No way to set permissions on UNIX socket

[chewi]

You can set permissions on the socket using the second callback argument on the listen function but a user of this library has no way of doing that. This makes the socket feature quite useless unless you run the server as the same user as the proxying server, which is far from ideal.

I'm not a Node.js guy, I just want to set up Xen Orchestra in a secure manner.

[julien-f]

As far as I can tell, Node does not provide a way to set the socket permissions with HttpServer#listen() method.

[chewi]

Here's an example.

[chewi]

Also here's an alternative. I think I like the second one better.

[julien-f]

This is done by changing the umask of the process before and resetting after the socket has been created or by changing the socket mode after the socket has been created.

It can be achieved with http-server-plus as well:

import fs from 'fs
import { create } from 'http-server-plus'

const server = create()
server.listen('./app.sock').then(() => {
  fs.chmod('./app.sock', 0o777)
})

[julien-f]

It could be automated though, by adding a socketMode option for instance (like in systemd).