How to restrict permissions for Unix socket?

[Densaugeo]

Initial Checks

• I confirm this was discussed, and the maintainers suggest I open an issue.
• I'm aware that if I created this issue without a discussion, it may be closed without a response.

Discussion Link

I asked about this on the Discord, but didn't receive a reply after several days. Sorry if this isn't the right place.

Description

When the --uds option is used Uvicorn creates a socket with 766 permissions, accessible to any user on the server, and this does not appear to be configurable. What is the recommended way to restrict a socket to 760 or similar?

I could separately chmod the socket after it is created, but this leads to tricky questions about error detection and handling if the chmod doesn't happen for some reason.

Example Code

Python, Uvicorn & OS Version

Fedora 41
Python 3.12.11
Uvicorn 0.37.0

[Kludex]

Uvicorn maintains the permissions from the uds if it was created previously. Is that enough?

[Densaugeo]

After some debugging, I figured out why that approach wasn't working: Uvicorn will not bind to an existing socket when --reload is used.

The following code works:

> nc --unixsock -l socket
^C
> sudo chmod 760 socket
> python -m uvicorn app-fastapi:app --uds socket
INFO:     Started server process [24255]
INFO:     Waiting for application startup.
INFO:     Application startup complete.
INFO:     Uvicorn running on unix socket socket (Press CTRL+C to quit)

But this code results in an "address already in use" error:

> nc --unixsock -l socket
^C
> sudo chmod 760 socket
> python -m uvicorn app-fastapi:app --uds socket --reload
INFO:     Will watch for changes in these directories: ['/projects/tir-na-nog']
ERROR:    [Errno 98] Address already in use

My first thought was that reload might have been binding to the socket, but I also tried moving the socket to a folder outside the watch area and that didn't help.

I used the following minimal app-fastapi.py for this test:

from fastapi import FastAPI

app = FastAPI()

[Densaugeo]

Looks like this bug occurred previously #722 . In that thread it was reported to be fixed sometime in 2022.