From 813ace92374129310b259a1a93735e7652a880c2 Mon Sep 17 00:00:00 2001 From: Sam & Claude Date: Fri, 5 Jun 2026 10:53:01 +0200 Subject: [PATCH] fix(daemon): make the Herdr socket group-writable (0770) (Sam & Claude) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Re-landed on current main (the earlier branch never merged — main moved under it). Operators hit "permission denied" connecting to the colibri daemon from colibri-tui / the `clawdie` helper: socket.rs binds the Unix socket but never sets its mode, so it stays at the umask default (0755 = owner-only write). Connecting needs WRITE perm, so a colibri-group member (clawdie) gets EACCES. chmod the socket to 0770 after bind. Shared socket::serve, so it covers both colibri-daemon and the clawdie agent. Co-Authored-By: Claude Opus 4.8 --- crates/colibri-daemon/src/socket.rs | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+)
diff --git a/crates/colibri-daemon/src/socket.rs b/crates/colibri-daemon/src/socket.rs
index 11472cf..5711e89 100644
--- a/crates/colibri-daemon/src/socket.rs
+++ b/crates/colibri-daemon/src/socket.rs 
@@ -66,6 +66,26 @@ pub async fn serve(state: SharedState, mut shutdown_rx: broadcast::Receiver<()>)
 }
 };
+ // Make the socket group-accessible. Connecting to a Unix socket requires
+ // WRITE permission on the socket file, but bind() creates it with the
+ // umask-default mode (typically 0755 = owner-only write). An operator who is
+ // a member of the daemon's group (e.g. `clawdie` in the `colibri` group) is
+ // then rejected with EACCES ("permission denied"). 0770 lets owner + group
+ // connect while keeping other users out.
+ #[cfg(unix)]
+ {
+ use std::os::unix::fs::PermissionsExt;
+ if let Err(e) =
+ std::fs::set_permissions(&socket_path, std::fs::Permissions::from_mode(0o770))
+ {
+ warn!(
+ path = %socket_path.display(),
+ error = %e,
+ "failed to set socket permissions to 0770; group operators may get EACCES"
+ );
+ }
+ }
+
 info!(path = %socket_path.display(), "Herdr socket API listening");
 loop {
-- 2.45.3
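Review bot: The set_permissions call closes the group-access gap only after bind() has already created the socket with the umask-derived mode (0777 & ~umask), so for that instant the file's exposure is decided by the process umask rather than by this hunk — a 0000 umask leaves it briefly world-connectable, and the `warn!` branch leaves it that way for good. std has no umask(), so the robust fix is to make the parent directory the gate: create it with `DirBuilder::new().mode(0o770)` (via `std::os::unix::fs::DirBuilderExt`) owned by the operator group, so directory search permission controls who can reach the socket regardless of the file's mode; at minimum the comment should say the chmod narrows rather than removes the window. 0770 also grants access to whichever group the socket is created with, normally the daemon's effective gid, and nothing here checks that this is `colibri`; if the daemon can run under another primary group, follow the chmod with `std::os::unix::fs::chown(&socket_path, None, Some(colibri_gid))` (Rust ≥ 1.73). Because a failed chmod can mean the socket stayed more permissive than intended, the log text should not describe only the EACCES case, e.g. `"failed to set socket permissions to 0770; socket keeps its umask-default mode"`. serve() starts and ends outside this hunk.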