From owner-freebsd-ports@freebsd.org  Tue Oct 17 20:26:49 2017
Return-Path: <owner-freebsd-ports@freebsd.org>
Delivered-To: freebsd-ports@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 181C5E46C3A
 for <freebsd-ports@mailman.ysv.freebsd.org>;
 Tue, 17 Oct 2017 20:26:49 +0000 (UTC)
 (envelope-from delphij@gmail.com)
Received: from mailman.ysv.freebsd.org (mailman.ysv.freebsd.org
 [IPv6:2001:1900:2254:206a::50:5])
 by mx1.freebsd.org (Postfix) with ESMTP id EA6928254A
 for <freebsd-ports@freebsd.org>; Tue, 17 Oct 2017 20:26:48 +0000 (UTC)
 (envelope-from delphij@gmail.com)
Received: by mailman.ysv.freebsd.org (Postfix)
 id E6A4AE46C38; Tue, 17 Oct 2017 20:26:48 +0000 (UTC)
Delivered-To: ports@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id E6022E46C37;
 Tue, 17 Oct 2017 20:26:48 +0000 (UTC)
 (envelope-from delphij@gmail.com)
Received: from mail-it0-x242.google.com (mail-it0-x242.google.com
 [IPv6:2607:f8b0:4001:c0b::242])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id ADF5782549;
 Tue, 17 Oct 2017 20:26:48 +0000 (UTC)
 (envelope-from delphij@gmail.com)
Received: by mail-it0-x242.google.com with SMTP id f187so4096497itb.1;
 Tue, 17 Oct 2017 13:26:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=638T7h/TzfSIsGXdWskCLzT2AhMB85UTTKlZcyDrplg=;
 b=RKnEu2H3zz9ouxemTogpE+ZTKO1q373bd3h4bmPdj97VhO3obknoji3VxobGr30izQ
 NHXN056qaJoBOhMUkOx+VoVUbPaRwU7PjYwHBOk4TFEL5p9brRKRWcsyR4FLAz/M9NpE
 rUM/sPmPuE7Jz6G9eVHmQ+hrkabsj83WR3kisPQcKrg21FLGx88TkDeYsHTzwmSsjPHl
 i+X1sALuqVzK9Yr/2rx433tSuLEHek8tBNTuvUJe++z9b4FQCA7J65l007ssXOG6l1MP
 fWZAuiWhSevEUO4NEOnhVlfCE2Ibh9JFc3fiIbrIu/SEEfQiERoQWE2dhn6DwLZ2fc4T
 DwNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=638T7h/TzfSIsGXdWskCLzT2AhMB85UTTKlZcyDrplg=;
 b=d84ih8NzoLNGW4RFh+Jv8LmvXsrcuDyQLBh/WltIpP7pGY0G1BV0lLQLdfb/J49Cns
 zNS2gxjY29lMKV1u5ba8w9L5x9dKAOX6qhhe5UYUBmrXKBK7l7TqMXO6BMYal0VBUdU5
 oC+hlJUsxLQaDCOKn8MvjeFyVPQCtD6EUs8BW/iVbzwPkl9kASWdk1VH8jjmVVmvnS8z
 rD5+rSCmHq5kNTo/DYqs9V2rdNeBd+jzWyOrWxxhEhlp7W/Kz8OI6P63htVZyMU3crSp
 NObETjQWVasSSYQ5yGmDz/LCg8jt/8IHs045TSN796ERVxGL/QfXlzEvefUmTlcpfGRj
 nldA==
X-Gm-Message-State: AMCzsaVxFVgBNCBKRZ9OfH8ILUCUS7zbr9iX8HfT00Th/otEN2WvtifB
 RLyqxgN9RV/d/dT2vELDh1mdrAU0EE1u0yIrf4gAKQ==
X-Google-Smtp-Source: ABhQp+R1JZeg0M3jHzjYGsUJCkxC36XUpDqCFgw/A5yyPHf1XuqvFZP3dlEnvJGuEPWHu0XO8Of2OQ+5RPgXXZTSslA=
X-Received: by 10.36.69.203 with SMTP id c72mr7101823itd.134.1508272007560;
 Tue, 17 Oct 2017 13:26:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.107.7 with HTTP; Tue, 17 Oct 2017 13:26:46 -0700 (PDT)
In-Reply-To: <201610171203.u9HC38mE019029@repo.freebsd.org>
References: <201610171203.u9HC38mE019029@repo.freebsd.org>
From: Xin LI <delphij@gmail.com>
Date: Tue, 17 Oct 2017 13:26:46 -0700
Message-ID: <CAGMYy3uemgAoXipBCo6TmfbNXcyjB3sFwn9MMOG-QtGn-D3wVQ@mail.gmail.com>
Subject: Re: svn commit: r424112 - in head/www/fcgiwrap: . files
To: Mathieu Arnold <mat@freebsd.org>
Cc: ports@freebsd.org, FreeBSD Ports Security Team <ports-secteam@freebsd.org>,
 Matthew Seaman <matthew@freebsd.org>
Content-Type: text/plain; charset="UTF-8"
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Oct 2017 20:26:49 -0000

