I have a web application which I am migrating from Ubuntu Lucid to Trusty. The app communicates w/ Nginx via unix domain sockets (created w/ a umask of 000). On Lucid, I've had no problem with this setup. However, on Trusty, using the same permissions setup, Nginx gives me the following error:

*51 connect() to unix:/opt/run/skyhook/skyhook.socket failed (13: Permission denied) while connecting to upstream, client

Examining the permissions on both servers, I see this:

On lucid:

$ sudo ls -lh /opt/run/skyhook/skyhook.socket
srwxrwxrwx 1 skyhook skyhook 0 2014-08-21 17:09 /opt/run/skyhook/skyhook.socket
$ sudo sudo -u www-data ls -lh /opt/run/skyhook/skyhook.socket
srwxrwxrwx 1 skyhook skyhook 0 2014-08-21 17:09 /opt/run/skyhook/skyhook.socket

On trusty:

$ sudo ls -lh /opt/run/skyhook/skyhook.socket
srwxrwxrwx 1 skyhook skyhook 0 Nov  4 15:36 /opt/run/skyhook/skyhook.socket
$ sudo sudo -u www-data ls -lh /opt/run/skyhook/skyhook.socket
ls: cannot access /opt/run/skyhook/skyhook.socket: Permission denied

Same permissions on both servers, different results. Nginx runs as www-data on Ubuntu. With the 777 permissions, I would expect www-data to be able to interact with the socket, but it can't. What is going on?

UPDATE:

The permissions of /opt/run/skyhook are the same on both lucid and trusty:

$ sudo ls -lhd /opt/run/skyhook
drwxrwx--- 2 skyhook skyhook 4.0K Nov  4 15:36 /opt/run/skyhook

For /opt/run the differences are minor. On lucid:

$ sudo ls -lhd /opt/run/
drwxrwxr-x 4 www-data www-data 4.0K 2014-01-27 18:11 /opt/run/

On trusty:

$ sudo ls -lhd /opt/run/
drwxr-xr-x 4 root root 4.0K Nov  4 09:33 /opt/run/

For /opt both are the same:

$ sudo ls -lhd /opt/
drwxr-xr-x 7 root root 4.0K 2013-06-07 17:15 /opt/

However, I don't see how any ancestors beyond the parent directory would affect this?

David Eyk

1 Answer

Given the updates, it appears that the /opt/run/skyhook directory only grants permissions to a) the skyhook user, and b) any user that is a member of the skyhook group.

On the system where www-data cannot access files in the /opt/run/skyhook directory, it is most likely the case that www-data is not a member of the skyhook group, while it does have such membership on the other system.

This can be resolved either by adding www-data to the skyhook group, or by giving read/execute permissions to the world on /opt/run/skyhook, so that it looks similar to the permissions on /opt/run.

twalberg
  • A silly mistake, in the end. I'm moving from a largely hand-assembled server to a managed-configuration server, so obscure-yet-important details like this will be codified somewhere! – David Eyk Nov 05 '14 at 20:41
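
The traversal check the answer describes can be scripted so it is caught during provisioning. This is an added example, not code from the question or the answer: the function names are hypothetical, and it evaluates classic mode bits only (no POSIX ACLs, AppArmor or SELinux) using GNU stat.

```shell
#!/bin/sh
# Added example (not from the thread). Classic mode bits only: POSIX ACLs,
# AppArmor and SELinux are NOT evaluated. Needs GNU stat.

# can_search DIR UID "GID ..." : succeed if UID (with those gids) holds
# the search (x) bit on DIR. The kernel consults exactly one class:
# owner, else group, else other.
can_search() {
    local info mode rest owner group bits g
    info=$(stat -L -c '%a %u %g' -- "$1") || return 2
    mode=${info%% *}; rest=${info#* }
    owner=${rest%% *}; group=${rest#* }
    mode=$(( 0$mode & 0777 ))            # drop setuid/setgid/sticky
    if [ "$2" -eq 0 ]; then return 0; fi # root bypasses the check
    if [ "$2" -eq "$owner" ]; then
        bits=$(( mode >> 6 ))
    else
        bits=$mode
        for g in $3; do
            if [ "$g" -eq "$group" ]; then bits=$(( mode >> 3 )); break; fi
        done
    fi
    [ $(( bits & 1 )) -eq 1 ]
}

# first_blocked PATH UID "GID ..." : print the first directory on the way
# to PATH that UID cannot search and return 1; print nothing and return 0
# if every ancestor is searchable. PATH's own mode is not examined.
first_blocked() {
    local dir cur rest part
    dir=$(dirname -- "$1")
    case $dir in /*) cur=/ ;; *) cur=. ;; esac
    can_search "$cur" "$2" "$3" || { echo "$cur"; return 1; }
    rest=${dir#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        case $part in ''|.) continue ;; esac
        cur=${cur%/}/$part
        can_search "$cur" "$2" "$3" || { echo "$cur"; return 1; }
    done
    return 0
}

# Usage: sudo sh check.sh /opt/run/skyhook/skyhook.socket www-data
if [ "$#" -eq 2 ]; then
    first_blocked "$1" "$(id -u "$2")" "$(id -G "$2")" \
        && echo "all ancestors searchable for $2"
fi
```

Run it as root so every path component can be stat'ed; a directory that cannot be stat'ed is reported as blocked.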