fix: restrict local listening socket permissions (#318)

Author: chibenwa

docs/en/latest/how-it-works.md

@@ -64,10 +64,15 @@ Note: If you see some error logs like
 phase_func(): failed to connect to the unix socket unix:/tmp/runner.sock: permission denied
 ```
 
-in the `error.log` of APISIX, you can change the permissions of this file for debug, execute commands like
-
-```shell
-chmod 766 /tmp/runner.sock
+in the `error.log` of APISIX, ensure the APISIX user is provided rights on the socket. This can be done
+for instance by using a common group. Example:
+
+```bash
+groupadd apisix_group
+usermod -aG apisix_group apisix
+usermod -aG apisix_group java_plugin_runner
+chown java_plugin_runner:apisix_group /tmp/runner.sock
+chmod 760 /tmp/runner.sock
 ```
 
 To get more detailed debugging information, you can modify the output level of the log.

runner-core/src/main/java/org/apache/apisix/plugin/runner/server/ApplicationRunner.java

@@ -32,6 +32,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.CommandLineRunner;
 import org.springframework.stereotype.Component;
+
 import com.google.common.cache.Cache;
 import io.netty.bootstrap.ServerBootstrap;
 import io.netty.channel.ChannelFuture;
@@ -114,7 +115,7 @@ public void start(String path) throws Exception {
         try {
             initServerBootstrap(bootstrap);
             ChannelFuture future = bootstrap.bind(new DomainSocketAddress(path)).sync();
-            Runtime.getRuntime().exec("chmod 777 " + socketFile);
+            Runtime.getRuntime().exec("chmod 700 " + socketFile);
             logger.warn("java runner is listening on the socket file: {}", socketFile);
 
             future.channel().closeFuture().sync();