svn commit: r424112 - in head/www/fcgiwrap: . files
Mathieu Arnold
mat at FreeBSD.org
Wed Oct 18 10:05:10 UTC 2017
Le 17/10/2017 à 22:26, Xin LI a écrit :
> Hi, Mathieu,
>
> Sorry for catching this late, but is there any reason not to simply
> run the daemon under the desired credentials, instead of doing this
> chown/chmod dance afterward?
>
> Not all systems start fcgiwrap daemon quick enough for the socket to
> show up (a race condition, with potential of not setting it correctly,
> which is observed about 3/5 times on my server). Moreover, this will
> also encourage using unneeded privileges (assuming fcgiwrap runs under
> root credentials, which is the default fcgiwrap_user).
There is a very good reason to not run the application with a different
user than the web server, yes.
My use case is a git server, the web server runs as www, and to be able
to write to the repositories the gitweb application must be run as git.
I have:
fcgiwrap_enable="YES"
fcgiwrap_profiles="git"
fcgiwrap_socket_owner="www"
fcgiwrap_git_socket="unix:/var/run/fcgiwrap/git.socket"
fcgiwrap_git_user="git"
> Cheers,
>
> On Mon, Oct 17, 2016 at 5:03 AM, Mathieu Arnold <mat at freebsd.org> wrote:
>> Author: mat
>> Date: Mon Oct 17 12:03:08 2016
>> New Revision: 424112
>> URL: https://svnweb.freebsd.org/changeset/ports/424112
>>
>> Log:
>> Add changing the owner/group/mode for the socket.
>>
>> PR: 213385
>> Submitted by: mat
>> Approved by: maintainer
>> Sponsored by: Absolight
>>
>> Modified:
>> head/www/fcgiwrap/Makefile (contents, props changed)
>> head/www/fcgiwrap/files/fcgiwrap.in
>>
>> Modified: head/www/fcgiwrap/Makefile
>> ==============================================================================
>> --- head/www/fcgiwrap/Makefile Mon Oct 17 12:03:03 2016 (r424111)
>> +++ head/www/fcgiwrap/Makefile Mon Oct 17 12:03:08 2016 (r424112)
>> @@ -2,7 +2,7 @@
>>
>> PORTNAME= fcgiwrap
>> PORTVERSION= 1.1.0
>> -PORTREVISION= 3
>> +PORTREVISION= 4
>> CATEGORIES= www
>> MASTER_SITES= http://www.skysmurf.nl/comp/FreeBSD/distfiles/
>>
>>
>> Modified: head/www/fcgiwrap/files/fcgiwrap.in
>> ==============================================================================
>> --- head/www/fcgiwrap/files/fcgiwrap.in Mon Oct 17 12:03:03 2016 (r424111)
>> +++ head/www/fcgiwrap/files/fcgiwrap.in Mon Oct 17 12:03:08 2016 (r424112)
>> @@ -19,6 +19,9 @@
>> # - tcp6:[ipv6_addr]:port (for ipv6)
>> # fcgiwrap_flags=
>> # Use fcgiwrap_user to run fcgiwrap as user
>> +# Use fcgiwrap_socket_mode to change the mode of the socket
>> +# Use fcgiwrap_socket_owner to change the owner of the socket
>> +# Use fcgiwrap_socket_group to change the group of the socket
>>
>> # fcgiwrap rc.d script supports multiple profiles (a-la rc.d/nginx)
>> # When profiles are specified, the non-profile specific parameters become defaults.
>> @@ -29,10 +32,12 @@
>> # fcgiwrap_enable="YES"
>> # fcgiwrap_profiles="myserver myotherserver"
>> # fcgiwrap_flags="-c 4"
>> +# fcgiwrap_socket_owner="www"
>> # fcgiwrap_myserver_socket="unix:/var/run/fcgiwrap.myserver.socket"
>> # fcgiwrap_myserver_user="myuser"
>> # fcgiwrap_myotherserver_socket="unix:/var/run/fcgiwrap.myotherserver.socket"
>> # fcgiwrap_myotherserver_user="myotheruser"
>> +# fcgiwrap_myserver_socket_mode="0775"
>> # fcgiwrap_myotherserver_flags="" # No flags for this profile.
>>
>> . /etc/rc.subr
>> @@ -62,6 +67,26 @@ fcgiwrap_precmd() {
>> install -d -o root -g wheel -m 1777 /var/run/fcgiwrap
>> }
>>
>> +fcgiwrap_postcmd() {
>> + # This is only for unix sockets
>> + case "${fcgiwrap_socket}" in
>> + unix:*)
>> + ;;
>> + *)
>> + return
>> + ;;
>> + esac
>> + if [ -n "${fcgiwrap_socket_mode}" ]; then
>> + chmod ${fcgiwrap_socket_mode} ${fcgiwrap_socket#unix:}
>> + fi
>> + if [ -n "${fcgiwrap_socket_owner}" ]; then
>> + chown ${fcgiwrap_socket_owner} ${fcgiwrap_socket#unix:}
>> + fi
>> + if [ -n "${fcgiwrap_socket_group}" ]; then
>> + chgrp ${fcgiwrap_socket_group} ${fcgiwrap_socket#unix:}
>> + fi
>> +}
>> +
>> fcgiwrap_cleansocket() {
>> # Workaround the fact that fcgiwrap doesn't cleanup his socket at stopping
>> case ${fcgiwrap_socket} in
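Review bot: The `-n` guards in fcgiwrap_postcmd are defeated by the defaults added in the `@@ -86,6 +112,9 @@` hunk (`fcgiwrap_socket_mode` 0755, `fcgiwrap_socket_owner` root, `fcgiwrap_socket_group` wheel), so every start now chmods and chowns the socket to root:wheel even when the administrator configured none of them. If fcgiwrap_user is set to a non-root account, that account would presumably lose write permission on its own socket (mode 0755 owned by root), which a Unix-domain connect needs, so leaving the three defaults empty (keeping the guards meaningful) or deriving the owner from `${fcgiwrap_user}` looks safer; please confirm against how rc.subr treats the postcmd. Separately, the path and mode/owner/group expand unquoted and should read `chmod "${fcgiwrap_socket_mode}" "${fcgiwrap_socket#unix:}"`, `chown "${fcgiwrap_socket_owner}" "${fcgiwrap_socket#unix:}"`, `chgrp "${fcgiwrap_socket_group}" "${fcgiwrap_socket#unix:}"`. A short comment above the case, e.g. `# Runs once after the daemon has started; the socket must already exist for the chmod/chown below to succeed.`, would document the precondition.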
>> @@ -78,6 +103,7 @@ pidfile="${pidprefix}.pid" # May be a d
>> procname="%%PREFIX%%/sbin/${name}"
>> command="/usr/sbin/daemon"
>> start_precmd="fcgiwrap_precmd"
>> +start_postcmd="fcgiwrap_postcmd"
>> stop_postcmd="fcgiwrap_cleansocket"
>>
>> load_rc_config $name
>> @@ -86,6 +112,9 @@ load_rc_config $name
>> fcgiwrap_enable=${fcgiwrap_enable:-"NO"}
>> fcgiwrap_user=${fcgiwrap_user:-"root"}
>> fcgiwrap_socket=${fcgiwrap_socket:-"unix:/var/run/fcgiwrap/fcgiwrap.sock"}
>> +fcgiwrap_socket_mode=${fcgiwrap_socket_mode:-"0755"}
>> +fcgiwrap_socket_owner=${fcgiwrap_socket_owner:-"root"}
>> +fcgiwrap_socket_group=${fcgiwrap_socket_group:-"wheel"}
>>
>> # This handles profile specific vars.
>> if [ -n "$2" ]; then
>> @@ -96,6 +125,9 @@ if [ -n "$2" ]; then
>> eval fcgiwrap_fib="\${fcgiwrap_${profile}_fib:-${fcgiwrap_fib}}"
>> eval fcgiwrap_user="\${fcgiwrap_${profile}_user:-${fcgiwrap_user}}"
>> eval fcgiwrap_socket="\${fcgiwrap_${profile}_socket:?}"
>> + eval fcgiwrap_socket_mode="\${fcgiwrap_${profile}_socket_mode:-${fcgiwrap_socket_mode}}"
>> + eval fcgiwrap_socket_owner="\${fcgiwrap_${profile}_socket_owner:-${fcgiwrap_socket_owner}}"
>> + eval fcgiwrap_socket_group="\${fcgiwrap_${profile}_socket_group:-${fcgiwrap_socket_group}}"
>> eval fcgiwrap_flags="\${fcgiwrap_${profile}_flags:-${fcgiwrap_flags}}"
>> else
>> echo "$0: extra argument ignored"
>>
--
Mathieu Arnold