From 50d8d1a8c7cf10580049712bdf5048ffbd737242 Mon Sep 17 00:00:00 2001
From: Ilya Zlobintsev
Date: Mon, 8 Feb 2021 16:18:07 +0200
Subject: [PATCH] Restrict socket access
---
 README.md | 2 ++
 daemon/src/lib.rs | 8 +++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index abea6dd..797a331 100644
--- a/README.md
+++ b/README.md
@@ -34,3 +34,5 @@ Enable and start the service (otherwise you won't be able to change any settings
 sudo systemctl enable --now lactd
 ```
 You can now use the application.
+
+Note: only members of the group `wheel` can change settings.
\ No newline at end of file
diff --git a/daemon/src/lib.rs b/daemon/src/lib.rs
index 42b8899..7e83967 100644
--- a/daemon/src/lib.rs
+++ b/daemon/src/lib.rs
@@ -54,10 +54,16 @@ impl Daemon {
 let listener = UnixListener::bind(SOCK_PATH).unwrap();
 Command::new("chmod")
- .arg("666")
+ .arg("664")
 .arg(SOCK_PATH)
 .output()
 .expect("Failed to chmod");
+
+ Command::new("chown")
+ .arg("nobody:wheel")
+ .arg(SOCK_PATH)
+ .output()
+ .expect("Failed to chown");
 let config_path = PathBuf::from("/etc/lact.json");
 let mut config = if unprivileged {
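Review bot: The added `chown` makes `nobody` the socket owner, and with mode `664` the owner bits give that shared account read/write on the control socket, so as far as the socket's own mode goes any process running as `nobody` can still connect to the daemon. Keeping root as owner and dropping the bits for others would match the README's "only members of the group `wheel`": `.arg("660")` and `.arg("root:wheel")`. Both calls also only `expect` that the helper could be spawned; `.output()` returns `Ok` when `chmod` or `chown` exits non-zero (for instance on a host without a `wheel` group), so a failure goes unnoticed — check `.status.success()` on the result before continuing. The enclosing function begins and ends outside this hunk.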