Date: Tue, 17 Oct 2017 13:26:46 -0700 From: Xin LI <delphij@gmail.com> To: Mathieu Arnold <mat@freebsd.org> Cc: ports@freebsd.org, FreeBSD Ports Security Team <ports-secteam@freebsd.org>, Matthew Seaman <matthew@freebsd.org> Subject: Re: svn commit: r424112 - in head/www/fcgiwrap: . files Message-ID: <CAGMYy3uemgAoXipBCo6TmfbNXcyjB3sFwn9MMOG-QtGn-D3wVQ@mail.gmail.com> In-Reply-To: <201610171203.u9HC38mE019029@repo.freebsd.org> References: <201610171203.u9HC38mE019029@repo.freebsd.org>
Hi, Mathieu, Sorry for catching this late, but is there any reason not to simply run the daemon under the desired credentials, instead of doing this chown/chmod dance afterward? Not all systems start fcgiwrap daemon quick enough for the socket to show up (a race condition, with potential of not setting it correctly, which is observed about 3/5 times on my server). Moreover, this will also encourage using unneeded privileges (assuming fcgiwrap runs under root credentials, which is the default fcgiwrap_user). Cheers, On Mon, Oct 17, 2016 at 5:03 AM, Mathieu Arnold <mat@freebsd.org> wrote:
> Author: mat
> Date: Mon Oct 17 12:03:08 2016
> New Revision: 424112
> URL: https://svnweb.freebsd.org/changeset/ports/424112
>
> Log:
> Add changing the owner/group/mode for the socket.
>
> PR: 213385
> Submitted by: mat
> Approved by: maintainer
> Sponsored by: Absolight
>
> Modified:
> head/www/fcgiwrap/Makefile (contents, props changed)
> head/www/fcgiwrap/files/fcgiwrap.in
>
> Modified: head/www/fcgiwrap/Makefile
> ==============================================================================
> --- head/www/fcgiwrap/Makefile Mon Oct 17 12:03:03 2016 (r424111)
> +++ head/www/fcgiwrap/Makefile Mon Oct 17 12:03:08 2016 (r424112)
> @@ -2,7 +2,7 @@
>
> PORTNAME= fcgiwrap
> PORTVERSION= 1.1.0
> -PORTREVISION= 3
> +PORTREVISION= 4
> CATEGORIES= www
> MASTER_SITES= http://www.skysmurf.nl/comp/FreeBSD/distfiles/
>
>
> Modified: head/www/fcgiwrap/files/fcgiwrap.in
> ==============================================================================
> --- head/www/fcgiwrap/files/fcgiwrap.in Mon Oct 17 12:03:03 2016 (r424111)
> +++ head/www/fcgiwrap/files/fcgiwrap.in Mon Oct 17 12:03:08 2016 (r424112)
> @@ -19,6 +19,9 @@
> # - tcp6:[ipv6_addr]:port (for ipv6)
> # fcgiwrap_flags=
> # Use fcgiwrap_user to run fcgiwrap as user
> +# Use fcgiwrap_socket_mode to change the mode of the socket
> +# Use fcgiwrap_socket_owner to change the owner of the socket
> +# Use fcgiwrap_socket_group to change the group of the socket
>
> # fcgiwrap rc.d script supports multiple profiles (a-la rc.d/nginx)
> # When profiles are specified, the non-profile specific parameters become defaults.
> @@ -29,10 +32,12 @@
> # fcgiwrap_enable="YES"
> # fcgiwrap_profiles="myserver myotherserver"
> # fcgiwrap_flags="-c 4"
> +# fcgiwrap_socket_owner="www"
> # fcgiwrap_myserver_socket="unix:/var/run/fcgiwrap.myserver.socket"
> # fcgiwrap_myserver_user="myuser"
> # fcgiwrap_myotherserver_socket="unix:/var/run/fcgiwrap.myotherserver.socket"
> # fcgiwrap_myotherserver_user="myotheruser"
> +# fcgiwrap_myserver_socket_mode="0775"
> # fcgiwrap_myotherserver_flags="" # No flags for this profile.
>
> . /etc/rc.subr
> @@ -62,6 +67,26 @@ fcgiwrap_precmd() {
> install -d -o root -g wheel -m 1777 /var/run/fcgiwrap
> }
>
> +fcgiwrap_postcmd() {
> + # This is only for unix sockets
> + case "${fcgiwrap_socket}" in
> + unix:*)
> + ;;
> + *)
> + return
> + ;;
> + esac
> + if [ -n "${fcgiwrap_socket_mode}" ]; then
> + chmod ${fcgiwrap_socket_mode} ${fcgiwrap_socket#unix:}
> + fi
> + if [ -n "${fcgiwrap_socket_owner}" ]; then
> + chown ${fcgiwrap_socket_owner} ${fcgiwrap_socket#unix:}
> + fi
> + if [ -n "${fcgiwrap_socket_group}" ]; then
> + chgrp ${fcgiwrap_socket_group} ${fcgiwrap_socket#unix:}
> + fi
> +}
> +
> fcgiwrap_cleansocket() {
> # Workaround the fact that fcgiwrap doesn't cleanup his socket at stopping
> case ${fcgiwrap_socket} in
> @@ -78,6 +103,7 @@ pidfile="${pidprefix}.pid" # May be a d
> procname="%%PREFIX%%/sbin/${name}"
> command="/usr/sbin/daemon"
> start_precmd="fcgiwrap_precmd"
> +start_postcmd="fcgiwrap_postcmd"
> stop_postcmd="fcgiwrap_cleansocket"
>
> load_rc_config $name
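Review bot: The `chmod`, `chown` and `chgrp` lines in `fcgiwrap_postcmd` expand `${fcgiwrap_socket_mode}`, `${fcgiwrap_socket_owner}`, `${fcgiwrap_socket_group}` and `${fcgiwrap_socket#unix:}` unquoted, so a socket path or value containing whitespace or glob characters is word-split or globbed before the command sees it. The `case "${fcgiwrap_socket}"` a few lines above does quote its operand, so the function is inconsistent with itself. Quoting the three commands fixes it: `chmod "${fcgiwrap_socket_mode}" "${fcgiwrap_socket#unix:}"`, `chown "${fcgiwrap_socket_owner}" "${fcgiwrap_socket#unix:}"`, `chgrp "${fcgiwrap_socket_group}" "${fcgiwrap_socket#unix:}"`. None of the three exit statuses is checked either, so a failed mode or ownership change only prints to stderr while the start still completes normally; appending `|| return 1` to each would presumably let rc.subr report the failure.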
> @@ -86,6 +112,9 @@ load_rc_config $name
> fcgiwrap_enable=${fcgiwrap_enable:-"NO"}
> fcgiwrap_user=${fcgiwrap_user:-"root"}
> fcgiwrap_socket=${fcgiwrap_socket:-"unix:/var/run/fcgiwrap/fcgiwrap.sock"}
> +fcgiwrap_socket_mode=${fcgiwrap_socket_mode:-"0755"}
> +fcgiwrap_socket_owner=${fcgiwrap_socket_owner:-"root"}
> +fcgiwrap_socket_group=${fcgiwrap_socket_group:-"wheel"}
>
> # This handles profile specific vars.
> if [ -n "$2" ]; then
> @@ -96,6 +125,9 @@ if [ -n "$2" ]; then
> eval fcgiwrap_fib="\${fcgiwrap_${profile}_fib:-${fcgiwrap_fib}}"
> eval fcgiwrap_user="\${fcgiwrap_${profile}_user:-${fcgiwrap_user}}"
> eval fcgiwrap_socket="\${fcgiwrap_${profile}_socket:?}"
> + eval fcgiwrap_socket_mode="\${fcgiwrap_${profile}_socket_mode:-${fcgiwrap_socket_mode}}"
> + eval fcgiwrap_socket_owner="\${fcgiwrap_${profile}_socket_owner:-${fcgiwrap_socket_owner}}"
> + eval fcgiwrap_socket_group="\${fcgiwrap_${profile}_socket_group:-${fcgiwrap_socket_group}}"
> eval fcgiwrap_flags="\${fcgiwrap_${profile}_flags:-${fcgiwrap_flags}}"
> else
> echo "$0: extra argument ignored"
>
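Review bot: The new defaults `fcgiwrap_socket_mode="0755"`, `fcgiwrap_socket_owner="root"` and `fcgiwrap_socket_group="wheel"` are never empty, so the `[ -n ... ]` guards in `fcgiwrap_postcmd` (earlier hunk) are always true and every unix socket is chmod'ed and chowned to root:wheel on each start, even on installations that never set these variables. For a profile whose `fcgiwrap_user` is not root the socket is presumably created by that user, and with mode 0755 only the owner keeps write permission, which is what connecting to a unix socket requires — so the unconditional `chown root` takes access away from the account that previously held it, as a silent default rather than an opt-in. Leaving the defaults empty keeps the guards meaningful and preserves the pre-commit behaviour when nothing is configured: `fcgiwrap_socket_mode=${fcgiwrap_socket_mode:-""}`, `fcgiwrap_socket_owner=${fcgiwrap_socket_owner:-""}`, `fcgiwrap_socket_group=${fcgiwrap_socket_group:-""}`. The per-profile `eval` lines in the following hunk work unchanged with empty fallbacks, since `${fcgiwrap_${profile}_socket_mode:-}` is valid sh.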