where to chmod socket file?

Eric Wong normalperson at yhbt.net
Thu Nov 12 21:03:52 EST 2009

Suraj Kurapati <sunaku at gmail.com> wrote:
> Hello,
> I set the socket for my app to reside in /tmp/ because my app's
> Capistrano deploy directory is NFS-mounted:
>   listen '/tmp/my_app.sock'
> That socket file is being created with mode 0777 + sticky bit.  I
> don't want others to accidentally delete or write to this socket file,
> so I added the following line to my before_fork() block:
>   before_fork do |server, worker|
>     File.chmod 0600, '/tmp/my_app.sock'
>     # ...
>   end
> Is there a better place to put this chmod?  Or maybe tell unicorn to
> create the socket with mode 0600?

Hi Suraj,

That's probably the best place to put chmod for now... I could be
persuaded to add a :umask option for listen.  E.g.:

    listen '/tmp/my_app.sock', :umask => 0077

On the other hand, I don't think it's even possible for others to
accidentally delete the socket if it's in /tmp (the directory itself
should be sticky, not the socket file).

I don't think world-read/writability is a problem for deployed apps.
Making sockets world-read/writable fits the model of localhost-bound TCP
sockets better: it's one step easier for people to port/change existing
testing/monitoring tools from the TCP ones.

Also, in my experience with FastCGI deployments, a less permissive umask
was often a source of breakage/confusion for FastCGI apps.  TCP sockets
don't have this problem, and I've seen people prefer it for that reason.

Eric Wong
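
Added example (not part of the original message, and not unicorn's code): the two approaches discussed above, side by side, showing the socket file's mode at each step on Linux. bind_unix_with_umask, socket_mode and demo are hypothetical helper names, the paths are constructed, and binding under umask 0000 is assumed in order to reproduce the 0777 mode reported in the question.

```ruby
require 'socket'
require 'tmpdir'

# Hypothetical helper (not unicorn's API): bind a UNIX listener while a
# temporary umask is in effect, then restore the previous umask.
# File.umask is process-wide, so do this before starting other threads.
def bind_unix_with_umask(path, umask)
  old = File.umask(umask)
  begin
    UNIXServer.new(path)
  ensure
    File.umask(old)
  end
end

# Permission bits only (drops the file-type bits).
def socket_mode(path)
  File.stat(path).mode & 0777
end

# Returns the modes observed at each step, using constructed paths in a
# throwaway directory.
def demo
  Dir.mktmpdir do |dir|
    modes = {}

    # Bind first, chmod later: the file is briefly more open than intended.
    loose = File.join(dir, 'loose.sock')
    s1 = bind_unix_with_umask(loose, 0000)
    modes[:bind_then_chmod_before] = socket_mode(loose)
    File.chmod(0600, loose)
    modes[:bind_then_chmod_after] = socket_mode(loose)

    # Restrictive umask at bind time: no such window. Result is 0700, not
    # 0600, because umask only clears bits from the initial 0777.
    tight = File.join(dir, 'tight.sock')
    s2 = bind_unix_with_umask(tight, 0077)
    modes[:umask_0077] = socket_mode(tight)

    [s1, s2].each(&:close)
    modes
  end
end

demo.each { |step, mode| puts format('%-24s %04o', step, mode) } if $PROGRAM_NAME == __FILE__
```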
