fix(sidecar): use fchown via SO_PEERCRED to grant cross-user SHM access

In PHP-FPM thread mode the master process runs as root and spawns worker
processes as www-data. Named POSIX SHM objects were created with 0600
(owner-only), so workers could not open them for writing.

The correct fix is to fchown() the SHM to the worker's UID after creation.
The worker UID is obtained via SO_PEERCRED (peer_cred()) on the first
accepted Unix socket connection in the thread listener, before the SHM
lazy-lock is initialized.

Changes:
- Replace set_shm_open_mode/SHM_OPEN_MODE with set_shm_owner_uid/SHM_OWNER_UID
  in both mem_handle.rs and mem_handle_macos.rs
- Call fchown(fd, worker_uid, None) in NamedShmHandle::create_mode() when
  SHM_OWNER_UID is set; restore default mode to S_IWUSR|S_IRUSR (0600)
- Add nix "user" feature to datadog-ipc for fchown/Uid support
- Add init_shm_eagerly field to MainLoopConfig (default true); thread mode
  sets it false to defer SHM initialization to first connection
- In accept_socket_loop_thread: use FIRST_CONNECTION_INIT OnceLock to call
  set_shm_owner_uid(peer_uid) then init SHM_LIMITER exactly once on first
  worker connection
- Remove ddog_sidecar_set_shm_open_mode FFI function (no longer needed)

Author: Leiyks

datadog-ipc/Cargo.toml

@@ -44,7 +44,7 @@ tracing-subscriber = { version = "0.3.22" }
 spawn_worker = { path = "../spawn_worker" }
 
 [target.'cfg(not(windows))'.dependencies]
-nix = { version = "0.29", features = ["fs", "mman", "process", "poll", "socket"] }
+nix = { version = "0.29", features = ["fs", "mman", "process", "poll", "socket", "user"] }
 sendfd = { version = "0.4", features = ["tokio"] }
 tokio = { version = "1.23", features = ["sync", "io-util", "signal"] }
 

datadog-ipc/src/platform/unix/mem_handle.rs

@@ -10,16 +10,20 @@ use nix::errno::Errno;
 use nix::fcntl::{open, OFlag};
 use nix::sys::mman::{self, mmap, munmap, MapFlags, ProtFlags};
 use nix::sys::stat::Mode;
-use nix::unistd::{ftruncate, mkdir, unlink};
+use nix::unistd::{fchown, ftruncate, mkdir, unlink, Uid};
 use nix::NixPath;
 use std::ffi::{CStr, CString};
 use std::fs::File;
 use std::io;
 use std::num::NonZeroUsize;
 use std::os::fd::AsFd;
 use std::os::unix::fs::MetadataExt;
+use std::os::unix::io::AsRawFd;
 use std::sync::atomic::{AtomicI32, AtomicU32, Ordering};
 
+// Sentinel value meaning "no owner UID override"
+const NO_OWNER_UID: u32 = u32::MAX;
+
 fn fallback_path<P: ?Sized + NixPath>(name: &P) -> nix::Result<CString> {
     name.with_nix_path(|cstr| {
         let mut path = "/tmp/libdatadog".to_string().into_bytes();
@@ -95,14 +99,19 @@ pub(crate) fn munmap_handle<T: MemoryHandle>(mapped: &mut MappedMem<T>) {
 
 static ANON_SHM_ID: AtomicI32 = AtomicI32::new(0);
 
-static SHM_OPEN_MODE: AtomicU32 = AtomicU32::new(0o600);
+static SHM_OWNER_UID: AtomicU32 = AtomicU32::new(NO_OWNER_UID);
 
-pub fn set_shm_open_mode(mode: u32) {
-    SHM_OPEN_MODE.store(mode, Ordering::Relaxed);
+pub fn set_shm_owner_uid(uid: u32) {
+    SHM_OWNER_UID.store(uid, Ordering::Relaxed);
 }
 
