Merge rpccookieperms_log_improvements-28+k

luke-jr · luke-jr · commit ec34bd875d15 · 2025-03-05T03:27:08.000Z
diff --git a/src/httprpc.cpp b/src/httprpc.cpp
@@ -25,6 +25,7 @@
 #include <optional>
 #include <set>
 #include <string>
+#include <utility>
 #include <vector>
 
 using util::SplitString;
@@ -308,7 +309,7 @@ static bool InitRPCAuthentication()
         }
 
         assert(strRPCUserColonPass.empty()); // Only support initializing once
-        if (!GenerateAuthCookie(&strRPCUserColonPass, cookie_perms)) {
+        if (!GenerateAuthCookie(&strRPCUserColonPass, std::make_pair(cookie_perms, bool(cookie_perms_arg)))) {
             return false;
         }
         if (strRPCUserColonPass.empty()) {
diff --git a/src/rpc/request.cpp b/src/rpc/request.cpp
@@ -16,6 +16,7 @@
 #include <fstream>
 #include <stdexcept>
 #include <string>
+#include <utility>
 #include <vector>
 
 /**
@@ -97,7 +98,7 @@ static fs::path GetAuthCookieFile(bool temp=false)
 
 static std::optional<std::string> g_generated_cookie;
 
-bool GenerateAuthCookie(std::string* cookie_out, std::optional<fs::perms> cookie_perms)
+bool GenerateAuthCookie(std::string* cookie_out, const std::pair<std::optional<fs::perms>, bool>& cookie_perms)
 {
     const size_t COOKIE_SIZE = 32;
     unsigned char rand_pwd[COOKIE_SIZE];
@@ -118,9 +119,9 @@ bool GenerateAuthCookie(std::string* cookie_out, std::optional<fs::perms> cookie
         return false;
     }
 
-    if (cookie_perms) {
+    if (cookie_perms.first) {
         std::error_code code;
-        fs::permissions(filepath_tmp, cookie_perms.value(), fs::perm_options::replace, code);
+        fs::permissions(filepath_tmp, cookie_perms.first.value(), fs::perm_options::replace, code);
         if (code) {
             LogWarning("Unable to set permissions on cookie authentication file %s", fs::PathToString(filepath_tmp));
             return false;
@@ -138,7 +139,9 @@ bool GenerateAuthCookie(std::string* cookie_out, std::optional<fs::perms> cookie
 
     g_generated_cookie = cookie;
     LogInfo("Generated RPC authentication cookie %s\n", fs::PathToString(filepath));
-    LogInfo("Permissions used for cookie: %s\n", PermsToSymbolicString(fs::status(filepath).permissions()));
+    LogInfo("Permissions used for cookie%s: %s\n",
+              (cookie_perms.first && cookie_perms.second) ? " (set by -rpccookieperms)" : "",
+              PermsToSymbolicString(fs::status(filepath).permissions()));
 
     if (cookie_out)
         *cookie_out = cookie;
diff --git a/src/rpc/request.h b/src/rpc/request.h
@@ -9,6 +9,7 @@
 #include <any>
 #include <optional>
 #include <string>
+#include <utility>
 
 #include <univalue.h>
 #include <util/fs.h>
@@ -24,7 +25,7 @@ UniValue JSONRPCReplyObj(UniValue result, UniValue error, std::optional<UniValue
 UniValue JSONRPCError(int code, const std::string& message);
 
 /** Generate a new RPC authentication cookie and write it to disk */
-bool GenerateAuthCookie(std::string* cookie_out, std::optional<fs::perms> cookie_perms=std::nullopt);
+bool GenerateAuthCookie(std::string* cookie_out, const std::pair<std::optional<fs::perms>, bool>& cookie_perms);
 /** Read the RPC authentication cookie from disk */
 bool GetAuthCookie(std::string *cookie_out);
 /** Delete RPC authentication cookie from disk */
diff --git a/src/util/fs_helpers.cpp b/src/util/fs_helpers.cpp
@@ -325,21 +325,37 @@ std::string PermsToSymbolicString(fs::perms p)
 {
     std::string perm_str(9, '-');
 
-    auto set_perm = [&](size_t pos, fs::perms required_perm, char letter) {
+    auto set_perm = [&](size_t pos, fs::perms required_perm, char letter, char else_letter = '\0') {
         if ((p & required_perm) != fs::perms::none) {
             perm_str[pos] = letter;
+        } else if (else_letter) {
+            perm_str[pos] = else_letter;
         }
     };
 
     set_perm(0, fs::perms::owner_read,   'r');
     set_perm(1, fs::perms::owner_write,  'w');
-    set_perm(2, fs::perms::owner_exec,   'x');
+    if ((p & fs::perms::owner_exec) != fs::perms::none) {
+        set_perm(2, fs::perms::set_uid,  's', 'x');
+    } else {
+        set_perm(2, fs::perms::set_uid,  'S');
+    }
+
     set_perm(3, fs::perms::group_read,   'r');
     set_perm(4, fs::perms::group_write,  'w');
-    set_perm(5, fs::perms::group_exec,   'x');
+    if ((p & fs::perms::group_exec) != fs::perms::none) {
+        set_perm(5, fs::perms::set_gid,  's', 'x');
+    } else {
+        set_perm(5, fs::perms::set_gid,  'S');
+    }
+
     set_perm(6, fs::perms::others_read,  'r');
     set_perm(7, fs::perms::others_write, 'w');
-    set_perm(8, fs::perms::others_exec,  'x');
+    if ((p & fs::perms::others_exec)  != fs::perms::none) {
+        set_perm(8, fs::perms::sticky_bit, 't', 'x');
+    } else {
+        set_perm(8, fs::perms::sticky_bit, 'T');
+    }
 
     return perm_str;
 }

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@`
`25`	`25`	`#include <optional>`
`26`	`26`	`#include <set>`
`27`	`27`	`#include <string>`
	`28`	`+#include <utility>`
`28`	`29`	`#include <vector>`
`29`	`30`
`30`	`31`	`using util::SplitString;`
`@@ -308,7 +309,7 @@ static bool InitRPCAuthentication()`
`308`	`309`	`}`
`309`	`310`
`310`	`311`	`assert(strRPCUserColonPass.empty()); // Only support initializing once`
`311`		`- if (!GenerateAuthCookie(&strRPCUserColonPass, cookie_perms)) {`
	`312`	`+ if (!GenerateAuthCookie(&strRPCUserColonPass, std::make_pair(cookie_perms, bool(cookie_perms_arg)))) {`
`312`	`313`	`return false;`
`313`	`314`	`}`
`314`	`315`	`if (strRPCUserColonPass.empty()) {`