I think the -U/-u options are a good solution; hopefully that will be merged?
I noticed a small inconsistency in the logging: slowcgi_user is logged at warn (which I think is too loud), whereas the chroot and socket paths are at debug, and the new sock_user setting isn't logged at all. I've attached an updated diff that uses debug for all of these.

Thanks,
Andrew

On Wed, Aug 1, 2018 at 6:09 AM Florian Obser <[email protected]> wrote:
>
> Nice to see it being useful on other systems, too. :)
>
> Does this work for you?
>
> [diff adding -U option]
Add -U option for socket user. https://marc.info/?l=openbsd-bugs&m=153312182009277&w=2
diff --git slowcgi.8 slowcgi.8
index 117228403b4..10bd40d2e60 100644
--- slowcgi.8
+++ slowcgi.8
@@ -25,6 +25,7 @@
 .Op Fl d
 .Op Fl p Ar path
 .Op Fl s Ar socket
+.Op Fl U Ar user
 .Op Fl u Ar user
 .Sh DESCRIPTION
 .Nm
@@ -75,6 +76,12 @@ effectively disables the chroot.
 .It Fl s Ar socket
 Create and bind to alternative local socket at
 .Ar socket .
+.It Fl U Ar user
+change the owner of
+.Pa /var/www/run/slowcgi.sock
+to
+.Ar user
+and its primary group instead of the default www:www.
 .It Fl u Ar user
 Drop privileges to
 .Ar user
diff --git slowcgi.c slowcgi.c
index a9a90b2db1f..9d1e6d47a82 100644
--- slowcgi.c
+++ slowcgi.c
@@ -256,7 +256,8 @@ __dead void
 usage(void)
 {
 extern char *__progname;
- fprintf(stderr, "usage: %s [-d] [-p path] [-s socket] [-u user]\n",
+ fprintf(stderr,
+ "usage: %s [-d] [-p path] [-s socket] [-U user] [-u user]\n",
 __progname);
 exit(1);
 }
@@ -276,6 +277,7 @@ main(int argc, char *argv[])
 struct stat sb;
 int c, fd;
 const char *chrootpath = NULL;
+ const char *sock_user = SLOWCGI_USER;
 const char *slowcgi_user = SLOWCGI_USER;
 /*
@@ -295,7 +297,7 @@ main(int argc, char *argv[])
 }
 }
- while ((c = getopt(argc, argv, "dp:s:u:")) != -1) {
+ while ((c = getopt(argc, argv, "dp:s:U:u:")) != -1) {
 switch (c) {
 case 'd':
 debug = 1;
@@ -306,6 +308,9 @@ main(int argc, char *argv[])
 case 's':
 fcgi_socket = optarg;
 break;
+ case 'U':
+ sock_user = optarg;
+ break;
 case 'u':
 slowcgi_user = optarg;
 break;
@@ -326,13 +331,14 @@ main(int argc, char *argv[])
 logger = &syslogger;
 }
- pw = getpwnam(SLOWCGI_USER);
+ ldebug("sock_user: %s", sock_user);
+ pw = getpwnam(sock_user);
 if (pw == NULL)
- lerrx(1, "no %s user", SLOWCGI_USER);
+ lerrx(1, "no %s user", sock_user);
 fd = slowcgi_listen(fcgi_socket, pw);
- lwarnx("slowcgi_user: %s", slowcgi_user);
+ ldebug("slowcgi_user: %s", slowcgi_user);
 pw = getpwnam(slowcgi_user);
 if (pw == NULL)
 lerrx(1, "no %s user", slowcgi_user);
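Review bot: With `ldebug("sock_user: %s", sock_user);` and `ldebug("slowcgi_user: %s", slowcgi_user);` in the last slowcgi.c hunk (`@@ -326,13 +331,14 @@`), neither the socket owner nor the account the daemon drops to is recorded unless debug output is on, assuming ldebug is gated that way (its definition is not in the diff). Those two values decide who may connect to the FastCGI socket and what identity the CGI programs run as, so a deployment that passes -U or -u leaves no trace of it in the normal log; I would keep both at debug for the default case and emit one message at a level that reaches syslog when either differs from SLOWCGI_USER. The two `lerrx(1, "no %s user", ...)` calls also print the same text, so naming the option (`"no %s user (-U)"` / `"no %s user (-u)"`) would tell the operator which lookup failed. main() starts and ends outside this hunk, and the ownership and mode actually applied to the socket are set in slowcgi_listen(), which the diff does not show.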
