Permissions on UNIX domain sockets
I recently encountered some permissions trouble with a UNIX domain socket.
I was trying to bind Nginx on PHP-FPM that way to get rid of the TCP socket usually used.
PHP-FPM spawned its socket with its user/group set up in its configuration file. I had:
- User: www-data
- Group: www-data
- Mode: 0660 (User + Group both have rw access)
The socket read the right user/group owners and the right permissions mode when listed in the filesystem.
Nginx spawns its worker processes with the user 'nginx' who belongs to the 'www-data' group.
But when Nginx tried to bind on the PHP-FPM socket, it encountered a 'permission denied' error.
The only workaround I found was to spawn the PHP-FPM UNIX socket with the 'nginx' user as owner (and thus restricting mode to 0600).
The group permissions are now useless.
One of my friends told me it was a genuine behavior of Debian but didn't explain it to me.
Is he right or was it bullshit?
What's wrong? Why can't I use group permissions on my socket?
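
An added diagnostic, not part of the original post: connecting to a pathname socket needs write permission on the socket itself and search (x) permission on every directory leading to it, so this Python function walks the path and lists each component whose classic mode bits deny a given uid and group set. The `fpm.sock` name, the temporary directory and the uid/gid values in `demo()` are constructed; ACLs and LSM policy are not evaluated.

```python
import os
import socket
import tempfile

def blockers(sock_path, uid, gids):
    """Return [(path, needed, mode)] for every component that denies uid/gids.
    Classic mode bits only: ACLs, capabilities and LSMs are not evaluated.
    Each directory needs search (x); the socket itself needs write (w).
    """
    if uid == 0:
        return []  # root bypasses mode bits
    sock_path = os.path.abspath(sock_path)
    parts, p = [], os.path.dirname(sock_path)
    while True:
        parts.append((p, "x"))
        if p == os.path.dirname(p):  # reached the filesystem root
            break
        p = os.path.dirname(p)
    parts = parts[::-1] + [(sock_path, "w")]
    denied = []
    for path, need in parts:
        st = os.stat(path)
        # Exactly one permission class applies: owner, else group, else other.
        shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
        bit = {"x": 1, "w": 2}[need] << shift
        if not st.st_mode & bit:
            denied.append((path, need, oct(st.st_mode & 0o7777)))
    return denied

def demo():
    """Constructed scenario: socket 0660 in a 0700 directory, then 0750."""
    d = os.path.realpath(tempfile.mkdtemp())  # mkdtemp creates it 0700
    path = os.path.join(d, "fpm.sock")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    os.chmod(path, 0o660)
    st = os.stat(path)
    other_uid, member = st.st_uid + 1, {st.st_gid}  # hypothetical group member
    before = [p for p, _, _ in blockers(path, other_uid, member)]
    os.chmod(d, 0o750)  # give the group search permission on the directory
    after = [p for p, _, _ in blockers(path, other_uid, member)]
    outsider = [p for p, _, _ in blockers(path, other_uid, set())]
    s.close()
    os.unlink(path)
    os.rmdir(d)
    return d, path, before, after, outsider

if __name__ == "__main__":
    print(demo())
```

To check a live setup, call `blockers()` with the real socket path, the worker's uid and the group IDs that `id nginx` reports.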