I am trying to tighten down some of the permissions for the listening sockets for various web applications which are chrooted to /var/www. It appears that httpd (which runs as user www and group www) refuses to connect to a fastcgi socket unless the socket's user and group are also www:www.
(I do realize that MySQL and its fork MariaDB are much more common for "web" type applications, but they are licensed GPL, whereas PostgreSQL is released under more of a BSD-style license, so in that respect it almost seems to be a better "fit" with OpenBSD.) Anyways, the PostgreSQL socket is normally placed in the /tmp directory, but an additional directive does allow another socket to be placed in /var/www/tmp, which really does have to be world readable and writable with the sticky bit set in order for the user _postgresql to place the socket there, because PostgreSQL drops privileges before opening sockets.

In particular I have configured a php-fpm "pool" to listen at /var/www/run/php/users/justina/php-fpm.sock and run as user justina group justina. Now PostgreSQL can authenticate even a chrooted user by the "peer" method, because it matches the userid of the connecting process, although the chrooted user must specify the username together with a dummy password (which is not used) to connect to the socket inside the chroot, apparently because there is no access to /etc/passwd or /etc/group inside the chroot.

The other "pool" which I have listening at /var/www/run/php/php-fpm.sock is running as "www:www", but I would also like to drop its privileges somewhat from the "www" user which has a tendency to become a little bit too powerful. I have listed below some of the "tightened-down" permissions. Are there any more ideas to ease this process? Or other security considerations of which I am not aware?
====%<--------------------------------------------------------
amarillo# ls -lRd /var/www/run /var/www/tmp
drwxr-xr-x  4 root  daemon  512 May 18 19:28 /var/www/run
drwxrwxrwt  2 root  daemon  512 May 19 21:26 /var/www/tmp
amarillo# ls -lR /var/www/run /var/www/tmp
/var/www/run:
total 8
dr-x------  2 www  www  512 May 19 02:46 cgi
dr-x------  3 www  www  512 May 21 21:05 php

/var/www/run/cgi:
total 0
srw-rw----  1 www  www  0 May 19 02:46 slowcgi.sock

/var/www/run/php:
total 4
srw-------  1 www  www  0 May 21 21:05 php-fpm.sock
dr-x------  3 www  www  512 May 18 17:27 users

/var/www/run/php/users:
total 4
dr-x------  2 www  www  512 May 21 21:05 justina

/var/www/run/php/users/justina:
total 0
srw-------  1 www  www  0 May 21 21:05 php-fpm.sock

/var/www/tmp:
total 4
srwxrwxrwx  1 _postgresql  _postgresql  0 May 21 20:49 .s.PGSQL.5432
-rw-------  1 _postgresql  _postgresql  56 May 21 20:49 .s.PGSQL.5432.lock
amarillo#
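As an added example (not part of the post above), a small Python audit that parses an `ls -lR` dump like the one listed and flags Unix sockets that any process can connect to (other-writable) or whose owner:group differs from the user expected to connect to them; the sample listing is copied from the post and the expected-owner policy is a constructed assumption.

```python
import re

# Constructed sample: the socket entries from the `ls -lR` dump in the post.
LISTING = """\
/var/www/run/cgi:
srw-rw----  1 www  www  0 May 19 02:46 slowcgi.sock
/var/www/run/php:
srw-------  1 www  www  0 May 21 21:05 php-fpm.sock
/var/www/run/php/users/justina:
srw-------  1 www  www  0 May 21 21:05 php-fpm.sock
/var/www/tmp:
srwxrwxrwx  1 _postgresql  _postgresql  0 May 21 20:49 .s.PGSQL.5432
-rw-------  1 _postgresql  _postgresql  56 May 21 20:49 .s.PGSQL.5432.lock
"""

# One `ls -l` entry: type, 9 permission chars, links, owner, group, size, date, name.
ENTRY_RE = re.compile(
    r'^([-dlscbp])([rwxstT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+'
    r'\w+\s+\d+\s+[\d:]+\s+(.+)$')

def parse_listing(text):
    """Yield (path, type, perms, owner, group) for every entry in an `ls -lR` dump."""
    cwd = ''
    for line in text.splitlines():
        if line.endswith(':'):          # "/some/dir:" header opens a new directory
            cwd = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if m:
            ftype, perms, owner, group, name = m.groups()
            yield f'{cwd}/{name}', ftype, perms, owner, group

def socket_findings(text, expected_client):
    """connect(2) on a Unix socket needs write permission on the socket file, so an
    other-writable socket is reachable from any chrooted process that can traverse
    its directory.  expected_client maps socket path -> (user, group) that should own it."""
    findings = []
    for path, ftype, perms, owner, group in parse_listing(text):
        if ftype != 's':
            continue
        if 'w' in perms[6:]:            # "other" permission triple
            findings.append((path, 'world-connectable'))
        want = expected_client.get(path)
        if want and (owner, group) != want:
            findings.append((path, f'owner {owner}:{group}, expected {want[0]}:{want[1]}'))
    return findings

if __name__ == '__main__':   # .s.PGSQL.5432 is reported: it is 0777 by design for peer auth
    for path, problem in socket_findings(LISTING, {'/var/www/run/php/php-fpm.sock': ('www', 'www')}):
        print(f'{path}: {problem}')
```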