svn commit: r424112 - in head/www/fcgiwrap: . files

Mathieu Arnold mat at FreeBSD.org
Wed Oct 18 22:47:03 UTC 2017


On 18/10/2017 at 12:05, Mathieu Arnold wrote:
> On 17/10/2017 at 22:26, Xin LI wrote:
>> Hi, Mathieu,
>>
>> Sorry for catching this late, but is there any reason not to simply
>> run the daemon under the desired credentials, instead of doing this
>> chown/chmod dance afterward?
>>
>> Not all systems start fcgiwrap daemon quick enough for the socket to
>> show up (a race condition, with potential of not setting it correctly,
>> which is observed about 3/5 times on my server).  Moreover, this will
>> also encourage using unneeded privileges (assuming fcgiwrap runs under
>> root credentials, which is the default fcgiwrap_user).
> There is a very good reason to not run the application with a different
> user than the web server, yes.

s/to not run/to run/.

Also, I had not imagined anyone would run their cgi as root. The default
user should probably be nobody or something less silly, but definitely
not root.

> My use case is a git server, the web server runs as www, and to be able
> to write to the repositories the gitweb application must be run as git.
>
> I have:
>
> fcgiwrap_enable="YES"
> fcgiwrap_profiles="git"
> fcgiwrap_socket_owner="www"
> fcgiwrap_git_socket="unix:/var/run/fcgiwrap/git.socket"
> fcgiwrap_git_user="git"
>
>> Cheers,
>>
>> On Mon, Oct 17, 2016 at 5:03 AM, Mathieu Arnold <mat at freebsd.org> wrote:
>>> Author: mat
>>> Date: Mon Oct 17 12:03:08 2016
>>> New Revision: 424112
>>> URL: https://svnweb.freebsd.org/changeset/ports/424112
>>>
>>> Log:
>>>   Add changing the owner/group/mode for the socket.
>>>
>>>   PR:           213385
>>>   Submitted by: mat
>>>   Approved by:  maintainer
>>>   Sponsored by: Absolight
>>>
>>> Modified:
>>>   head/www/fcgiwrap/Makefile   (contents, props changed)
>>>   head/www/fcgiwrap/files/fcgiwrap.in
>>>
>>> Modified: head/www/fcgiwrap/Makefile
>>> ==============================================================================
>>> --- head/www/fcgiwrap/Makefile  Mon Oct 17 12:03:03 2016        (r424111)
>>> +++ head/www/fcgiwrap/Makefile  Mon Oct 17 12:03:08 2016        (r424112)
>>> @@ -2,7 +2,7 @@
>>>
>>>  PORTNAME=      fcgiwrap
>>>  PORTVERSION=   1.1.0
>>> -PORTREVISION=  3
>>> +PORTREVISION=  4
>>>  CATEGORIES=    www
>>>  MASTER_SITES=  http://www.skysmurf.nl/comp/FreeBSD/distfiles/
>>>
>>>
>>> Modified: head/www/fcgiwrap/files/fcgiwrap.in
>>> ==============================================================================
>>> --- head/www/fcgiwrap/files/fcgiwrap.in Mon Oct 17 12:03:03 2016        (r424111)
>>> +++ head/www/fcgiwrap/files/fcgiwrap.in Mon Oct 17 12:03:08 2016        (r424112)
>>> @@ -19,6 +19,9 @@
>>>  # - tcp6:[ipv6_addr]:port (for ipv6)
>>>  # fcgiwrap_flags=
>>>  # Use fcgiwrap_user to run fcgiwrap as user
>>> +# Use fcgiwrap_socket_mode to change the mode of the socket
>>> +# Use fcgiwrap_socket_owner to change the owner of the socket
>>> +# Use fcgiwrap_socket_group to change the group of the socket
>>>
>>>  # fcgiwrap rc.d script supports multiple profiles (a-la rc.d/nginx)
>>>  # When profiles are specified, the non-profile specific parameters become defaults.
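Review bot: the three new comment lines should say that the knobs only apply to unix: sockets (fcgiwrap_postcmd returns early for tcp:/tcp6: listeners) and that connect(2) on a unix socket requires write permission on the socket file, so it is the write bits of fcgiwrap_socket_mode that decide which users can reach fcgiwrap at all; suggest e.g. "# (unix: sockets only; clients need write permission to connect)".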
>>> @@ -29,10 +32,12 @@
>>>  # fcgiwrap_enable="YES"
>>>  # fcgiwrap_profiles="myserver myotherserver"
>>>  # fcgiwrap_flags="-c 4"
>>> +# fcgiwrap_socket_owner="www"
>>>  # fcgiwrap_myserver_socket="unix:/var/run/fcgiwrap.myserver.socket"
>>>  # fcgiwrap_myserver_user="myuser"
>>>  # fcgiwrap_myotherserver_socket="unix:/var/run/fcgiwrap.myotherserver.socket"
>>>  # fcgiwrap_myotherserver_user="myotheruser"
>>> +# fcgiwrap_myserver_socket_mode="0775"
>>>  # fcgiwrap_myotherserver_flags=""  # No flags for this profile.
>>>
>>>  . /etc/rc.subr
>>> @@ -62,6 +67,26 @@ fcgiwrap_precmd() {
>>>         install -d -o root -g wheel -m 1777 /var/run/fcgiwrap
>>>  }
>>>
>>> +fcgiwrap_postcmd() {
>>> +       # This is only for unix sockets
>>> +       case "${fcgiwrap_socket}" in
>>> +               unix:*)
>>> +                       ;;
>>> +               *)
>>> +                       return
>>> +                       ;;
>>> +       esac
>>> +       if [ -n "${fcgiwrap_socket_mode}" ]; then
>>> +               chmod ${fcgiwrap_socket_mode} ${fcgiwrap_socket#unix:}
>>> +       fi
>>> +       if [ -n "${fcgiwrap_socket_owner}" ]; then
>>> +               chown ${fcgiwrap_socket_owner} ${fcgiwrap_socket#unix:}
>>> +       fi
>>> +       if [ -n "${fcgiwrap_socket_group}" ]; then
>>> +               chgrp ${fcgiwrap_socket_group} ${fcgiwrap_socket#unix:}
>>> +       fi
>>> +}
>>> +
>>>  fcgiwrap_cleansocket() {
>>>         # Workaround the fact that fcgiwrap doesn't cleanup his socket at stopping
>>>         case ${fcgiwrap_socket} in
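Review bot: fcgiwrap_postcmd runs as start_postcmd as soon as /usr/sbin/daemon has returned, which is not necessarily after fcgiwrap has bound its socket, so the chmod/chown/chgrp here can run against a path that does not exist yet and the socket is left with whatever mode fcgiwrap created it with (the race Xin LI reports above). Poll with something like `[ -S "${fcgiwrap_socket#unix:}" ]` for a bounded number of tries before changing it and fail the start if it never appears, or avoid the dance by starting the daemon under the intended credentials. Also quote the path expansions, and the chown/chgrp pair can be one `chown "${fcgiwrap_socket_owner}:${fcgiwrap_socket_group}"` call.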
>>> @@ -78,6 +103,7 @@ pidfile="${pidprefix}.pid"  # May be a d
>>>  procname="%%PREFIX%%/sbin/${name}"
>>>  command="/usr/sbin/daemon"
>>>  start_precmd="fcgiwrap_precmd"
>>> +start_postcmd="fcgiwrap_postcmd"
>>>  stop_postcmd="fcgiwrap_cleansocket"
>>>
>>>  load_rc_config $name
>>> @@ -86,6 +112,9 @@ load_rc_config $name
>>>  fcgiwrap_enable=${fcgiwrap_enable:-"NO"}
>>>  fcgiwrap_user=${fcgiwrap_user:-"root"}
>>>  fcgiwrap_socket=${fcgiwrap_socket:-"unix:/var/run/fcgiwrap/fcgiwrap.sock"}
>>> +fcgiwrap_socket_mode=${fcgiwrap_socket_mode:-"0755"}
>>> +fcgiwrap_socket_owner=${fcgiwrap_socket_owner:-"root"}
>>> +fcgiwrap_socket_group=${fcgiwrap_socket_group:-"wheel"}
>>>
>>>  # This handles profile specific vars.
>>>  if [ -n "$2" ]; then
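Review bot: giving fcgiwrap_socket_mode, fcgiwrap_socket_owner and fcgiwrap_socket_group non-empty defaults here makes the `[ -n ... ]` guards in fcgiwrap_postcmd always true, so every start now chmods the socket to 0755 and chowns it to root:wheel even when the administrator configured nothing; either leave the three defaults empty so untouched settings are skipped, or document that 0755 root:wheel is now enforced. Note also that fcgiwrap_user still defaults to root in the line just above, which the discussion above objects to.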
>>> @@ -96,6 +125,9 @@ if [ -n "$2" ]; then
>>>                 eval fcgiwrap_fib="\${fcgiwrap_${profile}_fib:-${fcgiwrap_fib}}"
>>>                 eval fcgiwrap_user="\${fcgiwrap_${profile}_user:-${fcgiwrap_user}}"
>>>                 eval fcgiwrap_socket="\${fcgiwrap_${profile}_socket:?}"
>>> +               eval fcgiwrap_socket_mode="\${fcgiwrap_${profile}_socket_mode:-${fcgiwrap_socket_mode}}"
>>> +               eval fcgiwrap_socket_owner="\${fcgiwrap_${profile}_socket_owner:-${fcgiwrap_socket_owner}}"
>>> +               eval fcgiwrap_socket_group="\${fcgiwrap_${profile}_socket_group:-${fcgiwrap_socket_group}}"
>>>                 eval fcgiwrap_flags="\${fcgiwrap_${profile}_flags:-${fcgiwrap_flags}}"
>>>         else
>>>                 echo "$0: extra argument ignored"
>>>

-- 
Mathieu Arnold
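Taking up the start-up race Xin LI describes in the thread, here is an added example (not code from the port or from either author) of how the rc script's fcgiwrap_postcmd could wait for the socket before changing it and only touch settings the administrator actually set; wait_for_socket, chown_spec and the fcgiwrap_socket_wait knob are this example's own hypothetical names.

```shell
#!/bin/sh
# Added example, not the port's rc script: a fcgiwrap_postcmd that waits for
# the unix socket to exist before changing it (closing the start-up race the
# thread describes) and only chowns/chmods what the administrator set.
# fcgiwrap_* variables follow the rc script; wait_for_socket, chown_spec and
# fcgiwrap_socket_wait are this example's own (hypothetical) names.

# wait_for_socket PATH TRIES: poll every 0.1s until PATH is a socket.
# Returns 0 once it is, 1 after TRIES attempts without seeing it.
wait_for_socket() {
    _path=$1
    _tries=$2
    while [ "$_tries" -gt 0 ]; do
        [ -S "$_path" ] && return 0
        _tries=$((_tries - 1))
        sleep 0.1
    done
    return 1
}

# chown_spec OWNER GROUP: print the chown(8) argument for whichever parts are
# set ("owner", "owner:group" or ":group"); print nothing if neither is.
chown_spec() {
    if [ -n "$1" ] && [ -n "$2" ]; then printf '%s:%s' "$1" "$2"
    elif [ -n "$1" ]; then printf '%s' "$1"
    elif [ -n "$2" ]; then printf ':%s' "$2"
    fi
}

fcgiwrap_postcmd() {
    # Only unix: sockets have a path; tcp:/tcp6: listeners are left alone.
    case "${fcgiwrap_socket}" in
        unix:*) ;;
        *) return 0 ;;
    esac
    _sock=${fcgiwrap_socket#unix:}
    # Fail the start instead of leaving the socket with whatever mode
    # fcgiwrap created it with, which is what a silent race would do.
    if ! wait_for_socket "$_sock" "${fcgiwrap_socket_wait:-50}"; then
        echo "fcgiwrap: socket ${_sock} did not appear" >&2
        return 1
    fi
    _spec=$(chown_spec "${fcgiwrap_socket_owner}" "${fcgiwrap_socket_group}")
    [ -n "$_spec" ] && chown "$_spec" "$_sock"
    # connect(2) on a unix socket needs write permission, so the mode's
    # write bits decide which users can reach fcgiwrap at all.
    [ -n "${fcgiwrap_socket_mode}" ] && chmod "${fcgiwrap_socket_mode}" "$_sock"
    return 0
}
```

Dropping the function into the rc script in place of the committed one keeps the same variable names, so the profile handling shown in the patch continues to work unchanged.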