-fn shm_open_mode() -> Mode {
-    Mode::from_bits_truncate(SHM_OPEN_MODE.load(Ordering::Relaxed))
+fn shm_owner_uid() -> Option<u32> {
+    let uid = SHM_OWNER_UID.load(Ordering::Relaxed);
+    if uid == NO_OWNER_UID {
+        None
+    } else {
+        Some(uid)
+    }
 }
 
 impl ShmHandle {
@@ -149,12 +158,15 @@ impl ShmHandle {
 
 impl NamedShmHandle {
     pub fn create(path: CString, size: usize) -> io::Result<NamedShmHandle> {
-        Self::create_mode(path, size, shm_open_mode())
+        Self::create_mode(path, size, Mode::S_IWUSR | Mode::S_IRUSR)
     }
 
     pub fn create_mode(path: CString, size: usize, mode: Mode) -> io::Result<NamedShmHandle> {
         let fd = shm_open(path.as_bytes(), OFlag::O_CREAT | OFlag::O_RDWR, mode)?;
         ftruncate(&fd, size as off_t)?;
+        if let Some(uid) = shm_owner_uid() {
+            let _ = fchown(fd.as_raw_fd(), Some(Uid::from_raw(uid)), None);
+        }
         Self::new(fd, Some(path), size)
     }
 

datadog-ipc/src/platform/unix/mem_handle_macos.rs

@@ -9,11 +9,12 @@ use nix::errno::Errno;
 use nix::fcntl::OFlag;
 use nix::sys::mman::{mmap, munmap, shm_open, shm_unlink, MapFlags, ProtFlags};
 use nix::sys::stat::Mode;
-use nix::unistd::ftruncate;
+use nix::unistd::{fchown, ftruncate, Uid};
 use std::ffi::{CStr, CString};
 use std::io;
 use std::num::NonZeroUsize;
 use std::os::fd::{AsFd, OwnedFd};
+use std::os::unix::io::AsRawFd;
 use std::sync::atomic::{AtomicI32, AtomicU32, AtomicUsize, Ordering};
 
 const MAPPING_MAX_SIZE: usize = 1 << 17; // 128 MiB ought to be enough for everybody?
@@ -69,14 +70,21 @@ pub(crate) fn munmap_handle<T: MemoryHandle>(mapped: &MappedMem<T>) {
 
 static ANON_SHM_ID: AtomicI32 = AtomicI32::new(0);
 
-static SHM_OPEN_MODE: AtomicU32 = AtomicU32::new(0o600);
+const NO_OWNER_UID: u32 = u32::MAX;
 
-pub fn set_shm_open_mode(mode: u32) {
-    SHM_OPEN_MODE.store(mode, Ordering::Relaxed);
+static SHM_OWNER_UID: AtomicU32 = AtomicU32::new(NO_OWNER_UID);
+
+pub fn set_shm_owner_uid(uid: u32) {
+    SHM_OWNER_UID.store(uid, Ordering::Relaxed);
 }
 
-fn shm_open_mode() -> Mode {
-    Mode::from_bits_truncate(SHM_OPEN_MODE.load(Ordering::Relaxed) as u16)
+fn shm_owner_uid() -> Option<u32> {
+    let uid = SHM_OWNER_UID.load(Ordering::Relaxed);
+    if uid == NO_OWNER_UID {
+        None
+    } else {
+        Some(uid)
+    }
 }
 
 impl ShmHandle {
@@ -110,7 +118,7 @@ fn path_slice(path: &CStr) -> &[u8] {
 
 impl NamedShmHandle {
     pub fn create(path: CString, size: usize) -> io::Result<NamedShmHandle> {
-        Self::create_mode(path, size, shm_open_mode())
+        Self::create_mode(path, size, Mode::S_IWUSR | Mode::S_IRUSR)
     }
 
     pub fn create_mode(path: CString, size: usize, mode: Mode) -> io::Result<NamedShmHandle> {
@@ -122,6 +130,9 @@ impl NamedShmHandle {
                 truncate?;
             }
         }
+        if let Some(uid) = shm_owner_uid() {
+            let _ = fchown(fd.as_raw_fd(), Some(Uid::from_raw(uid)), None);
+        }
         Self::new(fd, Some(path), size)
     }
 

datadog-ipc/src/platform/unix/mod.rs

@@ -19,11 +19,11 @@ pub(crate) use mem_handle_macos::*;
 #[cfg(not(target_os = "macos"))]
 mod mem_handle;
 #[cfg(not(target_os = "macos"))]
-pub use mem_handle::set_shm_open_mode;
+pub use mem_handle::set_shm_owner_uid;
 #[cfg(not(target_os = "macos"))]
 pub(crate) use mem_handle::*;
 #[cfg(target_os = "macos")]
-pub use mem_handle_macos::set_shm_open_mode;
+pub use mem_handle_macos::set_shm_owner_uid;
 
