From 5777edbcad82016d4c45c9c8bd720c9c05f3a482 Mon Sep 17 00:00:00 2001
From: nisbet-hubbard <87453615+nisbet-hubbard@users.noreply.github.com>
Date: Sat, 9 Dec 2023 11:31:08 +0800
Subject: [PATCH 1/4] Fix unix socket permissions
---
 v3.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/v3.go b/v3.go
index 6333b81f..4b2dfc23 100644
--- a/v3.go
+++ b/v3.go
@@ -249,7 +249,7 @@ func unixSocketListener(bindAddr string) net.Listener {
 logger.Fatal().Err(err).Msg("failed to serve unix socket")
 }
 // TODO: safe default for now (rwxr-xr-x), could be extracted as env variable if needed
- err = os.Chmod(bindAddr, 0755)
+ err = os.Chmod(bindAddr, 0220)
 if err != nil {
 logger.Fatal().Err(err).Msg("failed to set unix socket permissions")
 }
From c63e69d0406de49233bb30d8c1859de7d14521b9 Mon Sep 17 00:00:00 2001
From: nisbet-hubbard <87453615+nisbet-hubbard@users.noreply.github.com>
Date: Sat, 9 Dec 2023 11:44:13 +0800
Subject: [PATCH 2/4] Update comment
---
 v3.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/v3.go b/v3.go
index 4b2dfc23..1452da10 100644
--- a/v3.go
+++ b/v3.go
@@ -248,7 +248,7 @@ func unixSocketListener(bindAddr string) net.Listener {
 if err != nil {
 logger.Fatal().Err(err).Msg("failed to serve unix socket")
 }
- // TODO: safe default for now (rwxr-xr-x), could be extracted as env variable if needed
+ // User of web server needs to belong to group 'synv3' (-w--w----), could be extracted as env variable if needed
 err = os.Chmod(bindAddr, 0220)
 if err != nil {
 logger.Fatal().Err(err).Msg("failed to set unix socket permissions")
From 6f99876d0e27377d2a1f869ffeaa5ea13428a436 Mon Sep 17 00:00:00 2001
From: nisbet-hubbard <87453615+nisbet-hubbard@users.noreply.github.com>
Date: Sat, 9 Dec 2023 13:01:46 +0800
Subject: [PATCH 3/4] Clean-up
---
 v3.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/v3.go b/v3.go
index 1452da10..9983ba2f 100644
--- a/v3.go
+++ b/v3.go
@@ -248,7 +248,8 @@ func unixSocketListener(bindAddr string) net.Listener {
 if err != nil {
 logger.Fatal().Err(err).Msg("failed to serve unix socket")
 }
- // User of web server needs to belong to group 'synv3' (-w--w----), could be extracted as env variable if needed
+ // User of web server needs to belong to the group of 'syncv3' (-w--w----); could be
+ // extracted as env variable if needed
 err = os.Chmod(bindAddr, 0220)
 if err != nil {
 logger.Fatal().Err(err).Msg("failed to set unix socket permissions")
From cef9361c6c0496bd2a68ef9db0d9ed43ea52b4e5 Mon Sep 17 00:00:00 2001
From: nisbet-hubbard <87453615+nisbet-hubbard@users.noreply.github.com>
Date: Sat, 9 Dec 2023 13:50:59 +0800
Subject: [PATCH 4/4] Use 0222
---
 v3.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/v3.go b/v3.go
index 9983ba2f..53e40637 100644
--- a/v3.go
+++ b/v3.go
@@ -248,9 +248,9 @@ func unixSocketListener(bindAddr string) net.Listener {
 if err != nil {
 logger.Fatal().Err(err).Msg("failed to serve unix socket")
 }
- // User of web server needs to belong to the group of 'syncv3' (-w--w----); could be
- // extracted as env variable if needed
- err = os.Chmod(bindAddr, 0220)
+ // least permissions and work out of box (-w--w--w-); could be extracted as
+ // env variable if needed
+ err = os.Chmod(bindAddr, 0222)
 if err != nil {
 logger.Fatal().Err(err).Msg("failed to set unix socket permissions")
 }
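Review bot: Mode `0222` on the `os.Chmod(bindAddr, 0222)` line in the last hunk lets every local account connect to the socket, because on Linux connecting to a pathname socket needs write permission on it; the new comment's "least permissions" therefore does not describe the setting, and the `0220` it replaces was the narrower one. If the default has to work without any group setup, the comment should state the trade-off, for example `// world-writable (-w--w--w-): any local user can connect; restrict access via the parent directory, or use 0220 and add the web server user to this process's group`. Socket-file modes are not enforced on every Unix, so the permissions of the directory that holds `bindAddr` are the more portable place to limit who can reach the listener. The body of unixSocketListener starts and ends outside the hunk, so whether the mode can already be overridden elsewhere is not visible here.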