Staging for a rollout of EL 6, and ran into a very strange permissions issue with xinetd that defies all (my) logic.

It's a script called "spfiled" that we use for messaging between our server cluster servers. I'm trying to get it to run with "least permissions necessary". Because it reads/writes files in conjunction with a web-based service, it runs as user "apache".

Here's my xinet.d/spfiled.conf: (this is in dev, each developer has his own number)

#################### spfiled.conf ##################

service spfiled461

{

socket_type = stream

wait = no

user = apache

group = apache

server = /path/to/filed.php

protocol = tcp

disable = no

bind = 192.168.3.2

port = 12461

banner_fail = /path/to/banner_fail.txt

cps = 10000 0

max_load = 10.0

}

#################### spfiled.conf ##################

Here's the permissions of the script:

# ls -laFd /path/to/filed.php

-rwxr-xr-- 1 bens apache 18042 Jan 7 2011 filed.php

When I restart xinetd, I see in system log:

#################### /var/log/messages ##################

Jul 18 16:32:25 bender xinetd[17830]: Server /path/to/filed.php is not executable [file=/etc/xinetd.d/spfiled461] [line=11]

Jul 18 16:32:25 bender xinetd[17830]: Error parsing attribute server - DISABLING SERVICE [file=/etc/xinetd.d/spfiled461] [line=11]

I've turned off SELinux completely.

# setenforce 0;

Strangely, setting permissions to o+x and it starts up fine, but I don't want to leave permissions that open.

What am I missing?