Where to create an AF_LOCAL/AF_UNIX socket file when not allowed to write in /var/run?

hl037_ asked:

FHS says that socket and pid files should go in /var/run.
However, for security purposes, only root can create files and subdirectories in this location.

A common solution is creating a subdirectory for the script in /var/run and then chmod it… But what to do when you don’t have access to the root user?

Where should I put a .socket (and a .pid) if I don’t have access to root?

My answer:

On systemd-based systems such as Arch Linux and (latest) Debian, services are expected to tell systemd that they want a directory under /run by adding a tmpfiles.d configuration file to the system.

By default these are stored in /usr/lib/tmpfiles.d, though local additions can be added in /etc/tmpfiles.d which override the defaults.

The tmpfiles.d facility can be used to create and empty directories, create files, symlinks, device nodes, sockets, and more.

For example:

# cat /usr/lib/tmpfiles.d/php-fpm.conf
d /run/php-fpm 755 root root

This specifies to create a directory /run/php-fpm, with mode 0755, owned by root and group root. The directory will be created at system startup or whenever the systemd-tmpfiles-setup service is restarted. You can also run systemd-tmpfiles manually.

There are many other options available; check the tmpfiles.d documentation for full details.
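The following is an added example, not code from the answer above or from Server Fault. It shows the two halves a practitioner needs: the tmpfiles.d line that asks systemd to create a per-service directory under /run owned by the unprivileged service account, and the check the service itself should make before binding an AF_UNIX socket there (directory owned by us and not writable by group or others, so no other user can swap the socket for their own). The service name myservice, the user and group of the same name, and the path /run/myservice are assumed; the demo uses a temporary directory as a stand-in for /run so it runs without root.

```python
import os
import shutil
import socket
import stat
import tempfile


def tmpfiles_line(path, mode, user, group):
    """Render one tmpfiles.d 'd' (create directory) entry, e.g. for
    /etc/tmpfiles.d/myservice.conf (assumed name)."""
    return f"d {path} {mode:04o} {user} {group}"


def runtime_dir_is_safe(path, expected_uid):
    """Service-side check before binding: the runtime directory must exist,
    be a directory, be owned by the service user, and not be writable by
    group or others. A shared world-writable directory (like /tmp) fails."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != expected_uid:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def bind_socket(run_dir, name="service.sock"):
    """Create the listening socket inside a directory we already verified.
    The socket is created under a restrictive umask and then opened up only
    to owner and group, so clients must be in the service's group."""
    sock_path = os.path.join(run_dir, name)
    if os.path.lexists(sock_path):
        os.unlink(sock_path)  # stale socket left by a previous run
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o077)
    try:
        srv.bind(sock_path)
    finally:
        os.umask(old_umask)
    os.chmod(sock_path, 0o660)
    srv.listen(1)
    return srv, sock_path


def demo():
    """Constructed scenario: a private runtime dir (good) and a shared
    world-writable dir (bad), both under a temporary stand-in for /run."""
    base = tempfile.mkdtemp()
    try:
        good = os.path.join(base, "myservice")
        os.mkdir(good)
        os.chmod(good, 0o750)  # explicit chmod: mkdir's mode is masked by umask
        bad = os.path.join(base, "shared")
        os.mkdir(bad)
        os.chmod(bad, 0o1777)  # sticky, world-writable, like /tmp
        uid = os.getuid()
        result = {
            "good_dir_safe": runtime_dir_is_safe(good, uid),
            "bad_dir_safe": runtime_dir_is_safe(bad, uid),
        }
        srv, sock_path = bind_socket(good)
        st = os.lstat(sock_path)
        result["socket_mode"] = stat.S_IMODE(st.st_mode)
        result["is_socket"] = stat.S_ISSOCK(st.st_mode)
        srv.close()
        return result
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(tmpfiles_line("/run/myservice", 0o750, "myservice", "myservice"))
    print(demo())
```

The tmpfiles.d entry still has to be installed by an administrator (into /etc/tmpfiles.d, as the answer says); what the service itself controls is refusing to bind when the directory it was handed does not look like the one the entry asked for.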

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.