 #[no_mangle]
 #[cfg(polyfill_glibc_memfd)]

datadog-sidecar-ffi/src/lib.rs

@@ -323,12 +323,6 @@ pub extern "C" fn ddog_sidecar_connect_master(pid: i32) -> MaybeError {
     MaybeError::None
 }
 
-#[no_mangle]
-#[cfg(unix)]
-pub extern "C" fn ddog_sidecar_set_shm_open_mode(mode: u32) {
-    datadog_ipc::platform::set_shm_open_mode(mode);
-}
-
 #[no_mangle]
 pub extern "C" fn ddog_sidecar_connect_worker(
     pid: i32,

datadog-sidecar/src/entry.rs

@@ -37,6 +37,9 @@ pub struct MainLoopConfig {
     pub enable_ctrl_c_handler: bool,
     pub enable_crashtracker: bool,
     pub external_shutdown_rx: Option<oneshot::Receiver<()>>,
+    /// Set to false in thread mode so the worker's UID can be obtained on the
+    /// first connection and used to fchown the SHM.
+    pub init_shm_eagerly: bool,
 }
 
 impl Default for MainLoopConfig {
@@ -45,6 +48,7 @@ impl Default for MainLoopConfig {
             enable_ctrl_c_handler: true,
             enable_crashtracker: true,
             external_shutdown_rx: None,
+            init_shm_eagerly: true,
         }
     }
 }
@@ -125,8 +129,9 @@ where
         });
     }
 
-    // Init. Early, before we start listening.
-    drop(SHM_LIMITER.lock());
+    if loop_config.init_shm_eagerly {
+        drop(SHM_LIMITER.lock());
+    }
 
     let server = SidecarServer::default();
 

datadog-sidecar/src/setup/thread_listener.rs

@@ -16,10 +16,14 @@ use crate::setup::AbstractUnixSocketLiaison;
 use crate::setup::Liaison;
 #[cfg(not(target_os = "linux"))]
 use crate::setup::SharedDirLiaison;
+use crate::tracer::SHM_LIMITER;
 use datadog_ipc::transport::blocking::BlockingTransport;
 
 static MASTER_LISTENER: OnceLock<Mutex<Option<MasterListener>>> = OnceLock::new();
 
+/// Ensures first-connection SHM initialization runs exactly once across all threads.
+static FIRST_CONNECTION_INIT: OnceLock<()> = OnceLock::new();
+
 pub struct MasterListener {
     shutdown_tx: Option<oneshot::Sender<()>>,
     thread_handle: Option<JoinHandle<()>>,
@@ -139,6 +143,15 @@ async fn accept_socket_loop_thread(
                 match accept {
                     Ok((socket, _)) => {
                         info!("Accepted new worker connection");
+                        // On the first connection, get the worker's UID and
+                        // fchown the SHM to that UID so cross-user access works when
+                        // the master runs as root and workers run as a different user.
+                        FIRST_CONNECTION_INIT.get_or_init(|| {
+                            if let Ok(cred) = socket.peer_cred() {
+                                datadog_ipc::platform::set_shm_owner_uid(cred.uid());
+                            }
+                            drop(SHM_LIMITER.lock());
+                        });
                         handler(socket);
                     }
                     Err(e) => {
@@ -179,6 +192,8 @@ fn run_listener(pid: u32, _config: Config, shutdown_rx: oneshot::Receiver<()>) -
         enable_ctrl_c_handler: false,
         enable_crashtracker: false,
         external_shutdown_rx: None,
+        // Defer SHM init to first connection so we can fchown using the worker's UID.
+        init_shm_eagerly: false,
     };
 
     let runtime = tokio::runtime::Builder::new_current_thread()