scgi: bake in secure default socket permission

jesec · jesec · commit b391b3f72997 · 2021-01-23T14:47:13.000+08:00
diff --git a/doc/rtorrent.rc b/doc/rtorrent.rc
@@ -116,7 +116,6 @@ network.http.dns_cache_timeout.set = 25
 
 # XML-RPC interface
 network.scgi.open_local = (cat,(cfg.basedir),rtorrent.sock)
-execute.nothrow = chmod,770,(cat,(cfg.basedir),rtorrent.sock)
 
 # Logging:
 #   Levels = critical error warn notice info debug
diff --git a/src/rpc/scgi.cc b/src/rpc/scgi.cc
@@ -1,7 +1,9 @@
 // SPDX-License-Identifier: GPL-2.0-or-later
 // Copyright (C) 2005-2011, Jari Sundell <jaris@ifi.uio.no>
 
+#include <sys/stat.h>
 #include <sys/un.h>
+
 #include <torrent/connection_manager.h>
 #include <torrent/exceptions.h>
 #include <torrent/poll.h>
@@ -66,6 +68,9 @@ SCgi::open_named(const std::string& filename) {
   if (!get_fd().open_local())
     throw torrent::resource_error("Could not open socket for listening.");
 
+  // 700 permission by default
+  fchmod(get_fd().get_fd(), S_IRWXU);
+
   open(sa, offsetof(struct sockaddr_un, sun_path) + filename.size() + 1);
   m_path = filename;
 }
