-rw-r--r-- | admin_test.go | 16 | ||||
-rw-r--r-- | helpers.go | 8 |
2 files changed, 24 insertions, 0 deletions
diff --git a/admin_test.go b/admin_test.go
index b6ccac09..7ceaa82a 100644
--- a/admin_test.go
+++ b/admin_test.go
@@ -6,6 +6,7 @@ import (
 "net"
 "net/http"
 "net/http/httptest"
+ "os"
 "testing"
 "time"
 
@@ -25,6 +26,21 @@ var (
 adminToken = "super-secret\n"
 )
 
+func TestAdminUnixPermissions(t *testing.T) {
+ socketPath := "admin.socket"
+ // Use "../../" because the pages executable cd's into shared/pages
+ adminArgs := append(adminSecretArgs, "-admin-unix-listener", "../../"+socketPath)
+ teardown := RunPagesProcessWithoutWait(t, *pagesBinary, listeners, "", adminArgs...)
+ defer teardown()
+
+ waitHTTP2RoundTripUnix(t, socketPath)
+
+ st, err := os.Stat(socketPath)
+ require.NoError(t, err)
+ expectedMode := os.FileMode(0777)
+ require.Equal(t, expectedMode, st.Mode()&expectedMode, "file permissions of unix socket")
+}
+
 func TestAdminHealthCheckUnix(t *testing.T) {
 socketPath := "admin.socket"
 // Use "../../" because the pages executable cd's into shared/pages
@@ -37,6 +37,14 @@ func createUnixSocket(addr string) (net.Listener, *os.File) {
 fatal(err)
 }
 
+ // This socket should be world-accessible; we have authentication at the
+ // application level. When pages runs with privilege separation, the
+ // default permissions will prevent gitlab-rails from connecting to the
+ // admin socket.
+ if err := os.Chmod(addr, 0777); err != nil {
+ fatal(err)
+ }
+
 return l, fileForListener(l)
 } |
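Review bot: TestAdminUnixPermissions pins the socket mode at 0777 but carries no comment saying why a world-accessible admin socket is the intended outcome, and it never checks that the path it stats is actually a socket. I would add a doc comment such as `// TestAdminUnixPermissions verifies that other local users can connect to the admin socket; access control is left to the admin token.` and assert the file type with `require.NotZero(t, st.Mode()&os.ModeSocket, "admin path is a unix socket")`. If the mode set in createUnixSocket is later narrowed, `expectedMode` is the one value here that has to follow it.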
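Review bot: `os.Chmod(addr, 0777)` in createUnixSocket (helpers.go per the diffstat; its file header is missing from this page) grants more than the comment's goal needs. Connecting to a Unix socket on Linux needs only write permission, so `os.Chmod(addr, 0666)` would do, and `0660` with a group shared by pages and gitlab-rails would keep other local accounts away from the admin API entirely. With the socket open to every local user the admin token is the only barrier, so the comment should state that the token must be high-entropy and that the parent directory's permissions are the remaining filesystem control. The chmod is also path-based and runs after the socket is created; the function begins above the hunk, so I cannot see the directory setup, but if that directory is writable by a less-privileged user while pages still holds privileges, the path could be replaced before the chmod applies. It is worth confirming the directory is owned by the pages user and is not group- or world-writable.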