Suraj Kurapati <[email protected]> wrote:
> Hello,
>
> I set the socket for my app to reside in /tmp/ because my app's
> Capistrano deploy directory is NFS-mounted:
>
> listen '/tmp/my_app.sock'
>
> That socket file is being created with mode 0777 + sticky bit. I
> don't want others to accidentally delete or write to this socket file,
> so I added the following line to my before_fork() block:
>
> before_fork do |server, worker|
>   File.chmod 0600, '/tmp/my_app.sock'
>   # ...
> end
>
> Is there a better place to put this chmod? Or maybe tell unicorn to
> create the socket with mode 0600?
Hi Suraj,
That's probably the best place to put chmod for now... I could be
persuaded to add a :umask option for listen. E.g.:
listen '/tmp/my_app.sock', :umask => 0077
On the other hand, I don't think it's even possible for others to
accidentally delete the socket if it's in /tmp (the directory itself
should be sticky, not the socket file).
I don't think world-read/writability is a problem for deployed apps.
Making sockets world-read/writable fits the model of localhost-bound TCP
sockets better: it's one step easier for people to port/change existing
testing/monitoring tools from the TCP ones.
Also, in my experience with FastCGI deployments, a less permissive umask
was often a source of breakage/confusion for FastCGI apps. TCP sockets
don't have this problem, and I've seen people prefer it for that reason
alone.
--
Eric Wong
_______________________________________________
mongrel-unicorn mailing list
[email protected]
http://rubyforge.org/mailman/listinfo/mongrel-unicorn