Merge pull request #98 from hatlabs/feat/halpid-socket-group

mairas · web-flow · commit 8bf4807b46df · 2026-02-15T22:43:54.000+02:00
Use dedicated halpid group for socket access control
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 5.0.1
+current_version = 5.0.2
 commit = True
 tag = False
 
diff --git a/Cargo.toml b/Cargo.toml
@@ -3,7 +3,7 @@ members = ["halpid", "halpi", "halpi-common"]
 resolver = "2"
 
 [workspace.package]
-version = "5.0.1"
+version = "5.0.2"
 authors = ["Matti Airas <matti.airas@hatlabs.fi>"]
 edition = "2024"
 rust-version = "1.90"
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-5.0.1
+5.0.2
diff --git a/halpid/debian/halpid.postinst b/halpid/debian/halpid.postinst
@@ -12,9 +12,15 @@ case "$1" in
             chmod 755 /run/halpid
         fi
 
-        # Ensure the adm group exists (for socket access)
-        if ! getent group adm > /dev/null 2>&1; then
-            addgroup --system adm
+        # Create the halpid system group with fixed GID 960 (for socket access)
+        if ! getent group halpid > /dev/null 2>&1; then
+            addgroup --system --gid 960 halpid
+        fi
+
+        # Add the default user (UID 1000) to the halpid group for CLI access
+        DEFAULT_USER=$(getent passwd 1000 | cut -d: -f1)
+        if [ -n "$DEFAULT_USER" ]; then
+            adduser "$DEFAULT_USER" halpid || true
         fi
 
         # Reload systemd daemon to recognize new service
diff --git a/halpid/src/server/app.rs b/halpid/src/server/app.rs
@@ -59,7 +59,7 @@ pub async fn run_server(state: AppState) -> anyhow::Result<()> {
     let listener = UnixListener::bind(&socket_path)?;
 
     // Set socket permissions and group ownership
-    setup_socket_permissions(&socket_path, "adm").await?;
+    setup_socket_permissions(&socket_path, "halpid").await?;
 
     tracing::info!("HTTP server listening on {}", socket_path.display());
 
