nginx-shib / nginx-http-shibboleth

Shibboleth auth request module for nginx
https://github.com/nginx-shib/nginx-http-shibboleth/wiki

Question: Misleading Supervisor configuration? #44

Closed jp2masa closed 2 years ago

jp2masa commented 2 years ago

In the configuration doc, section Running the FastCGI authorizer and responder, I think the Supervisor configuration is a bit misleading for two reasons:

  1. The shibd user doesn't exist, it would be _shibd I guess?
  2. Even with the previous fix, it wouldn't work, as the socket mode (0660) is assuming that the nginx user is shibd or belongs to the shibd group. I'm currently using www-data:www-data for the ownership of the sockets and process, and it seems to work fine, am I doing it correctly? (I also found someone who changed the mode to 0666, but I think that would be somewhat unsafe?)

If this makes sense, I can make a PR to add this detail to the doc.

davidjb commented 2 years ago

Thanks for raising this, @jp2masa. To answer your questions:

> 1. The shibd user doesn't exist, it would be _shibd I guess?

Different platforms may be different - on RPM-based distributions, the user and group are called shibd and these get created upon installation of the shibboleth package.

> 2. Even with the previous fix, it wouldn't work, as the socket mode (0660) is assuming that the nginx user is shibd or belongs to the shibd group. I'm currently using www-data:www-data for the ownership of the sockets and process, and it seems to work fine, am I doing it correctly? (I also found someone who changed the mode to 0666, but I think that would be somewhat unsafe?)

Yes, this is right. The web server user would need to be part of the shibd group given the example configuration and socket mode. The config is an example of how one might set up their environment given differences in OS and environments, but I agree, without more information, the example lacks that info. I've added and expanded the note attached to the example config, highlighting that users, permissions and paths may need to differ between environments.

As for whether the existing example is best-practice, the shib applications need access to the Shibboleth internals (e.g. shibd) so the processes would most easily be run as that user. As for the FastCGI sockets, I'm not sufficiently familiar with the internals of FastCGI or the shib apps to know if having the process running with one user but the socket owned by another could cause any issues. If you're finding it working for you with the www-data user (e.g. nginx's default user on Debian/Ubuntu/etc), then it is seemingly workable to have it like that. I could imagine SELinux or equivalent security mechanisms affecting this, however.

If you've got any suggestions to further clarify the above, feel free to open a PR and I can take a look.
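
The socket ownership and mode question discussed above, as an added example that is not part of the thread or of the nginx-http-shibboleth project: a Python check of whether the web server user can connect to a FastCGI Unix socket under a given owner, group and mode, which also flags world-writable sockets. The function names and the numeric uids/gids (shibd = 110:115, www-data = 33:33) are constructed for illustration.

```python
import os
import pwd
import stat

NO_ACCESS = "web server user cannot connect to the socket"
WORLD_WRITABLE = "socket is world-writable: any local user can connect"

def can_connect(mode, sock_uid, sock_gid, uid, gids):
    """On Linux, connect() to a Unix socket needs write permission on the
    socket file. POSIX checks exactly one class: owner, else group, else other."""
    if uid == 0:                      # root bypasses the mode bits
        return True
    if uid == sock_uid:
        return bool(mode & stat.S_IWUSR)
    if sock_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit(mode, sock_uid, sock_gid, uid, gids):
    """Return findings for one socket as seen by the web server user."""
    findings = []
    if not can_connect(mode, sock_uid, sock_gid, uid, gids):
        findings.append(NO_ACCESS)
    if mode & stat.S_IWOTH:
        findings.append(WORLD_WRITABLE)
    return findings

def audit_path(path, username):
    """Audit a real socket for a real account, e.g. the user nginx runs as.
    Search permission on the parent directories is not checked here."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    pw = pwd.getpwnam(username)
    gids = set(os.getgrouplist(username, pw.pw_gid))
    return audit(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, pw.pw_uid, gids)

if __name__ == "__main__":
    # Constructed scenarios from the thread: (mode, sock_uid, sock_gid, uid, gids)
    cases = {
        "shibd:shibd 0660, www-data not in shibd": (0o660, 110, 115, 33, {33}),
        "shibd:shibd 0660, www-data in shibd":     (0o660, 110, 115, 33, {33, 115}),
        "www-data:www-data 0660":                  (0o660, 33, 33, 33, {33}),
        "shibd:shibd 0666":                        (0o666, 110, 115, 33, {33}),
    }
    for name, args in cases.items():
        print(f"{name}: {audit(*args) or 'ok'}")
```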

jp2masa commented 2 years ago

Thanks for the update!