Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
need advice: nginx php-fpm app level socket
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
modnaruved
Tux's lil' helper
Tux's lil' helper


Joined: 21 Mar 2011
Posts: 147

PostPosted: Sun Dec 16, 2012 8:31 pm    Post subject: need advice: nginx php-fpm app level socket Reply with quote

Hi

I need some suggestion or advice.

I have application that run by nginx+php-fpm. From web server side script needs to access unix local socket (like /tmp/app/my.sock) with read and write permissions. From other side at shell level some my application create such socket (shell-app) and listen it with read write perms (because own it). Nginx + php-fpm by default is running under nobody:nobody so i cant access from web-server to this socket. When shell-app started I can chmod 0666 and web-app can access to it, but guess its not secure. I can also make some group app-sock and allow access nobody to this group but its seems incorrect. Finally I might run php-fpm under another account - not in nobody, but it seems insecure.

For some simple reason I want to use unix local socket /tmp/app/my.sock not tcp://0.0.0.0:2000

Is it possible be more secure with local socket with web application or not?
What do you think about secure solution for this case?

thanks
Back to top
View user's profile Send private message
lxg
Veteran
Veteran


Joined: 12 Nov 2005
Posts: 1019
Location: Aachen, Germany

PostPosted: Tue Dec 18, 2012 1:19 am    Post subject: Reply with quote

I'm afraid I don't completely understand your problem, but in cases like this, you may use a TCP connection on 127.0.0.1 (instead of 0.0.0.0, which usually means "all network devices"). This is just as secure as the local socket. You might even keep the 0.0.0.0 connection, and set up a firewall rule blocking the app's port (2000 in your example).
_________________
lxg.de – codebits and tech talk
Back to top
View user's profile Send private message
modnaruved
Tux's lil' helper
Tux's lil' helper


Joined: 21 Mar 2011
Posts: 147

PostPosted: Tue Dec 18, 2012 2:50 pm    Post subject: Reply with quote

lxg wrote:
I'm afraid I don't completely understand your problem, but in cases like this, you may use a TCP connection on 127.0.0.1 (instead of 0.0.0.0, which usually means "all network devices"). This is just as secure as the local socket. You might even keep the 0.0.0.0 connection, and set up a firewall rule blocking the app's port (2000 in your example).

Thanks for your reply. Sorry for my English )

Yes it is. I can use 127.0.0.1:anyport. And its secure quite. But I need same with unix local socket based on file.

I do some investigation about it and saw that some applications like mysqld use unix local socket with 0666 permission and owned by mysql user. I think for security reasons access to such file socket need controlled by application level (access from host/ip, crypto and so on).

Currently I create socket with user account inherited from shell (not root - just shell-app-user) and set chmod 0666 so web application that run with nobody user can access to this socket. But web-app may delete it socket. I dont want enter root password for sudo when web-app needs to access this file, or enter sudo password when shell-app started or create socket.
How it do simple (without passwords) but more protected and secure with file socket?
Back to top
View user's profile Send private message
lxg
Veteran
Veteran


Joined: 12 Nov 2005
Posts: 1019
Location: Aachen, Germany

PostPosted: Tue Dec 18, 2012 6:43 pm    Post subject: Reply with quote

I still have difficulties understanding what you're trying to do … but not so much because of your English, but rather because of your scenario. ;)

Maybe what you're looking for is Setuid? Actually, mysqld.sock has the setuid bit. You could also set the sticky bit on the parent directory, which has a similar effect.

Of course, any interaction with your application via this socket must be checked for authorization by the application itself.
_________________
lxg.de – codebits and tech talk
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum