FIX Restrict socket permissions and manage ACLs if needed

chibenwa · chibenwa · commit d58ec6671201 · 2025-02-28T10:18:51.000+01:00
diff --git a/docs/en/latest/how-it-works.md b/docs/en/latest/how-it-works.md
@@ -64,7 +64,7 @@ Note: If you see some error logs like
 phase_func(): failed to connect to the unix socket unix:/tmp/runner.sock: permission denied
 ```
 
-in the `error.log` of APISIX, you can change the permissions of this file for debug, execute commands like
+in the `error.log` of APISIX, ensure the APISIX user is provided rights on the socket.
 
 ```shell
 chmod 766 /tmp/runner.sock
diff --git a/runner-core/src/main/java/org/apache/apisix/plugin/runner/server/ApplicationRunner.java b/runner-core/src/main/java/org/apache/apisix/plugin/runner/server/ApplicationRunner.java
@@ -32,6 +32,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.CommandLineRunner;
 import org.springframework.stereotype.Component;
+
 import com.google.common.cache.Cache;
 import io.netty.bootstrap.ServerBootstrap;
 import io.netty.channel.ChannelFuture;
@@ -114,7 +115,7 @@ public void start(String path) throws Exception {
         try {
             initServerBootstrap(bootstrap);
             ChannelFuture future = bootstrap.bind(new DomainSocketAddress(path)).sync();
-            Runtime.getRuntime().exec("chmod 777 " + socketFile);
+            Runtime.getRuntime().exec("chmod 700 " + socketFile);
             logger.warn("java runner is listening on the socket file: {}", socketFile);
 
             future.channel().closeFuture().sync();
