Usually, clapf listens on the localhost, so it cannot be accessed directly. It listens on a high port (>1024), and it does not require any special privileges. By default it switches to user 'clapf' after it's started. You may run it as a different user by setting the username parameter.


Because the clapf.conf file contains sensitive data, such as MySQL credentials, it's very important that it shouldn't be read by any other user than clapf.

chgrp clapf /usr/local/etc/clapf.conf
chmod 640 /usr/local/etc/clapf.conf

If you have clapf.pem for enabling starttls support for the clapf daemon, then fix permissions on it as well:

chgrp clapf /usr/local/etc/clapf.pem
chmod 640 /usr/local/etc/clapf.pem