Hello, I am definitely not an expert in this field, but here are some thoughts:
> connect to a fastcgi socket unless the socket's user and group are also
> www:www.

Should not Unix domain sockets be treated as regular files in terms of
permissions? If yes, then httpd should be able to access any file if:
1) httpd is a member of some group
2) this group has appropriate permissions (rwx?) to this file
So, you can create a "_fastcgi" group, add www to this group, and configure
php-fpm to create the socket with this group (it must be the main group of
the user used by php-fpm). See the listen.group and listen.mode options.

> are much more common for "web" type applications,

In the PHP world maybe, but for Python/Django Postgres is the default database.

> which really does have to be world readable and writable with the sticky
> bit set in order for the user _postgresql to place the socket there,

Again, you can add _postgres to some group, and give it permissions to
create the socket in this folder.

> although the chrooted user must specify the username together with a
> dummy password (which is not used) to connect to the socket inside the
> chroot, apparently because there is no access to /etc/passwd
> or /etc/group inside the chroot.

/etc/passwd must be accessed by postgres (which is not chrooted, right?)
but not by the client. The client (php) just opens the socket file, and
postgres uses the OpenBSD API to get its user id.
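The group-based setup proposed in the reply above (httpd's user www sharing a group with the php-fpm socket, and _postgresql sharing a group with the socket directory) comes down to the ordinary owner/group/other permission check on the socket inode and on each directory leading to it. The following is an added example, not code from the post or from OpenBSD, php-fpm or PostgreSQL: it models that check so the two setups discussed (a 0660 php-fpm socket in a shared group versus a world-writable one, and a 0770 group-owned PostgreSQL socket directory versus the sticky 1777 directory the quoted text complains about) can be compared. It assumes that connect(2) on a Unix domain socket needs write permission on the socket inode plus search permission on every parent directory, and that creating the socket needs write and search permission on its directory, which is how Linux and OpenBSD behave; all uids, gids, group names and paths in it are constructed for illustration.

```python
"""Added example: model of the POSIX DAC check behind 'share a group with the
socket' (not from the original post; uids/gids/paths are constructed)."""
from dataclasses import dataclass
from typing import FrozenSet, List

R, W, X = 4, 2, 1  # permission bits within one class (owner, group, other)


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # permission bits, e.g. 0o660; sticky bit may be present


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int
    groups: FrozenSet[int] = frozenset()  # supplementary groups


def has_access(inode: Inode, cred: Cred, want: int) -> bool:
    """Classic POSIX DAC: pick exactly one class and check the wanted bits.
    Group membership counts the primary gid and supplementary groups; uid 0
    bypasses DAC entirely (so never test a permission scheme as root)."""
    if cred.uid == 0:
        return True
    if cred.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif cred.gid == inode.gid or inode.gid in cred.groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return (bits & want) == want


def can_connect(path_dirs: List[Inode], sock: Inode, cred: Cred) -> bool:
    """Assumed connect(2) rule: search (x) on every directory, write (w) on
    the socket inode (Linux and OpenBSD enforce this on AF_UNIX sockets)."""
    return all(has_access(d, cred, X) for d in path_dirs) and has_access(sock, cred, W)


def can_create_socket(path_dirs: List[Inode], cred: Cred) -> bool:
    """Assumed bind(2) rule: search on parents, write + search on the last dir."""
    *parents, last = path_dirs
    return all(has_access(d, cred, X) for d in parents) and has_access(last, cred, W | X)


# Constructed identities: a root-owned chroot, www (httpd), the php-fpm user,
# _postgresql, and a shared group for each socket.
ROOT, WHEEL = 0, 0
WWW, WWW_GID = 67, 67
PHP, PHP_GID = 1001, 1001
PGSQL, PGSQL_GID = 503, 503
FASTCGI, DBSOCK = 1002, 1003


def fastcgi_scenario() -> dict:
    """php-fpm socket under /var/www/run with listen.group=_fastcgi and
    listen.mode=0660, compared with a 0666 socket."""
    dirs = [Inode(ROOT, WHEEL, 0o755), Inode(ROOT, WHEEL, 0o755)]  # /var/www, /var/www/run
    sock = Inode(PHP, FASTCGI, 0o660)
    www_plain = Cred(WWW, WWW_GID)
    www_in_group = Cred(WWW, WWW_GID, frozenset({FASTCGI}))
    stranger = Cred(1234, 1234)
    return {
        "www_without_group": can_connect(dirs, sock, www_plain),
        "www_with_group": can_connect(dirs, sock, www_in_group),
        "stranger": can_connect(dirs, sock, stranger),
        "stranger_if_mode_0666": can_connect(dirs, Inode(PHP, FASTCGI, 0o666), stranger),
    }


def postgres_scenario() -> dict:
    """Socket directory /var/www/var/run/postgresql: sticky 1777 (anyone may
    create files there) versus 0770 owned by root:_dbsock, with _postgresql
    and www both members of _dbsock and the socket itself 0660 in that group."""
    base = [Inode(ROOT, WHEEL, 0o755)] * 3  # /var/www, /var/www/var, /var/www/var/run
    weak_dir = Inode(ROOT, WHEEL, 0o1777)
    tight_dir = Inode(ROOT, DBSOCK, 0o770)
    pg_sock = Inode(PGSQL, DBSOCK, 0o660)
    pg = Cred(PGSQL, PGSQL_GID, frozenset({DBSOCK}))
    www = Cred(WWW, WWW_GID, frozenset({DBSOCK}))
    stranger = Cred(1234, 1234)
    return {
        "stranger_can_create_in_weak_dir": can_create_socket(base + [weak_dir], stranger),
        "pg_can_create_in_tight_dir": can_create_socket(base + [tight_dir], pg),
        "www_can_connect_in_tight_dir": can_connect(base + [tight_dir], pg_sock, www),
        "stranger_can_create_in_tight_dir": can_create_socket(base + [tight_dir], stranger),
        "stranger_can_connect_in_tight_dir": can_connect(base + [tight_dir], pg_sock, stranger),
    }


if __name__ == "__main__":
    for name, result in (("fastcgi", fastcgi_scenario()), ("postgres", postgres_scenario())):
        for case, allowed in result.items():
            print(f"{name}: {case:36s} {'allowed' if allowed else 'denied'}")
```

On the php-fpm side the setup in the reply corresponds to `listen.group` and `listen.mode = 0660` in the pool configuration (with `listen.owner` for the owning user). The model only encodes the assumed rules; whether a given kernel actually enforces write permission on the socket inode is something to verify on the target system by connecting as a user that is not in the group, and never as root, since uid 0 bypasses the check entirely.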

