From 62493dbe19028a3290057a93955ddb21a578c2e5 Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Wed, 8 Jan 2025 12:04:53 +0100
Subject: [PATCH] [backend/asp] Allow customizing the unix socket permissions that are set on startup (ISH-671)
---
 .../Core/Configuration/Config.cs | 15 +++++-----
 .../Extensions/WebApplicationExtensions.cs | 28 +++++++++++++++----
 Iceshrimp.Backend/configuration.ini | 1 +
 3 files changed, 31 insertions(+), 13 deletions(-)
diff --git a/Iceshrimp.Backend/Core/Configuration/Config.cs b/Iceshrimp.Backend/Core/Configuration/Config.cs
index 86e6b78e..199f7b15 100644
--- a/Iceshrimp.Backend/Core/Configuration/Config.cs
+++ b/Iceshrimp.Backend/Core/Configuration/Config.cs
@@ -33,13 +33,14 @@ public sealed class Config
 public string Version => _versionInfo.Version;
 public string UserAgent => $"Iceshrimp.NET/{Version} (+https://{WebDomain}/)";
- [Range(1, 65535)] public int ListenPort { get; init; } = 3000;
- [Required] public string ListenHost { get; init; } = "localhost";
- public string? ListenSocket { get; init; }
- [Required] public string WebDomain { get; init; } = null!;
- [Required] public string AccountDomain { get; init; } = null!;
- [Range(1, 100000)] public int CharacterLimit { get; init; } = 8192;
- public string? RedirectIndexTo { get; init; }
+ [Range(1, 65535)] public int ListenPort { get; init; } = 3000;
+ [Required] public string ListenHost { get; init; } = "localhost";
+ public string? ListenSocket { get; init; }
+ public string ListenSocketPerms { get; init; } = "660";
+ [Required] public string WebDomain { get; init; } = null!;
+ [Required] public string AccountDomain { get; init; } = null!;
+ [Range(1, 100000)] public int CharacterLimit { get; init; } = 8192;
+ public string? RedirectIndexTo { get; init; }
 public string? AdditionalDomains
 {
diff --git a/Iceshrimp.Backend/Core/Extensions/WebApplicationExtensions.cs b/Iceshrimp.Backend/Core/Extensions/WebApplicationExtensions.cs
index 4edf4075..9e16065f 100644
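Review bot: `ListenSocketPerms` is added as a free-form string with no validation attribute, although the neighbouring settings use `[Range]` and `[Required]`, so any text reaches the `Convert.ToInt32(…, 8)` call in WebApplicationExtensions.cs and any octal integer it yields is passed to `chmod` without a bound. Constraining it at the declaration, for example `[RegularExpression("^0?[0-7]{3}$")] public string ListenSocketPerms { get; init; } = "660";`, would limit the value to the nine permission bits; whether these annotations are enforced at startup is not visible in this hunk, so a matching range check next to the parse may still be needed. A short comment on the property saying that the value is an octal file mode, and that bits for "other" let every local account connect to the socket, would help operators pick a safe value. The enclosing class begins and ends outside the hunk.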
--- a/Iceshrimp.Backend/Core/Extensions/WebApplicationExtensions.cs
+++ b/Iceshrimp.Backend/Core/Extensions/WebApplicationExtensions.cs
@@ -302,8 +302,8 @@ public static class WebApplicationExtensions
 public static void SetKestrelUnixSocketPermissions(this WebApplication app)
 {
- var config = app.Configuration.GetSection("Instance").Get() ??
- throw new Exception("Failed to read instance config");
+ var config = app.Configuration.GetSection("Instance").Get()
+ ?? throw new Exception("Failed to read instance config");
 if (config.ListenSocket == null) return;
 using var scope = app.Services.CreateScope();
 var logger = scope.ServiceProvider.GetRequiredService()
@@ -312,14 +312,30 @@ public static class WebApplicationExtensions
 if (!OperatingSystem.IsLinux() && !OperatingSystem.IsMacOS() && !OperatingSystem.IsFreeBSD())
 throw new Exception("Can't set unix socket permissions on a non-UNIX system");
- var perms = "660";
- var exitCode = chmod(config.ListenSocket, Convert.ToInt32(perms, 8));
+ int perms;
+ try
+ {
+ perms = Convert.ToInt32(config.ListenSocketPerms, 8);
+ }
+ catch
+ {
+ logger.LogError("Failed to set Kestrel unix socket permissions to {SocketPerms}: failed to parse octal digits",
+ config.ListenSocketPerms);
+ Environment.Exit(1);
+ return;
+ }
+ var exitCode = chmod(config.ListenSocket, perms);
 if (exitCode < 0)
+ {
 logger.LogError("Failed to set Kestrel unix socket permissions to {SocketPerms}, return code: {ExitCode}",
- perms, exitCode);
+ config.ListenSocketPerms, exitCode);
+ }
 else
- logger.LogInformation("Kestrel unix socket permissions were set to {SocketPerms}", perms);
+ {
+ logger.LogInformation("Kestrel unix socket permissions were set to {SocketPerms}",
+ config.ListenSocketPerms);
+ }
 return;
diff --git a/Iceshrimp.Backend/configuration.ini b/Iceshrimp.Backend/configuration.ini
index 3a72ccd8..8659c0df 100644
--- a/Iceshrimp.Backend/configuration.ini
+++ b/Iceshrimp.Backend/configuration.ini
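Review bot: When `chmod` returns a negative value, the `exitCode < 0` branch in the second hunk only logs and startup continues, so the socket keeps the mode it was created with, which may be more permissive than the one the operator configured. The parse-failure path a few lines above already terminates the process, and this branch should fail closed the same way by adding `Environment.Exit(1);` after the `LogError` call. The bare `catch` also discards the exception, so the log cannot distinguish a malformed value from an overflow; `catch (Exception e)` with `logger.LogError(e, …)` keeps the cause. `SetKestrelUnixSocketPermissions` continues past the end of this hunk.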
@@ -4,6 +4,7 @@ ListenHost = localhost
 ;; If you want to have the application listen on a unix socket instead, uncomment the line below. Make sure to configure filesystem permissions correctly!
 ;;ListenSocket = /var/run/iceshrimp/iceshrimp.net.sock
+;;ListenSocketPerms = 660
 ;; Caution: changing these settings after initial setup *will* break federation
 WebDomain = shrimp.example.org
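Review bot: The added `;;ListenSocketPerms = 660` line carries no explanation, while the option directly above it has a comment describing what it does. A line such as `;; Octal file mode applied to the unix socket on startup (default: 660). Granting access to "other" lets every local user connect to the backend directly.` would tell operators both the expected format and the exposure that comes with a wider mode.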