
fix(rpc): handle EINVAL from chmod on Unix sockets in containers #1399

Merged: steveyegge merged 1 commit into steveyegge:main from dichro:fix/socket-chmod-einval on Jan 31, 2026

@dichro (Contributor) commented Jan 30, 2026

Some filesystems (e.g., virtio-fs used by Apple's Virtualization.framework for containers) don't support chmod on Unix domain sockets, returning EINVAL.

This change makes the chmod error non-fatal for EINVAL/ENOTSUP, since the socket is already protected by:

  • Parent directory permissions (0700)
  • Process umask

The security intent from bd-158 (commit 0dac4b9) is preserved - we still attempt chmod and fail on other errors (e.g., EPERM).

Fixes #1084

cc @steveyegge (original author of the socket permission check in bd-158)

🤖 Generated with Claude Code

Strace shows:

9178  fchmodat(AT_FDCWD, "/home/miki/c/.beads", 0700) = 0
9178  newfstatat(AT_FDCWD, "/home/miki/c/.beads/bd.sock", 0x4000568638, 0) = -1 ENOENT (No such file or directory)
9178  socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 10
9178  openat(AT_FDCWD, "/proc/sys/net/core/somaxconn", O_RDONLY|O_CLOEXEC) = 11
9178  fcntl(11, F_GETFL)                = 0x20000 (flags O_RDONLY|O_LARGEFILE)
9178  fcntl(11, F_SETFL, O_RDONLY|O_NONBLOCK|O_LARGEFILE) = 0
9178  epoll_ctl(4, EPOLL_CTL_ADD, 11, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data=0xffff525b87280002}) = 0
9179  <... epoll_pwait resumed>[{events=EPOLLIN|EPOLLOUT, data=0xffff525b87280002}], 128, 4999, NULL, 0) = 1
9179  epoll_pwait(4,  <unfinished ...>
9178  read(11, "4096\n", 65536)         = 5
9178  read(11, "", 65531)               = 0
9178  epoll_ctl(4, EPOLL_CTL_DEL, 11, 0x40008af8b0) = 0
9178  close(11)                         = 0
9178  setsockopt(10, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
9178  bind(10, {sa_family=AF_UNIX, sun_path="/home/miki/c/.beads/bd.sock"}, 30) = 0
9178  listen(10, 4096)                  = 0
9178  epoll_ctl(4, EPOLL_CTL_ADD, 10, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data=0xffff525b87280003}) = 0
9178  getsockname(10, {sa_family=AF_UNIX, sun_path="/home/miki/c/.beads/bd.sock"}, [112 => 30]) = 0
9178  fchmodat(AT_FDCWD, "/home/miki/c/.beads/bd.sock", 0600) = -1 EINVAL (Invalid argument)
9178  unlinkat(AT_FDCWD, "/home/miki/c/.beads/bd.sock", 0) = 0

Co-Authored-By: Claude Opus 4.5 <[email protected]>
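A Go sketch of the error handling described above, added here as an example and not taken from the beads code base. `restrictSocket` and its injectable `chmod` parameter are hypothetical names, and the parent-directory check on the fallback path is an added assumption that the page does not show the project performing.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// restrictSocket sets 0600 on the socket. An unsupported chmod (EINVAL/ENOTSUP)
// is tolerated only when the parent directory is owner-only; any other chmod
// error (e.g. EPERM) stays fatal. The chmod parameter is hypothetical, for testing.
func restrictSocket(path string, chmod func(string, os.FileMode) error) error {
	err := chmod(path, 0o600)
	unsupported := errors.Is(err, syscall.EINVAL) || errors.Is(err, syscall.ENOTSUP)
	if err == nil || !unsupported {
		return err
	}
	info, statErr := os.Stat(filepath.Dir(path))
	if statErr != nil {
		return statErr
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("socket chmod unsupported and parent dir is %#o, want 0700", perm)
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "bd-demo") // created 0700, like .beads in the trace
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	sock := filepath.Join(dir, "bd.sock")
	ln, err := net.Listen("unix", sock)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	// Constructed fault standing in for virtio-fs: chmod on the socket returns EINVAL.
	einval := func(p string, _ os.FileMode) error {
		return &os.PathError{Op: "chmod", Path: p, Err: syscall.EINVAL}
	}
	fmt.Println("real chmod:", restrictSocket(sock, os.Chmod), "simulated EINVAL:", restrictSocket(sock, einval))
}
```
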
@steveyegge (Owner) left a comment

Easy-win: makes chmod non-fatal for EINVAL/ENOTSUP on Unix sockets in containers. Security intent from bd-158 preserved (still fails on EPERM etc). Good strace evidence. LGTM.

@steveyegge steveyegge merged commit 306de3b into steveyegge:main Jan 31, 2026
groblegark pushed a commit to groblegark/beads that referenced this pull request Jan 31, 2026
…veyegge#1399)

Co-authored-by: r. Miki Habryn <[email protected]>
Co-authored-by: Claude Opus 4.5 <[email protected]>
(cherry picked from commit 306de3b)
Successfully merging this pull request may close these issues.

Beads database and socket issues when in a devcontainer