Hi, Mathieu,

Sorry for catching this late, but is there any reason not to simply
run the daemon under the desired credentials, instead of doing this
chown/chmod dance afterward?

Not all systems start fcgiwrap daemon quick enough for the socket to
show up (a race condition, with potential of not setting it correctly,
which is observed about 3/5 times on my server).  Moreover, this will
also encourage using unneeded privileges (assuming fcgiwrap runs under
root credentials, which is the default fcgiwrap_user).

Cheers,

On Mon, Oct 17, 2016 at 5:03 AM, Mathieu Arnold <mat@freebsd.org> wrote:
> Author: mat
> Date: Mon Oct 17 12:03:08 2016
> New Revision: 424112
> URL: https://svnweb.freebsd.org/changeset/ports/424112
>
> Log:
>   Add changing the owner/group/mode for the socket.
>
>   PR:           213385
>   Submitted by: mat
>   Approved by:  maintainer
>   Sponsored by: Absolight
>
> Modified:
>   head/www/fcgiwrap/Makefile   (contents, props changed)
>   head/www/fcgiwrap/files/fcgiwrap.in
>
> Modified: head/www/fcgiwrap/Makefile
> ==============================================================================
> --- head/www/fcgiwrap/Makefile  Mon Oct 17 12:03:03 2016        (r424111)
> +++ head/www/fcgiwrap/Makefile  Mon Oct 17 12:03:08 2016        (r424112)
> @@ -2,7 +2,7 @@
>
>  PORTNAME=      fcgiwrap
>  PORTVERSION=   1.1.0
> -PORTREVISION=  3
> +PORTREVISION=  4
>  CATEGORIES=    www
>  MASTER_SITES=  http://www.skysmurf.nl/comp/FreeBSD/distfiles/
>
>
> Modified: head/www/fcgiwrap/files/fcgiwrap.in
> ==============================================================================
> --- head/www/fcgiwrap/files/fcgiwrap.in Mon Oct 17 12:03:03 2016        (r424111)
> +++ head/www/fcgiwrap/files/fcgiwrap.in Mon Oct 17 12:03:08 2016        (r424112)
> @@ -19,6 +19,9 @@
>  # - tcp6:[ipv6_addr]:port (for ipv6)
>  # fcgiwrap_flags=
>  # Use fcgiwrap_user to run fcgiwrap as user
> +# Use fcgiwrap_socket_mode to change the mode of the socket
> +# Use fcgiwrap_socket_owner to change the owner of the socket
> +# Use fcgiwrap_socket_group to change the group of the socket
>
>  # fcgiwrap rc.d script supports multiple profiles (a-la rc.d/nginx)
>  # When profiles are specified, the non-profile specific parameters become defaults.
> @@ -29,10 +32,12 @@
>  # fcgiwrap_enable="YES"
>  # fcgiwrap_profiles="myserver myotherserver"
>  # fcgiwrap_flags="-c 4"
> +# fcgiwrap_socket_owner="www"
>  # fcgiwrap_myserver_socket="unix:/var/run/fcgiwrap.myserver.socket"
>  # fcgiwrap_myserver_user="myuser"
>  # fcgiwrap_myotherserver_socket="unix:/var/run/fcgiwrap.myotherserver.socket"
