[Solved] Add UID and GID to UNIX socket config?

Added by Anonymous over 1 year ago

Dear colleagues,

I'd like to resurrect an old issue (https://redmine.lighttpd.net/issues/3018).

There already exists an ability to bind a UNIX socket and change its perms. That's good, actually, and I like that. But IMHO, an option to change the user and group for this socket would be really great.

Why it would be a great idea:

Lighttpd works very well with Tor hidden services. UNIX sockets are considered the best option from a security perspective (it is, quote, "a good practice to avoid leaking an Onion Service to a local network" - https://community.torproject.org/onion-services/setup/). UNIX sockets may be the only good option if your server uses TAILS (https://tails.boum.org/), which blocks all localhost ports by default. However, this requires more fine-tuning of user permissions.

For now, I solve this problem with

chown www-data:debian-tor ${socket}
after every reboot. But, I believe, it can be much easier with two additional options (for example, server.socket-user and server.socket-group).

Also, I'd recommend adding Lighttpd + Tor best practices to the wiki. Actually, I can help, because for my HS I mostly use lighttpd.

Best regards,

Emil


Replies (5)

RE: Add UID and GID to UNIX socket config? - Added by gstrauss over 1 year ago

The answer ("no") was already given in my comment in https://redmine.lighttpd.net/issues/3018. Please re-read it.

For lighttpd to chown to another user, lighttpd would need to be run as root. For lighttpd to be able to chgrp, lighttpd www-data would need to be a member of the group, or would need to be root. People can run lighttpd without starting it as root, and even if lighttpd is started as root, it might be configured to drop privileges to a less-privileged user. If lighttpd needed to recreate the socket for any reason, lighttpd would be unable to do so if lighttpd were no longer able to chown or chgrp to the target user or group.

It is good practice to have your file-based sockets in a protected directory, e.g. a directory owned by the lighttpd user, in your case www-data.
If you have a protected directory, then you can do a one-time setup to chgrp the directory to the target group (debian-tor) and then chmod g+s the directory so that files created in that directory inherit the group from the directory.
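
The one-time setup described in the reply above, as an added example (not lighttpd project code and not from any participant in this thread): a protected socket directory owned by the lighttpd user with the peer's group and the setgid bit, plus a check that a file created inside it inherits that group the way a lighttpd-created socket would. The directory path, the user/group names (www-data, debian-tor), the probe-file name and the lighttpd/torrc lines in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: set up a protected directory for a lighttpd unix socket so the
# socket inherits the peer group (e.g. debian-tor) from the directory instead of
# needing a chown after every reboot. Run once as root on a real system.
#
# Assumed matching configuration (not verified here):
#   lighttpd.conf:  server.bind = "/run/lighttpd/lighttpd.sock"
#                   server.socket-perms = "0660"   # owner+group rw, others none
#   torrc:          HiddenServicePort 80 unix:/run/lighttpd/lighttpd.sock

# setup_socket_dir DIR OWNER GROUP
#   DIR is owned by OWNER (the user lighttpd drops to, e.g. www-data) and
#   group GROUP (the user that must connect, e.g. debian-tor), mode 2750:
#   owner rwx, group r-x (so the peer can traverse to the socket), others
#   nothing, setgid so files created in DIR get group GROUP automatically.
setup_socket_dir() {
    dir=$1; owner=$2; group=$3
    mkdir -p "$dir" || return 1
    chown "$owner:$group" "$dir" || return 1
    chmod 2750 "$dir" || return 1
}

# dir_mode DIR -> permission string as printed by ls, e.g. "drwxr-s---"
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# file_group PATH -> group owner of PATH
file_group() {
    ls -ld "$1" | awk '{print $4}'
}

# check_inherit DIR GROUP
#   Creates a probe file in DIR as the current user without any chgrp, the way
#   lighttpd creates its socket, and returns 0 if the file got group GROUP.
check_inherit() {
    dir=$1; group=$2
    probe="$dir/probe.$$"
    : > "$probe" || return 1
    g=$(file_group "$probe")
    rm -f "$probe"
    [ "$g" = "$group" ]
}

# Stand-alone run: illustrative names; as a non-root user this only succeeds
# for your own uid and a group you belong to, so replace accordingly.
if [ "${1:-}" = "run" ]; then
    setup_socket_dir /run/lighttpd www-data debian-tor &&
        check_inherit /run/lighttpd debian-tor &&
        echo "ok: $(dir_mode /run/lighttpd) $(file_group /run/lighttpd)"
fi
```

Two practical caveats (assumptions, not from the thread): if the directory lives on a tmpfs such as /run it disappears at reboot, so create it at boot (for example a systemd tmpfiles.d entry of the form `d /run/lighttpd 2750 www-data debian-tor -`) or put it on persistent storage; and the setgid bit only governs the group, so the socket's own mode still has to grant group write (hence the 0660 above) for the peer to connect.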

RE: [Solved] Add UID and GID to UNIX socket config? - Added by gstrauss over 1 year ago

Also, I'd recommend adding Lighttpd + Tor best practices to the wiki. Actually, I can help, because for my HS I mostly use lighttpd.

You're more than welcome to craft such a wiki page using your experience with tor. Please understand that wiki pages may be further edited for clarity and consistency.

RE: [Solved] Add UID and GID to UNIX socket config? - Added by Anonymous over 1 year ago

Dear gstrauss,

Thank you very much for the answer and the solution!

If you could add some lines about it to the wiki, it would be great. I guess there are many people who would use that.

Best regards,

Emil

RE: [Solved] Add UID and GID to UNIX socket config? - Added by Anonymous over 1 year ago

gstrauss wrote in RE: [Solved] Add UID and GID to UNIX socket config?:

Also, I'd recommend adding Lighttpd + Tor best practices to the wiki. Actually, I can help, because for my HS I mostly use lighttpd.

You're more than welcome to craft such a wiki page using your experience with tor. Please understand that wiki pages may be further edited for clarity and consistency.

It'd be my pleasure.
I will create a topic here when I finish.

Best regards,

Emil
