From 53e7dcfd3360475790f3c7384bfbe43ba7a0560e Mon Sep 17 00:00:00 2001
From: Ara Sadoyan <ara.sadoyan@netangels.net>
Date: Fri, 19 Jun 2026 11:14:40 +0200
Subject: [PATCH] Pid file follow symlink problem.

---
 Cargo.lock         |  1 +
 Cargo.toml         |  1 +
 src/utils/tools.rs | 14 ++++++++++++++
 src/web/start.rs   |  7 +++++--
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index b8cd0e9..ae275cc 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -139,6 +139,7 @@ dependencies = [
  "futures",
  "instant-acme",
  "jsonwebtoken",
+ "libc",
  "log",
  "log4rs",
  "mimalloc",
diff --git a/Cargo.toml b/Cargo.toml
index 5f37e21..5f23063 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -53,3 +53,4 @@ log4rs = "1.4.0"
 mimalloc = { version = "0.1.52", default-features = false }
 signal-hook = "0.4.4"
 sd-notify = "0.5.0"
+libc = "0.2.186"
diff --git a/src/utils/tools.rs b/src/utils/tools.rs
index 1bccd8e..0cb99c5 100644
--- a/src/utils/tools.rs
+++ b/src/utils/tools.rs
@@ -10,9 +10,12 @@ use sha2::{Digest, Sha256};
 use std::any::type_name;
 use std::collections::{HashMap, HashSet};
 use std::fmt::Write;
+use std::fs::OpenOptions;
+use std::io::Write as IoWrite;
 use std::net::SocketAddr;
 use std::net::TcpListener;
 use std::os::unix::fs::MetadataExt;
+use std::os::unix::fs::OpenOptionsExt;
 use std::str::FromStr;
 use std::sync::atomic::{AtomicUsize, Ordering};
 use std::sync::mpsc::{channel, Sender};
@@ -380,3 +383,14 @@ pub fn prepend(prefix: &str, val: &Option<Arc<str>>, uri: &str, port: &str) -> O
         buf
     })
 }
+
+pub fn write_pid_file(path: &str) -> std::io::Result<()> {
+    let mut file = OpenOptions::new()
+        .write(true)
+        .create(true)
+        .truncate(true)
+        .custom_flags(libc::O_NOFOLLOW) // refuse to follow symlinks
+        .open(path)?;
+    file.write_all(process::id().to_string().as_bytes())?;
+    Ok(())
+}
diff --git a/src/web/start.rs b/src/web/start.rs
index aad2043..b21e82c 100644
--- a/src/web/start.rs
+++ b/src/web/start.rs
@@ -23,7 +23,7 @@ use signal_hook::{
 use std::sync::mpsc::{channel, Receiver, Sender};
 use std::sync::Arc;
 use std::time::Duration;
-use std::{fs, process, thread};
+use std::{fs, thread};
 
 pub fn run() {
     // default_provider().install_default().expect("Failed to install rustls crypto provider");
@@ -146,8 +146,11 @@ pub fn run() {
         drop_priv(user, group, cfg.proxy_address_http.clone(), cfg.proxy_address_tls.clone());
     }
     let _ = sd_notify::notify(&[NotifyState::Ready]);
-    let _ = fs::write(cfg.pid_file.clone().unwrap_or("/tmp/aralez.pid".to_string()), process::id().to_string());
 
+    let pf = cfg.pid_file.clone().unwrap_or("/tmp/aralez.pid".to_string());
+    if let Err(e) = write_pid_file(pf.as_str()) {
+        panic!("Failed to write PID file: {} : {}", pf, e);
+    }
     let mut signals = Signals::new(&[SIGINT, SIGTERM, SIGQUIT]).unwrap();
     for sig in signals.forever() {
         match sig {