Skip to content

Add options to change mode, user, and group of API server socket #612

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rogerlz merged 5 commits into from
Mar 10, 2025
Merged

Add options to change mode, user, and group of API server socket #612

rogerlz merged 5 commits into from
Mar 10, 2025

Conversation

@synthead
Copy link
Contributor

@synthead synthead commented Mar 6, 2025
edited
Loading

Closes #604!

This PR adds three new options to klippy.py, as seen from this truncated help page:

  --api-server-user=APISERVER_USER
                        api server unix domain socket user
  --api-server-group=APISERVER_GROUP
                        api server unix domain socket group
  --api-server-file-mode=APISERVER_FILE_MODE
                        api server unix domain socket file mode

These options allow user to change the user, group, and file mode of the API server socket, i.e. /run/kalico/ud_sock.

For example, these options...

/usr/bin/python /usr/lib/kalico/klippy/klippy.py \
  /etc/kalico/kalico.cfg \
  --input-tty=/run/kalico/sock \
  --api-server=/run/kalico/ud_sock \
  --api-server-group=tty \
  --api-server-file-mode=660

...will create /run/kalico/ud_sock like so:

srw-rw---- 1 kalico tty     0 Mar  5 21:30 ud_sock

From a UNIX permissions perspective, it's a good idea to have Moonraker and Kalico run as different users. Kalico typically has access to hardware, video, network, etc., and if Moonraker runs as the same user, then Moonraker also has access to these things. Moonraker is an API server that should only be communicating with Kalico, and should not have access to the extra privileges Kalico requires. For example, if an RCE in Moonraker is discovered, then the attacker will have access to these elevated permissions.

With this PR, the principle of least permissions can be applied between Kalico, Moonraker, and other software. The socket can be given 660 permissions with a special group, and as long as the Moonraker user is in this group, then it can read/write to the socket without additional permissions.

If the end user doesn't need these features, then no biggie: this PR is not a breaking change, and there will be no behavioral difference before and after this PR without these options set 👍

Checklist

  • pr title makes sense
  • added a test case if possible
  • if new feature, added to the readme
  • ci is happy and green

@synthead synthead requested a review from a team as a code owner March 6, 2025 05:19
@synthead synthead changed the title Add options to change mode, user, and group to API server socket Add options to change mode, user, and group of API server socket Mar 6, 2025
@rogerlz rogerlz merged commit 2b52087 into KalicoCrew:main Mar 10, 2025
2 checks passed
@rogerlz
Copy link
Contributor

rogerlz commented Mar 10, 2025

nice one. Thanks!

@Laikulo Laikulo mentioned this pull request May 16, 2025
Merged
4 tasks
liampwll pushed a commit to liampwll/kalico that referenced this pull request Oct 16, 2025
@synthead @liampwll
Add options to change mode, user, and group of API server socket (Kal…
9510c5f 
…icoCrew#612)

* Add options to change mode, user, and group to API socket.

* Add newline between classes in webhooks.py.

* Add API server socket permissions PR to README.md.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add support for setting file mode and group ownership for Klippy API server socket

2 participants

@synthead @rogerlz