stbuehler, 2009-02-08 19:23
Basic Ideas
spawn-fcgi drops privileges (i.e. does setuid/setgid to the specified user/group) before creating the socket; that means:
- You cannot listen on ports < 1024 (tcp mode)
- The socket will be created with the user/group you gave as parameter
Now, one nice thing about FastCGI is that you can run the FastCGI application and the webserver as different users (privilege separation); but lighttpd needs access to your socket. So if you are not using the tcp mode and don't want to give everyone read/write access to your sockets, you need a little trick:
Use a wrapper script like this ("./php"): (needs setuidgid from daemontools)
    #!/bin/sh
    # chown socket so webserver can access it
    chown www-data:www-data /var/run/lighttpd/yourphpsocketname.sock
    # change user for target application
    exec setuidgid yourphpuser /usr/bin/php5-cgi
Now you can start php (or whatever fastcgi application you are using) like this: (you must be root of course, as only root will be able to chown/setuidgid)
    /usr/sbin/spawn-fcgi -f ./php -s /var/run/lighttpd/yourphpsocketname.sock -n
With daemontools/runit you could use this "./run" script:
    #!/bin/sh
    exec 2>&1
    # do not change user here, as we need to be root to chown the socket!
    exec /usr/sbin/spawn-fcgi -f ./php -s /var/run/lighttpd/yourphpsocketname.sock -n
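To confirm the wrapper left the socket reachable only by the webserver, the following audit script can be run after startup. It is an added example, not part of the original wiki page or the spawn-fcgi project; the function names and the script name `check-socket.sh` are hypothetical, and it assumes GNU `stat` from coreutils.

```sh
#!/bin/sh
# Added example, not part of the spawn-fcgi wiki page.
# Audits the unix socket after the ./php wrapper has chown'ed it.
# Assumes GNU stat (coreutils) for "stat -c".

# check_perms OWNER GROUP MODE WANT_USER WANT_GROUP
# Pure check on values as printed by: stat -c '%U %G %a' SOCKET
# Prints one line per finding; returns 0 if clean, 1 otherwise.
check_perms() {
    owner=$1 group=$2 mode=$3 want_user=$4 want_group=$5
    rc=0
    if [ "$owner" != "$want_user" ]; then
        echo "owner is $owner, expected $want_user"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "group is $group, expected $want_group"; rc=1
    fi
    # Last octal digit = permissions for "other"; anything but 0 means
    # accounts besides the webserver user/group can reach the socket.
    other=${mode#"${mode%?}"}
    if [ "$other" != "0" ]; then
        echo "mode $mode grants access to everyone (other=$other)"; rc=1
    fi
    return "$rc"
}

# check_socket PATH WANT_USER WANT_GROUP
# Returns 2 if PATH is not a unix socket, else the result of check_perms.
check_socket() {
    path=$1
    if [ ! -S "$path" ]; then
        echo "$path: not a unix socket"
        return 2
    fi
    # Word splitting is intended: stat prints "user group mode".
    set -- $(stat -c '%U %G %a' "$path") "$2" "$3"
    check_perms "$@"
}

# Usage: sh check-socket.sh /var/run/lighttpd/yourphpsocketname.sock www-data www-data
if [ "$#" -eq 3 ]; then
    check_socket "$@"
fi
```

A non-zero exit status means the socket is missing, owned by the wrong account, or open to every local user.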