Allow setting unix socket mode

2xsaiko · 2xsaiko · commit 0c7495f8a23d · 2025-04-05T00:29:02.000+02:00
Signed-off-by: Marco Rebhan &lt;me@dblsaiko.net&gt;
diff --git a/crates/cli/src/server.rs b/crates/cli/src/server.rs
@@ -5,9 +5,10 @@
 // Please see LICENSE in the repository root for full details.
 
 use std::{
+    fs,
     future::ready,
     net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr, TcpListener, ToSocketAddrs},
-    os::unix::net::UnixListener,
+    os::unix::{fs::PermissionsExt, net::UnixListener},
 };
 
 use anyhow::Context;
@@ -329,8 +330,20 @@ pub fn build_listeners(
                 listener.try_into()?
             }
 
-            HttpBindConfig::Unix { socket } => {
+            HttpBindConfig::Unix { socket, mode } => {
                 let listener = UnixListener::bind(socket).context("could not bind socket")?;
+
+                if let Some(mode) = mode {
+                    let mut permissions = fs::metadata(socket)
+                        .context("could not read socket metadata")?
+                        .permissions();
+                    let mode = u32::from_str_radix(mode, 8)
+                        .with_context(|| format!("could not parse mode: {}", mode))?;
+                    permissions.set_mode(mode);
+                    fs::set_permissions(socket, permissions)
+                        .context("could not set socket permissions")?;
+                }
+
                 listener.try_into()?
             }
 
diff --git a/crates/config/src/sections/http.rs b/crates/config/src/sections/http.rs
@@ -124,6 +124,9 @@ pub enum BindConfig {
         /// Path to the socket
         #[schemars(with = "String")]
         socket: Utf8PathBuf,
+
+        /// Socket file mode
+        mode: Option<String>,
     },
 
     /// Accept connections on file descriptors passed by the parent process.
diff --git a/docs/config.schema.json b/docs/config.schema.json
@@ -889,6 +889,10 @@
             "socket": {
               "description": "Path to the socket",
               "type": "string"
+            },
+            "mode": {
+              "description": "Socket file mode",
+              "type": "string"
             }
           }
         },
diff --git a/docs/reference/configuration.md b/docs/reference/configuration.md
@@ -58,6 +58,7 @@ http:
 
         # Third option: listen on the given UNIX socket
         - socket: /tmp/mas.sock
+          mode: "660" # optional
 
         # Fourth option: grab an already open file descriptor given by the parent process
         # This is useful when using systemd socket activation

Original file line number	Diff line number	Diff line change
`@@ -889,6 +889,10 @@`
`889`	`889`	`"socket": {`
`890`	`890`	`"description": "Path to the socket",`
`891`	`891`	`"type": "string"`
	`892`	`+ },`
	`893`	`+ "mode": {`
	`894`	`+ "description": "Socket file mode",`
	`895`	`+ "type": "string"`
`892`	`896`	`}`
`893`	`897`	`}`
`894`	`898`	`},`