where to chmod socket file?
normalperson at yhbt.net
Thu Nov 12 21:03:52 EST 2009
Suraj Kurapati <sunaku at gmail.com> wrote:

> I set the socket for my app to reside in /tmp/ because my app's
> Capistrano deploy directory is NFS-mounted:
>
>   listen '/tmp/my_app.sock'
>
> That socket file is being created with mode 0777 + sticky bit. I
> don't want others to accidentally delete or write to this socket file,
> so I added the following line to my before_fork() block:
>
>   before_fork do |server, worker|
>     File.chmod 0600, '/tmp/my_app.sock'
>     # ...
>
> Is there a better place to put this chmod? Or maybe tell unicorn to
> create the socket with mode 0600?
That's probably the best place to put chmod for now... I could be
persuaded to add a :umask option for listen. E.g.:

  listen '/tmp/my_app.sock', :umask => 0077
On the other hand, I don't think it's even possible for others to
accidentally delete the socket if it's in /tmp (the directory itself
should be sticky, not the socket file).
I don't think world-read/writability is a problem for deployed apps.
Making sockets world-read/writable fits the model of localhost-bound TCP
sockets better: it's one step easier for people to port/change existing
testing/monitoring tools from the TCP ones.
Also, in my experience with FastCGI deployments, a less permissive umask
was often a source of breakage/confusion for FastCGI apps. TCP sockets
don't have this problem, and I've seen people prefer it for that reason.
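The two approaches discussed in this thread, shown side by side as an added example (this is not unicorn's code and does not use its config DSL; the helper names, the temporary directory and the socket names are constructed for the demonstration). bind_with_umask mimics the proposed :umask option: the umask is in effect while the socket is bound, so the node is created with group/other bits already cleared. bind_then_chmod is the before_fork approach from the question: it works, but between bind and chmod the socket briefly carries the default mode, which is the gap a restrictive umask closes.

```ruby
require 'socket'
require 'tmpdir'

# Bind a Unix-domain socket with a restrictive umask in effect, so the socket
# node never exists with group/other bits set. (Hypothetical helper that
# imitates the proposed `listen path, :umask => ...` option.)
def bind_with_umask(path, umask)
  File.unlink(path) if File.socket?(path)
  old = File.umask(umask)          # File.umask returns the previous mask
  begin
    UNIXServer.new(path)           # bind happens here, under the new mask
  ensure
    File.umask(old)                # restore so the rest of the process is unaffected
  end
end

# The approach from the question: bind first, then chmod the socket node.
# Correct end state, but the mode is only tightened after the bind returns.
def bind_then_chmod(path, mode)
  File.unlink(path) if File.socket?(path)
  server = UNIXServer.new(path)
  File.chmod(mode, path)
  server
end

# Permission bits of the socket node: setuid/setgid/sticky plus rwx for
# owner, group and other.
def socket_mode(path)
  File.stat(path).mode & 07777
end

# True if group or other have any access bit on the socket node.
def group_or_other_accessible?(path)
  (socket_mode(path) & 0077) != 0
end

# Creates both sockets in a constructed temp directory and reports the
# resulting modes and whether anyone but the owner can reach them.
def demo
  Dir.mktmpdir do |dir|
    umask_sock = File.join(dir, 'umask.sock')   # constructed sample path
    chmod_sock = File.join(dir, 'chmod.sock')   # constructed sample path
    s1 = bind_with_umask(umask_sock, 0077)
    s2 = bind_then_chmod(chmod_sock, 0600)
    result = {
      umask_mode: socket_mode(umask_sock),
      chmod_mode: socket_mode(chmod_sock),
      umask_exposed: group_or_other_accessible?(umask_sock),
      chmod_exposed: group_or_other_accessible?(chmod_sock)
    }
    s1.close
    s2.close
    result
  end
end

if __FILE__ == $0
  demo.each { |k, v| printf("%-14s %s\n", k, v.is_a?(Integer) ? format('%04o', v) : v) }
end
```

Under umask 0077 the kernel creates the socket as 0777 & ~0077 = 0700, while the chmod path lands on exactly the requested 0600; both end up with no group/other access, which is what socket_mode and group_or_other_accessible? let a deploy check verify after the listener is up.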