Hi T. I warn you that I am no unix/security expert. The following should be reviewed by somebody with more experience, especially with regard to permissions.
Nevertheless, I did manage to get fcgi running on 5.7. In my case I used C/Luajit/FCGX. I used the FCGX headers in fcgiapp.h rather than fcgi_stdio.h because the "normal" interface uses several macros that do not play nice with luajit.

It is likely that the problem is with permissions or with the chroot environment. OpenBSD's documentation is great, but doing this correctly is tricky. I believe that your script needs to be able to create a file in its /run directory, so it needs permission to be able to do that. httpd does not create the socket there by itself. I think by default, the www user does not have permission to create a unix socket here.

In order to get the chroot working I did the following:

I started by compiling a simple C test example to minimize dependencies. Make sure this example works as a standard CGI program from the command line. Make sure that it can create a unix domain socket.

Then I tested the chroot environment from the command line, using "ldd" on the executable to understand exactly what dynamic libraries it loaded and where they expect to be found. For example, in my case I needed libc and libm in a "/usr/lib" subdirectory. I did this locally in my home directory so that there were no permissions issues.

Then I tested the program chrooted to /var/www/[progroot]/ . I used a subdirectory because I didn't want all of the libraries used to be visible to every chrooted FCGI program ... and because my site needs a LOT of space.

Make sure that the program is started as the correct user, e.g.

    chroot -g www -u www /var/www/progroot/ /bin/progname ... arguments

If the program requires any devices like /dev/null, then there is more work to be done, which is complicated by the fact that non-root partitions are mounted with the nodev (no device) option. In my case, my fcgi program runs from a separate partition at /var/www/[progname], so I could change this if it were necessary (it isn't).

Then, httpd worked like a charm:

/etc/httpd: ...

    server "default" {
        listen on .... tls port 443
        tls certificate ....
        tls key ....
        location "/*" {
            fastcgi socket "/[progroot]/run/test.sock"
        }
    }
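
Added example, not part of the original message and not the poster's own script: a shell check for the two things the steps above verify by hand, namely that every library ldd reports is present inside the chroot and that the run directory can take a socket. The function names, the /var/www/progroot path and the sample ldd rows are assumptions made up for illustration; the column layout is modelled on OpenBSD ldd output.

```sh
#!/bin/sh
# Added example, not from the original message.
# Constructed sample modelled on OpenBSD ldd(1) output; addresses, names
# and library versions are made up.
SAMPLE_LDD='/bin/progname:
	Start            End              Type  Open Ref GrpRef Name
	00001a2b00000000 00001a2b00204000 exe   1    0   0      /bin/progname
	00001a2d10000000 00001a2d10230000 rlib  0    1   0      /usr/lib/libm.so.9.0
	00001a2d50000000 00001a2d504f0000 rlib  0    1   0      /usr/lib/libc.so.78.1
	00001a2d00000000 00001a2d00000000 ld.so 0    1   0      /usr/libexec/ld.so'

# Read ldd output on stdin; print every shared object (rlib and ld.so rows)
# whose path does not exist under the chroot directory given as $1.
missing_in_chroot() {
    root=${1%/}
    awk '$3 == "rlib" || $3 == "ld.so" { print $NF }' |
    while read -r lib; do
        [ -e "$root$lib" ] || printf '%s\n' "$lib"
    done
}

# Succeed only if <chroot>/run exists and the invoking user can create
# entries in it (run this as the user the FastCGI program runs as).
run_dir_ready() {
    [ -d "${1%/}/run" ] && [ -w "${1%/}/run" ] && [ -x "${1%/}/run" ]
}

# Real use (paths are placeholders):
#   ldd /var/www/progroot/bin/progname | missing_in_chroot /var/www/progroot
# Demo on the constructed sample; with no such chroot every library is listed.
printf '%s\n' "$SAMPLE_LDD" | missing_in_chroot "${1:-/var/www/progroot}"
```

An empty result from missing_in_chroot means every library and the dynamic loader were found under the chroot; any path it prints still has to be copied to the same location below the chroot directory.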