[Solved] Is there a recommended way to change the permissions of unix domain sockets created by lighttpd?

Added by zeault 3 months ago

Hello,

This week I've been developing a web server infrastructure using lighttpd and so far it has been great. Everything is working as expected. Really like the project.

My current plan is to use lighttpd primarily as a reverse proxy. I have it configured to require strong TLS security on connections and dispatch the traffic to backend http servers that are listening on unix domain sockets. I am using it this way because some of the backend servers have unproven, weak, or no security features (e.g. Navidrome, Jellyfin, radicale, ...).

I was also considering using a separate copy of lighttpd itself as a backend server. My reason being that I am also trying to confine lighttpd with apparmor, and having a separate process works a little nicer. I set this up for testing and wrote a config that listens on a unix domain socket:

# test.conf
server.bind          = "/run/lighttpd/test.socket" 
server.username      = "lighttpd" 
server.groupname     = "lighttpd"

Then I wrote my reverse proxy config to forward traffic to this socket inside a conditional:

# rproxy.conf
server.username      = "lighttpd" 
server.groupname     = "lighttpd" 
 ... 
$HTTP["host"] == "test.example.com" {
  proxy.server = ( "" => (( "socket" => "/run/lighttpd/test.socket" )) )
}

This does not work right away. In the log files lighttpd complains that it does not have permission to access the socket. These are the default socket permissions:

srwxr-xr-x 1 root root 0 Feb 13 22:53 test.socket

I can change them of course, and then everything starts working as intended:

srwxr-xr-x 1 lighttpd lighttpd 0 Feb 13 22:53 test.socket

The problem is these changes don't last. When lighttpd is shut down it leaves the socket file behind BUT when it starts up again it will overwrite that socket with a new one that has root:root ownership. I tried setgid on the parent directory but lighttpd does not seem to respect that permission.

This is not really a huge problem. I can just edit my init script to change the permissions after the socket is created, but I wanted to ask here to see if there is a better way (an option in the config file? a command line switch?). Or if you have a comment about how I am setting up my infrastructure and think I should set this up completely differently; I welcome those comments as well.

Thank you


Replies (5)

RE: Is there a recommended way to change the permissions of unix domain sockets created by lighttpd? - Added by gstrauss 3 months ago

> I tried setgid on the parent directory but lighttpd does not seem to respect that permission.

That is a general issue in your configuration that you should troubleshoot. It is not lighttpd. Check your filesystem mount options?

Prior related discussions:
https://redmine.lighttpd.net/issues/656
https://redmine.lighttpd.net/issues/3018
https://redmine.lighttpd.net/boards/3/topics/10752


The reason lighttpd binds to sockets prior to setuid and setgid to server.username and server.groupname is so that lighttpd can bind to privileged ports like 80 and 443 prior to dropping privileges. Similar thoughts apply to creating unix domain sockets in directories protected by root. However, your question is subsequent ownership. I need to think a bit more on the topic of lighttpd listening on a unix domain socket and setting ownership to the target server.username and server.groupname.

One solution for you would be to have your daemon manager (e.g. sysvinit or systemd) start the lighttpd process using test.conf as user lighttpd, not as user root. Given the straightforward nature of this solution, I am not sure that lighttpd should be changed.

RE: Is there a recommended way to change the permissions of unix domain sockets created by lighttpd? - Added by zeault 3 months ago

Actually I just realized it was my default init script which was clearing the setgid bit on the /run/lighttpd directory. I changed that but it still doesn't quite solve the problem because the socket is not group writable by default. For the time being I can just change the umask to make it group writeable, but I'm afraid this will cause me some minor issues later. Does lighttpd ever reset its umask internally?

RE: Is there a recommended way to change the permissions of unix domain sockets created by lighttpd? - Added by gstrauss 3 months ago

Please read https://redmine.lighttpd.net/issues/656 which I linked above. See Docs_ConfigurationOptions server.socket-perms

> For the time being I can just change the umask to make it group writeable, but I'm afraid this will cause me some minor issues later.

It works as intended if your filesystem and user/groups are set up properly. No problem.

> Does lighttpd ever reset its umask internally?

No, not currently.

RE: Is there a recommended way to change the permissions of unix domain sockets created by lighttpd? - Added by zeault 3 months ago

Thank you,

I somehow missed that server.socket-perms option. This is the optimal solution for me.

My init system is OpenRC and while I am able to edit the init scripts fairly easily I am trying not to deviate too far from the defaults so I can continue to get upstream support from them. This is the main reason why I asked the question instead of just editing the init script straight away.

> > For the time being I can just change the umask to make it group writeable, but I'm afraid this will cause me some minor issues later.
>
> It works as intended if your filesystem and user/groups are set up properly. No problem.

You are right, but umask is a blunt instrument and like you said in your response to issue 656 it has some security implications. I can't think of any problems it would cause in my current setup, but I can imagine some future unintended side effects from having webdav or a cgi-bin inherit the umask from lighttpd. I am glad I don't have to change it now.

I know the socket perms option was right in front of my face and I still missed it. However, may I suggest adding a link to it in the "See Also" section of the server.bind wiki page? That is where I looked first.

RE: Is there a recommended way to change the permissions of unix domain sockets created by lighttpd? - Added by gstrauss 3 months ago

> However, may I suggest adding a link to it in the "See Also" section of the server.bind wiki page? That is where I looked first.

Please feel free to make constructive improvements to the wiki. (Changes are reviewed and may be reworded.)
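
Added example (not part of the thread and not lighttpd code): a Python sketch of why the socket came up as srwxr-xr-x, and which of the setups discussed above lets the proxy user connect. The uid/gid 101 for lighttpd is a constructed value, and the `perms` argument stands in for a per-socket setting such as server.socket-perms, assumed here to act like a chmod on the socket path.

```python
import os, socket, stat, tempfile

def bound_socket_mode(umask, perms=None):
    """Bind a unix socket under `umask`, optionally chmod it, return its mode."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "test.socket")
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
                s.bind(path)               # kernel applies 0777 & ~umask
                if perms is not None:
                    os.chmod(path, perms)  # touches this one socket only
                return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)

def can_connect(mode, owner_uid, owner_gid, uid, gids):
    """Linux rule from unix(7): connect() needs write permission on the socket.
    Plain owner/group/other check; ignores ACLs, root and directory search bits."""
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

# Constructed ids for illustration: root is 0, user and group lighttpd are 101.
ROOT, LIGHTTPD = 0, 101

def scenarios():
    """Map each setup from the thread to (socket mode, can the proxy connect?)."""
    default = bound_socket_mode(0o022)        # usual daemon umask
    scoped = bound_socket_mode(0o022, 0o660)  # per-socket permissions
    loose = bound_socket_mode(0o002)          # process-wide umask change
    proxy = (LIGHTTPD, {LIGHTTPD})            # uid and groups of the connecting proxy
    return {
        "root:root, default mode": (default, can_connect(default, ROOT, ROOT, *proxy)),
        "chown lighttpd:lighttpd by hand": (default, can_connect(default, LIGHTTPD, LIGHTTPD, *proxy)),
        "setgid dir (root:lighttpd), default": (default, can_connect(default, ROOT, LIGHTTPD, *proxy)),
        "setgid dir + per-socket 0660": (scoped, can_connect(scoped, ROOT, LIGHTTPD, *proxy)),
        "setgid dir + umask 002": (loose, can_connect(loose, ROOT, LIGHTTPD, *proxy)),
    }

if __name__ == "__main__":
    for name, (mode, ok) in scenarios().items():
        print(f"{name:38} {mode:04o}  connect: {'ok' if ok else 'EACCES'}")
```

The umask 002 row connects as well, but that umask also applies to every file the process and its children create afterwards, which is the side effect raised in the thread.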
