Set correct rights to unix socket with Mojo::Server::Daemon


Илья Рассадин

Apr 26, 2019, 9:50:57 AM
to Mojolicious
Hi!

I want to run my mojo app with hypnotoad listening on a unix socket. The conf
file looks like this:

{
    ...
    hypnotoad => {
        listen  => ['http+unix://%2Ftmp%2Fmy_app.sock'],
        workers => 2,
        proxy   => 1,
    },
}

And then the file /tmp/my_app.sock has 755 rights (according to the user umask).

But I need to change it to 777 to allow nginx to write queries to the socket.

Is there a proper recommended way to achieve that goal?

--

Best Regards, Ilya 'elcamlost' Rassadin.

Charlie Brady

Apr 30, 2019, 10:46:07 PM
to Mojolicious

IMO you *never* want to use 777. Use user or group id of the socket file
to control whether nginx can write to it.

Илья Рассадин

May 1, 2019, 4:22:00 AM
to mojol...@googlegroups.com
Thanks for your advice.

But

1) It's a requirement from my devops colleague and I need to achieve it
somehow. Just telling them "some people think that your approach is wrong and
insecure" is not a valid solution in my case.

2) Other apps (like php-fpm) allow setting up socket rights, as well as
socket user and groups, via a config file. Hypnotoad (and other mojo
daemons) have no such options, at least I'm not aware of them. Instead,
hypnotoad relies on the user umask.

I think (though I'm most likely mistaken) this option should be available
to mojo daemons. If a process runs as root, then it should be able to
create the socket, change permissions according to configuration (or a safe
default) and then fork children with another user's permissions and from
that moment rely on the user umask.

Are there any thoughts from the Mojolicious core team about it?

On 01/05/2019 05:43, Charlie Brady wrote:
> IMO you *never* want to use 777. Use user or group id of the socket file
> to control whether nginx can write to it.
>

Heiko Jansen

May 30, 2019, 3:22:17 PM
to Mojolicious
What about simply running your Mojo app under the same user or a user with the same user group as used for nginx?
Otherwise, what about using Perl's "umask" builtin in your app start script to set the appropriate value and probably reset it after the app started?
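
The umask approach from the last reply, combined with the group-ownership advice earlier in the thread, as an added example that is not part of the thread and not Mojolicious code. Core IO::Socket::UNIX stands in for the daemon's listener; the helper names listen_with_mode and mode_of, the temporary socket path and any group name passed in are assumptions.

```perl
#!/usr/bin/env perl
# Added example (not Mojolicious code): shows how the umask in effect at
# bind time decides the mode of a unix socket file.
use strict;
use warnings;
use IO::Socket::UNIX;
use File::Temp qw(tempdir);

# Bind a listening unix socket under a temporary umask, optionally handing
# the socket file to a group (hypothetical helper; group name is an assumption).
sub listen_with_mode {
    my ($path, $umask, $group) = @_;
    unlink $path if -S $path;      # clear a stale socket from a previous run
    my $old  = umask $umask;       # bind(2) applies the umask to the socket file
    my $sock = IO::Socket::UNIX->new(Local => $path, Listen => 5);
    my $err  = "$!";
    umask $old;                    # restore before anything else creates files
    die "bind $path: $err\n" unless $sock;
    if (defined $group) {
        my $gid = getgrnam($group);
        die "no such group: $group\n" unless defined $gid;
        # needs root, or membership of the owner in that group
        chown(-1, $gid, $path) or die "chgrp $path: $!\n";
    }
    return $sock;
}

# Permission bits of a file as a four-digit octal string.
sub mode_of { return sprintf '%04o', (stat $_[0])[2] & 07777 }

my $dir  = tempdir(CLEANUP => 1);  # constructed path, stands in for /tmp
my $path = "$dir/my_app.sock";

# 0022: typical default; 0007: owner and group only; 0000: what 777 amounts to
for my $case ([0022, 'default'], [0007, 'owner+group'], [0000, 'world-writable']) {
    my ($umask, $label) = @$case;
    my $sock = listen_with_mode($path, $umask);
    printf "umask %04o (%s): socket mode %s\n", $umask, $label, mode_of($path);
    close $sock;
}
```

On Linux a client needs write permission on the socket file to connect, so owner-plus-group access with a group that nginx's worker user belongs to is sufficient without making the socket world-writable.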