Re: slowcgi -u user option does not change socket ownership
Appologies for the delay, I have been busy with other things.
It's commited now.
Thanks,
Florian
On Fri, Aug 10, 2018 at 03:49:09PM -0500, Andrew Daugherity wrote:
> I think the -U/-u options are a good solution; hopefully that will be merged?
>
> I noticed a small inconsistency in the logging: slowcgi_user is logged
> at warn (which I think is too loud), whereas the chroot and socket
> paths are at debug, and the new sock_user setting isn't logged at all.
> I've attached an updated diff that uses debug for all of these.
>
>
> Thanks,
> Andrew
>
> On Wed, Aug 1, 2018 at 6:09 AM Florian Obser wrote:
> >
> > Nice to see it being useful on other systems, too. :)
> >
> > Does this work for you?
> >
> > [diff adding -U option]
> Add -U option for socket user.
> https://marc.info/?l=openbsd-bugs=153312182009277=2
>
> diff --git slowcgi.8 slowcgi.8
> index 117228403b4..10bd40d2e60 100644
> --- slowcgi.8
> +++ slowcgi.8
> @@ -25,6 +25,7 @@
> .Op Fl d
> .Op Fl p Ar path
> .Op Fl s Ar socket
> +.Op Fl U Ar user
> .Op Fl u Ar user
> .Sh DESCRIPTION
> .Nm
> @@ -75,6 +76,12 @@ effectively disables the chroot.
> .It Fl s Ar socket
> Create and bind to alternative local socket at
> .Ar socket .
> +.It Fl U Ar user
> +change the owner of
> +.Pa /var/www/run/slowcgi.sock
> +to
> +.Ar user
> +and its primary group instead of the default www:www.
> .It Fl u Ar user
> Drop privileges to
> .Ar user
> diff --git slowcgi.c slowcgi.c
> index a9a90b2db1f..9d1e6d47a82 100644
> --- slowcgi.c
> +++ slowcgi.c
> @@ -256,7 +256,8 @@ __dead void
> usage(void)
> {
> extern char *__progname;
> - fprintf(stderr, "usage: %s [-d] [-p path] [-s socket] [-u user]\n",
> + fprintf(stderr,
> + "usage: %s [-d] [-p path] [-s socket] [-U user] [-u user]\n",
> __progname);
> exit(1);
> }
> @@ -276,6 +277,7 @@ main(int argc, char *argv[])
> struct stat sb;
> int c, fd;
> const char *chrootpath = NULL;
> + const char *sock_user = SLOWCGI_USER;
> const char *slowcgi_user = SLOWCGI_USER;
>
> /*
> @@ -295,7 +297,7 @@ main(int argc, char *argv[])
> }
> }
>
> - while ((c = getopt(argc, argv, "dp:s:u:")) != -1) {
> + while ((c = getopt(argc, argv, "dp:s:U:u:")) != -1) {
> switch (c) {
> case 'd':
> debug = 1;
> @@ -306,6 +308,9 @@ main(int argc, char *argv[])
> case 's':
> fcgi_socket = optarg;
> break;
> + case 'U':
> + sock_user = optarg;
> + break;
> case 'u':
> slowcgi_user = optarg;
> break;
> @@ -326,13 +331,14 @@ main(int argc, char *argv[])
> logger =
> }
>
> - pw = getpwnam(SLOWCGI_USER);
> + ldebug("sock_user: %s", sock_user);
> + pw = getpwnam(sock_user);
> if (pw == NULL)
> - lerrx(1, "no %s user", SLOWCGI_USER);
> + lerrx(1, "no %s user", sock_user);
>
> fd = slowcgi_listen(fcgi_socket, pw);
>
> - lwarnx("slowcgi_user: %s", slowcgi_user);
> + ldebug("slowcgi_user: %s", slowcgi_user);
> pw = getpwnam(slowcgi_user);
> if (pw == NULL)
> lerrx(1, "no %s user", slowcgi_user);
--
I'm not entirely sure you are real.
Re: slowcgi -u user option does not change socket ownership
I think the -U/-u options are a good solution; hopefully that will be merged?
I noticed a small inconsistency in the logging: slowcgi_user is logged
at warn (which I think is too loud), whereas the chroot and socket
paths are at debug, and the new sock_user setting isn't logged at all.
I've attached an updated diff that uses debug for all of these.
Thanks,
Andrew
On Wed, Aug 1, 2018 at 6:09 AM Florian Obser wrote:
>
> Nice to see it being useful on other systems, too. :)
>
> Does this work for you?
