Feature #656

Feature request: add server config for setting permissions on Unix domain socket

Added by Anonymous over 11 years ago. Updated 5 months ago.

Status: Fixed
Priority: Low
Assignee: -
Category: core
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:

Description

I've managed to get Lighttpd and Pound proxy working together via a Unix domain socket (with the exception of the mod_cgi bug #653). However, because they run as different users, I have to start Lighttpd, chmod the socket, then start Pound; otherwise I get "permission denied" errors from Pound.

It would be nice to be able to set a permission mode on the socket in the lighttpd.conf file.

-- cliff

Associated revisions

Revision d15ddcb6
Added by gstrauss 5 months ago

[core] server.socket-perms to set perms on unix (fixes #656)

server.socket-perms = "0770" to set perms on unix domain socket
on which lighttpd listens for requests, e.g. $SERVER["socket"] == "..."

x-ref:
"Feature request: add server config for setting permissions on Unix domain socket"
https://redmine.lighttpd.net/issues/656

History

#1

Updated by moo over 11 years ago

Does a umask before lighttpd help? It might affect any FastCGI umask, unless you start FastCGI with the umask reset.

#2

Updated by gstrauss over 1 year ago

A commonly applicable solution is provided below, without need to modify lighttpd.

A solution for two different users, each with a separate primary group, to have permission to a unix domain socket:
  1. Create a group, e.g. 'lighound', and add the 'lighttpd' and 'pound' users as members. This will be a supplemental group for each of them.
  2. Create a subdirectory (in the location under which you want sockets created):
     mkdir sockets-lighound && chgrp lighound sockets-lighound && chmod 2750 sockets-lighound
  3. Set 'umask 002' before starting lighttpd and understand the security implications of doing so on your system. If you're on a system with user-private groups, or at least one on which no other user is a member of the 'lighttpd' primary group, then this is probably a reasonable action.

When lighttpd starts up, it will create a socket in the directory and the g+s permission on the directory will make the socket ownership lighttpd:lighound, and the umask setting 002 (set before starting lighttpd) will make the permissions on the socket writable by both user and group. Due to the permissions on the 'sockets-lighound/' directory, only the lighttpd user and members of the lighound group (lighttpd and pound) will be able to access the socket, and only the lighttpd user will be able to create or remove sockets from the 'sockets-lighound/' directory.
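
The recipe above (shared group, setgid directory, umask), run end to end as an added example; this script is not from the issue thread or from the lighttpd project. It assumes it runs unprivileged, so the caller's primary group (`id -gn`) stands in for the shared 'lighound' group, and a file created by the shell stands in for the socket lighttpd would bind(): the kernel applies the umask to a bound unix socket the same way it does to a newly created file, so the resulting modes are the ones a real socket would get. It shows the directory mode after `chmod 2750`, the socket mode under `umask 002` versus the default `umask 022`, and keeps the umask change in a subshell so it applies only to what is started there, which is how "set umask before starting lighttpd" should be done in a service wrapper.

```shell
#!/bin/sh
# Added example (not from the lighttpd issue or project code).
# Assumptions: runs unprivileged, so the caller's primary group stands in
# for the shared 'lighound' group, and a plain file created with a shell
# redirection stands in for the unix socket lighttpd would bind().

# mode_of FILE -> ten-character mode string, e.g. "drwxr-s---".
# Uses ls -l rather than stat -c so it works on GNU and BSD userlands.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# group_of FILE -> owning group name (fourth column of ls -l).
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# setup_socket_dir PARENT GROUP -> creates PARENT/sockets-lighound owned by
# GROUP with mode 2750 (setgid, group can traverse, nobody else can) and
# prints its path.
setup_socket_dir() {
    dir="$1/sockets-lighound"
    mkdir "$dir" && chgrp "$2" "$dir" && chmod 2750 "$dir" && printf '%s\n' "$dir"
}

# create_socket_with_umask DIR UMASK NAME -> creates DIR/NAME under UMASK and
# prints the resulting mode string. The umask is set in a subshell so it is
# scoped to the "daemon" being started, exactly as a service wrapper would do.
create_socket_with_umask() {
    (
        umask "$2"
        : > "$1/$3"
    ) && mode_of "$1/$3"
}

# demo -> walk through the recipe in a temporary directory and show the
# difference between umask 002 (recipe) and the usual default 022.
demo() {
    tmp=$(mktemp -d) || return 1
    grp=$(id -gn)
    dir=$(setup_socket_dir "$tmp" "$grp") || return 1
    good=$(create_socket_with_umask "$dir" 002 lighttpd.sock)
    bad=$(create_socket_with_umask "$dir" 022 lighttpd-default.sock)
    echo "directory : $(mode_of "$dir") group=$(group_of "$dir")"
    echo "umask 002 : $good  (group writable: a 'lighound' member such as pound can connect)"
    echo "umask 022 : $bad  (group read-only: connect() fails with EACCES)"
    rm -rf "$tmp"
}

demo
```

The trade-off moo raised still applies: the umask is inherited by everything lighttpd spawns, so FastCGI or CGI children started from that environment will also create group-writable files unless they reset it themselves.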

#3

Updated by stbuehler over 1 year ago

  • Description updated
  • Assignee deleted (jan)
  • Target version set to 1.4.x

#4

Updated by gstrauss 5 months ago

  • Status changed from New to Patch Pending
  • Priority changed from Normal to Low
  • Target version changed from 1.4.x to 1.4.46

new directive: server.socket-perms = "0770"
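
The directive in use, as an added lighttpd.conf fragment; this is not from the project's documentation, and the socket path and the placement of server.socket-perms at global scope are assumptions to check against the docs for your release.

```conf
# Added example lighttpd.conf fragment (not from the lighttpd project docs).
# Assumptions: the socket path, and that server.socket-perms is accepted at
# global scope.

# Listen on a unix domain socket for the front-end proxy (Pound) to connect to.
$SERVER["socket"] == "/var/run/lighttpd/lighound.sock" { }

# Mode applied to that socket once lighttpd has created it. 0770 keeps it
# off-limits to other local users; the connecting peer must then be a member
# of the socket's group (lighttpd's primary group, or the directory's group
# if the directory is setgid as in comment #2). A mode such as 0666 would
# instead let any local user connect.
server.socket-perms = "0770"
```

Compared with the umask approach, this sets only the socket's mode and leaves the umask inherited by CGI and FastCGI children untouched.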

#5

Updated by gstrauss 5 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
