On Thu, Jul 26, 2018 at 05:31:39PM -0500, [email protected] wrote:
> >Synopsis:    slowcgi -u user option does not change socket ownership
> >Category:    user
> >Environment:
>       System      : OpenBSD 6.3
>       Details     : OpenBSD 6.3 (GENERIC.MP) #4: Sun Jun 17 11:22:20 CEST 2018 [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
>       Architecture: OpenBSD.amd64
>       Machine     : amd64
> >Description:
> When using the '-u user' option to run slowcgi under a different username, the
> socket is still owned by the default www user.  This prevents the specified
> user from interacting with the slowcgi socket (and maybe even slowcgi itself
> after it drops privileges?).

It is behaving as intended. The slowcgi.sock is for the webserver to
interact with. The specified user is not supposed to interact with the
socket. CGI scripts are executed as this user.

slowcgi itself can use the socket just fine since it already has a
file descriptor open.

What problem are you trying to solve?

> 
> >How-To-Repeat:
> $ doas slowcgi -u andrew -s /home/andrew/slowcgi.sock
> $ ls -l /home/andrew/slowcgi.sock
> srw-rw----  1 www  www  0 Jul 26 16:07 /home/andrew/slowcgi.sock
> 
> >Fix:
> Moving the slowcgi_listen() call to after the pw struct is set to slowcgi_user
> fixes it:
> ====
> --- usr.sbin/slowcgi/slowcgi.c  2018-07-25 20:46:56.358667880 -0500
> +++ usr.sbin/slowcgi/slowcgi.c  2018-07-26 15:14:52.840052633 -0500
> @@ -330,13 +330,13 @@
>       if (pw == NULL)
>               lerrx(1, "no %s user", SLOWCGI_USER);
> 
> -     fd = slowcgi_listen(fcgi_socket, pw);
> -
>       lwarnx("slowcgi_user: %s", slowcgi_user);
>       pw = getpwnam(slowcgi_user);
>       if (pw == NULL)
>               lerrx(1, "no %s user", slowcgi_user);
> 
> +     fd = slowcgi_listen(fcgi_socket, pw);
> +
>       if (chrootpath == NULL)
>               chrootpath = pw->pw_dir;
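Review bot: moving `fd = slowcgi_listen(fcgi_socket, pw);` below `pw = getpwnam(slowcgi_user);` means the socket is now created with the CGI user's pw, so the webserver user looked up just above (`SLOWCGI_USER`) no longer owns it. With the 0660 mode shown in the `ls -l` output, the webserver can then only connect if it is in the CGI user's group, which breaks the normal setup where www is the client of the socket. It also leaves the first `pw` lookup used for nothing but the "no %s user" check. If the goal is for the CGI user to reach the socket, a separate owner or group option for the socket would be the cleaner change than reusing `slowcgi_user` for both roles.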
> ====
> $ ls -l /home/andrew/slowcgi.sock
> srw-rw----  1 andrew  andrew  0 Jul 26 16:34 /home/andrew/slowcgi.sock
> 

-- 
I'm not entirely sure you are real.
