FIX Restrict socket permissions and manage ACLs if needed

chibenwa · chibenwa · commit 7bd354df0281 · 2025-02-26T09:55:41.000+01:00
diff --git a/.github/workflows/runner-e2e.yml b/.github/workflows/runner-e2e.yml
@@ -55,6 +55,7 @@ jobs:
       run: |
         cd dist
         tar -zxvf apache-apisix-java-plugin-runner-*bin.tar.gz
+        chmod 777 /tmp/runner.sock
         java -jar -DAPISIX_LISTEN_ADDRESS=unix:/tmp/runner.sock -DAPISIX_CONF_EXPIRE_TIME=3600 ./apisix-runner-bin/apisix-java-plugin-runner.jar &
 
     - name: startup apisix
diff --git a/docs/en/latest/how-it-works.md b/docs/en/latest/how-it-works.md
@@ -64,10 +64,12 @@ Note: If you see some error logs like
 phase_func(): failed to connect to the unix socket unix:/tmp/runner.sock: permission denied
 ```
 
-in the `error.log` of APISIX, you can change the permissions of this file for debug, execute commands like
+in the `error.log` of APISIX, ensure the APISIX user is provided rights on the socket.
+This can be done by starting the APISIX Java pugin runner with a system property to grant 
+APISIX the right to read and write to the Java plugin through a unix ACL.
 
 ```shell
-chmod 766 /tmp/runner.sock
+java ... -Dsocket.allowed.users=apisixUser1,apisixUser2 ...
 ```
 
 To get more detailed debugging information, you can modify the output level of the log.
@@ -118,3 +120,10 @@ then add the following configure in the `config.yaml` file of APISIX
 ext-plugin:
   cmd: ['java', '-jar', '-Xmx4g', '-Xms4g', '/path/to/apisix-runner-bin/apisix-java-plugin-runner.jar']
 ```
+
+If running on a different user grant APISIX the unix ACL to the socket:
+
+```yaml
+ext-plugin:
+  cmd: ['java', '-jar', '-Xmx4g', '-Xms4g', '-Dsocket.allowed.users=apisixUser', '/path/to/apisix-runner-bin/apisix-java-plugin-runner.jar']
+```
diff --git a/runner-core/src/main/java/org/apache/apisix/plugin/runner/server/ApplicationRunner.java b/runner-core/src/main/java/org/apache/apisix/plugin/runner/server/ApplicationRunner.java
@@ -17,13 +17,22 @@
 
 package org.apache.apisix.plugin.runner.server;
 
+import java.io.IOException;
+import java.nio.file.FileSystems;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.nio.file.attribute.AclEntry;
+import java.nio.file.attribute.AclEntryPermission;
+import java.nio.file.attribute.AclEntryType;
+import java.nio.file.attribute.AclFileAttributeView;
+import java.nio.file.attribute.PosixFilePermission;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.stream.Collectors;
+import java.util.Optional;
+import java.util.Set;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -32,6 +41,8 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.CommandLineRunner;
 import org.springframework.stereotype.Component;
+
+import com.google.common.base.Splitter;
 import com.google.common.cache.Cache;
 import io.netty.bootstrap.ServerBootstrap;
 import io.netty.channel.ChannelFuture;
@@ -63,6 +74,8 @@
 public class ApplicationRunner implements CommandLineRunner {
 
     private final Logger logger = LoggerFactory.getLogger(ApplicationRunner.class);
+    private static final List<String> SOCKET_ALLOWED_USERS = Splitter.on(',')
+        .splitToList(System.getProperty("socket.allowed.users", ""));
 
     @Value("${socket.file}")
     private String socketFile;
@@ -114,7 +127,7 @@ public void start(String path) throws Exception {
         try {
             initServerBootstrap(bootstrap);
             ChannelFuture future = bootstrap.bind(new DomainSocketAddress(path)).sync();
-            Runtime.getRuntime().exec("chmod 777 " + socketFile);
+            manageSocketPermissions(socketFile);
             logger.warn("java runner is listening on the socket file: {}", socketFile);
 
             future.channel().closeFuture().sync();
@@ -123,6 +136,40 @@ public void start(String path) throws Exception {
         }
     }
 
+    private static void manageSocketPermissions(String pathString) throws IOException {
+        Set<PosixFilePermission> permissions = Set.of(
+            PosixFilePermission.OWNER_READ,
+            PosixFilePermission.OWNER_WRITE,
+            PosixFilePermission.OWNER_EXECUTE);
+        Path path = Paths.get(pathString);
+        Files.setPosixFilePermissions(path, permissions);
+
+        if (!SOCKET_ALLOWED_USERS.isEmpty()) {
+            Optional.ofNullable(Files.getFileAttributeView(path, AclFileAttributeView.class))
+                .orElseThrow(() -> new UnsupportedOperationException("ACLs are not supported on this filesystem."))
+                .setAcl(SOCKET_ALLOWED_USERS.stream()
+                    .map(ApplicationRunner::computeAclEntry)
+                    .collect(Collectors.toList()));
+        }
+    }
+
+    private static AclEntry computeAclEntry(String user) {
+        try {
+            return AclEntry.newBuilder()
+                .setType(AclEntryType.ALLOW)
+                .setPrincipal(FileSystems.getDefault()
+                    .getUserPrincipalLookupService()
+                    .lookupPrincipalByName(user))
+                .setPermissions(
+                    AclEntryPermission.READ_DATA,
+                    AclEntryPermission.WRITE_DATA,
+                    AclEntryPermission.EXECUTE)
+                .build();
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
     private void initServerBootstrap(ServerBootstrap bootstrap) {
         bootstrap.childHandler(new ChannelInitializer<DomainSocketChannel>() {
             @Override
