PID file ownership and group

Lee Hambley leehambley at me.com
Tue Sep 20 04:18:21 EDT 2011


I'm using unicorn in an environment with /very/ strict permissions (one might so as far as to say that the sysadmin is being too careful) and I've observed that when starting Unicorn via `upstart` (runs as root) with unicorn.rb configured to suid and sguid, the logs and other files are correctly owned by `selected user:group` but the pidfile is owned by root:root. Owing to very restrictive unmasking and other permissions, this file is not readable by any lower-level users, and thus one has to be root to read the pidfile.

What's the logic here, is it a bug, an oversight or an intentional design, naturally one can use `ps` or any other number of ways to get a pid, so protecting the pidfile doesn't seem like a security concern/

Of course this is somewhat academic, as one must be root to signal the process anyway, but I'll cross that particular bridge when I come to it!

Lee


More information about the mongrel-unicorn mailing list