This is an automated email from the ASF dual-hosted git repository. membphis pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/apisix-java-plugin-runner.git
The following commit(s) were added to refs/heads/main by this push: new b8836d3 fix: restrict local listening socket permissions (#318) b8836d3 is described below commit b8836d3148580ee8c77bf69bd678061fa3b1ab82 Author: Benoit TELLIER <btell...@linagora.com> AuthorDate: Mon Mar 3 08:54:23 2025 +0700 fix: restrict local listening socket permissions (#318)
---
 docs/en/latest/how-it-works.md | 13 +++++++++----
 .../apisix/plugin/runner/server/ApplicationRunner.java | 3 ++-
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/docs/en/latest/how-it-works.md b/docs/en/latest/how-it-works.md
index a7e5867..d8d5794 100644
--- a/docs/en/latest/how-it-works.md
+++ b/docs/en/latest/how-it-works.md
@@ -64,10 +64,15 @@ Note: If you see some error logs like
 phase_func(): failed to connect to the unix socket unix:/tmp/runner.sock: permission denied
 ```
-in the `error.log` of APISIX, you can change the permissions of this file for debug, execute commands like
-
-```shell
-chmod 766 /tmp/runner.sock
+in the `error.log` of APISIX, ensure the APISIX user is provided rights on the socket. This can be done
+for instance by using a common group. Example:
+
+```bash
+groupadd apisix_group
+usermod -aG apisix_group apisix
+usermod -aG apisix_group java_plugin_runner
+chown java_plugin_runner:apisix_group /tmp/runner.sock
+chmod 760 /tmp/runner.sock
 ```
 To get more detailed debugging information, you can modify the output level of the log.
diff --git a/runner-core/src/main/java/org/apache/apisix/plugin/runner/server/ApplicationRunner.java b/runner-core/src/main/java/org/apache/apisix/plugin/runner/server/ApplicationRunner.java
index 865983a..8d1206e 100644
--- a/runner-core/src/main/java/org/apache/apisix/plugin/runner/server/ApplicationRunner.java
+++ b/runner-core/src/main/java/org/apache/apisix/plugin/runner/server/ApplicationRunner.java
@@ -32,6 +32,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.CommandLineRunner;
 import org.springframework.stereotype.Component;
+
 import com.google.common.cache.Cache;
 import io.netty.bootstrap.ServerBootstrap;
 import io.netty.channel.ChannelFuture;
@@ -114,7 +115,7 @@ public class ApplicationRunner implements CommandLineRunner {
 try {
 initServerBootstrap(bootstrap);
 ChannelFuture future = bootstrap.bind(new DomainSocketAddress(path)).sync();
- Runtime.getRuntime().exec("chmod 777 " + socketFile);
+ Runtime.getRuntime().exec("chmod 700 " + socketFile);
 logger.warn("java runner is listening on the socket file: {}", socketFile);
 future.channel().closeFuture().sync();
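Review bot: The new `Runtime.getRuntime().exec("chmod 700 " + socketFile)` line still launches chmod without waiting for it or checking its exit status, so if the command fails or has not run yet, the socket keeps the mode it received at `bind()` (normally derived from the process umask) while the runner already logs that it is listening. `exec(String)` also splits its argument on whitespace, so a socket path containing a space reaches chmod as several arguments. Setting the mode in-process closes both gaps and raises an exception on failure: `Files.setPosixFilePermissions(Paths.get(socketFile), PosixFilePermissions.fromString("rwx------"));` (assuming `socketFile` is the filesystem path that was bound). Mode 700 admits only the runner's own user, whereas the documentation changed in this same commit describes a shared group with `chmod 760`, so an APISIX worker under a different account would need that step repeated after every start; a configurable mode would avoid the manual fix-up. The enclosing method starts and ends outside the hunk.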