>  # fcgiwrap_myotherserver_user="myotheruser"
> +# fcgiwrap_myserver_socket_mode="0775"
>  # fcgiwrap_myotherserver_flags=""  # No flags for this profile.
>
>  . /etc/rc.subr
> @@ -62,6 +67,26 @@ fcgiwrap_precmd() {
>         install -d -o root -g wheel -m 1777 /var/run/fcgiwrap
>  }
>
> +fcgiwrap_postcmd() {
> +       # This is only for unix sockets
> +       case "${fcgiwrap_socket}" in
> +               unix:*)
> +                       ;;
> +               *)
> +                       return
> +                       ;;
> +       esac
> +       if [ -n "${fcgiwrap_socket_mode}" ]; then
> +               chmod ${fcgiwrap_socket_mode} ${fcgiwrap_socket#unix:}
> +       fi
> +       if [ -n "${fcgiwrap_socket_owner}" ]; then
> +               chown ${fcgiwrap_socket_owner} ${fcgiwrap_socket#unix:}
> +       fi
> +       if [ -n "${fcgiwrap_socket_group}" ]; then
> +               chgrp ${fcgiwrap_socket_group} ${fcgiwrap_socket#unix:}
> +       fi
> +}
> +
>  fcgiwrap_cleansocket() {
>         # Workaround the fact that fcgiwrap doesn't cleanup his socket at stopping
>         case ${fcgiwrap_socket} in
> @@ -78,6 +103,7 @@ pidfile="${pidprefix}.pid"  # May be a d
>  procname="%%PREFIX%%/sbin/${name}"
>  command="/usr/sbin/daemon"
>  start_precmd="fcgiwrap_precmd"
> +start_postcmd="fcgiwrap_postcmd"
>  stop_postcmd="fcgiwrap_cleansocket"
>
>  load_rc_config $name
> @@ -86,6 +112,9 @@ load_rc_config $name
>  fcgiwrap_enable=${fcgiwrap_enable:-"NO"}
>  fcgiwrap_user=${fcgiwrap_user:-"root"}
>  fcgiwrap_socket=${fcgiwrap_socket:-"unix:/var/run/fcgiwrap/fcgiwrap.sock"}
> +fcgiwrap_socket_mode=${fcgiwrap_socket_mode:-"0755"}
> +fcgiwrap_socket_owner=${fcgiwrap_socket_owner:-"root"}
> +fcgiwrap_socket_group=${fcgiwrap_socket_group:-"wheel"}
>
>  # This handles profile specific vars.
>  if [ -n "$2" ]; then
> @@ -96,6 +125,9 @@ if [ -n "$2" ]; then
>                 eval fcgiwrap_fib="\${fcgiwrap_${profile}_fib:-${fcgiwrap_fib}}"
>                 eval fcgiwrap_user="\${fcgiwrap_${profile}_user:-${fcgiwrap_user}}"
>                 eval fcgiwrap_socket="\${fcgiwrap_${profile}_socket:?}"
> +               eval fcgiwrap_socket_mode="\${fcgiwrap_${profile}_socket_mode:-${fcgiwrap_socket_mode}}"
> +               eval fcgiwrap_socket_owner="\${fcgiwrap_${profile}_socket_owner:-${fcgiwrap_socket_owner}}"
> +               eval fcgiwrap_socket_group="\${fcgiwrap_${profile}_socket_group:-${fcgiwrap_socket_group}}"
>                 eval fcgiwrap_flags="\${fcgiwrap_${profile}_flags:-${fcgiwrap_flags}}"
>         else
>                 echo "$0: extra argument ignored"
>