From 81f72015f0b96b1227a2de38409049fba0e73aad Mon Sep 17 00:00:00 2001
From: euxane
Date: Sat, 8 Jun 2024 23:07:30 +0200
Subject: [PATCH] nixos/fcgiwrap: add unix socket owner, private by default

This adds a few options to properly set the ownership and permissions on UNIX local sockets, set to private by default. Previously, the created UNIX local sockets could be used by any local user. This was especially problematic when fcgiwrap is running as root (the default).
---
 .../manual/release-notes/rl-2411.section.md | 2 +
 .../modules/services/web-servers/fcgiwrap.nix | 48 +++++++++++++++++++
 2 files changed, 50 insertions(+)

diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index f59c3d88fdb3..3caa36ab22d8 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -49,6 +49,8 @@ configuration of each individual instance. This requires migrating any previous configuration keys from `services.fcgiwrap.*` to `services.fcgiwrap.some-instance.*`. + The ownership and mode of the UNIX sockets created by this service are now + configurable and private by default. - `nvimpager` was updated to version 0.13.0, which changes the order of user and nvimpager settings: user commands in `-c` and `--cmd` now override the
diff --git a/nixos/modules/services/web-servers/fcgiwrap.nix b/nixos/modules/services/web-servers/fcgiwrap.nix
index 1dc9632e3513..6b633386089f 100644
--- a/nixos/modules/services/web-servers/fcgiwrap.nix
+++ b/nixos/modules/services/web-servers/fcgiwrap.nix
@@ -45,10 +45,55 @@ in {
 In case of a UNIX socket, this should be its filesystem path.
 '';
 };
+
+ socket.user = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ User to be set as owner of the UNIX socket.
+ Defaults to the process running user.
+ '';
+ };
+
+ socket.group = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ description = ''
+ Group to be set as owner of the UNIX socket.
+ Defaults to the process running group.
+ '';
+ };
+
+ socket.mode = mkOption {
+ type = types.nullOr types.str;
+ default = if config.socket.type == "unix" then "0600" else null;
+ defaultText = literalExpression ''
+ if config.socket.type == "unix" then "0600" else null
+ '';
+ description = ''
+ Mode to be set on the UNIX socket.
+ Defaults to private to the socket's owner.
+ '';
+ };
 };
 }));
 };
 config = {
+ assertions = concatLists (mapAttrsToList (name: cfg: [
+ {
+ assertion = cfg.socket.user != null -> cfg.socket.type == "unix";
+ message = "Socket owner can only be set for the UNIX socket type.";
+ }
+ {
+ assertion = cfg.socket.group != null -> cfg.socket.type == "unix";
+ message = "Socket owner can only be set for the UNIX socket type.";
+ }
+ {
+ assertion = cfg.socket.mode != null -> cfg.socket.type == "unix";
+ message = "Socket mode can only be set for the UNIX socket type.";
+ }
+ ]) config.services.fcgiwrap);
+
 systemd.services = forEachInstance (cfg: {
 after = [ "nss-user-lookup.target" ];
 wantedBy = optional (cfg.socket.type != "unix") "multi-user.target";
@@ -71,6 +116,9 @@ in {
 wantedBy = [ "sockets.target" ];
 socketConfig = {
 ListenStream = cfg.socket.address;
+ SocketUser = cfg.socket.user;
+ SocketGroup = cfg.socket.group;
+ SocketMode = cfg.socket.mode;
 };
 });
 };
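Review bot: The message on the `cfg.socket.group` assertion is copied from the owner one, so a group set on a TCP instance reports "Socket owner can only be set…"; it should read `message = "Socket group can only be set for the UNIX socket type.";`. The `name` bound by `mapAttrsToList (name: cfg: …)` is never used, so none of the three messages says which instance failed; prefixing each message with `services.fcgiwrap.${name}: ` would make them actionable when several instances are defined. With `socket.user`/`socket.group` defaulting to the service's own user (root by default, per the commit message) and `socket.mode` to `"0600"`, no other local user can connect to the socket, which is the intended hardening but also locks out a web server running as its own user; the `socket.mode` description could say that such a consumer must be granted access via `socket.group` together with a mode like `"0660"`. The submodule options and the `config` block these lines sit in begin outside the hunk.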
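Review bot: `SocketUser`, `SocketGroup` and `SocketMode` are assigned unconditionally, so for a TCP instance, or one leaving `socket.user`/`socket.group` at `null`, the `[Socket]` section receives null values; this is only correct if the systemd unit-config generator drops nulls, which I cannot confirm from this hunk, and otherwise each line should be guarded like `SocketUser = mkIf (cfg.socket.user != null) cfg.socket.user;`. The socket unit definition this `socketConfig` belongs to begins outside the hunk.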