From 6d8b6dcf982001f1c1fe8789c67e161159065c09 Mon Sep 17 00:00:00 2001
From: Bartosz Sosnowski <bartosz@janeasystems.com>
Date: Thu, 8 Mar 2018 00:09:24 +0100
Subject: [PATCH] net: allow IPC servers be accessible by all

Adds mappings to uv_pipe_chmod call by adding two new options to
listen call. This allows the IPC server pipe to be made readable or
writable by all users.

Fixes: https://github.com/nodejs/node/issues/19154
---
 doc/api/net.md                               |  8 ++++++++
 lib/net.js                                   | 13 ++++++++++++
 src/pipe_wrap.cc                             | 15 ++++++++++++++
 src/pipe_wrap.h                              |  1 +
 test/parallel/test-net-server-listen-path.js | 21 ++++++++++++++++++++
 5 files changed, 58 insertions(+)

diff --git a/doc/api/net.md b/doc/api/net.md
index 21d14fc7068bc5..31988d40fd1548 100644
--- a/doc/api/net.md
+++ b/doc/api/net.md
@@ -259,6 +259,10 @@ added: v0.11.14
   * `backlog` {number} Common parameter of [`server.listen()`][]
     functions.
   * `exclusive` {boolean} **Default:** `false`
+  * `readableAll` {boolean} For IPC servers makes the pipe readable
+    for all users. **Default:** `false`
+  * `writableAll` {boolean} For IPC servers makes the pipe writable
+    for all users. **Default:** `false`
 * `callback` {Function} Common parameter of [`server.listen()`][]
   functions.
 * Returns: {net.Server}
@@ -284,6 +288,10 @@ server.listen({
 });
 ```
 
+Starting an IPC server as root may cause the server path to be inaccessible for
+unprivileged users. Using `readableAll` and `writableAll` will make the server
+accessible for all users.
+
 #### server.listen(path[, backlog][, callback])
 <!-- YAML
 added: v0.1.90
diff --git a/lib/net.js b/lib/net.js
index 5537c472fe05e3..bbb6fe0122e4df 100644
--- a/lib/net.js
+++ b/lib/net.js
@@ -1475,6 +1475,19 @@ Server.prototype.listen = function(...args) {
     backlog = options.backlog || backlogFromArgs;
     listenInCluster(this, pipeName, -1, -1,
                     backlog, undefined, options.exclusive);
+    let mode = 0;
+    if (options.readableAll === true)
+      mode |= PipeConstants.UV_READABLE;
+    if (options.writableAll === true)
+      mode |= PipeConstants.UV_WRITABLE;
+    if (mode !== 0) {
+      const err = this._handle.fchmod(mode);
+      if (err) {
+        this._handle.close();
+        this._handle = null;
+        throw errnoException(err, 'uv_pipe_chmod');
+      }
+    }
     return this;
   }
 
diff --git a/src/pipe_wrap.cc b/src/pipe_wrap.cc
index f3a88a2ecc80c3..52e3f2730ed125 100644
--- a/src/pipe_wrap.cc
+++ b/src/pipe_wrap.cc
@@ -98,6 +98,8 @@ void PipeWrap::Initialize(Local<Object> target,
   env->SetProtoMethod(t, "setPendingInstances", SetPendingInstances);
 #endif
 
+  env->SetProtoMethod(t, "fchmod", Fchmod);
+
   target->Set(pipeString, t->GetFunction());
   env->set_pipe_constructor_template(t);
 
@@ -114,6 +116,8 @@ void PipeWrap::Initialize(Local<Object> target,
   NODE_DEFINE_CONSTANT(constants, SOCKET);
   NODE_DEFINE_CONSTANT(constants, SERVER);
   NODE_DEFINE_CONSTANT(constants, IPC);
+  NODE_DEFINE_CONSTANT(constants, UV_READABLE);
+  NODE_DEFINE_CONSTANT(constants, UV_WRITABLE);
   target->Set(context,
               FIXED_ONE_BYTE_STRING(env->isolate(), "constants"),
               constants).FromJust();
@@ -184,6 +188,17 @@ void PipeWrap::SetPendingInstances(const FunctionCallbackInfo<Value>& args) {
 #endif
 
 
+void PipeWrap::Fchmod(const v8::FunctionCallbackInfo<v8::Value>& args) {
+  PipeWrap* wrap;
+  ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
+  CHECK(args[0]->IsInt32());
+  int mode = args[0].As<Int32>()->Value();
+  int err = uv_pipe_chmod(reinterpret_cast<uv_pipe_t*>(&wrap->handle_),
+                          mode);
+  args.GetReturnValue().Set(err);
+}
+
+
 void PipeWrap::Listen(const FunctionCallbackInfo<Value>& args) {
   PipeWrap* wrap;
   ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
diff --git a/src/pipe_wrap.h b/src/pipe_wrap.h
index 5a611c0f94b639..d6e45c28ff7822 100644
--- a/src/pipe_wrap.h
+++ b/src/pipe_wrap.h
@@ -63,6 +63,7 @@ class PipeWrap : public ConnectionWrap<PipeWrap, uv_pipe_t> {
   static void SetPendingInstances(
       const v8::FunctionCallbackInfo<v8::Value>& args);
 #endif
+  static void Fchmod(const v8::FunctionCallbackInfo<v8::Value>& args);
 };
 
 
diff --git a/test/parallel/test-net-server-listen-path.js b/test/parallel/test-net-server-listen-path.js
index b16b7c7ba81236..22ad50f11ea2f6 100644
--- a/test/parallel/test-net-server-listen-path.js
+++ b/test/parallel/test-net-server-listen-path.js
@@ -2,6 +2,8 @@
 
 const common = require('../common');
 const net = require('net');
+const assert = require('assert');
+const fs = require('fs');
 
 const tmpdir = require('../common/tmpdir');
 tmpdir.refresh();
@@ -48,3 +50,22 @@ function randomPipePath() {
   net.createServer()
     .listen({ path: handlePath }, closeServer());
 }
+
+// Test pipe chmod
+{
+  const handlePath = randomPipePath();
+
+  const srv = net.createServer()
+    .listen({
+      path: handlePath,
+      readableAll: true,
+      writableAll: true
+    }, common.mustCall(() => {
+      if (process.platform !== 'win32') {
+        const mode = fs.statSync(handlePath).mode;
+        assert.ok(mode & fs.constants.S_IROTH !== 0);
+        assert.ok(mode & fs.constants.S_IWOTH !== 0);
+      }
+      srv.close();
+    }));
+}