Bobby Bobby - 1 year ago 94
Node.js Question

Node Express Unix Domain Socket Permissions

I am running an nginx server and a node express web server, using daemontools, setup to communicate over Unix Domain Sockets. There's just a few problems:

  1. The socket file stays present on shutdown, so I have to delete it when bringing the server back up, otherwise I will get the EADDRINUSE error.

  2. The nginx server runs as the nginx user, and the node server runs as the node user.

  3. The socket file gets created by Express when the server starts up and umask sets the permissions on the socket file to 755.

  4. The setuidgid application sets the group to the default group of the user, both the node username in this case.

  5. The deployment scripts for the application and daemontools' run script execute before the node server instance gets launched, so there's no way to set the permissions on the file, as it has to get recreated during the launch process.

If I chgrp and chmod g+w the socket file, everything works fine. Is there a way to set this up so that the node application's socket file gets generated with the correct permissions for nginx to be able to write to it without compromising the security independence of one application or the other? I would even be okay with adding nginx to the node user's group, if there was still a way to set the permissions on the socket file so that it would be group writable.

Answer Source

Maybe I am too late.

As a complement of your own answer there is a solution not having to add the nginx user to the node group.

Create a directory only for the socket file, assign it to the node user and www-data (or whatever group the nginx is) group and set the group-id bit (SGID) on that directory.

mkdir -p /var/lib/yourapp/socket
chown nodeuser:nginxgroup /var/lib/yourapp/socket
chmod g+rxs /var/lib/yourapp/socket

All files created inside this directory will automatically be owned by the nginxgroup group.