
I'd like my PHP web application (run as user apache) to connect to redis via a UNIX socket. So I thought of running redis as user apache as well and the socket permissions can be 0700 owned by apache. But I also want the socket in /var/run, which is owned by root and not writable by apache.

So if I run redis as root, my PHP app cannot connect unless I open the socket permissions, which I'd rather not do if I can avoid it.

How do I square this circle? (Redis is managed by systemd)

1 Answer

Usually IPC sockets don't live in /run/ directly, but rather in a subdirectory owned by the daemon – such as under /run/redis/.

drwxr-xr-x 37 root  root  920 Jun  1 08:14 /run/
drwxr-xr-x  2 redis redis  40 Jun  1 08:14 /run/redis/
srw-rw-rw-  1 redis redis   0 Jun  1 08:14 /run/redis/socket=

The directory can be automatically pre-created with the correct permissions on boot (by a tmpfiles.d configuration in all systemd versions), or upon starting the service (by the RuntimeDirectory= parameter in your service in systemd ≥v211). Very likely your distribution has already done so.

Note that it would be more secure to run the daemons under separate UIDs, but make the socket group-accessible by one of the groups that apache is member of. This will allow IPC connections as intended, but will still prevent Apache from messing around with the Redis daemon itself.
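As an added worked example (not part of the answer above), the following script writes the three pieces of configuration the answer describes: a systemd drop-in using RuntimeDirectory=, the equivalent tmpfiles.d line, and the redis.conf socket settings, plus a small permission check. The unit name `redis.service`, the users `redis` and `apache`, and the socket path `/run/redis/redis.sock` are assumptions; set `PREFIX` to a scratch directory to inspect the files without touching /etc.

```shell
#!/bin/sh
# Added example, not from the original answer or the Redis project.
# Assumptions: Redis runs as redis:redis under redis.service, PHP runs as
# "apache", and the socket is /run/redis/redis.sock. PREFIX (default empty,
# i.e. the real /etc) lets the files be generated under a scratch directory.
set -eu
PREFIX="${PREFIX:-}"

write_config() {
    mkdir -p "$PREFIX/etc/systemd/system/redis.service.d" \
             "$PREFIX/etc/tmpfiles.d" "$PREFIX/etc/redis"
    # systemd >= 211: create /run/redis as redis:redis, mode 0750, on start.
    # 0750 gives the redis group search access to the directory but nothing
    # to other users, so the socket is unreachable for everyone else.
    cat >"$PREFIX/etc/systemd/system/redis.service.d/runtime-dir.conf" <<'EOF'
[Service]
User=redis
Group=redis
RuntimeDirectory=redis
RuntimeDirectoryMode=0750
EOF
    # Alternative for any systemd version: pre-create it on boot via tmpfiles.d.
    cat >"$PREFIX/etc/tmpfiles.d/redis.conf" <<'EOF'
d /run/redis 0750 redis redis -
EOF
    # redis.conf: put the socket in that directory, rw for owner and group only.
    cat >"$PREFIX/etc/redis/redis.conf" <<'EOF'
unixsocket /run/redis/redis.sock
unixsocketperm 660
EOF
}

# The socket is 0660 redis:redis, so the web server needs membership in the
# redis group; it still cannot signal or otherwise control the redis process.
grant_web_access() {
    usermod -a -G redis apache
}

# Check helper: succeeds (0) when the path has no "other" permission bits,
# i.e. only owner and group can use it; fails (1) if it is world-accessible.
no_world_access() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}
```

Run `write_config` as root, then `grant_web_access`, `systemctl daemon-reload` and restart the service; `no_world_access /run/redis/redis.sock` should then succeed.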
