Le 18/10/2017 à 12:05, Mathieu Arnold a écrit : > Le 17/10/2017 à 22:26, Xin LI a écrit : >> Hi, Mathieu, >> >> Sorry for catching this late, but is there any reason not to simply >> run the daemon under the desired credentials, instead of doing this >> chown/chmod dance afterward? >> >> Not all systems start fcgiwrap daemon quick enough for the socket to >> show up (a race condition, with potential of not setting it correctly, >> which is observed about 3/5 times on my server). Moreover, this will >> also encourage using unneeded privileges (assuming fcgiwrap runs under >> root credentials, which is the default fcgiwrap_user). > There is a very good reason to not run the application with a different > user than the web server, yes.
s/to not run/to run/. Also, I had not imagined anyone would run their cgi as root. The default user should probably be nobody or something less silly, but definitively not root. > My use case is a git server, the web server runs as www, and to be able > to write to the repositories the gitweb application must be run as git. > > I have: > > fcgiwrap_enable="YES" > fcgiwrap_profiles="git" > fcgiwrap_socket_owner="www" > fcgiwrap_git_socket="unix:/var/run/fcgiwrap/git.socket" > fcgiwrap_git_user="git" > >> Cheers, >> >> On Mon, Oct 17, 2016 at 5:03 AM, Mathieu Arnold <m...@freebsd.org> wrote: >>> Author: mat >>> Date: Mon Oct 17 12:03:08 2016 >>> New Revision: 424112 >>> URL: https://svnweb.freebsd.org/changeset/ports/424112 >>> >>> Log: >>> Add changing the owner/group/mode for the socket. >>> >>> PR: 213385 >>> Submitted by: mat >>> Approved by: maintainer >>> Sponsored by: Absolight >>> >>> Modified: >>> head/www/fcgiwrap/Makefile (contents, props changed) >>> head/www/fcgiwrap/files/fcgiwrap.in >>> >>> Modified: head/www/fcgiwrap/Makefile >>> ============================================================================== >>> --- head/www/fcgiwrap/Makefile Mon Oct 17 12:03:03 2016 (r424111) >>> +++ head/www/fcgiwrap/Makefile Mon Oct 17 12:03:08 2016 (r424112) >>> @@ -2,7 +2,7 @@ >>> >>> PORTNAME= fcgiwrap >>> PORTVERSION= 1.1.0 >>> -PORTREVISION= 3 >>> +PORTREVISION= 4 >>> CATEGORIES= www >>> MASTER_SITES= http://www.skysmurf.nl/comp/FreeBSD/distfiles/ >>> >>> >>> Modified: head/www/fcgiwrap/files/fcgiwrap.in >>> ============================================================================== >>> --- head/www/fcgiwrap/files/fcgiwrap.in Mon Oct 17 12:03:03 2016 >>> (r424111) >>> +++ head/www/fcgiwrap/files/fcgiwrap.in Mon Oct 17 12:03:08 2016 >>> (r424112) 
>>> @@ -19,6 +19,9 @@ >>> # - tcp6:[ipv6_addr]:port (for ipv6) >>> # fcgiwrap_flags= >>> # Use fcgiwrap_user to run fcgiwrap as user >>> +# Use fcgiwrap_socket_mode to change the mode of the socket >>> +# Use fcgiwrap_socket_owner to change the owner of the socket >>> +# Use fcgiwrap_socket_group to change the group of the socket >>> >>> # fcgiwrap rc.d script supports multiple profiles (a-la rc.d/nginx) >>> # When profiles are specified, the non-profile specific parameters become >>> defaults. >>> @@ -29,10 +32,12 @@ >>> # fcgiwrap_enable="YES" >>> # fcgiwrap_profiles="myserver myotherserver" >>> # fcgiwrap_flags="-c 4" >>> +# fcgiwrap_socket_owner="www" >>> # fcgiwrap_myserver_socket="unix:/var/run/fcgiwrap.myserver.socket" >>> # fcgiwrap_myserver_user="myuser" >>> # >>> fcgiwrap_myotherserver_socket="unix:/var/run/fcgiwrap.myotherserver.socket" >>> # fcgiwrap_myotherserver_user="myotheruser" >>> +# fcgiwrap_myserver_socket_mode="0775" >>> # fcgiwrap_myotherserver_flags="" # No flags for this profile. >>> >>> . /etc/rc.subr >>> @@ -62,6 +67,26 @@ fcgiwrap_precmd() { >>> install -d -o root -g wheel -m 1777 /var/run/fcgiwrap >>> } >>> >>> +fcgiwrap_postcmd() { >>> + # This is only for unix sockets >>> + case "${fcgiwrap_socket}" in >>> + unix:*) >>> + ;; >>> + *) >>> + return >>> + ;; >>> + esac >>> + if [ -n "${fcgiwrap_socket_mode}" ]; then >>> + chmod ${fcgiwrap_socket_mode} ${fcgiwrap_socket#unix:} >>> + fi >>> + if [ -n "${fcgiwrap_socket_owner}" ]; then >>> + chown ${fcgiwrap_socket_owner} ${fcgiwrap_socket#unix:} >>> + fi >>> + if [ -n "${fcgiwrap_socket_group}" ]; then >>> + chgrp ${fcgiwrap_socket_group} ${fcgiwrap_socket#unix:} >>> + fi >>> +} >>> + >>> fcgiwrap_cleansocket() { >>> # Workaround the fact that fcgiwrap doesn't cleanup his socket at >>> stopping >>> case ${fcgiwrap_socket} in 
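Review bot: The chmod, chown and chgrp calls in the new fcgiwrap_postcmd expand `${fcgiwrap_socket_mode}` and `${fcgiwrap_socket#unix:}` unquoted and act on whatever currently sits at that path, which the context line in the same hunk shows is under a directory created with mode 1777 that any local user can write into; a symlink planted there would be followed by these root-run commands. Quoting the expansions, checking that the path really is a socket with `[ -S ... ]` before touching it, and passing `-h` so symlinks are never followed limits the postcmd to the daemon's own socket. The rewrite below does that and stores the stripped path in one local variable instead of re-deriving it three times.
```shell
fcgiwrap_postcmd() {
	# … unchanged: unix:* case statement that returns for non-unix sockets …
	local sock
	sock=${fcgiwrap_socket#unix:}
	# Only touch a real socket; /var/run/fcgiwrap is world-writable (1777),
	# so never follow a symlink or chmod/chown an arbitrary file there.
	[ -S "${sock}" ] || return
	if [ -n "${fcgiwrap_socket_mode}" ]; then
		chmod -h -- "${fcgiwrap_socket_mode}" "${sock}"
	fi
	if [ -n "${fcgiwrap_socket_owner}" ]; then
		chown -h -- "${fcgiwrap_socket_owner}" "${sock}"
	fi
	if [ -n "${fcgiwrap_socket_group}" ]; then
		chgrp -h -- "${fcgiwrap_socket_group}" "${sock}"
	fi
}
```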
>>> @@ -78,6 +103,7 @@ pidfile="${pidprefix}.pid" # May be a d >>> procname="%%PREFIX%%/sbin/${name}" >>> command="/usr/sbin/daemon" >>> start_precmd="fcgiwrap_precmd" >>> +start_postcmd="fcgiwrap_postcmd" >>> stop_postcmd="fcgiwrap_cleansocket" >>> >>> load_rc_config $name >>> @@ -86,6 +112,9 @@ load_rc_config $name >>> fcgiwrap_enable=${fcgiwrap_enable:-"NO"} >>> fcgiwrap_user=${fcgiwrap_user:-"root"} >>> fcgiwrap_socket=${fcgiwrap_socket:-"unix:/var/run/fcgiwrap/fcgiwrap.sock"} >>> +fcgiwrap_socket_mode=${fcgiwrap_socket_mode:-"0755"} >>> +fcgiwrap_socket_owner=${fcgiwrap_socket_owner:-"root"} >>> +fcgiwrap_socket_group=${fcgiwrap_socket_group:-"wheel"} >>> >>> # This handles profile specific vars. >>> if [ -n "$2" ]; then >>> @@ -96,6 +125,9 @@ if [ -n "$2" ]; then >>> eval >>> fcgiwrap_fib="\${fcgiwrap_${profile}_fib:-${fcgiwrap_fib}}" >>> eval >>> fcgiwrap_user="\${fcgiwrap_${profile}_user:-${fcgiwrap_user}}" >>> eval fcgiwrap_socket="\${fcgiwrap_${profile}_socket:?}" >>> + eval >>> fcgiwrap_socket_mode="\${fcgiwrap_${profile}_socket_mode:-${fcgiwrap_socket_mode}}" >>> + eval >>> fcgiwrap_socket_owner="\${fcgiwrap_${profile}_socket_owner:-${fcgiwrap_socket_owner}}" >>> + eval >>> fcgiwrap_socket_group="\${fcgiwrap_${profile}_socket_group:-${fcgiwrap_socket_group}}" >>> eval >>> fcgiwrap_flags="\${fcgiwrap_${profile}_flags:-${fcgiwrap_flags}}" >>> else >>> echo "$0: extra argument ignored" >>> -- Mathieu Arnold
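Review bot: The defaults added in the `@@ -86,6 +112,9 @@` hunk (`fcgiwrap_socket_mode` 0755, owner root, group wheel) make the `-n` guards in fcgiwrap_postcmd always true, so every start now runs chmod and chown on the socket even when the administrator set none of the new variables, although the header comments present them as optional overrides. Defaulting the three to empty (`fcgiwrap_socket_mode=${fcgiwrap_socket_mode:-""}`, and likewise for `_owner` and `_group`) would keep the unconfigured behaviour identical to before this commit and give the guards a purpose. Connecting to a unix socket requires write permission on it, so a 0755 default presumably restricts connections to the socket owner; if that restriction is intended it is worth stating next to the `fcgiwrap_socket_mode` comment in the `@@ -19,6 +19,9 @@` hunk.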