crates/colibri-daemon/src/socket.rs

@@ -66,6 +66,26 @@ pub async fn serve(state: SharedState, mut shutdown_rx: broadcast::Receiver<()>)
         }
     };
 
+    // Make the socket group-accessible. Connecting to a Unix socket requires
+    // WRITE permission on the socket file, but bind() creates it with the
+    // umask-default mode (typically 0755 = owner-only write). An operator who is
+    // a member of the daemon's group (e.g. `clawdie` in the `colibri` group) is
+    // then rejected with EACCES ("permission denied"). 0770 lets owner + group
+    // connect while keeping other users out.
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::PermissionsExt;
+        if let Err(e) =
+            std::fs::set_permissions(&socket_path, std::fs::Permissions::from_mode(0o770))
+        {
+            warn!(
+                path = %socket_path.display(),
+                error = %e,
+                "failed to set socket permissions to 0770; group operators may get EACCES"
+            );
+        }
+    }
+
     info!(path = %socket_path.display(), "Herdr socket API listening");
 
     loop {