Httpd has no permission to access /var/lib/gssproxy/default.sock

[yixiangzhike]

The directory /var/lib/gssproxy is listed in StateDirectory, and the permission will be changed to 0700 after starting gssproxy.service because of StateDirectoryMode=0700. Httpd's children run by user apache, they can't access /var/lib/gssproxy/default.sock.
https://github.com/gssapi/gssproxy/blob/main/systemd/gssproxy.service.in#L8

httpd.log.14723:connect(5, {sa_family=AF_UNIX, sun_path="/var/lib/gssproxy/default.sock"}, 110) = -1 EACCES (Permission denied)
httpd.log.14725:connect(13, {sa_family=AF_UNIX, sun_path="/var/lib/gssproxy/default.sock"}, 110) = -1 EACCES (Permission denied)

[root@localhost ~]# getfacl /var/lib/gssproxy
getfacl: Removing leading '/' from absolute path names
# file: var/lib/gssproxy
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

[root@localhost ~]# systemctl start gssproxy
[root@localhost ~]# getfacl /var/lib/gssproxy
getfacl: Removing leading '/' from absolute path names
# file: var/lib/gssproxy
# owner: root
# group: root
user::rwx
group::---
other::---

[simo5]

Perhaps we should change the example files to use /run/gssproxy.sock for things like HTTPD which dos not run as root ...

[simo5]

@jrisc how do you handle this in Fedora packages?

[jrisc]

In Fedora, we use the --with-socket-name parameter of configure to point to /run/gssproxy.default.sock by default.

[simo5]

@jrisc should we change the default upstream as well, or maybe just add documentation to that effect ?

[simo5]

@yixiangzhike in the short term I suggest you change the httpd service configuration to create a socket elsewhere

[yixiangzhike]

@simo5 @jrisc Thank you! I have changed my configuration of httpd.service to create a custom socket file. It works well.

[jrisc]

@simo5 Apparently /run is meant to contain sockets:

System programs that maintain transient UNIX-domain sockets must place them in this directory [...]

I'm just wondering if we can consider it "transient", since it's a default socket that is supposed to be active as long as gssproxy is running (which I suppose is most of the machine's uptime)...

[simo5]

Yes I think we should move the socket to the right place.
Technically we could also use systemd to listen on the socket and run gss-proxy on demand if there is a connection so I think it fits the "transient" definition.

[simo5]

that said for security reasons it should probably be created in a subdirectory which everyone can read but only gssproxy can create the socket ?

[simo5]

Nevermind, only root can create stuff in /run so yeah I think moving the upstream default there is just fine. The problem is making sure this is clearly communicated as it may break existing systems if we clumsily change it