Best practice question - linux user permissions for socket file

[dosvicap]

This is my current setup (running on a personal machine with linux):

• I have rtorrent running as my admin user
• ruTorrent is running on apache with apache's default www-data user

Yesterday I moved from a SCGI network port to a unix socket file for XMLRPC communication.
The socket file is owned by rtorrent's user and group and has 660 permission.

Originally, admin and www-data did not share a group. To make the socket work, I ended up adding www-data do my admin user's group.

I'm wondering: is this a good practice or am I compromising security by doing this? What is the best practice in terms of permissions to the socket file and user group memebership?

[dosvicap]

Answering my own question here. I learned how to use File Access Control Lists to add permissions to a specific group or user for a specific file.

So, after removig www-data from my admin group, I navigated to the rpc socket file path and simply did:

setfacl -m www-data:rwx rpc.socket
setfacl -m g:www-data:rwx rpc.socket

The commands granted read, write, and execute permissions for the www-data user and the www-data group to the socket file and nothing else.

[imperia777]

I am having the same issue/question. What is the solution to this.
Running rtorrent with rtorrent user and lighttpd as www-data.
My rtorrent data files are on NFS volume if that matters.
The problem is that the file rpc.socket is recreated on every restart of rtorrent.
Also I added rtorrent user to www-data and vice versa, but this doesn't help!

[dosvicap]

Hey! I think I was in the same place as you a few months ago and I have the solution!
First of all I'm not sure how your config file looks like. If you haven't already, I recommend that you switch to the "modern" config file style, for which you can find a template in the official rtorrent repo: https://github.com/rakshasa/rtorrent/wiki/CONFIG-Template

Once you do, you configure it to execute OS commands at startup.
This is the bit of my config file that sets the permissions (chmod, setcfacl) to the socket file.

## Run the rTorrent process as a daemon in the background
## (and control via XMLRPC sockets)
system.daemon.set = true
network.scgi.open_local = (cat,(session.path),rpc.socket)
execute.nothrow = chmod,770,(cat,(session.path),rpc.socket)
execute.nothrow = setfacl,-m,www-data:rwx,(cat,(session.path),rpc.socket)

Hope this helps!

[imperia777]

Thanks for your help. Actually the problem was that you cannot change ACL on NFS share. I moved rpc.socket out of the .session directory (which is located on NFS share) to local directory and now it is working fine.