Nice to see it being useful on other systems, too. :)

Does this work for you?

diff --git slowcgi.8 slowcgi.8
index 117228403b4..10bd40d2e60 100644
--- slowcgi.8
+++ slowcgi.8
@@ -25,6 +25,7 @@
 .Op Fl d
 .Op Fl p Ar path
 .Op Fl s Ar socket
+.Op Fl U Ar user
 .Op Fl u Ar user
 .Sh DESCRIPTION
 .Nm
@@ -75,6 +76,12 @@ effectively disables the chroot.
 .It Fl s Ar socket
 Create and bind to alternative local socket at
 .Ar socket .
+.It Fl U Ar user
+change the owner of
+.Pa /var/www/run/slowcgi.sock
+to
+.Ar user
+and its primary group instead of the default www:www.
 .It Fl u Ar user
 Drop privileges to
 .Ar user
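Review bot: The new -U entry in slowcgi.8 starts with a lowercase "change" while the neighbouring entries start capitalised ("Create and bind", "Drop privileges"), and it hard-codes .Pa /var/www/run/slowcgi.sock although the -s entry directly above lets the socket live at another path. Since slowcgi.c passes fcgi_socket (set by -s) to slowcgi_listen() together with the -U passwd entry, wording such as "Change the owner of the socket to user and its primary group" would stay correct when -s is given.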
diff --git slowcgi.c slowcgi.c
index a9a90b2db1f..8e860ec2ad6 100644
--- slowcgi.c
+++ slowcgi.c
@@ -256,7 +256,8 @@ __dead void
 usage(void)
 {
        extern char *__progname;
-       fprintf(stderr, "usage: %s [-d] [-p path] [-s socket] [-u user]\n",
+       fprintf(stderr,
+           "usage: %s [-d] [-p path] [-s socket] [-U user] [-u user]\n",
            __progname);
        exit(1);
 }
@@ -276,6 +277,7 @@ main(int argc, char *argv[])
        struct stat      sb;
        int              c, fd;
        const char      *chrootpath = NULL;
+       const char      *sock_user = SLOWCGI_USER;
        const char      *slowcgi_user = SLOWCGI_USER;
 
        /*
@@ -295,7 +297,7 @@ main(int argc, char *argv[])
                }
        }
 
-       while ((c = getopt(argc, argv, "dp:s:u:")) != -1) {
+       while ((c = getopt(argc, argv, "dp:s:U:u:")) != -1) {
                switch (c) {
                case 'd':
                        debug = 1;
@@ -306,6 +308,9 @@ main(int argc, char *argv[])
                case 's':
                        fcgi_socket = optarg;
                        break;
+               case 'U':
+                       sock_user = optarg;
+                       break;
                case 'u':
                        slowcgi_user = optarg;
                        break;
@@ -326,9 +331,9 @@ main(int argc, char *argv[])
                logger = &syslogger;
        }
 
-       pw = getpwnam(SLOWCGI_USER);
+       pw = getpwnam(sock_user);
        if (pw == NULL)
-               lerrx(1, "no %s user", SLOWCGI_USER);
+               lerrx(1, "no %s user", sock_user);
 
        fd = slowcgi_listen(fcgi_socket, pw);
 
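Review bot: In main(), pw now holds the socket owner from getpwnam(sock_user), and the code quoted later in this thread reuses the same pw for getpwnam(slowcgi_user); getpwnam() returns a pointer to static storage, so the socket owner's entry is overwritten by the second lookup. That is fine as long as slowcgi_listen(fcgi_socket, pw) stays between the two calls, but a short comment there, or a separate struct passwd pointer for the socket owner, would keep a later reorder from silently changing who owns the socket. Both lerrx calls also end up with the same "no %s user" text, so naming the option (-U or -u) in each message would make a mistyped user easier to trace.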


On Tue, Jul 31, 2018 at 06:39:18PM -0500, Andrew Daugherity wrote:
> On Sun, Jul 29, 2018 at 11:07 AM, Florian Obser <[email protected]> wrote:
> > It is behaving as intended. The slowcgi.sock is for the webserver to
> > interact with. The specified user is not supposed to interact with the
> > socket. CGI scripts are executed as this user.
> >
> > slowcgi itself can use the socket just fine since it already has a
> > file descriptor open.
> >
> > What problem are you trying to solve?
> 
> I ported slowcgi to Linux [1], (primarily) for use with nginx, since
> the commonly recommended alternative 'fcgiwrap' seems possibly
> unmaintained, and is a bit heavyweight in comparison.
> 
> openSUSE gives nginx its own user, separate from the wwwrun user used
> by Apache etc.  I figured making wwwrun the compile-time default and
> using '-u nginx' when needed would suffice, but it didn't, as nginx
> was unable to access the socket.
> 
> Running it as 'andrew' in this bug report was just a verification that
> this also occurs on OpenBSD, and wasn't a porting issue.  It seemed
> like setting the user should also set the socket owner, and appeared
> that the socket was just created too "early" (since the chroot etc. is
> done after setting the user).  Your explanation makes sense; I
> honestly never considered that the -u option was *not* supposed to
> also set the socket ownership.
> 
> Obviously I could chown the socket after startup, or add yet another
> option for socket ownership, but this seemed like a cleaner fix.
> 
> Related: in the same section of code (at the end of my diff actually,
> as context), I noticed that when -u is used, the chroot path is set to
> the target user's home directory instead of /var/www.  I found this
> surprising, so I added a manpage diff to my patchset:
> ====
> --- slowcgi.8 2017-10-17 17:47:58.000000000 -0500
> +++ slowcgi.8 2018-07-26 13:34:06.459779115 -0500
> @@ -78,7 +78,9 @@
>  .It Fl u Ar user
>  Drop privileges to
>  .Ar user
> -instead of default user www.
> +instead of the default www, and chroot to that user's home directory,
> +unless you specify otherwise with
> +.Ar -p .
>  .El
>  .Sh SEE ALSO
>  .Xr httpd 8
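Review bot: In the last added line, ".Ar -p ." marks the flag as an argument; flags in this page are written with .Fl (as in ".It Fl u Ar user"), so this should be ".Fl p ." to render consistently. The addition would also read more easily with the chroot behaviour as its own sentence after "instead of the default www."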
> ====
> Perhaps that's a bit too wordy and only the first line is needed, I dunno.
> 
> Thanks for the software, it works great for me so far! (At least for
> running Nagios...)
> 
> 
> -Andrew
> 
> [1] https://github.com/adaugherity/slowcgi-portable
> Not that hard to port, thanks to libbsd.  The only thing missing was
> getdtablecount() and of course pledge().
> 
> 
> 
> >> >Fix:
> >> Moving the slowcgi_listen() call to after the pw struct is set to 
> >> slowcgi_user
> >> fixes it:
> >> ====
> >> --- usr.sbin/slowcgi/slowcgi.c  2018-07-25 20:46:56.358667880 -0500
> >> +++ usr.sbin/slowcgi/slowcgi.c  2018-07-26 15:14:52.840052633 -0500
> >> @@ -330,13 +330,13 @@
> >>       if (pw == NULL)
> >>               lerrx(1, "no %s user", SLOWCGI_USER);
> >>
> >> -     fd = slowcgi_listen(fcgi_socket, pw);
> >> -
> >>       lwarnx("slowcgi_user: %s", slowcgi_user);
> >>       pw = getpwnam(slowcgi_user);
> >>       if (pw == NULL)
> >>               lerrx(1, "no %s user", slowcgi_user);
> >>
> >> +     fd = slowcgi_listen(fcgi_socket, pw);
> >> +
> >>       if (chrootpath == NULL)
> >>               chrootpath = pw->pw_dir;
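Review bot: With slowcgi_listen(fcgi_socket, pw) moved below pw = getpwnam(slowcgi_user), the socket ends up owned by the same account the CGI scripts are executed as, which removes the separation between the web server's socket and the script user. Keeping the listen call on its own lookup and making that owner configurable separately preserves the separation. The lerrx context line at the top of the hunk still names SLOWCGI_USER, which is only accurate while that first lookup is the one feeding the socket.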
> >> ====

-- 
I'm not entirely sure you are real.
