| View previous topic :: View next topic |
| Author |
Message |
modnaruved
Apprentice
Joined: 21 Mar 2011
Posts: 160
|
 Posted: Sun Dec 16, 2012 8:31 pm Post subject: need advice: nginx php-fpm app level socket |
 |
|
Hi
I need some suggestion or advice.
I have application that run by nginx+php-fpm. From web server side script needs to access unix local socket (like /tmp/app/my.sock) with read and write permissions. From other side at shell level some my application create such socket (shell-app) and listen it with read write perms (because own it). Nginx + php-fpm by default is running under nobody:nobody so i cant access from web-server to this socket. When shell-app started I can chmod 0666 and web-app can access to it, but guess its not secure. I can also make some group app-sock and allow access nobody to this group but its seems incorrect. Finally I might run php-fpm under another account - not in nobody, but it seems insecure.
For some simple reason I want to use unix local socket /tmp/app/my.sock not tcp://0.0.0.0:2000
Is it possible be more secure with local socket with web application or not?
What do you think about secure solution for this case?
thanks |
|
| Back to top |
|
 |
lxg
Veteran
Joined: 12 Nov 2005
Posts: 1019
Location: Aachen, Germany
|
| Posted: Tue Dec 18, 2012 1:19 am Post subject: |
|
|
I'm afraid I don't completely understand your problem, but in cases like this, you may use a TCP connection on 127.0.0.1 (instead of 0.0.0.0, which usually means "all network devices"). This is just as secure as the local socket. You might even keep the 0.0.0.0 connection, and set up a firewall rule blocking the app's port (2000 in your example).
_________________
lxg.de – codebits and tech talk |
|
| Back to top |
|
|
modnaruved
Apprentice
Joined: 21 Mar 2011
Posts: 160
|
| Posted: Tue Dec 18, 2012 2:50 pm Post subject: |
|
|
| lxg wrote: | | I'm afraid I don't completely understand your problem, but in cases like this, you may use a TCP connection on 127.0.0.1 (instead of 0.0.0.0, which usually means "all network devices"). This is just as secure as the local socket. You might even keep the 0.0.0.0 connection, and set up a firewall rule blocking the app's port (2000 in your example). |
Thanks for your reply. Sorry for my English )
Yes it is. I can use 127.0.0.1:anyport. And its secure quite. But I need same with unix local socket based on file.
I do some investigation about it and saw that some applications like mysqld use unix local socket with 0666 permission and owned by mysql user. I think for security reasons access to such file socket need controlled by application level (access from host/ip, crypto and so on).
Currently I create socket with user account inherited from shell (not root - just shell-app-user) and set chmod 0666 so web application that run with nobody user can access to this socket. But web-app may delete it socket. I dont want enter root password for sudo when web-app needs to access this file, or enter sudo password when shell-app started or create socket.
How it do simple (without passwords) but more protected and secure with file socket? |
|
| Back to top |
|
|
lxg
Veteran
Joined: 12 Nov 2005
Posts: 1019
Location: Aachen, Germany
|
| Posted: Tue Dec 18, 2012 6:43 pm Post subject: |
|
|
I still have difficulties understanding what you're trying to do … but not so much because of your English, but rather because of your scenario. 
Maybe what you're looking for is Setuid? Actually, mysqld.sock has the setuid bit. You could also set the sticky bit on the parent directory, which has a similar effect.
Of course, any interaction with your application via this socket must be checked for authorization by the application itself.
_________________
lxg.de – codebits and tech talk |
|
| Back to top |
|
|
|
Networking & Security
