Change ownership of admin socket before dropping permissions (#1336)

This is to allow access to the socket by members of the group that permissions are dropped to.
2026-05-22 13:56:30 +03:00 · 2026-05-12 20:39:55 +00:00
parent be5daeba7a
commit aaf263957b
4 changed files with 22 additions and 10 deletions
--- a/cmd/yggdrasil/chuser_unix.go
+++ b/cmd/yggdrasil/chuser_unix.go
@@ -4,6 +4,8 @@ package main

 import (
 	"fmt"
+	"net/url"
+	"os"
 	"os/user"
 	"strconv"
 	"strings"
@@ -11,7 +13,7 @@ import (
 	"golang.org/x/sys/unix"
 )

-func chuser(input string) error {
+func chuser(input, adminSockUrl string) error {
 	givenUser, givenGroup, _ := strings.Cut(input, ":")
 	if givenUser == "" {
 		return fmt.Errorf("user is empty")
@@ -48,6 +50,16 @@ func chuser(input string) error {
 		gid, _ = strconv.Atoi(usr.Gid)
 	}

+	if adminSockUrl != "" {
+		u, err := url.Parse(adminSockUrl)
+		if err == nil && u.Scheme == "unix" {
+			err = os.Chown(u.Path, uid, gid)
+		}
+		if err != nil {
+			return fmt.Errorf("chown %s %d:%d: %v", adminSockUrl, uid, gid, err)
+		}
+	}
+
 	if err := unix.Setgroups([]int{gid}); err != nil {
 		return fmt.Errorf("setgroups: %d: %v", gid, err)
 	}