502 when fiddling with the socket permissions and --umask. Suggestions for restricting socket permissions?

[hadjiprocopis]

I am running a Nominatim server via gunicorn (v23.0.0) and then out to the world through nginx in one server, linux, fedora, all recent updates. I am using unix sockets for the communication between nginx and gunicorn.

With default settings all works fine and I have these permissions for the socket and its dir:

ls -al /run/nominatim/
total 0
drwxr-xr-x  2 _nominatim _nominatim   60 Oct 26 20:56 .
drwxr-xr-x 45 root       root       1200 Oct 26 20:56 ..
srw-rw-rw-  1 _nominatim _nominatim    0 Oct 26 20:56 nominatim.sock

Then I stop everything, delete the socket and change the permissions of the socket dir with chmod 0666 /run/nominatim and restart. I get a 502 error and nginx logs this:

[crit] 8981#8981: *4 connect() to unix:/run/nominatim/nominatim.sock failed (13: Permission denied) while connecting to upstream, client ...

The socket dir has now this permissions (and getting 502):

ls -al /run/nominatim/
total 0
drw-rw-rw-  2 _nominatim _nominatim   60 Oct 26 20:58 .
drwxr-xr-x 45 root       root       1200 Oct 26 20:58 ..
srw-rw-rw-  1 _nominatim _nominatim    0 Oct 26 20:58 nominatim.sock

Here are the two systemd gunicorn-related service files:

# /etc/systemd/system/nominatim.socket
[Unit]
Description=Gunicorn socket for Nominatim

[Socket]
ListenStream=/run/nominatim/nominatim.sock
SocketUser=_nominatim
#SocketMode=0660

[Install]
WantedBy=sockets.target

and

# /etc/systemd/system/nominatim.service 
[Unit]
Description=Nominatim running as a gunicorn application
After=network.target
Requires=nominatim.socket

[Service]
Type=simple
User=_nominatim
Group=_nominatim
WorkingDirectory=/var/www/nominatim-server/nominatim-project
#ExecStart=gunicorn --umask 0017 --user _nominatim --group __nominatim --bind 'unix:/run/nominatim/nominatim.sock' --timeout 60 --keep-alive 20 --workers '1' --log-level=debug -k uvicorn.workers.UvicornWorker "nominatim_api.server.falcon.server:run_wsgi()"
ExecStart=gunicorn --bind 'unix:/run/nominatim/nominatim.sock' --timeout 60 --keep-alive 20 --workers '1' --log-level=debug -k uvicorn.workers.UvicornWorker "nominatim_api.server.falcon.server:run_wsgi()"
ExecReload=/bin/kill -s HUP $MAINPID
StandardOutput=append:/var/log/gunicorn-nominatim.log
StandardError=inherit
PrivateTmp=true
TimeoutStopSec=5
KillMode=mixed

[Install]
WantedBy=multi-user.target

Given that I want to restrict the socket permissions and its parent dir to rw-r-----
(chmod 640) or rw-rw---- (chmod 660), my questions are:

1. How should I initially chmod the socket dir (\run\nominatim)?
2. The gunicorn socket file /etc/systemd/system/nominatim.socket offers an option SocketMode=0660, shall I use it? (It has not been used for these experiments)
3. The gunicorn daemon file /etc/systemd/system/nominatim.service has User and Group settings which are set to _nominatim. Is that OK?
4. The gunicorn configuration (you can see the gunicorn starting command in /etc/systemd/system/nominatim.service) allows to set --umask, --user, --group. What shall I use for these, if any at all?
5. gunicorn's --umask option is documented to be an INT, so I guess 0017 (octal) is OK?

Thank you,
a.

[pajod]

Do not mix gunicorns own permission/uid fiddling with systemd. If you launch via systemd, let systemd handle all of that.
(the example in https://docs.gunicorn.org/en/latest/deploy.html#systemd does this.. but I guess it does not do a very good job at explaining so.)

1. Do not manually chmod, let systemd manage directories via RuntimeDirectory=, StateDirectory=, CacheDirectory=, .. and RuntimeDirectoryMode=, .. - if you need any at all.
2. SocketMode=0660 is fine
3. Yes that is OK (and not necessarily matching socket user is good thing for privilege separation)
4. Not needed with system socket activation
5. Not needed with system socket activation

Which means that a) runtime data of the application and b) the (optional: separate folder with the) socket that can be accessed by nginx do not need any overlap in permissions, and all runtime folders are automatically managed. Setting ListenStream=/run/example-for-nginx/http.sock SocketUser=www-data SocketGroup=www-data DirectoryMode=0750 on the .socket will let nginx bind there. Without the User= of your .service even having access there - it does not need to, because on startup, it inherits an already open file descriptor.

---

Side note: Socket file permissions are a thing on Linux, but not on other UNIX platforms. This is why you'll often find documentation caring to point out that the socket needs to be in a separate directory for (the folder!) permission to apply. Good for consistency, but not strictly needed when targeting Linux-exclusive systemd.