Unix Socket permission

[mengguyi]

Please make sure of the following things

• I have read the documentation.
• I'm sure there are no duplicate issues or discussions.
• I'm sure it's due to alist and not something else(such as Dependencies or Operational).
• I'm sure I'm using the latest version

Alist Version / Alist 版本

3.20.1

Driver used / 使用的存储驱动

OneDrive

Describe the bug / 问题描述

我将alist运行在用户alist下，alist程序监听/var/run/alist/alist.socket
这个socket的权限是srwxr-xr-x，也就是除了alist自己可读可写以外任何用户都无法写。
这导致运行在www-data用户的nginx无法写入从而导致503错误。
虽然可以用命令重新分配权限

chown -R www-data:alist /var/run/alist/alist.socket

但是这个socket文件alist每次运行都会重新设置权限
导致每次启动都需要执行一遍。这非常麻烦
希望可以让alist在创建的时候可以自定义权限

Reproduction / 复现链接

alist配置文件

{
  "force": false,
  "site_url": "https://drive.mengguyi.com",
  "cdn": "",
  "jwt_secret": "jQs3MBFNaBPySFls",
  "token_expires_in": 48,
  "database": {
    "type": "postgres",
    "host": "/var/run/postgresql",
    "port": 5432,
    "user": "alist",
    "password": "",
    "name": "alist",
    "db_file": "",
    "table_prefix": "x_",
    "ssl_mode": ""
  },
  "scheme": {
    "address": "",
    "http_port": -1,
    "https_port": -1,
    "force_https": false,
    "cert_file": "",
    "key_file": "",
    "unix_file": "/var/run/alist/alist.socket"
  },
  "temp_dir": "data/temp",
  "bleve_dir": "data/bleve",
  "log": {
    "enable": true,
    "name": "data/log/log.log",
    "max_size": 10,
    "max_backups": 5,
    "max_age": 28,
    "compress": false
  },
  "delayed_start": 0,
  "max_connections": 0,
  "tls_insecure_skip_verify": true
}

nginx配置文件

upstream alist {
  server unix:/var/run/alist/alist.socket fail_timeout=0;
}

log_format alist_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $server_protocol" $status $body_bytes_sent "$http_user_agent"';

## Redirects all HTTP traffic to the HTTPS host
server {
  listen 80;
  server_name drive.mengguyi.com; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://$http_host$request_uri;
  access_log  /var/log/nginx/alist_access.log alist_ssl_access;
  error_log   /var/log/nginx/alist_error.log;
}

## HTTPS host
server {
  listen 443 ssl http2;
  server_name drive.mengguyi.com; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice

  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl_certificate /etc/nginx/cert/mengguyi.com.pem;
  ssl_certificate_key /etc/nginx/cert/mengguyi.com.key;

  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;

  # These settings are in line with the modern settings from https://ssl-config.mozilla.org/
  # and are supported by all still-supported browsers since 2019. If you have specific needs
  # for older settings, please consult the intermediate settings there.
  ssl_protocols TLSv1.3;
  ssl_prefer_server_ciphers off;

  real_ip_header X-Real-IP; ## X-Real-IP or X-Forwarded-For or proxy_protocol
  real_ip_recursive off;    ## If you enable 'on'
  ## If you have a trusted IP address, uncomment it and set it
  # set_real_ip_from YOUR_TRUSTED_ADDRESS; ## Replace this with something like 192.168.1.0/24

  access_log  /var/log/nginx/alist_access.log alist_ssl_access;
  error_log   /var/log/nginx/alist_error.log;

  location / {
    client_max_body_size 0;
    gzip off;

    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;

    proxy_http_version 1.1;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Ssl     on;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_set_header    Upgrade             $http_upgrade;

    proxy_pass http://alist;
  }
  error_page 404 /404.html;
  error_page 422 /422.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  error_page 503 /503.html;
  location ~ ^/(404|422|500|502|503)\.html$ {
    root /opt/www-data/general-pages;
    internal;
  }
}

Logs / 日志

No response

[anwen-anyi]

Unix套接字 是做什么的？ 前两天在浏览器搜索过相关的没看太明白 有什么例子么~

[mengguyi]

Unix套接字 是做什么的？ 前两天在浏览器搜索过相关的没看太明白 有什么例子么~

这个是我前两天提的issue，使用套接字可以提高alist和nginx的通信效率。
但是套接字会有权限问题。这个需要注意。
比如这里的alist.socket它的文件权限只允许alist用户写入，导致nginx无法写入使得nginx报错503