I am trying to tighten down some of the permissions for the listening
sockets for various web applications which are chrooted to /var/www. It
appears that httpd (which runs as user www and group www) refuses to
connect to a fastcgi socket unless the socket's user and group are also
www:www.

(I do realize that MySQL and its fork MariaDB are much more common for
"web" type applications, but they are licensed GPL, whereas PostgreSQL
is released under more of a BSD-style license, so in that respect it
almost seems to be a better "fit" with OpenBSD.)

Anyways, the PostgreSQL socket is normally placed in the /tmp directory,
but an additional directive does allow another socket to be placed
in /var/www/tmp, which really does have to be world readable and
writable with the sticky bit set in order for the user _postgresql to
place the socket there, because PostgreSQL drops privileges before
opening sockets.

In particular I have configured a php-fpm "pool" to listen at
    /var/www/run/php/users/justina/php-fpm.sock
and run as user justina group justina.

Now PostgreSQL can authenticate even a chrooted user by the "peer"
method, because it matches the userid of the connecting process,
although the chrooted user must specify the username together with a
dummy password (which is not used) to connect to the socket inside the
chroot, apparently because there is no access to /etc/passwd
or /etc/group inside the chroot.

The other "pool" which I have listening at
    /var/www/run/php/php-fpm.sock
is running as "www:www", but I would also like to drop its privileges
somewhat from the "www" user which has a tendency to become a little bit
too powerful.

I have listed below some of the "tightened-down" permissions.  Are
there any more ideas to ease this process? Or other security
considerations of which I am not aware?

====%<--------------------------------------------------------
amarillo# ls -lRd /var/www/run /var/www/tmp
drwxr-xr-x  4 root  daemon  512 May 18 19:28 /var/www/run
drwxrwxrwt  2 root  daemon  512 May 19 21:26 /var/www/tmp
amarillo# ls -lR /var/www/run /var/www/tmp  
/var/www/run:
total 8
dr-x------  2 www  www  512 May 19 02:46 cgi
dr-x------  3 www  www  512 May 21 21:05 php

/var/www/run/cgi:
total 0
srw-rw----  1 www  www  0 May 19 02:46 slowcgi.sock

/var/www/run/php:
total 4
srw-------  1 www  www    0 May 21 21:05 php-fpm.sock
dr-x------  3 www  www  512 May 18 17:27 users

/var/www/run/php/users:
total 4
dr-x------  2 www  www  512 May 21 21:05 justina

/var/www/run/php/users/justina:
total 0
srw-------  1 www  www  0 May 21 21:05 php-fpm.sock

/var/www/tmp:
total 4
srwxrwxrwx 1 _postgresql _postgresql  0 May 21 20:49 .s.PGSQL.5432
-rw------- 1 _postgresql _postgresql 56 May 21 20:49 .s.PGSQL.5432.lock
amarillo#
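
An added example, not part of the original post: a Python sketch that walks a tree such as /var/www/run and reports the mode of every UNIX socket, flagging sockets writable by others and world-writable parent directories. The function names and the demo tree are constructed for illustration.

```python
import os
import socket
import stat
import tempfile


def audit_sockets(root):
    """Return {relative path: (octal mode, [issues])} for each UNIX socket under root."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        dir_mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISSOCK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            issues = []
            # connect(2) needs write permission on the socket file itself.
            if mode & stat.S_IWOTH:
                issues.append("socket writable by others")
            # A world-writable directory is only safe with the sticky bit set.
            if dir_mode & stat.S_IWOTH:
                sticky = dir_mode & stat.S_ISVTX
                issues.append("directory world-writable" + ("" if sticky else ", no sticky bit"))
            report[os.path.relpath(path, root)] = (format(mode, "04o"), issues)
    return report


def build_demo_tree():
    """Constructed layout loosely mirroring the run/ and tmp/ directories above."""
    root = tempfile.mkdtemp()
    for sub, dmode, sock, smode in (("run", 0o700, "php-fpm.sock", 0o600),
                                    ("tmp", 0o1777, ".s.PGSQL.5432", 0o777)):
        os.mkdir(os.path.join(root, sub))
        path = os.path.join(root, sub, sock)
        with socket.socket(socket.AF_UNIX) as s:
            s.bind(path)  # leaves the socket file behind after close
        os.chmod(path, smode)
        os.chmod(os.path.join(root, sub), dmode)
    return root


if __name__ == "__main__":
    for rel, (mode, issues) in sorted(audit_sockets(build_demo_tree()).items()):
        print(mode, rel, "; ".join(issues) or "ok")
```

Run it as a user that can read every directory in the tree, since os.walk silently skips directories it cannot list.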
