On Sun, Jul 29, 2018 at 11:07 AM, Florian Obser <[email protected]> wrote:
> It is behaving as intended. The slowcgi.sock is for the webserver to
> interact with. The specified user is not supposed to interact with the
> socket. CGI scripts are executed as this user.
>
> slowcgi itself can use the socket just fine since it already has a
> file descriptor open.
>
> What problem are you trying to solve?
I ported slowcgi to Linux [1], (primarily) for use with nginx, since the commonly recommended alternative 'fcgiwrap' seems possibly unmaintained, and is a bit heavyweight in comparison. openSUSE gives nginx its own user, separate from the wwwrun user used by Apache etc. I figured making wwwrun the compile-time default and using '-u nginx' when needed would suffice, but it didn't, as nginx was unable to access the socket. Running it as 'andrew' in this bug report was just a verification that this also occurs on OpenBSD, and wasn't a porting issue.

It seemed like setting the user should also set the socket owner, and appeared that the socket was just created too "early" (since the chroot etc. is done after setting the user). Your explanation makes sense; I honestly never considered that the -u option was *not* supposed to also set the socket ownership. Obviously I could chown the socket after startup, or add yet another option for socket ownership, but this seemed like a cleaner fix.

Related: in the same section of code (at the end of my diff actually, as context), I noticed that when -u is used, the chroot path is set to the target user's home directory instead of /var/www. I found this surprising, so I added a manpage diff to my patchset:

==== --- slowcgi.8 2017-10-17 17:47:58.000000000 -0500 +++ slowcgi.8 2018-07-26 13:34:06.459779115 -0500 
@@ -78,7 +78,9 @@ .It Fl u Ar user Drop privileges to .Ar user -instead of default user www. +instead of the default www, and chroot to that user's home directory, +unless you specify otherwise with +.Ar -p . .El .Sh SEE ALSO .Xr httpd 8 ====

Perhaps that's a bit too wordy and only the first line is needed, I dunno.

Thanks for the software, it works great for me so far! (At least for running Nagios...)

-Andrew

[1] https://github.com/adaugherity/slowcgi-portable
Not that hard to port, thanks to libbsd. The only thing missing was getdtablecount() and of course pledge().

>> >Fix:
>> Moving the slowcgi_listen() call to after the pw struct is set to
>> slowcgi_user
>> fixes it:
>> ==== >> --- usr.sbin/slowcgi/slowcgi.c 2018-07-25 20:46:56.358667880 -0500 >> +++ usr.sbin/slowcgi/slowcgi.c 2018-07-26 15:14:52.840052633 -0500 >> @@ -330,13 +330,13 @@ >> if (pw == NULL) >> lerrx(1, "no %s user", SLOWCGI_USER); >> >> - fd = slowcgi_listen(fcgi_socket, pw); >> - >> lwarnx("slowcgi_user: %s", slowcgi_user); >> pw = getpwnam(slowcgi_user); >> if (pw == NULL) >> lerrx(1, "no %s user", slowcgi_user); >> >> + fd = slowcgi_listen(fcgi_socket, pw); >> + >> if (chrootpath == NULL) >> chrootpath = pw->pw_dir; >> ====
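Review bot: in the slowcgi.8 hunk, the added `.Ar -p .` line marks a flag up as an argument; `-p` should be `.Fl p`, matching `.It Fl u Ar user` two lines above, since `.Ar` is for arguments and `.Fl` for flags. The wording could also drop the second person to match the rest of the page, e.g. `+Unless .Fl p is given, chroot to the home directory of .Ar user .` The behaviour being documented is the one visible in the slowcgi.c context (`if (chrootpath == NULL) chrootpath = pw->pw_dir;`), so the manpage change is accurate regardless of whether the socket change is taken.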

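Review bot: moving `fd = slowcgi_listen(fcgi_socket, pw);` below the `pw = getpwnam(slowcgi_user);` lookup makes the listening socket owned by the same uid that the CGI scripts are executed as, which is exactly the separation Florian points out above (the socket is for the webserver, not for the -u user): any script running as that user could then connect to the socket or unlink and replace it. If the goal is to let a webserver that does not run as www reach the socket, that wants a separate owner, group or mode setting for the socket, not ownership tied to the script user. As a secondary point, after the move the first `getpwnam(SLOWCGI_USER)` result is only used for the `pw == NULL` check before being overwritten, so the diff should either drop that lookup or make clear that it is now just an existence check for the default user.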