Roger Hoover wrote:
> 1) Keep the current behavior (not what people expect) - this means for
> unix domain sockets, users must set their umasks and directory
> permissions appropriately so that root can create sockets that non-root
> processes can access.
> 2) Have the root supervisord process do chmod/chown on the fcgi sockets
> in the same way it does for the chmod/chown options in the
> unix_http_server section of the config
> (http://supervisord.org/manual/current/configuration.html#unix_http_server).
> The only question about this approach is whether it's possible to
> chown/chmod the socket so that the root supervisord process can no
> longer clean up the socket when it needs to.
> 3) Do something like Apache mod_fastcgi does with a FastCgiWrapper
> (http://www.fastcgi.com/mod_fastcgi/docs/mod_fastcgi.html#FastCgiWrapper)
> which I think means that each FCGI process group would need to fork a
> "wrapper" process that runs as the non-root user and manages the FCGI
> socket. This seems like a lot of work and potentially messy integration
> with the main supervisord event loop for dealing with SIGCHILD, etc.
>
> #2 seems the most promising. Anyone see any issues with it? I already
> tried setting chmod=0000 and chown=<non_root_user> in the
> unix_http_server section of supervisord.conf and the domain socket file
> was successfully deleted after supervisord exited.

That sounds about right to me...
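
An added example, not part of the original thread and not supervisor's own code: option 2 from the quoted message, showing that a socket set to mode 0000 can still be removed by the process that created it, because unlink is authorised by the containing directory rather than by the socket's own mode. The names `bind_fcgi_socket`, `cleanup_socket` and `demo` are hypothetical, and the restrictive umask during `bind()` is an assumption added here to avoid a window where the socket has wider permissions than intended.

```python
import os
import socket
import stat
import tempfile


def bind_fcgi_socket(path, mode=0o700, uid=-1, gid=-1):
    """Bind a listening unix socket, then apply chown/chmod (option 2).

    uid/gid of -1 leave ownership unchanged (os.chown semantics), so this
    also runs unprivileged; a root supervisor would pass the target user.
    """
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    # Restrictive umask during bind(): the socket file never exists with
    # wider permissions than intended, even briefly.
    old_umask = os.umask(0o177)
    try:
        sock.bind(path)
    finally:
        os.umask(old_umask)
    try:
        os.chown(path, uid, gid)
        os.chmod(path, mode)
        sock.listen(5)  # operates on the descriptor, unaffected by file mode
    except OSError:
        sock.close()
        os.unlink(path)
        raise
    return sock


def cleanup_socket(sock, path):
    """Close and remove the socket file; True if the path is gone."""
    sock.close()
    # unlink() needs write+search permission on the parent directory;
    # the mode and owner of the socket file itself are not consulted
    # (sticky directories add an ownership check, which root bypasses).
    os.unlink(path)
    return not os.path.exists(path)


def demo():
    """Return (mode seen on disk, removed?) for a chmod=0000 socket."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "fcgi.sock")
        sock = bind_fcgi_socket(path, mode=0o000)
        seen = stat.S_IMODE(os.stat(path).st_mode)
        return seen, cleanup_socket(sock, path)
```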
