fixup! FIX Restrict socket permissions and manage ACLs if needed

chibenwa · chibenwa · commit e900fa6d89d5 · 2025-02-26T10:59:09.000+01:00
diff --git a/.github/workflows/runner-e2e.yml b/.github/workflows/runner-e2e.yml
@@ -55,7 +55,6 @@ jobs:
       run: |
         cd dist
         tar -zxvf apache-apisix-java-plugin-runner-*bin.tar.gz
-        chmod 777 /tmp/runner.sock
         java -jar -DAPISIX_LISTEN_ADDRESS=unix:/tmp/runner.sock -DAPISIX_CONF_EXPIRE_TIME=3600 ./apisix-runner-bin/apisix-java-plugin-runner.jar &
 
     - name: startup apisix
diff --git a/runner-core/src/main/java/org/apache/apisix/plugin/runner/server/ApplicationRunner.java b/runner-core/src/main/java/org/apache/apisix/plugin/runner/server/ApplicationRunner.java
@@ -26,13 +26,11 @@
 import java.nio.file.attribute.AclEntryPermission;
 import java.nio.file.attribute.AclEntryType;
 import java.nio.file.attribute.AclFileAttributeView;
-import java.nio.file.attribute.PosixFilePermission;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
 import java.util.Optional;
-import java.util.Set;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -75,6 +73,8 @@ public class ApplicationRunner implements CommandLineRunner {
 
     private final Logger logger = LoggerFactory.getLogger(ApplicationRunner.class);
     private static final List<String> SOCKET_ALLOWED_USERS = Splitter.on(',')
+        .omitEmptyStrings()
+        .trimResults()
         .splitToList(System.getProperty("socket.allowed.users", ""));
 
     @Value("${socket.file}")
@@ -136,16 +136,11 @@ public void start(String path) throws Exception {
         }
     }
 
-    private static void manageSocketPermissions(String pathString) throws IOException {
-        Set<PosixFilePermission> permissions = Set.of(
-            PosixFilePermission.OWNER_READ,
-            PosixFilePermission.OWNER_WRITE,
-            PosixFilePermission.OWNER_EXECUTE);
-        Path path = Paths.get(pathString);
-        Files.setPosixFilePermissions(path, permissions);
+    private static void manageSocketPermissions(String socketFile) throws IOException {
+        Runtime.getRuntime().exec("chmod 700 " + socketFile);
 
         if (!SOCKET_ALLOWED_USERS.isEmpty()) {
-            Optional.ofNullable(Files.getFileAttributeView(path, AclFileAttributeView.class))
+            Optional.ofNullable(Files.getFileAttributeView(Paths.get(socketFile), AclFileAttributeView.class))
                 .orElseThrow(() -> new UnsupportedOperationException("ACLs are not supported on this filesystem."))
                 .setAcl(SOCKET_ALLOWED_USERS.stream()
                     .map(ApplicationRunner::computeAclEntry)
