Date: Wed, 18 Oct 2017 12:05:05 +0200 From: Mathieu Arnold <mat@FreeBSD.org> To: Xin LI <delphij@gmail.com>, Mathieu Arnold <mat@freebsd.org> Cc: ports@freebsd.org, FreeBSD Ports Security Team <ports-secteam@freebsd.org>, Matthew Seaman <matthew@freebsd.org> Subject: Re: svn commit: r424112 - in head/www/fcgiwrap: . files Message-ID: <474fb7c2-35ad-e70f-0236-7f2b57e309a1@FreeBSD.org> In-Reply-To: <CAGMYy3uemgAoXipBCo6TmfbNXcyjB3sFwn9MMOG-QtGn-D3wVQ@mail.gmail.com> References: <201610171203.u9HC38mE019029@repo.freebsd.org> <CAGMYy3uemgAoXipBCo6TmfbNXcyjB3sFwn9MMOG-QtGn-D3wVQ@mail.gmail.com>
Le 17/10/2017 =C3=A0 22:26, Xin LI a =C3=A9crit=C2=A0:
> Hi, Mathieu,
>
> Sorry for catching this late, but is there any reason not to simply
> run the daemon under the desired credentials, instead of doing this
> chown/chmod dance afterward?
>
> Not all systems start fcgiwrap daemon quick enough for the socket to
> show up (a race condition, with potential of not setting it correctly,
> which is observed about 3/5 times on my server). Moreover, this will
> also encourage using unneeded privileges (assuming fcgiwrap runs under
> root credentials, which is the default fcgiwrap_user).
There is a very good reason to not run the application with a different user than the web server, yes. My use case is a git server, the web server runs as www, and to be able to write to the repositories the gitweb application must be run as git. I have:
fcgiwrap_enable=3D"YES"
fcgiwrap_profiles=3D"git"
fcgiwrap_socket_owner=3D"www"
fcgiwrap_git_socket=3D"unix:/var/run/fcgiwrap/git.socket"
fcgiwrap_git_user=3D"git"
> Cheers,
>
> On Mon, Oct 17, 2016 at 5:03 AM, Mathieu Arnold <mat@freebsd.org> wrote= :
>> Author: mat
>> Date: Mon Oct 17 12:03:08 2016
>> New Revision: 424112
>> URL: https://svnweb.freebsd.org/changeset/ports/424112
>>
>> Log:
>> Add changing the owner/group/mode for the socket.
>>
>> PR: 213385
>> Submitted by: mat
>> Approved by: maintainer
>> Sponsored by: Absolight
>>
>> Modified:
>> head/www/fcgiwrap/Makefile (contents, props changed)
>> head/www/fcgiwrap/files/fcgiwrap.in
>>
>> Modified: head/www/fcgiwrap/Makefile
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D
>> --- head/www/fcgiwrap/Makefile Mon Oct 17 12:03:03 2016 (r4241= 11)
>> +++ head/www/fcgiwrap/Makefile Mon Oct 17 12:03:08 2016 (r4241= 12)
>> @@ -2,7 +2,7 @@
>>
>> PORTNAME=3D fcgiwrap
>> PORTVERSION=3D 1.1.0
>> -PORTREVISION=3D 3
>> +PORTREVISION=3D 4
>> CATEGORIES=3D www
>> MASTER_SITES=3D http://www.skysmurf.nl/comp/FreeBSD/distfiles/
>>
>>
>> Modified: head/www/fcgiwrap/files/fcgiwrap.in
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D
>> --- head/www/fcgiwrap/files/fcgiwrap.in Mon Oct 17 12:03:03 2016 = (r424111)
>> +++ head/www/fcgiwrap/files/fcgiwrap.in Mon Oct 17 12:03:08 2016 = (r424112)
>> @@ -19,6 +19,9 @@
>> # - tcp6:[ipv6_addr]:port (for ipv6)
>> # fcgiwrap_flags=3D
>> # Use fcgiwrap_user to run fcgiwrap as user
>> +# Use fcgiwrap_socket_mode to change the mode of the socket
>> +# Use fcgiwrap_socket_owner to change the owner of the socket
>> +# Use fcgiwrap_socket_group to change the group of the socket
>>
>> # fcgiwrap rc.d script supports multiple profiles (a-la rc.d/nginx)
>> # When profiles are specified, the non-profile specific parameters be= come defaults.
>> @@ -29,10 +32,12 @@
>> # fcgiwrap_enable=3D"YES"
>> # fcgiwrap_profiles=3D"myserver myotherserver"
>> # fcgiwrap_flags=3D"-c 4"
>> +# fcgiwrap_socket_owner=3D"www"
>> # fcgiwrap_myserver_socket=3D"unix:/var/run/fcgiwrap.myserver.socket"=
>> # fcgiwrap_myserver_user=3D"myuser"
>> # fcgiwrap_myotherserver_socket=3D"unix:/var/run/fcgiwrap.myotherserv= er.socket"
>> # fcgiwrap_myotherserver_user=3D"myotheruser"
>> +# fcgiwrap_myserver_socket_mode=3D"0775"
>> # fcgiwrap_myotherserver_flags=3D"" # No flags for this profile.
>>
>> . /etc/rc.subr
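Review bot: The three comment lines added in the `@@ -19,6 +19,9 @@` hunk do not say that these knobs act only on `unix:` sockets (the new postcmd further down returns early for anything else) nor what they default to, so an operator with a tcp socket will expect an effect that never happens. I would fold that into the first line, e.g. `# Use fcgiwrap_socket_mode/_owner/_group to set the mode/owner/group of a unix: socket (defaults 0755, root, wheel; no effect on tcp sockets)`. The `# fcgiwrap_myserver_socket_mode="0775"` example in the second hunk makes the socket group-writable, which is only appropriate when fcgiwrap_socket_group is the web server's own group; a short remark to that effect next to the example would help.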
>> @@ -62,6 +67,26 @@ fcgiwrap_precmd() {
>> install -d -o root -g wheel -m 1777 /var/run/fcgiwrap
>> }
>>
>> +fcgiwrap_postcmd() {
>> + # This is only for unix sockets
>> + case "${fcgiwrap_socket}" in
>> + unix:*)
>> + ;;
>> + *)
>> + return
>> + ;;
>> + esac
>> + if [ -n "${fcgiwrap_socket_mode}" ]; then
>> + chmod ${fcgiwrap_socket_mode} ${fcgiwrap_socket#unix:}=
>> + fi
>> + if [ -n "${fcgiwrap_socket_owner}" ]; then
>> + chown ${fcgiwrap_socket_owner} ${fcgiwrap_socket#unix:= }
>> + fi
>> + if [ -n "${fcgiwrap_socket_group}" ]; then
>> + chgrp ${fcgiwrap_socket_group} ${fcgiwrap_socket#unix:= }
>> + fi
>> +}
>> +
>> fcgiwrap_cleansocket() {
>> # Workaround the fact that fcgiwrap doesn't cleanup his socket= at stopping
>> case ${fcgiwrap_socket} in
>> @@ -78,6 +103,7 @@ pidfile=3D"${pidprefix}.pid" # May be a d
>> procname=3D"%%PREFIX%%/sbin/${name}"
>> command=3D"/usr/sbin/daemon"
>> start_precmd=3D"fcgiwrap_precmd"
>> +start_postcmd=3D"fcgiwrap_postcmd"
>> stop_postcmd=3D"fcgiwrap_cleansocket"
>>
>> load_rc_config $name
>> @@ -86,6 +112,9 @@ load_rc_config $name
>> fcgiwrap_enable=3D${fcgiwrap_enable:-"NO"}
>> fcgiwrap_user=3D${fcgiwrap_user:-"root"}
>> fcgiwrap_socket=3D${fcgiwrap_socket:-"unix:/var/run/fcgiwrap/fcgiwrap= =2Esock"}
>> +fcgiwrap_socket_mode=3D${fcgiwrap_socket_mode:-"0755"}
>> +fcgiwrap_socket_owner=3D${fcgiwrap_socket_owner:-"root"}
>> +fcgiwrap_socket_group=3D${fcgiwrap_socket_group:-"wheel"}
>>
>> # This handles profile specific vars.
>> if [ -n "$2" ]; then
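Review bot: fcgiwrap_postcmd runs chmod/chown/chgrp as root on `${fcgiwrap_socket#unix:}` without first checking that the path is the daemon's socket, and the `install -d ... -m 1777 /var/run/fcgiwrap` context line just above shows the socket directory is world-writable, so whatever already sits at that path when the postcmd fires is what gets re-owned or re-moded; chown/chmod dereference symlinks unless told not to, which is the case to guard against. The expansions are also unquoted, so a socket path containing whitespace or a glob character splits into several arguments. I would restrict the function to a socket inode with `[ -S ... ]`, pass `-h` so nothing is ever followed, and quote the arguments, as below; with the startup race Xin LI describes above (socket not yet present when the postcmd runs) this also turns a silent failure into an rc warning, and returning non-zero should surface it through rc.subr's postcmd handling.
```shell
fcgiwrap_postcmd() {
	# This is only for unix sockets
	# … unchanged: case "${fcgiwrap_socket}" in … esac …
	local sock
	sock="${fcgiwrap_socket#unix:}"
	# /var/run/fcgiwrap is created 1777 in fcgiwrap_precmd: only ever act on
	# a socket inode, and never dereference a link found at this path.
	if [ ! -S "${sock}" ]; then
		warn "${sock} is not a socket, leaving mode/owner/group unchanged"
		return 1
	fi
	if [ -n "${fcgiwrap_socket_mode}" ]; then
		chmod -h -- "${fcgiwrap_socket_mode}" "${sock}"
	fi
	if [ -n "${fcgiwrap_socket_owner}" ]; then
		chown -h -- "${fcgiwrap_socket_owner}" "${sock}"
	fi
	if [ -n "${fcgiwrap_socket_group}" ]; then
		chgrp -h -- "${fcgiwrap_socket_group}" "${sock}"
	fi
}
```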
>> @@ -96,6 +125,9 @@ if [ -n "$2" ]; then
>> eval fcgiwrap_fib=3D"\${fcgiwrap_${profile}_fib:-${fcg= iwrap_fib}}"
>> eval fcgiwrap_user=3D"\${fcgiwrap_${profile}_user:-${f= cgiwrap_user}}"
>> eval fcgiwrap_socket=3D"\${fcgiwrap_${profile}_socket:= ?}"
>> + eval fcgiwrap_socket_mode=3D"\${fcgiwrap_${profile}_so= cket_mode:-${fcgiwrap_socket_mode}}"
>> + eval fcgiwrap_socket_owner=3D"\${fcgiwrap_${profile}_s= ocket_owner:-${fcgiwrap_socket_owner}}"
>> + eval fcgiwrap_socket_group=3D"\${fcgiwrap_${profile}_s= ocket_group:-${fcgiwrap_socket_group}}"
>> eval fcgiwrap_flags=3D"\${fcgiwrap_${profile}_flags:-$= {fcgiwrap_flags}}"
>> else
>> echo "$0: extra argument ignored"
>>
--=20
Mathieu Arnold