Project

General

Profile

Actions

Feature #656

closed

Feature request: add server config for setting permissions on Unix domain socket

Added by Anonymous almost 18 years ago. Updated almost 7 years ago.

Status:
Fixed
Priority:
Low
Category:
core
Target version:
ASK QUESTIONS IN Forums:

Description

I've managed to get Lighttpd and Pound proxy working together via a Unix domain socket (with the exception of the mod_cgi bug #653). However, because they run as different users, I have to start Lighttpd, chmod the socket, then start Pound otherwise I get "permission denied" errors from Pound.

It would be nice to be able to set a permission mode on the socket in the lighttpd.conf file.

-- cliff

Actions #1

Updated by moo almost 18 years ago

does a umask before lighttpd help? which might affect any fastcgi umask, unless you start fastcgi with umask reset.

Actions #2

Updated by gstrauss about 8 years ago

A commonly applicable solution is provided below, without need to modify lighttpd.

A solution for two different users, each with a separate primary group, to have permission to a unix domain socket:
  1. Create a group, e.g.'lighound', and add 'lighttpd' and 'pound' users as members. This will be a supplemental group for each of them.
  2. Create a subdirectory (in the location under which you want sockets created)
    mkdir sockets-lighound && chgrp lighound sockets-lighound && chmod 2750 sockets-lighound
    
  3. Set 'umask 002' before starting lighttpd and understand the security implications of doing so on your system. If you're on a system with user-private groups, or at least on which no other user is a member of 'lighttpd' primary group, then this is probably a reasonable action.

When lighttpd starts up, it will create a socket in the directory and the g+s permission on the directory will make the socket ownership lighttpd:lighound, and the umask setting 002 (set before starting lighttpd) will make the permissions on the socket writable by both user and group. Due to the permissions on the 'sockets-lighound/' directory, only the lighttpd user and members of the lighound group (lighttpd and pound) will be able to access the socket, and only the lighttpd user will be able to create or remove sockets from the 'sockets-lighound/' directory.

Actions #3

Updated by stbuehler about 8 years ago

  • Description updated (diff)
  • Assignee deleted (jan)
  • Target version set to 1.4.x
Actions #4

Updated by gstrauss almost 7 years ago

  • Status changed from New to Patch Pending
  • Priority changed from Normal to Low
  • Target version changed from 1.4.x to 1.4.46

new directive: server.socket-perms = "0770"

Actions #5

Updated by gstrauss almost 7 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
Actions

Also available in: Atom