From a59f0ae535eb2dbeb3d72669ea12f6fa07bbc35b Mon Sep 17 00:00:00 2001
From: glattercj
Date: Fri, 2 Aug 2024 08:52:28 -0600
Subject: [PATCH] feat(ui): add optional --unix-socket-gid flag to the ui subcommand
Adds an optional (and hidden) flag for specifying a group ID to apply group ownership to the unix-socket. Also sets the permissions to be group-writable. Use case: phenix starts from within a docker container as the root user, but normal users wish to be able to use the unix-socket to communicate with phenix (without having to switch to root). This allows the users to be a member of the group specified in the flag and have write access to the socket.
---
 src/go/cmd/ui.go | 6 ++++++
 src/go/web/option.go | 8 ++++++++
 src/go/web/server.go | 10 ++++++++++
 3 files changed, 24 insertions(+)
diff --git a/src/go/cmd/ui.go b/src/go/cmd/ui.go
index fcca75b9..63bc6dd7 100644
--- a/src/go/cmd/ui.go
+++ b/src/go/cmd/ui.go
@@ -37,6 +37,7 @@ func newUICmd() *cobra.Command {
 web.ServeMinimegaLogs(viper.GetString("ui.logs.minimega-path")),
 web.ServeWithFeatures(viper.GetStringSlice("ui.features")),
 web.ServeWithProxyAuthHeader(viper.GetString("ui.proxy-auth-header")),
+ web.ServeWithUnixSocketGid(viper.GetInt("unix-socket-gid")),
 }
 if endpoint := viper.GetString("ui.unix-socket-endpoint"); endpoint != "" {
@@ -154,6 +155,11 @@ func newUICmd() *cobra.Command {
 cmd.Flags().MarkHidden("log-requests")
 cmd.Flags().MarkHidden("log-full")
+ cmd.Flags().Int("unix-socket-gid", -1, "group id to allow writes to the unix socket")
+ cmd.Flags().MarkHidden("unix-socket-gid")
+ viper.BindPFlag("unix-socket-gid", cmd.Flags().Lookup("unix-socket-gid"))
+ viper.BindEnv("unix-socket-gid")
+
 return cmd
 }
diff --git a/src/go/web/option.go b/src/go/web/option.go
index 2f172971..bd330d79 100644
--- a/src/go/web/option.go
+++ b/src/go/web/option.go
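Review bot: `viper.GetInt("unix-socket-gid")` in the option list of the first ui.go hunk returns 0 when the stored value does not parse as an integer, and 0 is not the `-1` sentinel that server.go tests for, so a malformed config or environment value would hand the socket to gid 0 instead of leaving it alone. Reading the value once and rejecting anything that is neither -1 nor a non-negative integer before building the option would make that failure visible. The key also lacks the `ui.` prefix its neighbours use (`ui.features`, `ui.proxy-auth-header`, `ui.unix-socket-endpoint`); `ui.unix-socket-gid` would be consistent, here and in the bindings of the second hunk. newUICmd begins and ends outside this hunk.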
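Review bot: The errors returned by `viper.BindPFlag` and `viper.BindEnv` in the second ui.go hunk are dropped, so a failed binding goes unnoticed for a setting that changes who may write to the socket; check them, or say in a comment why they can be ignored. The help string should also state what the default means, for example `"group id given write access to the unix socket (-1 leaves the socket's group unchanged)"`. Because the flag is hidden and the commit message describes a server running as root, a short comment above the flag noting that members of this group can communicate with phenix over the socket would help whoever audits a deployment.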
@@ -35,6 +35,8 @@ type serverOptions struct {
 proxyAuthHeader string
 features map[string]bool
+
+ unixSocketGid int
 }
 func newServerOptions(opts ...ServerOption) serverOptions {
@@ -173,6 +175,12 @@ func ServeWithFeatures(f []string) ServerOption {
 }
 }
+func ServeWithUnixSocketGid(g int) ServerOption {
+ return func(o *serverOptions) {
+ o.unixSocketGid = g
+ }
+}
+
 // GET /options
 func GetOptions(w http.ResponseWriter, r *http.Request) error {
 plog.Debug("HTTP handler called", "handler", "GetOptions")
diff --git a/src/go/web/server.go b/src/go/web/server.go
index 7e14f772..0f53fdaa 100644
--- a/src/go/web/server.go
+++ b/src/go/web/server.go
@@ -316,6 +316,16 @@ func Start(opts ...ServerOption) error {
 return err
 }
+ if o.unixSocketGid != -1 {
+ plog.Info("setting Unix socket group permissions", "gid", o.unixSocketGid)
+ if err = os.Chown(common.UnixSocket, -1, o.unixSocketGid); err != nil {
+ return err
+ }
+ if err := os.Chmod(common.UnixSocket, 0775); err != nil {
+ return err
+ }
+ }
+
 go func() {
 if err := server.Serve(listener); err != nil {
 plog.Error("serving Unix socket", "err", err)
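Review bot: The new `unixSocketGid int` field in the first option.go hunk has a zero value of 0, while server.go treats only -1 as "not set", so a caller of Start that omits ServeWithUnixSocketGid would have the socket chowned to gid 0 and made group-writable unless newServerOptions sets a default. The body of newServerOptions is outside this hunk, so confirm it sets `unixSocketGid` to -1 before applying opts. A comment on the field such as `// group ID given ownership of the Unix socket; -1 leaves it unchanged` would record the sentinel next to the data.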
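Review bot: ServeWithUnixSocketGid in the second option.go hunk is exported but has no doc comment, and nothing here records that -1 is the value that disables the change. Suggested comment: `// ServeWithUnixSocketGid sets the group ID that is given ownership of the Unix socket and write access to it; -1 leaves the socket's group and mode unchanged.` Go's initialism convention would spell the name `ServeWithUnixSocketGID`; that is a rename across ui.go as well, so it is easiest to decide before other callers depend on the name.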
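Review bot: `os.Chmod(common.UnixSocket, 0775)` in the server.go hunk grants more than the stated use case needs: on Linux, connecting to a Unix socket requires write permission on it, so `0660` gives the owner and the chosen group access without the execute bits and without read for everyone else. The guard `o.unixSocketGid != -1` also passes every other negative value to `os.Chown`; `if o.unixSocketGid >= 0 {` rejects those. The two calls mix `err =` and `err :=`, and one form should be used for both. If either call fails, Start returns while the listener created earlier is presumably still open and the socket file still present; that code is outside the hunk, so confirm the error paths clean up.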