[ic] mod_interchange and socket permissions
John Young
john_young at sonic.net
Sat Sep 27 13:47:29 EDT 2003
Kaare Rasmussen wrote:
>>Temporarily set permissions at restart:
>>interchange -r SocketPerms=666
>
>
> This is more unsecure than should be necessary. I'd like it to be only the
> specific user and group that are allowed access to the socket.

In interchange.cfg:

    SocketPerms 0660

Create a specific group for your web server / httpd (for example, 'wwwsrv').

Place the Interchange socket in a directory with group ownership = httpd group.
(In Linux, chown interch.wwwsrv directoryname)

Set the group ID bit on the directory.
(In Linux, chmod 2770 directoryname (Solaris requires chmod g+s directoryname))

Now, whenever Interchange is started, it will create a socket owned by
your Interchange user, but with a group ownership that httpd can read/write:

    srw-rw---- 1 interch wwwsrv 0 Sep 24 01:04 socket

If your httpd group is exclusive enough, that should solve your problem.
I would not allow the httpd user and/or group to read other Interchange
files, though.

John Young
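
An added example, not part of the original message: a POSIX shell check that a socket directory and socket match the layout described above (setgid directory owned by the httpd group, socket group read/write, nothing for other users). The function names are hypothetical, and the directory, socket path and group name are site-specific arguments.

```shell
#!/bin/sh
# Added example: audit the socket layout described in the message above.
# Usage: sh check.sh DIR SOCKET GROUP   (all three values are site-specific)

# Print the group owner of a path (4th column of ls -ld).
group_of() { ls -ld "$1" | awk '{print $4}'; }

# Succeed if "other" has any of r/w/x on the path.
world_access() {
    [ -n "$(find "$1" -prune \( -perm -001 -o -perm -002 -o -perm -004 \))" ]
}

check_socket_perms() {
    dir=$1 sock=$2 grp=$3 bad=0

    # Directory: owned by the httpd group, setgid, closed to other users.
    if [ "$(group_of "$dir")" != "$grp" ]; then
        echo "FAIL: $dir group is $(group_of "$dir"), expected $grp"; bad=1
    fi
    if [ -z "$(find "$dir" -prune -perm -2000)" ]; then
        echo "FAIL: $dir has no setgid bit; new sockets will not inherit $grp"; bad=1
    fi
    if world_access "$dir"; then
        echo "FAIL: $dir is accessible to other users"; bad=1
    fi

    # Socket: inherited group, group read/write (SocketPerms 0660), no world bits.
    if [ "$(group_of "$sock")" != "$grp" ]; then
        echo "FAIL: $sock group is $(group_of "$sock"), expected $grp"; bad=1
    fi
    if [ -z "$(find "$sock" -prune -perm -060)" ]; then
        echo "FAIL: $sock is not group read/write; httpd cannot use it"; bad=1
    fi
    if world_access "$sock"; then
        echo "FAIL: $sock is accessible to other users (as with SocketPerms=666)"; bad=1
    fi

    [ "$bad" -eq 0 ] && echo "OK: $sock restricted to its owner and group $grp"
    return "$bad"
}

# Run the audit when called with DIR SOCKET GROUP.
if [ "$#" -eq 3 ]; then check_socket_perms "$@"; fi
```

Running it after each Interchange restart catches a socket left behind by the temporary SocketPerms=666 setting.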