Feature request: add server config for setting permissions on Unix domain socket
I've managed to get Lighttpd and Pound proxy working together via a Unix domain socket (with the exception of the mod_cgi bug #653). However, because they run as different users, I have to start Lighttpd, chmod the socket, then start Pound; otherwise I get "permission denied" errors from Pound.
It would be nice to be able to set a permission mode on the socket in the lighttpd.conf file.
Updated by gstrauss almost 8 years ago
A commonly applicable solution is provided below, without need to modify lighttpd.
A solution for two different users, each with a separate primary group, to have permission to a unix domain socket:
- Create a group, e.g. 'lighound', and add 'lighttpd' and 'pound' users as members. This will be a supplemental group for each of them.
- Create a subdirectory (in the location under which you want sockets created)
mkdir sockets-lighound && chgrp lighound sockets-lighound && chmod 2750 sockets-lighound
- Set 'umask 002' before starting lighttpd and understand the security implications of doing so on your system. If you're on a system with user-private groups, or at least on which no other user is a member of 'lighttpd' primary group, then this is probably a reasonable action.
When lighttpd starts up, it will create a socket in the directory and the g+s permission on the directory will make the socket ownership lighttpd:lighound, and the umask setting 002 (set before starting lighttpd) will make the permissions on the socket writable by both user and group. Due to the permissions on the 'sockets-lighound/' directory, only the lighttpd user and members of the lighound group (lighttpd and pound) will be able to access the socket, and only the lighttpd user will be able to create or remove sockets from the 'sockets-lighound/' directory.
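The mechanism described in the comment above can be checked without lighttpd. The following is an added example, not part of the original thread or of lighttpd's code: a Python process stands in for the server, binds a Unix domain socket inside a mode-2750 directory under two different umasks, and reports the resulting modes and group. It assumes Linux semantics (socket mode is 0777 masked by the umask, and connecting requires write permission on the socket); the scratch path, the socket name `web.sock` and the function names are constructed for illustration.

```python
import os
import shutil
import socket
import stat
import tempfile


def bind_in_shared_dir(umask_value):
    """Bind a Unix socket in a setgid 2750 directory under the given umask.

    Returns (dir_mode, sock_mode, dir_gid, sock_gid).
    """
    base = tempfile.mkdtemp(prefix="sk-")            # constructed scratch location
    sockdir = os.path.join(base, "sockets-lighound")
    os.mkdir(sockdir)
    os.chmod(sockdir, 0o2750)                        # g+s, group r-x, no access for others
    old_umask = os.umask(umask_value)                # what "umask 002" does before startup
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        path = os.path.join(sockdir, "web.sock")     # hypothetical socket name
        srv.bind(path)                               # the kernel creates the socket inode here
        d, s = os.stat(sockdir), os.stat(path)
        return stat.S_IMODE(d.st_mode), stat.S_IMODE(s.st_mode), d.st_gid, s.st_gid
    finally:
        os.umask(old_umask)
        srv.close()
        shutil.rmtree(base)


def group_can_connect(sock_mode):
    """On Linux, connect() to a pathname socket needs write permission on it."""
    return bool(sock_mode & stat.S_IWGRP)


def others_can_connect(sock_mode):
    """True if the socket mode alone would let any user connect."""
    return bool(sock_mode & stat.S_IWOTH)


if __name__ == "__main__":
    for mask in (0o022, 0o002):
        dmode, smode, dgid, sgid = bind_in_shared_dir(mask)
        print(f"umask {mask:03o}: dir {dmode:04o} socket {smode:04o} "
              f"group inherited={sgid == dgid} "
              f"group connect={group_can_connect(smode)} "
              f"other write bit={others_can_connect(smode)}")
```

With umask 002 the socket itself has no write bit for others, so the 2750 directory is the only thing keeping non-members out only at the search (x) level; the group write bit is what lets the second service user connect.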