of use_fd
> https://github.com/zeromq/libzmq/blob/master/tests/test_setsockopt.cpp#L86
>
> On Thu, May 26, 2016 at 12:34 PM, Ale Strooisma
>  wrote:
> > Hit send too quickly:
> >
> > There indeed seems to be a umask property available in systemd configuration
> > files (my program is initialized by systemd, hence the relevance).
> > Slight issue is that the program might also create log files, for example,
> > which would most likely require other permissions... but I suppose that is
> > insurmountable?
> >
> > Kind regards, Ale Strooisma
> >
> > On 26 May 2016 at 12:30, Ale Strooisma 
> > wrote:
> >>
> >> Sorry, I am not familiar with umask. As far as I understand, setting the
> >> umask determines what permissions new files created by the user have.
> >> However, in this case I need to specifically affect the files created by
> >> this specific program. Do you mean there is a way to run a program that
> >> determines what permissions a file created by it gets?
> >>
> >> On 26 May 2016 at 11:01, Arnaud Loonstra  wrote:
> >>>
> >>> I don't think zmq deals with permissions? The OS does. Shouldn't you be
> >>> using a umask?
> >>> What's your umask set at?
> >>>
> >>> Rg,
> >>>
> >>> Arnaud
> >>>
> >>> On 2016-05-26 10:49, Ale Strooisma wrote:
> 
> >>>> I am using libzmq 4.0.5 - the one provided by EPEL for CentOS 7. I
> >>>> have never noticed any systemd support in zeromq.
> >>>>
> >>>> Yes I am using the chmod function from sys/stat.h with which I change
> >>>> the permissions on the socket file from 0755 to 0770. The socket is
> >>>> created in the tmp directory which has 1777.
> >>>>
> >>>> Just to make it clear: I'd prefer not having to mess around with
> >>>> sockets outside ZeroMQ / my program.
> >>>>
> >>>> On 26 May 2016 at 10:30, Arnaud Loonstra wrote:
> >>>>
> >>>>> I might be misinformed but some of my first thoughts
> >>>>>
> >>>>> - what version of zeromq? Are you using zeromq's systemd support? I
> >>>>> recall we were hacking on this in the hackathon during FOSDEM.
> >>>>> Otherwise the socket fd might be unlinked which results in weird
> >>>>> behaviour.
> >>>>> - Are you using chmod C method or the shell command? Usually you
> >>>>> set permissions on the directory where the socket is created
> >>>>>
> >>>>> Rg,
> >>>>>
> >>>>> Arnaud
> >>>>> On 2016-05-25 17:30, Ale Strooisma wrote:
> >>>>>
> >>>>>> the previous update might be incorrect. Now it seems that I can't bind
> >>>>>> to a socket created by systemd (I got something like "address already
> >>>>>> in use"). If I connect to it instead with my server program, which
> >>>>>> uses a REP socket, it does receive messages, but can't seem to reply...
> >>>>>>
> >>>>>> Anyway, all in all it would be highly preferable to be able to set
> >>>>>> with which permissions the socket is created. Currently I am working
> >>>>>> around this issue by calling chmod after binding to the socket.
> >>>>>>
> >>>
> >>>
> >>> ___
> >>> zeromq-dev mailing list
> >>> zeromq-dev@lists.zeromq.org
> >>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
> >>
> >>
> >
> >
>
>
>
> --
> best regards
>  Michal Vyskocil
>
___
zeromq-dev mailing list
zeromq-dev@lists.zeromq.org
http://lists.zeromq.org/mailman/listinfo/zeromq-dev

Re: [zeromq-dev] Setting privileges on a UNIX socket

2016-05-26 Thread Michal Vyskocil
Hi,

it does not work in libzmq automatically. However there is a socket
option use_fd which will skip the open_socket/bind/listen part, which
is exactly your use case.

The documentation of systemd part is here
http://0pointer.de/blog/projects/socket-activation.html

usage is pretty simple if you're using just one fd
 * call sd_listen_fds (1)
 * if result is 1, assign use_fd to SD_LISTEN_FDS_START
 * fail otherwise

Here is the example of use_fd
https://github.com/zeromq/libzmq/blob/master/tests/test_setsockopt.cpp#L86

On Thu, May 26, 2016 at 12:34 PM, Ale Strooisma
 wrote:
> Hit send too quickly:
>
> There indeed seems to be a umask property available in systemd configuration
> files (my program is initialized by systemd, hence the relevance).
> Slight issue is that the program might also create log files, for example,
> which would most likely require other permissions... but I suppose that is
> insurmountable?
>
> Kind regards, Ale Strooisma
>
> On 26 May 2016 at 12:30, Ale Strooisma 
> wrote:
>>
>> Sorry, I am not familiar with umask. As far as I understand, setting the
>> umask determines what permissions new files created by the user have.
>> However, in this case I need to specifically affect the files created by
>> this specific program. Do you mean there is a way to run a program that
>> determines what permissions a file created by it gets?
>>
>> On 26 May 2016 at 11:01, Arnaud Loonstra  wrote:
>>>
>>> I don't think zmq deals with permissions? The OS does. Shouldn't you be
>>> using a umask?
>>> What's your umask set at?
>>>
>>> Rg,
>>>
>>> Arnaud
>>>
>>> On 2016-05-26 10:49, Ale Strooisma wrote:

>>>> I am using libzmq 4.0.5 - the one provided by EPEL for CentOS 7. I
>>>> have never noticed any systemd support in zeromq.
>>>>
>>>> Yes I am using the chmod function from sys/stat.h with which I change
>>>> the permissions on the socket file from 0755 to 0770. The socket is
>>>> created in the tmp directory which has 1777.
>>>>
>>>> Just to make it clear: I'd prefer not having to mess around with
>>>> sockets outside ZeroMQ / my program.
>>>>
>>>> On 26 May 2016 at 10:30, Arnaud Loonstra wrote:
>>>>
>>>>> I might be misinformed but some of my first thoughts
>>>>>
>>>>> - what version of zeromq? Are you using zeromq's systemd support? I
>>>>> recall we were hacking on this in the hackathon during FOSDEM.
>>>>> Otherwise the socket fd might be unlinked which results in weird
>>>>> behaviour.
>>>>> - Are you using chmod C method or the shell command? Usually you
>>>>> set permissions on the directory where the socket is created
>>>>>
>>>>> Rg,
>>>>>
>>>>> Arnaud
>>>>> On 2016-05-25 17:30, Ale Strooisma wrote:
>>>>>
>>>>>> the previous update might be incorrect. Now it seems that I can't bind
>>>>>> to a socket created by systemd (I got something like "address already
>>>>>> in use"). If I connect to it instead with my server program, which
>>>>>> uses a REP socket, it does receive messages, but can't seem to reply...
>>>>>>
>>>>>> Anyway, all in all it would be highly preferable to be able to set
>>>>>> with which permissions the socket is created. Currently I am working
>>>>>> around this issue by calling chmod after binding to the socket.
>>>>>>
>>>
>>>
>>
>>
>
>



-- 
best regards
 Michal Vyskocil
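
The three steps listed above, as an added example that is not part of the original message or of libzmq. It re-implements the LISTEN_PID/LISTEN_FDS check that sd_listen_fds() performs so that it builds without libsystemd (a real service would call sd_listen_fds() itself), and adds a check that the inherited descriptor really is the expected listening UNIX socket before it is handed to ZMQ_USE_FD; the function names are illustrative.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

#define LISTEN_FDS_START 3 /* value of SD_LISTEN_FDS_START in sd-daemon.h */

/* Number of fds passed by the service manager, 0 if none are meant for
 * this process, -1 if the environment variables are malformed. */
int listen_fds_from_env(void)
{
    const char *pid = getenv("LISTEN_PID"), *n = getenv("LISTEN_FDS");
    char *end;
    long v;
    if (!pid || !n)
        return 0;
    v = strtol(pid, &end, 10);
    if (*pid == '\0' || *end != '\0')
        return -1;
    if (v != (long)getpid())
        return 0; /* variables were inherited from a parent, not for us */
    v = strtol(n, &end, 10);
    if (*n == '\0' || *end != '\0' || v < 0 || v > 1024)
        return -1;
    return (int)v;
}

/* 1 if fd is a listening AF_UNIX stream socket bound to `path`, else 0. */
int is_unix_listener(int fd, const char *path)
{
    struct sockaddr_un a;
    socklen_t alen = sizeof a, olen = sizeof(int);
    int type = 0, accepting = 0;
    memset(&a, 0, sizeof a);
    if (getsockname(fd, (struct sockaddr *)&a, &alen) < 0 || a.sun_family != AF_UNIX)
        return 0;
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &olen) < 0 || type != SOCK_STREAM)
        return 0;
    olen = sizeof(int);
    if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &accepting, &olen) < 0 || !accepting)
        return 0;
    return strncmp(a.sun_path, path, sizeof a.sun_path) == 0;
}

/* Exactly one inherited fd, or fail. The returned fd is what would be passed
 * to zmq_setsockopt(sock, ZMQ_USE_FD, &fd, sizeof fd) before zmq_bind(). */
int activation_fd(const char *path)
{
    if (listen_fds_from_env() != 1)
        return -1;
    return is_unix_listener(LISTEN_FDS_START, path) ? LISTEN_FDS_START : -1;
}
```

With this arrangement the socket file's owner, group and mode come from the service manager's socket configuration rather than from the daemon's umask.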


Re: [zeromq-dev] Setting privileges on a UNIX socket

2016-05-26 Thread Arnaud Loonstra
I don't think zmq deals with permissions? The OS does. Shouldn't you be 
using a umask?

What's your umask set at?

Rg,

Arnaud

On 2016-05-26 10:49, Ale Strooisma wrote:

> I am using libzmq 4.0.5 - the one provided by EPEL for CentOS 7. I
> have never noticed any systemd support in zeromq.
>
> Yes I am using the chmod function from sys/stat.h with which I change
> the permissions on the socket file from 0755 to 0770. The socket is
> created in the tmp directory which has 1777.
>
> Just to make it clear: I'd prefer not having to mess around with
> sockets outside ZeroMQ / my program.
>
> On 26 May 2016 at 10:30, Arnaud Loonstra wrote:
>
>> I might be misinformed but some of my first thoughts
>>
>> - what version of zeromq? Are you using zeromq's systemd support? I
>> recall we were hacking on this in the hackathon during FOSDEM.
>> Otherwise the socket fd might be unlinked which results in weird
>> behaviour.
>> - Are you using chmod C method or the shell command? Usually you
>> set permissions on the directory where the socket is created
>>
>> Rg,
>>
>> Arnaud
>> On 2016-05-25 17:30, Ale Strooisma wrote:
>>
>>> the previous update might be incorrect. Now it seems that I can't bind
>>> to a socket created by systemd (I got something like "address already
>>> in use"). If I connect to it instead with my server program, which
>>> uses a REP socket, it does receive messages, but can't seem to reply...
>>>
>>> Anyway, all in all it would be highly preferable to be able to set
>>> with which permissions the socket is created. Currently I am working
>>> around this issue by calling chmod after binding to the socket.






Re: [zeromq-dev] Setting privileges on a UNIX socket

2016-05-26 Thread Ale Strooisma
I am using libzmq 4.0.5 - the one provided by EPEL for CentOS 7. I have
never noticed any systemd support in zeromq.

Yes I am using the chmod function from sys/stat.h with which I change the
permissions on the socket file from 0755 to 0770. The socket is created in
the tmp directory which has 1777.

Just to make it clear: I'd prefer not having to mess around with sockets
outside ZeroMQ / my program.

On 26 May 2016 at 10:30, Arnaud Loonstra  wrote:

> I might be misinformed but some of my first thoughts
>
> - what version of zeromq? Are you using zeromq's systemd support? I recall
> we were hacking on this in the hackathon during FOSDEM. Otherwise the
> socket fd might be unlinked which results in weird behaviour.
> - Are you using chmod C method or the shell command? Usually you set
> permissions on the directory where the socket is created
>
> Rg,
>
> Arnaud
> On 2016-05-25 17:30, Ale Strooisma wrote:
>
>> the previous update might be incorrect. Now it seems that I can't bind
>> to a socket created by systemd (I got something like "address already
>> in use"). If I connect to it instead with my server program, which
>> uses a REP socket, it does receive messages, but can't seem to reply...
>>
>> Anyway, all in all it would be highly preferable to be able to set
>> with which permissions the socket is created. Currently I am working
>> around this issue by calling chmod after binding to the socket.
>>
>> On 25 May 2016 at 14:50, Ale Strooisma wrote:
>>
>>> Okay, a bit of an update: I tried ensuring the socket was available
>>> using systemd, but when the program that binds to the port runs, it
>>> resets the privileges.
>>>
>>> On 25 May 2016 at 12:32, Ale Strooisma wrote:
>>>
>>>> Hi all,
>>>>
>>>> For my program, I am using the ipc protocol. The unix socket used
>>>> needs to be accessible to various programs run by different users,
>>>> so I want to set group write privileges. How can I do this? Can I
>>>> set this using ZeroMQ from within the program that binds the
>>>> socket, or do I need to make sure the socket is in place with the
>>>> right privileges before running any of my programs? The latter
>>>> option would be rather unpractical of course.
>>>>
>>>> Kind regards,
>>>> Ale Strooisma
>>
>

Re: [zeromq-dev] Setting privileges on a UNIX socket

2016-05-26 Thread Ale Strooisma
I only have the EPEL7 version of libzmq available, so those options won't
work for me, sadly.
Also I'd rather not use systemd to create the socket, but leave it to
ZeroMQ (in my program).

It seems like there is no way to set the permissions on a unix socket - is
this correct?
Would it make sense to add this as a zmq_setsockopt option called
ZMQ_IPC_UMASK, or something like that?

Kind regards,
Ale Strooisma

On 25 May 2016 at 19:34, Luca Boccassi  wrote:

> Hi Ale,
>
> If you have systemd managing your socket with a socket unit, it will
> create and bind it for you, so that's why it's saying it's already in
> use.
>
> Are you using the ZMQ_USE_FD API? I added that exactly for
> systemd-managed sockets.
>
> If you use CZMQ, you just have to set either the env var
> ZSYS_AUTO_USE_FD=1 or the runtime var via the zsys_set_auto_use_fd(1)
> function call, and then if the ZMQ endpoint matches a socket managed by
> systemd, it will all work out automagically and ZMQ will use the file
> descriptor passed by systemd.
>
> If you are using just libzmq, you'll have to get the file descriptor
> yourself from the systemd APIs, and then use the ZMQ_USE_FD
> zmq_setsockopt call to pass it down after creating a socket and before
> binding it.
>
> Note that this is available only on the master branches of libzmq and
> czmq, not in any released version yet.
>
> Kind regards,
> Luca Boccassi
>
> On Wed, 2016-05-25 at 17:30 +0200, Ale Strooisma wrote:
> > the previous update might be incorrect. Now it seems that I can't bind to a
> > socket created by systemd (I got something like "address already in use").
> > If I connect to it instead with my 'server' program, which uses a REP
> > socket, it does receive messages, but can't seem to reply...
> >
> > Anyway, all in all it would be highly preferable to be able to set with
> > which permissions the socket is created. Currently I am working around this
> > issue by calling chmod after binding to the socket.
> >
> > On 25 May 2016 at 14:50, Ale Strooisma
> > wrote:
> >
> > > Okay, a bit of an update: I tried ensuring the socket was available using
> > > systemd, but when the program that binds to the port runs, it resets the
> > > privileges.
> > >
> > > On 25 May 2016 at 12:32, Ale Strooisma
> > > wrote:
> > >
> > >> Hi all,
> > >>
> > >> For my program, I am using the ipc protocol. The unix socket used needs
> > >> to be accessible to various programs run by different users, so I want to
> > >> set group write privileges. How can I do this? Can I set this using ZeroMQ
> > >> from within the program that binds the socket, or do I need to make sure
> > >> the socket is in place with the right privileges before running any of my
> > >> programs? The latter option would be rather unpractical of course.
> > >>
> > >> Kind regards,
> > >> Ale Strooisma
> > >>
> > >
> > >
>
>
>

Re: [zeromq-dev] Setting privileges on a UNIX socket

2016-05-25 Thread Luca Boccassi
Hi Ale,

If you have systemd managing your socket with a socket unit, it will
create and bind it for you, so that's why it's saying it's already in
use.

Are you using the ZMQ_USE_FD API? I added that exactly for
systemd-managed sockets.

If you use CZMQ, you just have to set either the env var
ZSYS_AUTO_USE_FD=1 or the runtime var via the zsys_set_auto_use_fd(1)
function call, and then if the ZMQ endpoint matches a socket managed by
systemd, it will all work out automagically and ZMQ will use the file
descriptor passed by systemd.

If you are using just libzmq, you'll have to get the file descriptor
yourself from the systemd APIs, and then use the ZMQ_USE_FD
zmq_setsockopt call to pass it down after creating a socket and before
binding it.

Note that this is available only on the master branches of libzmq and
czmq, not in any released version yet.

Kind regards,
Luca Boccassi

On Wed, 2016-05-25 at 17:30 +0200, Ale Strooisma wrote:
> the previous update might be incorrect. Now it seems that I can't bind to a
> socket created by systemd (I got something like "address already in use").
> If I connect to it instead with my 'server' program, which uses a REP
> socket, it does receive messages, but can't seem to reply...
> 
> Anyway, all in all it would be highly preferable to be able to set with
> which permissions the socket is created. Currently I am working around this
> issue by calling chmod after binding to the socket.
> 
> On 25 May 2016 at 14:50, Ale Strooisma 
> wrote:
> 
> > Okay, a bit of an update: I tried ensuring the socket was available using
> > systemd, but when the program that binds to the port runs, it resets the
> > privileges.
> >
> > On 25 May 2016 at 12:32, Ale Strooisma 
> > wrote:
> >
> >> Hi all,
> >>
> >> For my program, I am using the ipc protocol. The unix socket used needs
> >> to be accessible to various programs run by different users, so I want to
> >> set group write privileges. How can I do this? Can I set this using ZeroMQ
> >> from within the program that binds the socket, or do I need to make sure
> >> the socket is in place with the right privileges before running any of my
> >> programs? The latter option would be rather unpractical of course.
> >>
> >> Kind regards,
> >> Ale Strooisma
> >>
> >
> >





[zeromq-dev] Setting privileges on a UNIX socket

2016-05-25 Thread Ale Strooisma
Hi all,

For my program, I am using the ipc protocol. The unix socket used needs to
be accessible to various programs run by different users, so I want to set
group write privileges. How can I do this? Can I set this using ZeroMQ from
within the program that binds the socket, or do I need to make sure the
socket is in place with the right privileges before running any of my
programs? The latter option would be rather unpractical of course.

Kind regards,
Ale Strooisma