
net: Listen{,Unix} don't set file modes, access control lists #11822

Closed
Terry-Mao opened this issue Jul 22, 2015 · 1 comment

@Terry-Mao

commented Jul 22, 2015

When using Unix socket Listen:
net.Listen("unix", addr)
it can't set unixsocketperm to 777.

Many reverse proxies such as nginx return HTTP 502 when the sock file does not have 777 permissions.

@rsc

Contributor

commented Jul 22, 2015

You have two choices. One is to call syscall.Umask(0077) before creating the socket. This will affect your entire process and will make all created files, including the socket, disable the lower bits, so that the socket will be mode 0700 instead of 0777. The other is to call os.Chmod after creating the socket. This way there would still be a window where the socket has the 0777 mode, so if you are worried about attackers and not just appeasing nginx then that might not be preferable.

This program demonstrates both:

package main

import (
    "log"
    "net"
    "os"
    "syscall"
)

func main() {
    // Process-wide: every file created from here on loses group/other bits,
    // so the socket is born 0700 rather than 0777 (no window of exposure).
    syscall.Umask(0077)
    l, err := net.Listen("unix", "/tmp/asdf")
    if err != nil {
        log.Fatal(err)
    }
    check()
    // Alternative: tighten after the fact. The socket is briefly 0777 & ^umask
    // between Listen and Chmod.
    if err := os.Chmod("/tmp/asdf", 0700); err != nil {
        log.Fatal(err)
    }
    check()
    l.Close()
}

// check prints the current mode bits of the socket file.
func check() {
    fi, err := os.Stat("/tmp/asdf")
    if err != nil {
        log.Fatal(err)
    }
    log.Println("mode", fi.Mode())
}

You only need either the syscall.Umask or the os.Chmod, not both.

@rsc rsc closed this Jul 22, 2015
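Added example, not part of this issue thread or of the Go project's code: it packages the umask approach from the comment above so the mask is restored right after Listen, shows the alternative of protecting the socket with a restricted parent directory (so the socket's own bits never need to be 777), and includes the check a hardening review would run for a world-accessible socket file. All function names (listenUnixWithMode, listenUnixInPrivateDir, permBits, worldAccessible, currentUmask) and the temp paths are this example's own assumptions; it relies on Linux semantics, where the socket file is created as 0777 & ^umask.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// listenUnixWithMode binds a Unix socket whose file never appears on disk
// with looser permission bits than mode. The kernel creates the socket file
// as 0777 & ^umask, so tightening the umask before net.Listen closes the
// window that an os.Chmod-after-the-fact approach leaves open. Umask is
// process-wide, so any file created concurrently gets the same mask.
func listenUnixWithMode(path string, mode os.FileMode) (net.Listener, error) {
	old := syscall.Umask(int(^mode & 0777)) // clear every bit not in mode
	defer syscall.Umask(old)                // restore for the rest of the process
	return net.Listen("unix", path)
}

// listenUnixInPrivateDir protects the socket with its parent directory
// instead of the socket's own bits: a peer that cannot traverse the
// directory cannot connect regardless of the socket's mode. Mkdir applies
// the umask, so the directory is created at least as tight as dirMode and
// then loosened (never loosened beyond dirMode) with Chmod.
func listenUnixInPrivateDir(dir, name string, dirMode os.FileMode) (net.Listener, error) {
	if err := os.Mkdir(dir, dirMode); err != nil && !os.IsExist(err) {
		return nil, err
	}
	if err := os.Chmod(dir, dirMode); err != nil {
		return nil, err
	}
	return net.Listen("unix", filepath.Join(dir, name))
}

// permBits returns the permission bits of a path (symlinks not followed).
func permBits(path string) (os.FileMode, error) {
	fi, err := os.Lstat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

// worldAccessible reports whether "other" has any access to the path,
// the condition a hardening check would flag on a socket file.
func worldAccessible(path string) (bool, error) {
	m, err := permBits(path)
	if err != nil {
		return false, err
	}
	return m&0007 != 0, nil
}

// currentUmask reads the process umask without changing it.
func currentUmask() int {
	m := syscall.Umask(0)
	syscall.Umask(m)
	return m
}

func main() {
	dir, err := os.MkdirTemp("", "sockdemo") // constructed scratch location
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)

	// Owner and group only, e.g. a group shared with the reverse proxy user.
	sock := filepath.Join(dir, "app.sock")
	l, err := listenUnixWithMode(sock, 0660)
	if err != nil {
		log.Fatal(err)
	}
	defer l.Close()
	m, _ := permBits(sock)
	w, _ := worldAccessible(sock)
	fmt.Printf("%s mode %o world-accessible=%v umask now %o\n", sock, m, w, currentUmask())

	priv := filepath.Join(dir, "private")
	l2, err := listenUnixInPrivateDir(priv, "app.sock", 0750)
	if err != nil {
		log.Fatal(err)
	}
	defer l2.Close()
	dm, _ := permBits(priv)
	fmt.Printf("%s mode %o\n", priv, dm)
}
```

The umask variant is the one that avoids the exposure window, but because the mask is process-wide it should be called before other goroutines start creating files. The directory variant is the usual answer when the proxy runs as a different user: grant that user group traversal on the directory rather than opening the socket itself to everyone.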

@mikioh mikioh changed the title net Listen not support unixsocketperm net: Listen{,Unix} don't set file modes, access control lists Jul 23, 2015

@golang golang locked and limited conversation to collaborators Aug 5, 2016
