[Pdns-users] socket-dir perms for pdns UID/GID not sufficient : "Unable to bind to control socket ... reason: Permission denied". 'o+w' dir perms required?
PGNet Dev
pgnet.dev at gmail.com
Fri Dec 30 00:02:10 UTC 2016
This post

    [Pdns-users] control socket permissions
    https://mailman.powerdns.com/pipermail/pdns-users/2011-September/020182.html

suggests that

    If 'setgid' _is_ present, powerdns will run with that group ID; the socket will be set to that group ID too and permissions on the socket will be changed to 660.

I've installed

    dig chaos txt version.bind @127.0.0.1 -p 15301 +short
    "PowerDNS Authoritative Server 4.0.1-264-g50e4ab365 (built Dec 29 2016 09:49:29 by adm at dns.example.com)"

My config includes

    cat /usr/local/etc/powerdns/pdns.conf
    ...
    #chroot=/var/pdns
    socket-dir=/var/pdns
    setgid=pdns
    setuid=pdns
    ...

I've set

    chmod 0775 /var/pdns
    chown pdns:pdns /var/pdns
    ls -ld /var/pdns
    drwxrwxr-x 2 pdns pdns 4.0K Dec 29 15:52 /var/pdns/

On exec

    rm -f /var/pdns/pdns.controlsocket
    systemctl start pdns

it fails. Logs report,

    ...
    Dec 29 15:53:45 dns pdns[12445]: This is a standalone pdns
    Dec 29 15:53:45 dns pdns[12445]: Unable to bind to control socket at '/var/pdns/pdns.controlsocket', reason: Permission denied
    ...

Otoh, if

    rm -f /var/pdns/pdns.controlsocket
    chmod o+w /var/pdns
    ls -ld /var/pdns
    drwxrwxrwx 2 pdns pdns 4.0K Dec 29 15:52 /var/pdns/
    systemctl start pdns

it's successful

    tail -f /var/log/pdns/pdns.log
    ...
    Dec 29 15:44:24 dns pdns[31649]: Creating backend connection for TCP
    Dec 29 15:44:24 dns pdns[31649]: Master/slave communicator launching
    Dec 29 15:44:24 dns pdns[31649]: No new unfresh slave domains, 0 queued for AXFR already, 0 in progress
    Dec 29 15:44:24 dns pdns[31649]: No master domains need notifications
    Dec 29 15:44:24 dns pdns[31649]: About to create 3 backend threads for UDP
    Dec 29 15:44:24 dns pdns[31649]: Done launching threads, ready to distribute questions

    ls -al /var/pdns/
    total 40K
    drwxrwxrwx 2 pdns pdns 4.0K Dec 29 15:44 ./
    drwxr-xr-x 27 root root 4.0K Dec 29 10:13 ../
    srw-rw---- 1 root pdns 0 Dec 29 15:44 pdns.controlsocket=
    -rw------- 1 pdns pdns 26K Dec 29 10:14 powerdns.sqlite3

Why are o+w perms required for the socket directory? Shouldn't 'pdns' uid/gid be sufficient?
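
A model of the owner/group/other check the kernel applies when a process creates a socket file in a directory like the one listed above, as an added example that is not part of the original post. The listing shows the created socket owned by root, so the cases include uid 0. The numeric ids are constructed placeholders, and whether the binding process holds CAP_DAC_OVERRIDE is an assumption passed in as a parameter.

```python
import stat

# Write + search bits per class: bind() on an AF_UNIX path creates a directory
# entry, so the caller needs both on the parent directory.
NEED = {
    "owner": stat.S_IWUSR | stat.S_IXUSR,
    "group": stat.S_IWGRP | stat.S_IXGRP,
    "other": stat.S_IWOTH | stat.S_IXOTH,
}

def perm_class(dir_uid, dir_gid, euid, gids):
    """Pick the single triplet the kernel consults; it never falls through."""
    if euid == dir_uid:
        return "owner"
    if dir_gid in gids:
        return "group"
    return "other"

def can_create_entry(mode, dir_uid, dir_gid, euid, gids, dac_override=False):
    """True if a process with these credentials may create a file in the dir."""
    if dac_override:  # CAP_DAC_OVERRIDE skips the mode-bit check entirely
        return True
    need = NEED[perm_class(dir_uid, dir_gid, euid, gids)]
    return (mode & need) == need

# Constructed sample: numeric ids are placeholders, not taken from the post.
PDNS_UID = PDNS_GID = 953
CASES = [
    # label, dir mode, euid, group set, CAP_DAC_OVERRIDE held (assumption)
    ("pdns:pdns, dir 0775", 0o775, PDNS_UID, {PDNS_GID}, False),
    ("root:root no cap, dir 0775", 0o775, 0, {0}, False),
    ("root:root no cap, dir 0777", 0o777, 0, {0}, False),
    ("root:pdns no cap, dir 0775", 0o775, 0, {PDNS_GID}, False),
    ("root:root with cap, dir 0775", 0o775, 0, {0}, True),
]

def evaluate(cases=CASES):
    """Run every case against a directory owned by pdns:pdns."""
    return {label: can_create_entry(mode, PDNS_UID, PDNS_GID, euid, gids, cap)
            for label, mode, euid, gids, cap in cases}

if __name__ == "__main__":
    for label, ok in evaluate().items():
        print(f"{label:30} -> {'bind ok' if ok else 'EACCES'}")
```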