[GH-ISSUE #376] Allow to config the owner, group and mode of the sock file #289

Closed
opened 2026-05-07 00:22:40 +02:00 by BreizhHardware · 6 comments

Originally created by @c33s on GitHub (Aug 7, 2022).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/376

is there a way to control the permissions of the created sock file?

i haven't found a way to set owner, group and mode of the sock file which leads to permission problems as my webserver is running with the user `nginx` but the sock file `/var/run/ntfy/ntfy.sock` is created with the mode `0755` for `ntfy:ntfy`

it would be awesome to have a feature like in php-fpm where i can configure the owner and the group of the sock file.

my current workaround is to manually set the group to `nginx` and the mode to `0775` for the sock file.


@binwiederhier commented on GitHub (Aug 19, 2022):

This PR https://github.com/binwiederhier/ntfy/pull/356 makes it possible to set the permissions of the socket file. It's been merged a while ago, but hasn't been released yet. Is that enough, or does it need to chown too?


@c33s commented on GitHub (Aug 21, 2022):

from DX[^1] perspective it would make sense to be able to also do a `chown`. it makes the permission handling very flexible.

sometimes the web user is `www-data` sometimes it's `nginx`,... having a setting for the owner and the group makes it easy to handle the permissions easily.

i am not sure how easy it is to implement for ntfy. not frickling around with group memberships, `sudo` and custom startup scripts really has an awesome DX in php-fpm. simply configuring it like the following code is enough.

`pool.conf`:

```
...
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
...
```

would be awesome to have the same feature in ntfy

[^1]: Developer Experience


@binwiederhier commented on GitHub (Nov 19, 2022):

@c33s A little late, but I was gonna quickly implement this just now, until I realized that `chown` and `chgrp` are privileged operations. Only `root` can execute these, so I suppose the question is: Is it still worth it? Because no one in their right mind would run the main process as root (hopefully). And Go (to the best of my knowledge) cannot fork and drop privileges like C-like languages can, due to the Go runtime.

I'm inclined to close this ticket, since no one else has asked for this ever.


@c33s commented on GitHub (Nov 19, 2022):

as ntfy is a service i assume that people will run it as root. so i still think it should be solved. people run with 777 permissions or run software (even games) as admin. nobody cares for security in the end as long as it works.

the problem is that the file is recreated, so even if i change the permissions afterwards the next time they are gone.

but to be honest, if you are right with the limitation of golang i have currently no idea how to solve this.


@c33s commented on GitHub (Nov 19, 2022):

just some thoughts: maybe allowing to call a helper script which can have a setuid bit? and the helper script does the permission changes. maybe even use sudo for the helper script call.


@binwiederhier commented on GitHub (Mar 12, 2023):

I'm running it on ntfy.sh as /tmp/ntfy.sock; and it works fine, and has the correct permissions. This is good enough IMHO.

```
root@ntfy:~# ll /tmp/ntfy.sock
srw-rw---- 1 ntfy ntfy 0 Mar  5 10:58 /tmp/ntfy.sock=
```