Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No way to specify specific abstract socket name with --allow-read/write. #24621

Open
maxmcd opened this issue Jul 17, 2024 · 0 comments
Open

No way to specify specific abstract socket name with --allow-read/write. #24621

maxmcd opened this issue Jul 17, 2024 · 0 comments
Labels
permissions related to --allow-* flags suggestion suggestions for new features (yet to be agreed)

Comments

@maxmcd
Copy link

maxmcd commented Jul 17, 2024
edited
Loading

Version: Deno 1.44.2

Abstract sockets play very nice with Deno's sandboxing module because --allow-read=foo.sock --allow-write=foo.sock allows the process to delete the socket and replace it with a file of the same name. With abstract sockets you can provide unix socket access without providing filesystem access! Neat! However, there is no way to name a specific abstract socket path using the command line arguments.

Source:

Deno.serve(
  {
    path: "\0sdfas",
    transport: "unix",
    onListen: async (s) => {
      const conn = await Deno.connect({
        path: "\0sdfas",
        transport: "unix",
      });
      console.log(s, conn.remoteAddr);
    },
  },
  (req: Request) => {
    return new Response("Hello, world!");
  }
);

What works:

$ deno run ./deno.ts
┌ ⚠️  Deno requests read access to "\0sdfas".
├ Requested by `Deno.serve()` API.
├ Run again with --allow-read to bypass this prompt.
└ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all read permissions) > ^C

$ deno run --allow-read ./deno.ts
┌ ⚠️  Deno requests write access to "\0sdfas".
├ Requested by `Deno.serve()` API.
├ Run again with --allow-write to bypass this prompt.
└ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all write permissions) > ^C

$ deno run --allow-read --allow-write ./deno.ts
{ transport: "unix", path: null } { transport: "unix", path: null }

What doesn't:

$ deno run --allow-read=\0sdfas --allow-write=\0sdfas ./deno.ts
┌ ⚠️  Deno requests read access to "\0sdfas".
├ Requested by `Deno.serve()` API.
├ Run again with --allow-read to bypass this prompt.
└ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all read permissions) >

$ deno run --allow-read=\x00sdfas --allow-write=\x00sdfas ./deno.ts
┌ ⚠️  Deno requests read access to "\0sdfas".
├ Requested by `Deno.serve()` API.
├ Run again with --allow-read to bypass this prompt.
└ Allow? [y/n/A] (y = yes, allow; n = no, deny; A = allow all read permissions) >

I believe this is an OS issue and not a deno issue, but maybe the interface could be expanded to somehow allow the naming of abstract sockets?

For prior art, echo has the flag -e that "enables the interpretation of backslash escapes". So "\0sdfas" would work with that flag set:

$ echo -e "\0foo" | hexdump -C
00000000  00 66 6f 6f 0a                                    |.foo.|
00000005
$ echo "\0foo" | hexdump -C
00000000  5c 30 66 6f 6f 0a                                 |\0foo.|
00000006

Although I can think of no other Deno command line arguments that would be benefitted by this addition :/
@lucacasonato lucacasonato added permissions related to --allow-* flags suggestion suggestions for new features (yet to be agreed) labels Aug 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
permissions related to --allow-* flags suggestion suggestions for new features (yet to be agreed)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@maxmcd @lucacasonato