Merge pull request #7638 from mxpv/perm

Fix shim socket permissions on Darwin
2022-11-08 07:34:02 -08:00 · 2022-11-08 07:34:02 -08:00 · 530c675841
commit 530c675841
parent d1564fec5b 3a9044f240
1 changed files with 14 additions and 7 deletions
--- a/runtime/v2/shim/util_unix.go
+++ b/runtime/v2/shim/util_unix.go
@ -26,6 +26,7 @@ import (
 	"net"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"syscall"
 	"time"
@ -87,15 +88,20 @@ func AnonReconnectDialer(address string, timeout time.Duration) (net.Conn, error
 // NewSocket returns a new socket
 func NewSocket(address string) (*net.UnixListener, error) {
 	var (
-		sock = socket(address)
-		path = sock.path()
+		sock       = socket(address)
+		path       = sock.path()
+		isAbstract = sock.isAbstract()
+		perm       = os.FileMode(0600)
 	)

-	isAbstract := sock.isAbstract()
+	// Darwin needs +x to access socket, otherwise it'll fail with "bind: permission denied" when running as non-root.
+	if runtime.GOOS == "darwin" {
+		perm = 0700
+	}

 	if !isAbstract {
-		if err := os.MkdirAll(filepath.Dir(path), 0600); err != nil {
-			return nil, fmt.Errorf("%s: %w", path, err)
+		if err := os.MkdirAll(filepath.Dir(path), perm); err != nil {
+			return nil, fmt.Errorf("mkdir failed for %s: %w", path, err)
 		}
 	}
 	l, err := net.Listen("unix", path)
@ -104,12 +110,13 @@ func NewSocket(address string) (*net.UnixListener, error) {
 	}

 	if !isAbstract {
-		if err := os.Chmod(path, 0600); err != nil {
+		if err := os.Chmod(path, perm); err != nil {
 			os.Remove(sock.path())
 			l.Close()
-			return nil, err
+			return nil, fmt.Errorf("chmod failed for %s: %w", path, err)
 		}
 	}
+
 	return l.(*net.UnixListener), nil
 }