From daac2d0e91dfdba8653200db3005bdf753df544e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mikk=20Margus=20M=C3=B6ll?= Date: Fri, 20 Oct 2023 10:32:28 +0300 Subject: [PATCH 1/2] bots/collectors/api: make socket file permissions configurable --- intelmq/bots/collectors/api/collector_api.py | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/intelmq/bots/collectors/api/collector_api.py b/intelmq/bots/collectors/api/collector_api.py index c950c7cd6..1e3464f28 100644 --- a/intelmq/bots/collectors/api/collector_api.py +++ b/intelmq/bots/collectors/api/collector_api.py @@ -8,6 +8,7 @@ """ from threading import Thread from typing import Optional +import grp import os import socket @@ -42,6 +43,8 @@ class APICollectorBot(CollectorBot): _is_multithreadable: bool = False use_socket = False socket_path = '/tmp/imq_api_default_socket' + socket_perms = '600' + socket_group = '' _server: Optional['HTTPServer'] = None _unix_socket: Optional[socket.socket] = None _eventLoopThread: Optional[Thread] = None @@ -56,7 +59,12 @@ def init(self): if self.use_socket: self.server = HTTPServer(app) - self._unix_socket = bind_unix_socket(self.socket_path) + self._unix_socket = bind_unix_socket(self.socket_path, mode=int(self.socket_perms, 8)) + if self.socket_group: + group = grp.getgrnam(self.socket_group) + gid = group.gr_gid + os.chown(self.socket_path, -1, gid) + self.server.add_socket(self._unix_socket) else: self.server = app.listen(self.port) From 0fc3d6c0961ce66521d921127a04e462486061f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mikk=20Margus=20M=C3=B6ll?= Date: Tue, 31 Oct 2023 16:01:15 +0200 Subject: [PATCH 2/2] DOC: document PR#2417 --- CHANGELOG.md | 3 +++ docs/user/bots.md | 8 ++++++++ 2 files changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b818da034..4ccfabf25 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
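Review bot: In `init()` of `intelmq/bots/collectors/api/collector_api.py`, `socket_perms` and `socket_group` are only interpreted at or after the bind, so a bad setting fails late and with an unhelpful error. `int(self.socket_perms, 8)` raises `TypeError` when the configured value is an integer rather than a string (the docs hunk in this series calls the parameter an "octal integer", while the class default is the string `'600'`). `grp.getgrnam` raises `KeyError` for an unknown group after the socket file has already been created with the new mode. I would parse and range-check the mode and resolve the gid first, then bind and chown, as sketched below. No other access check on the socket is visible in this hunk, so it may also be worth logging a warning when the mode grants access to "other", since that opens the collector endpoint to every local account. The body of `init()` starts before and continues after the hunk.

```python
        if self.use_socket:
            # … unchanged: HTTPServer(app) construction …
            # Interpret both settings before the socket file exists, so a bad
            # value cannot leave a half-configured socket behind.
            mode = int(str(self.socket_perms), 8)
            if mode & ~0o777:
                raise ValueError(f"socket_perms must be an octal permission value, got {self.socket_perms!r}.")
            gid = grp.getgrnam(self.socket_group).gr_gid if self.socket_group else -1
            self._unix_socket = bind_unix_socket(self.socket_path, mode=mode)
            if gid != -1:
                os.chown(self.socket_path, -1, gid)
            # … unchanged: self.server.add_socket(self._unix_socket) …
```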
@@ -54,6 +54,9 @@ #### Parsers #### Experts +- `intelmq.bots.experts.jinja` (PR#2417 by Mikk Margus Möll): + - Add optional `socket_perms` and `socket_group` parameters to change + file permissions on socket file, if it is in use. #### Outputs - `intelmq.bots.outputs.stomp.output` (PR#2408 by Jan Kaliszewski): diff --git a/docs/user/bots.md b/docs/user/bots.md index 29977f56e..f0e733dde 100644 --- a/docs/user/bots.md +++ b/docs/user/bots.md @@ -259,6 +259,14 @@ used. Requires the [tornado](https://pypi.org/project/tornado/) library. (optional, string) Location of the socket. Defaults to `/tmp/imq_api_default_socket`. +**`socket_perms`** + +(optional, octal integer) Unix permissions to grant to the socket file. Default: `600` + +**`socket_group`** + +(optional, string) Name of group to change group ownership of socket file to. + --- ### Generic URL Fetcher