The Library Basement
Reading under ground

Separate php-fpm pools for great victory

Let's say you use a pretty standard Nginx/PHP-FPM/Linux/MariaDB ("nephilim"?) stack for hosting web applications. On most distributions you'll have a single php-fpm pool which spawns workers to execute tasks handed to it by the web server, either via a POSIX (Unix domain) socket or a TCP socket. That's great for simplicity's sake.

But what if you have some web-app you want to run but don't really trust? HINT: You shouldn't really trust any internet-facing application. If there's a remote code execution flaw in the code for webapp foo, an attacker then assumes the security persona of the entire php-fpm pool, including access to other applications' memory, file-system space, and databases. Yikes!

Nothing in the below is particularly novel, but it may be useful nonetheless. There's also the container approach to solving this, which is probably more secure overall, but is not available to everyone. The context of the examples below is running GNU Social on CentOS 7. (On CentOS 7, nginx runs as the "nginx" user, and php-fpm runs by default as the "apache" user, the same user httpd normally runs as.)

Separate Databases

Each application should have its own database with its own unique username and password. I think most people know this, but stating it here for good measure.

Separate User

Each web application should have its own local unprivileged user account. If that account never needs a shell environment, it is best to not give it a login shell either. GNU Social requires a shell to run its queue daemon scripts, so here is how I did it:

useradd -m -s /bin/bash social

Assuming you have "PermitEmptyPasswords no" in your sshd_config, you don't have to set a password. Otherwise set a very strong one. It'll never be used under normal operations.

A note specific to GNU Social: the queue daemons should run as this user as well. We're in a systemd world now on Linux, so see an example of a unit file for queue daemons. You'll want to set the user in that unit file:


Separate File-system Path

Take note of the group your web server (nginx in my example) runs as. On CentOS it is "nginx"; on Debian derivatives it appears to be "www-data".

You've extracted your web application's files into /var/www/. You'll want to lock this down so that only the application pool user and the web server have access:

chown -R social:nginx /var/www/
chmod -R o-rwx /var/www/
# Also follow GNU Social's install instructions for setting
# write permissions on avatar/, file/, and the base directory so
# config.php can be written by the installer

This way the web server can read the application's root contents (e.g. php scripts and static files), and the php-fpm pool for your application will have write access (for writing the configuration at install time and uploading files). Other users should have no access to this location (go ahead, test it).

When you create a separate php-fpm pool below, you'll need to provide a session and cache path which are writable by the social user:

mkdir -p /var/lib/social/{cache,session}
chown root:social /var/lib/social/{cache,session}
chmod 770 /var/lib/social/{cache,session}

Separate php-fpm pools

Pool definitions for php-fpm are typically found in /etc/php-fpm.d/. Your mileage may vary based on distribution, etc. Take a look at the default pool to see how it is configured.

Depending on the resources of your system, you may want to reduce the value of pm.max_children (and related settings) in the default pool to make room for your new pool. This can be tuned depending on the relative resource demands of your pools.

Now copy the default pool to a new file in the same directory called social.conf and edit it. Below are the required edits:

  1. Give the pool a unique socket, either a different path for a POSIX socket or a different port number for a TCP socket. Assuming everything is on a single server, I recommend the POSIX socket, e.g. "listen = /var/run/php-fpm-social.sock"
  2. Set "user = social"
  3. Set "group = social"
  4. Set "php_value[session.save_path] = /var/lib/social/session"
  5. Set "php_value[wsdl_cache_dir] = /var/lib/social/cache"

Configure your nginx configuration file for the site to use the unique socket listed above:

fastcgi_pass unix:/var/run/php-fpm-social.sock;

Now you are ready to restart php-fpm, nginx, and your queue daemons. If you run the following, you should see some php-fpm workers running as social:

ps aux | grep php-fpm
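The pool edits above, the queue-daemon unit mentioned under "Separate User", and the `ps aux` check are pulled together here as an added example; it is not from the original post or from the GNU Social project. The sample ps output is constructed, the pm.* values and the listen.owner/listen.group/listen.mode lines are my additions (the listen.* lines keep other local users from connecting to the socket and running PHP as the pool user), and the ExecStart path in the unit is a placeholder.

```sh
#!/bin/sh
# Added example (not from the original post or GNU Social): render a
# per-application php-fpm pool file, render a systemd unit that runs the
# queue daemons as the pool user, and audit `ps aux` output for workers
# that are not running as the expected user.

# render_pool_conf NAME SOCKET STATE_DIR
# Emits the contents of /etc/php-fpm.d/NAME.conf with the five edits from
# the post. The listen.* lines are an addition: only nginx may connect.
# pm.* values are placeholders to tune against the default pool.
render_pool_conf() {
    name="$1"; sock="$2"; state="$3"
    cat <<EOF
[$name]
user = $name
group = $name
listen = $sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3
php_value[session.save_path] = $state/session
php_value[wsdl_cache_dir] = $state/cache
EOF
}

# render_queue_unit NAME APP_DIR
# Emits a systemd service running the queue daemons as the pool user.
# ExecStart is a placeholder; substitute the daemon command your GNU Social
# version documents.
render_queue_unit() {
    name="$1"; app="$2"
    cat <<EOF
[Unit]
Description=GNU Social queue daemons ($name)
After=network.target mariadb.service php-fpm.service

[Service]
Type=simple
User=$name
Group=$name
WorkingDirectory=$app
ExecStart=$app/scripts/PLACEHOLDER-queue-daemon-command
Restart=on-failure
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
EOF
}

# audit_workers POOL USER  (reads `ps aux` output on stdin)
# Prints each worker of POOL whose first column (the user) is not USER.
# Exit 0 only if at least one POOL worker was seen and all run as USER.
# The master process (root) does not match "php-fpm: pool" and is ignored.
audit_workers() {
    awk -v pool="$1" -v user="$2" '
        /php-fpm: pool / && $NF == pool {
            seen++
            if ($1 != user) { bad++; print }
        }
        END { exit (seen > 0 && bad == 0) ? 0 : 1 }
    '
}

# Constructed ps output: master as root, default pool as apache, new pool
# as social (the expected state after the restart).
SAMPLE_PS='root      1200  0.0  0.3 100000  5000 ?  Ss   10:00   0:00 php-fpm: master process (/etc/php-fpm.conf)
apache    1201  0.0  0.5 100000  9000 ?  S    10:00   0:00 php-fpm: pool www
apache    1202  0.0  0.5 100000  9000 ?  S    10:00   0:00 php-fpm: pool www
social    1203  0.0  0.5 100000  9000 ?  S    10:00   0:00 php-fpm: pool social
social    1204  0.0  0.5 100000  9000 ?  S    10:00   0:00 php-fpm: pool social'

# Constructed failure case: social.conf was copied from www.conf but the
# "user =" line was never changed, so the new pool still runs as apache.
SAMPLE_PS_BAD='root      1200  0.0  0.3 100000  5000 ?  Ss   10:00   0:00 php-fpm: master process (/etc/php-fpm.conf)
apache    1203  0.0  0.5 100000  9000 ?  S    10:00   0:00 php-fpm: pool social
apache    1204  0.0  0.5 100000  9000 ?  S    10:00   0:00 php-fpm: pool social'

# Stand-alone demo: show both rendered files, then audit the two samples.
render_pool_conf social /var/run/php-fpm-social.sock /var/lib/social
render_queue_unit social /var/www
if printf '%s\n' "$SAMPLE_PS" | audit_workers social social >/dev/null; then
    echo "good sample: every social worker runs as social"
fi
if ! printf '%s\n' "$SAMPLE_PS_BAD" | audit_workers social social; then
    echo "bad sample: the workers listed above run as the wrong user"
fi
```

On a live host the audit is `ps aux | audit_workers social social`; a non-zero exit means either the pool never started (check the php-fpm error log) or its workers inherited the wrong user from the copied pool file.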

If there is trouble, there are a few places you'll want to look:

  • nginx error log
  • nginx access log
  • php-fpm error.log
  • php-fpm www-error.log

Assuming that worked, you've got a separate, more secure install of GNU Social. I did the foolish thing and changed the configuration after installing the site. I don't recommend it, unless you want an exercise in rapid troubleshooting. ;-)

Category: ktl Tags: technology

Voting is the Act of an American

Erick Erickson this evening published a series of messages summarizing his stance on why voting for Donald Trump as the lesser of two evils is by no means compulsory for Christians. I must admit that in the past my conception of Erickson was more or less as a partisan hack. However, in this election cycle he has been an unwavering pillar in the Never Trump movement. This has gained my attention. The below excerpt has earned my respect.

When I was working out my thoughts on non-voting in 2008, the idea seemed beyond the pale to many of my acquaintances. In 2016, given the preposterous choice set before the American public, non-voting is becoming more and more attractive to the general public. In particular it appeals to those conservative Christians who once felt comfortably at home in the GOP but now are alienated by the strongman who won that party's nomination.

Erickson is right in that pocket. In another message he notes that his seminary education in recent years has forced him to rank politics and religion, and we can see from the above which one came out on top.

Donald Trump versus Hillary Clinton is a crisis for our republic, but a useful one. There have been many times throughout history when the faithful have worried about a friendly political status quo giving way. And yet the church persists. This is of course not to say that such epochal changes are without undesirable consequences. But part of the vocation of Christianity is courage.

Readings for July 2016

In which I go obscure and mainstream.

Advances in the Study of Greek by Constantine Campbell

I don't believe I had read any new Greek books after grad school until now. Seeing as I had a bit of a gap, Constantine Campbell's Advances in the Study of Greek seemed like a perfect way to catch up. The scope of its advances are mostly in the time-frame after I last did academic study, so it really was quite helpful.

The book is organized into various fields of Greek, with a survey of the various subjects of recent inquiry and a summary of the various positions where there is controversy. There is not too much wading into the weeds, except in the case of aspect - which I think can be forgiven given the author's stake in that subject.

It felt good to read up on recent topics and realize that I haven't gotten so far behind in spite of being about three years behind in reading JBL. Recommended for everyone who wants to stay abreast of Greek scholarship.

Go Set a Watchman by Harper Lee

The unexpected release of Harper Lee's Go Set a Watchman created a lot of media buzz and was a smashing success. I randomly encountered a pile of five of these in the stacks of my local public library after the frenzy had died down, so I decided to snag one. After all, I should try to read mainstream literature from time to time, right?

What was this novel's relationship to To Kill a Mockingbird, that cornerstone of the American literary canon? It is set in the same universe, as it were, with the same characters in the same town, only later. It was marketed, implicitly at least, as a "sequel", though Watchman was written first. However, there happen to be a couple of continuity issues, as my wife noticed in a back-to-back reading of the two. The other thing she noted is that a few passages are lifted verbatim, which serves as evidence of an emerging consensus: it was a first "draft" which was later reworked into Mockingbird.

"First draft" seems like a bit of a stretch, because that implies that Watchman became Mockingbird through revision and editing, which is absurd given that the finished products are distinct enough that one can be claimed to be the sequel of the other. But Watchman was definitely the precursor, though initially rejected.

One wonders about the wisdom of publishing works which were rejected or abandoned. My most memorable encounter with this practice was with Michael Crichton's Pirate Latitudes, which was discovered and published posthumously. That novel, while an amusing diversion from Crichton's normal genre, was a half-baked mess. Crichton probably left it in the drawer for a reason, and in my opinion his literary estate stained his legacy a bit by releasing it.

I don't think Watchman fits into that mold precisely. However, it is true that the structure is not traditional for a novel. It is basically a series of a few recollections from Scout's past, accompanied by relatively few scenes of dialog and soliloquy. The recollections are, by the way, quite enjoyable, especially Scout and a friend playing "church revival."

Finally there is the matter of the "controversial" reveal of Atticus Finch being a segregationist in late life. I happen to not find anything controversial about good character development. I was somewhat disquieted by Scout's reaction to the bigoted reality of her hometown.

I will not recommend this one. If you'd like a good read, proceed to To Kill a Mockingbird.

Readings for May 2016

I continue to invest time in Gravity's Rainbow but have nothing yet to show for it.


  • Harper's April 2016
  • Harper's May 2016
Category: books Tags: readings

Walking the thin red line in Syria

More than 50 State Department diplomats have signed an internal memo sharply critical of the Obama administration’s policy in Syria, urging the United States to carry out military strikes against the government of President Bashar al-Assad to stop its persistent violations of a cease-fire in the country’s five-year-old civil war.

Yes, there's nothing like military strikes to help preserve a cease-fire...

I agree with the fifty-one U.S. State Department bureaucrats that US policy in Syria is not productive. The Obama administration calling for the ouster of Assad but taking no military action to back that up makes me speculate that they fear the consequences of the government falling. Based on recent misadventures in Iraq and Libya they should, mightily. However the U.S. has intervened by arming certain rebel groups, by brokering a chemical weapons deal with Russia, and by launching airstrikes against ISIS.

The aforementioned dissent memo in the State Department of course invokes ISIS in its justification - namely that to defeat the proto-state the civil war must first be resolved. I happen to agree with that point. Once there is a clear winner among the "legitimate" belligerents, the world will unite (or at least stop interfering) with the winning party to defeat ISIS. However the Obama administration's reluctance to use decisive force makes me wonder if they suspect that the rebels, having triumphed over Assad with U.S. help, would nonetheless be unable to effectively rule the country and defeat ISIS.

So here we stand in a great policy blunder: the U.S. officially opposes Assad thanks to old rivalries and a careless remark on the campaign trail, but President Obama's temperance won't allow the U.S. to double down. I appreciate his instinct to keep the U.S. out of a quagmire. I also mourn for the people of Syria who must endure this prolonged conflict.

"First as tragedy, then as farce", but now we're on to the third or fourth iteration.

Readings for April 2016

Novel streak!

The Land Across by Gene Wolfe

I happened across a positive review of Gene Wolfe's Book of the New Sun and decided to check it out. As it happened my local library branch did not have that particular work, but did have some of his more recent novels. I was honestly unsure what to choose, so after some jacket perusal I went with The Land Across. It is the surreal story of a travel writer stranded in a generic eastern European nation. Grafton suffers successive misadventures at the hands of the bureaucracy and the occult. Let the reader decide which threat is more dire.

Now I'm not one to put much stock in review blurbs. However, Gene Wolfe has the amazing distinction of being called the sci-fi/fantasy community's Melville by Ursula K. LeGuin. I was sold.

The Land Across is one of those novels where I have a particular issue: I really enjoy my reading experience, but I progress slowly. In this case I dragged through and eventually took a break to read My Struggle Book Four. Then I picked Wolfe up again and finished it. I love Wolfe's voice and I love the tone of this book. But for some reason I was not compelled to turn pages. Gass is another author with whom I had this struggle, but later enjoyed tremendously. So I'll try another by Wolfe, maybe the original recommendation.

Assumption by Percival Everett

After Glyph I went directly back to the Percival Everett well. Assumption is comprised of three novellas centered on the same small-town police deputy in the U.S. Southwest. Now I'll give this note in hopes it'll save another reader the confusion I suffered: Assumption is three discrete stories, not three acts in the same arc. I was confused in reading because I was looking for a link from the first story in the second before I more carefully read the back cover description.

Do you like detective stories? Do you like deconstructing detective story tropes? Check it out. I really enjoyed it. Recommended.


  • Harper's March 2016

Readings for March 2016

I have gotten into a streak of reading novels, which is nice.

Glyph by Percival Everett

Everett is one of the authors I had on my "to try" list, so I grabbed Glyph, a slim, fairly recently published work. It is the farcical story of an infant prodigy who doesn't deign to talk, but writes with a skill both startling and amazing to the adults in his world. Needless to say this draws interest from a number of fronts, and before long we're treated to the literary version of a baby outsmarting his kidnappers, a la the "Baby's Day Out" film. But it's better than that, of course. Really Everett draws together themes of childhood, race, and parental love to provide a rich subtext for the zany antics.

I'll recommend it, especially for its brevity, as an easy way to step in to Everett. I've already logged another by him, as you'll see next month.

My Struggle: Book 4 by Karl Ove Knausgaard

I am one of those shameless Karl Ove Knausgaard fans of whom it has become hip to make fun. I discovered that the fourth installment of My Struggle had been published in English, so I took a detour on the way to another meeting to pop into Powell's and purchase it. I was late to the meeting. I suppose that means I'm an addict, as the Knausgaard habit is affecting my responsibilities in the rest of my life.

The theme of this work is so simple: a young man trying to get lucky. At first it seems so cliche for a memoir, but then it really is foundational to the ego of a young man, isn't it? This volume interweaves the Quest with his last two years of secondary school and a year working as a teacher in Northern Norway.

As always, Knausgaard's recollections have the effect of stirring up my own memories of my youth, sometimes dredging up things I haven't recalled for years. On the whole it is a good thing, but can be uncomfortable as well. And zooming in to a young man's first year of independence - and the seemingly-boundless potential lying ahead - has the peculiar effect of forcing the reader to also consider "what could have been"?

Recommended of course, and I can't wait until the next volume drops. Maybe I'll be the only one in a tent on the sidewalk, waiting to buy it on its first day.

Moved some git repositories

I have become enamored of Gogs, a self-hosting solution for git repositories, so I've moved most of my personal repositories from a certain large centralized git service provider to my own instance. Check it out:

I understand this may require collaborators to actually use git in the manner in which it was designed, namely as decentralized version control. If you'd like to submit a patch to one of my projects, you'll need to craft a git pull request and email me.

Will non-voting be chic in 2016?

In 2008 I read an essay collection entitled Electing Not to Vote and it threw me for a loop, launching me on a prodigious series of blog posts in which I concluded that "the only way to vote righteously is to vote self-righteously." During the next US presidential election cycle I started an abortive series called "Peace in Babylon" from which my best observation was that "the end of Constantinianism requires Christians to be courageous once more". In retrospect those are some of the posts of which I am most proud in my short personal history of blogging, because they represent a serious engagement with a text and a topic without much of a safety net. Being a bit older now I have found I am less likely to take such strong stances in published works, but I'm not necessarily proud of that.

In addition to the increased writing output, reflecting on Electing Not to Vote troubled how I think about politics and the storm unleashed has not really calmed since. I have not voted for President since (sorry Mom), though I have participated in some local elections. I joke that I am on the spectrum between socialism and Christian anarchism, but I have mainly centered on what I call Yoderian pacifism. Centered, not settled. If there is something political I believe every day, it is that US national politics are ridiculous.

This present 2016 election cycle presents fertile ground for further reflection on these topics, because it is of course the most ludicrous Presidential primary race in memory. So if I was scandalized in 2008, by 2016 it is "first as tragedy, then as farce." Therefore I will re-read Electing Not to Vote and see where it takes me. Given the present cynicism taking root among the American electorate, I would not be surprised if non-voting becomes a popular choice this fall. But will it be meaningful, or despondent?

Category: politics

Readings for February 2016

In which I enjoy some pop novels.

Shadows of Self by Brandon Sanderson

When in doubt, Brandon Sanderson. Shadows of Self is the next installment in the Mistborn series, and the second in the Wax and Wayne cycle: you know, magic in a steam-punk setting. And I'm OK with that. Sanderson in this novel is showing his increasing command of comedy - I had some honest guffaws. He also managed to find a way to write novels (for some series) which do not stretch the technology of book binding, so that is a plus. Recommended.

The Martian by Andy Weir

I saw the film The Martian in the theater with a friend and loved it. My wife picked up the novel recently, and it was even better. I really devoured it (and so did she, after I relinquished it). Most of the time I don't put too much stock in "real science" sci-fi, because to me the storytelling is ultimately more important than the genre bonafides. This story managed to blend both to perfect taste. Recommended, and I hope the author Andy Weir writes more to enjoy in the future.


  • Tin House #62

koine-nlp release

Today I am formally releasing koine-nlp 0.2, a Python library for common NLP-related tasks for Koine Greek. I decided to make a fancy koine-nlp homepage with the help of sphinx. It includes info on installation, a tutorial, and an API reference for the koinenlp module. You can find the source repository on my gogs instance.

In the most basic mode of operation, koine-nlp is used to prepare polytonic Greek text for indexing by normalizing it (stripping diacritics and punctuation). This is done by means of the omnibus normalize() function:

>>> import koinenlp
>>> koinenlp.normalize("καὶ ἡ σκοτία αὐτὸ οὐ κατέλαβεν.")
'και η σκοτια αυτο ου κατελαβεν'

There's plenty more to it - see the documentation for more.

I do plan on adding some features in the future, so watch this space.

Formation over information

My old man emailed me a link to a blog post by singer Ashley Cleveland. In it she relates some of the history of her spiritual journey, and it is well worth a read. One line in particular stood out to me, regarding her transition to the Episcopal Church:

My desire is less for information and more for formation, less like Martha, more like Mary.

Formation over information. It has a nice ring to it. She continues:

To that end, the beauty and repetition of the Episcopalian liturgy which is built on the scripture, the common worship, the symbolic gestures and the centerpiece of communion have given me a rich experience of worship and a place for practice, regardless of my spiritual fitness at any given time.

All churches are repetitive. Some like to pretend that they don't have a liturgy, but they really do. Yet there is something distinct about the never-ending cycle of the Church Year. We repeat the same seasons and the same feasts year in and year out. We read through the lectionary every three years. And we repeat the same form of the Eucharist each week. All of these provide signposts by which I can look back and assess the progress of my Christian life. Formation.

It's not that information is bad. I have an advanced degree in Christian information (Biblical Studies) after all. And it's not that Biblical exposition in a church setting is wholly inappropriate (though I do think that Sunday school is probably a better venue for it).

One of the main things I came to appreciate early on about the Episcopal church was the short and sweet sermons. They are detached from a need to convey a lot of facts about the reading and instead provide a moment for reflection in the midst of worship. They are the opportunity for the clergy to provide some context to the never-ending liturgical cycles.

So yes: formation. It is a good theme to focus on in this Lent.

Readings for January 2016

Getting caught up on periodicals feels good. Getting deep into long books feels good too, though they don't show up in the ledger in a timely fashion.


  • Harper's January 2016
  • Harper's February 2016
Category: books Tags: readings

Readings for December 2015

In which our hero realizes that life changes have made reading more difficult by observing his end-of-year reading stats.

Basically I lost a long train commute which afforded a lot of reading time and on top of that had a baby. It was my lowest total since 2010, when I had my first son.

The Technological Society by Jacques Ellul

Considered by many to be Ellul's magnum opus, The Technological Society did not disappoint. It is the full exposition of the thinking of Ellul which I had only seen in small bits previously. Reading his account of technique will change how you perceive the world in a fundamental sense. Or at least it has for me.

I left many dog-ears in my copy, and I keep saying I'm going to write a post expanding on my observations there. For the most part his observations are prescient and still relevant to this day. One fascinating angle in the work is that he wrote at the height of the Cold War, at a time when it was not clear how it would pan out.

This is a very dense work, so it takes commitment to complete. Recommended if you have the will to get through it. Perhaps warm up on some shorter articles or interviews to find out if you have the taste for Ellul.

The Moviegoer by Walker Percy

Walker Percy has a boisterous following, and some thinkers I respect are among them. The Moviegoer won the National Book Award and therefore in some sense is a part of the American literary canon. Yet it is in a realist school which I find a bit tiresome. I felt as I did after reading The Sun Also Rises, that nothing important had really transpired in the course of the novel. Yeah, I probably didn't read closely enough, and missed the point. But this one did not inspire close reading for me.

The Sleeper and the Spindle by Neil Gaiman

Gaiman's The Sleeper and the Spindle is a delightful short story which springboards from a certain well-known (but never explicitly named) fairy tale. The version I read was made even more delightful by the inclusion of fantastic illustrations by Chris Riddell. I got through it in a single sitting, and I do believe it has re-read value (once I get it back from a friend to whom I lent it). Recommended.


  • Harper's October 2015
  • Harper's November 2015
  • Harper's December 2015

Year-end stats

In 2015 I read:

  • 14 magazines
  • 18 books
  • 7,874 pages
  • or about 22 pages per day

Much less than last year, as discussed above.