
lib/config, gui: Set unix socket permissions for GUI listen address (fixes #5979) (#6310)

Tyler Kropp 5 anos atrás
pai
commit
4026625c2d

+ 7 - 0
gui/default/syncthing/core/syncthingController.js

@@ -2491,4 +2491,11 @@ angular.module('syncthing.core')
             $scope.config.options.crashReportingEnabled = enabled;
             $scope.saveConfig();
         };
+
+        $scope.isUnixAddress = function (address) {
+            return address != null &&
+                (address.startsWith('/') ||
+                    address.startsWith('unix://') ||
+                    address.startsWith('unixs://'));
+        }
     });
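Review bot: The `isUnixAddress` assignment ends with a bare `}` while the handler just above it ends with `};`, so the statement relies on automatic semicolon insertion; close it with `};`. The prefix test also repeats on the client the server's decision about what counts as a unix listener (`guiCfg.Network() == "unix"` in lib/api/api.go), so the permissions field can be shown or hidden for an address the server classifies differently. A short comment such as `// Keep in sync with GUIConfiguration.Network() in lib/config.` would record that coupling. The enclosing controller callback starts outside the hunk.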

+ 7 - 0
gui/default/syncthing/settings/settingsModalView.html

@@ -172,6 +172,13 @@
               </div>
             </div>
             <div class="col-md-6">
+              <div ng-if="isUnixAddress(tmpGUI.address)" class="form-group" ng-class="{'has-error': settingsEditor.UnixSocketPermissions.$invalid && settingsEditor.UnixSocketPermissions.$dirty}">
+                <label translate>UNIX Permissions</label>
+                <input id="UnixSocketPermissions" name="UnixSocketPermissions" class="form-control" type="text" ng-model="tmpGUI.unixSocketPermissions" ng-pattern="/^0?[0-7]{0,3}$/" />
+                <p class="help-block" ng-show="settingsEditor.UnixSocketPermissions.$invalid" translate>
+                  Enter up to three octal digits.
+                </p>
+              </div>
             </div>
           </div>
         </div>
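Review bot: The new UNIX Permissions input does not say what the mode protects, and its only help text, `Enter up to three octal digits.`, is shown just when the pattern fails. The mode decides which local accounts can open the GUI/API socket, so a value such as 666 or 777 leaves GUI authentication as the only barrier against other users on the machine. An always-visible help block, for example `<p class="help-block" translate>Octal file mode for the socket, e.g. 0660. Leave empty to keep the system default.</p>`, would make that clear. The pattern also accepts a leading `0` followed by three digits, which the error text does not mention, and the `<label>` lacks `for="UnixSocketPermissions"`.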

+ 9 - 0
lib/api/api.go

@@ -187,6 +187,15 @@ func (s *service) getListener(guiCfg config.GUIConfiguration) (net.Listener, err
 		return nil, err
 	}
 
+	if guiCfg.Network() == "unix" && guiCfg.UnixSocketPermissions() != 0 {
+		// We should error if this fails under the assumption that these permissions are
+		// required for operation.
+		err = os.Chmod(guiCfg.Address(), guiCfg.UnixSocketPermissions())
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	listener := &tlsutil.DowngradingListener{
 		Listener:  rawListener,
 		TLSConfig: tlsCfg,
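Review bot: When `os.Chmod` fails, the added branch returns without closing `rawListener`, so the already-bound socket stays open and a later retry may fail on the address still being in use; add `rawListener.Close()` before `return nil, err`. The returned error would also be easier to diagnose with context, e.g. `fmt.Errorf("setting permissions on GUI socket: %w", err)`. The mode is applied only after the socket exists, so until the chmod runs the file presumably carries whatever the process umask produced. If the configured mode is meant to restrict access, that window deserves a comment or a restrictive parent directory. getListener starts and ends outside the hunk, so the listener creation is inferred from the `rawListener` use below.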

+ 11 - 0
lib/config/guiconfiguration.go

@@ -9,12 +9,14 @@ package config
 import (
 	"net/url"
 	"os"
+	"strconv"
 	"strings"
 )
 
 type GUIConfiguration struct {
 	Enabled                   bool     `xml:"enabled,attr" json:"enabled" default:"true"`
 	RawAddress                string   `xml:"address" json:"address" default:"127.0.0.1:8384"`
+	RawUnixSocketPermissions  string   `xml:"unixSocketPermissions,omitempty" json:"unixSocketPermissions"`
 	User                      string   `xml:"user,omitempty" json:"user"`
 	Password                  string   `xml:"password,omitempty" json:"password"`
 	AuthMode                  AuthMode `xml:"authMode,omitempty" json:"authMode"`
@@ -59,6 +61,15 @@ func (c GUIConfiguration) Address() string {
 	return c.RawAddress
 }
 
+func (c GUIConfiguration) UnixSocketPermissions() os.FileMode {
+	perm, err := strconv.ParseUint(c.RawUnixSocketPermissions, 8, 32)
+	if err != nil {
+		// ignore incorrectly formatted permissions
+		return 0
+	}
+	return os.FileMode(perm) & os.ModePerm
+}
+
 func (c GUIConfiguration) Network() string {
 	if override := os.Getenv("STGUIADDRESS"); strings.Contains(override, "/") {
 		url, err := url.Parse(override)
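Review bot: `UnixSocketPermissions` returns 0 for any value `strconv.ParseUint` rejects, and lib/api/api.go treats 0 as "nothing to apply", so a mistyped mode silently leaves the socket with its default permissions. That contradicts the chmod path, whose comment says failures must be reported because the permissions are assumed to be required. Malformed input should be surfaced at least once, for example by validating `RawUnixSocketPermissions` when the configuration is loaded. The `& os.ModePerm` mask likewise drops a leading special-bits digit (`1770` becomes `0770`) without telling the user. The exported method also needs a doc comment, e.g. `// UnixSocketPermissions returns the configured socket mode, or 0 when the value is empty or not valid octal.`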