socket perms for system-wide access ? #231

pgnd · 2024-03-02T17:10:40Z

i've built/installed ydotool from src

i'm working on the required socket perms, hoping to harden access

it's launched via systemd

...
[Service]
UMask = 0117
User=ydotool
Group=input
PermissionsStartOnly=true
ExecStart=/usr/local/ydotool/bin/ydotoold \
 --socket-path=/run/ydotool/ydotoold.sock \
 --socket-perm=0660
...

it's up

ps aux | grep ydotool
	ydotool   9129  0.0  0.0   2476  1536 ?        Ss   11:37   0:00 /usr/local/ydotool/bin/ydotoold --socket-path=/run/ydotool/ydotoold.sock --socket-perm=0660

ls -alR /run/ydotool
	/run/ydotool:
	total 0
	drwxrwx---  2 ydotool input   60 Mar  2 11:47 ./
	drwxr-xr-x 49 root    root  1.4K Mar  2 10:42 ../
	srw-rw----  1 ydotool input    0 Mar  2 11:47 ydotoold.sock=

my local desktop and ydotool users have been added to the input group

id ydotool
	uid=376(ydotool) gid=377(ydotool) groups=377(ydotool),999(input)

getent group input
	input:x:999:ydotool,pgnd

at shell, as my user,

whoami
	pgnd
YDOTOOL_SOCKET=/run/ydotool/ydotoold.sock /usr/local/ydotool/bin/ydotool type 'TESTTEST'

fails with

failed to connect to socket `/run/ydotool/ydotoold.sock': Permission denied
Please check if the current user has sufficient permissions to access the socket file

if i open the sock's perms

chmod 777 /run/ydotool
chmod 666 /run/ydotool/ydotoold.sock
ls -alR /run/ydotool
	/run/ydotool:
	total 0
	drwxrwxrwx  2 ydotool input   60 Mar  2 11:47 ./
	drwxr-xr-x 49 root    root  1.4K Mar  2 10:42 ../
	srw-rw-rw-  1 ydotool input    0 Mar  2 11:47 ydotoold.sock=

then exec of

YDOTOOL_SOCKET=/run/ydotool/ydotoold.sock /usr/local/ydotool/bin/ydotool type 'TESTTEST'

types, as intended,

TESTTEST

also,

chmod 770 /run/ydotool
chmod 660 /run/ydotool/ydotoold.sock
sudo -u ydotool YDOTOOL_SOCKET=/run/ydotool/ydotoold.sock /usr/local/ydotool/bin/ydotool type 'TESTTEST'

users ydotool & pgnd, both as members of input group, should have equivalent r/w perms for the socket, no?

am i missing a config/assumption re: needed perms?

The text was updated successfully, but these errors were encountered:

pgnd · 2024-03-02T21:12:06Z

adding suid to rpm post-install

	%post
	...
+	chown ydotool:input /path/to/bin/ydotool
+	chmod +s /path/to/bin/ydotool

so that, with above config,

ls -al /run/ydotool/
	total 0
	drwxrwx---  2 ydotool input   60 Mar  2 16:09 ./
	drwxr-xr-x 49 root    root  1.4K Mar  2 10:42 ../
	srw-rw----  1 ydotool input    0 Mar  2 16:09 ydotoold.sock=

ls -al /path/to/bin/ydotool
	-rwsr-sr-x 1 ydotool input 32K Mar  1 19:00 /path/to/bin/ydotool*

does the trick. if only as a workaround ...

Paiusco · 2024-03-06T19:23:16Z

Can you share your working branch or code so I can try to reproduce it over here?

pgnd · 2024-03-07T11:07:40Z

fwiw, very WIP for builds @ Fedora,

https://pagure.io/pgnd/ydotool-pgnd/tree/main

seems to behave as built --- with the 'expanded' socket perms, as above.

biggest issue is assigning a 'hotkey' trigger in KDE to ydotool scripts; but that appears to be a KDE problem ...

Paiusco · 2024-04-29T20:27:03Z

I tested something similar to what you're trying to do, and it's still working... maybe I missed something?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

socket perms for system-wide access ? #231

socket perms for system-wide access ? #231

pgnd commented Mar 2, 2024

pgnd commented Mar 2, 2024 •

edited

Loading

Paiusco commented Mar 6, 2024

pgnd commented Mar 7, 2024

Paiusco commented Apr 29, 2024

socket perms for system-wide access ? #231

socket perms for system-wide access ? #231

Comments

pgnd commented Mar 2, 2024

pgnd commented Mar 2, 2024 • edited Loading

Paiusco commented Mar 6, 2024

pgnd commented Mar 7, 2024

Paiusco commented Apr 29, 2024

pgnd commented Mar 2, 2024 •

edited

Loading