From 12169f28159f8b08bf7d490f0d6bab12ddd96039 Mon Sep 17 00:00:00 2001
From: David Wronek <david.wronek@mainlining.org>
Date: Sat, 2 May 2026 19:21:52 +0200
Subject: [PATCH] bootstrap: set UNIX socket permissions to 770

This grants other processes access to the socket, provided they are in
the correct group.

Signed-off-by: David Wronek <david.wronek@mainlining.org>
---
 internal/bootstrap/app_bootstrap.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/internal/bootstrap/app_bootstrap.go b/internal/bootstrap/app_bootstrap.go
index 3879c05e..c1cb8101 100644
--- a/internal/bootstrap/app_bootstrap.go
+++ b/internal/bootstrap/app_bootstrap.go
@@ -215,6 +215,12 @@ func (app *BootstrapApp) Setup() error {
 		}
 
 		tlog.App.Info().Msgf("Starting server on unix socket %s", app.config.Server.SocketPath)
+		go func() {
+			// Ensure processes running as a different user can access the socket.
+			if err := os.Chmod(app.config.Server.SocketPath, 0770); err != nil {
+				tlog.App.Fatal().Err(err).Msg("Failed to update UNIX socket permissions")
+			}
+		}()
 		if err := router.RunUnix(app.config.Server.SocketPath); err != nil {
 			tlog.App.Fatal().Err(err).Msg("Failed to start server")
 		}