net: Listen{,Unix} don't set file modes, access control lists

[Terry-Mao]

when use unix socket Listen:
net.Listen("unix", addr)
can't set unixsocketperm 777.

many reverse proxy such as nginx return http 502 when sock file not 777 permission.

[rsc]

You have two choices. One is to call syscall.Umask(0077) before creating the socket. This will affect your entire process and will make all created files, including the socket, disable the lower bits, so that the socket will be mode 0700 instead of 0777. The other is to call os.Chmod after creating the socket. This way there would still be a window where the socket has the 0777 mode, so if you are worried about attackers and not just appeasing nginx then that might not be preferable.

This program demonstrates both:

package main

import (
    "log"
    "net"
    "os"
    "syscall"
)

func main() {
    syscall.Umask(0077)
    l, err := net.Listen("unix", "/tmp/asdf")
    if err != nil {
        log.Fatal(err)
    }
    check()
    if err := os.Chmod("/tmp/asdf", 0700); err != nil {
        log.Fatal(err)
    }
    check()
    l.Close()
}

func check() {
    fi, err := os.Stat("/tmp/asdf")
    if err != nil {
        log.Fatal(err)
    }
    log.Println("mode", fi.Mode())
}

You only need either the syscall.Umask or the os.Chmod, not both.