>
> [diff adding -U option]
Add -U option for socket user.
https://marc.info/?l=openbsd-bugs=153312182009277=2
diff --git slowcgi.8 slowcgi.8
index 117228403b4..10bd40d2e60 100644
--- slowcgi.8
+++ slowcgi.8
@@ -25,6 +25,7 @@
.Op Fl d
.Op Fl p Ar path
.Op Fl s Ar socket
+.Op Fl U Ar user
.Op Fl u Ar user
.Sh DESCRIPTION
.Nm
@@ -75,6 +76,12 @@ effectively disables the chroot.
.It Fl s Ar socket
Create and bind to alternative local socket at
.Ar socket .
+.It Fl U Ar user
+change the owner of
+.Pa /var/www/run/slowcgi.sock
+to
+.Ar user
+and its primary group instead of the default www:www.
.It Fl u Ar user
Drop privileges to
.Ar user
diff --git slowcgi.c slowcgi.c
index a9a90b2db1f..9d1e6d47a82 100644
--- slowcgi.c
+++ slowcgi.c
@@ -256,7 +256,8 @@ __dead void
usage(void)
{
extern char *__progname;
- fprintf(stderr, "usage: %s [-d] [-p path] [-s socket] [-u user]\n",
+ fprintf(stderr,
+ "usage: %s [-d] [-p path] [-s socket] [-U user] [-u user]\n",
__progname);
exit(1);
}
@@ -276,6 +277,7 @@ main(int argc, char *argv[])
struct stat sb;
int c, fd;
const char *chrootpath = NULL;
+ const char *sock_user = SLOWCGI_USER;
const char *slowcgi_user = SLOWCGI_USER;
/*
@@ -295,7 +297,7 @@ main(int argc, char *argv[])
}
}
- while ((c = getopt(argc, argv, "dp:s:u:")) != -1) {
+ while ((c = getopt(argc, argv, "dp:s:U:u:")) != -1) {
switch (c) {
case 'd':
debug = 1;
@@ -306,6 +308,9 @@ main(int argc, char *argv[])
case 's':
fcgi_socket = optarg;
break;
+ case 'U':
+ sock_user = optarg;
+ break;
case 'u':
slowcgi_user = optarg;
break;
@@ -326,13 +331,14 @@ main(int argc, char *argv[])
logger =
}
- pw = getpwnam(SLOWCGI_USER);
+ ldebug("sock_user: %s", sock_user);
+ pw = getpwnam(sock_user);
if (pw == NULL)
- lerrx(1, "no %s user", SLOWCGI_USER);
+ lerrx(1, "no %s user", sock_user);
fd = slowcgi_listen(fcgi_socket, pw);
- lwarnx("slowcgi_user: %s", slowcgi_user);
+ ldebug("slowcgi_user: %s", slowcgi_user);
pw = getpwnam(slowcgi_user);
if (pw == NULL)
lerrx(1, "no %s user", slowcgi_user);
Re: slowcgi -u user option does not change socket ownership
On Fri, Aug 3, 2018 at 2:34 AM Florian Obser wrote: > > On Thu, Aug 02, 2018 at 04:22:35PM -0500, Andrew Daugherity wrote: > > I'm also playing around with a version that accepts "-U user:group" (a > > la chown), which I think would be preferable to a separate group > > Eww, do you really have a usecase for this? It seems like you would > only need this if you want to access to fcgi socket from two daemons > running as different users at the same time. > > I'd prefer to keep the code simple and not have it. Not currently... I threw this together as a proof-of-concept thinking of potential cases where someone might want e.g. nginx:www vs. nginx:nginx, but as you pointed out, there's no good reason to do that for the socket. Maybe for the CGI script user option, but there are other ways to solve that, e.g. a setgid directory. So, forget about the user:group parsing then. I agree: it's not worth the hassle.
Re: slowcgi -u user option does not change socket ownership
On Thu, Aug 02, 2018 at 04:22:35PM -0500, Andrew Daugherity wrote:
> On Wed, Aug 1, 2018 at 6:09 AM Florian Obser wrote:
> >
> > Nice to see it being useful on other systems, too. :)
> >
> > Does this work for you?
> > [diff snipped]
>
> Yes, that works great!
> Although I think you want to capitalize "Change" in the man page.
yes, jmc also pointed that out, fixed in my tree.
>
> I'm also playing around with a version that accepts "-U user:group" (a
> la chown), which I think would be preferable to a separate group
Eww, do you really have a usecase for this? It seems like you would
only need this if you want to access to fcgi socket from two daemons
running as different users at the same time.
I'd prefer to keep the code simple and not have it.
> option. That one is attached (since I can't seem to paste tabs
> inline).
>
> It's obviously preliminary and I'd also add that handing to the -u
> option, if this is acceptable.
>
> -Andrew
> --- dist/slowcgi.82018-07-27 16:54:03.166650504 -0500
> +++ slowcgi.8 2018-08-02 13:41:02.504823824 -0500
> @@ -25,6 +25,7 @@
> .Op Fl d
> .Op Fl p Ar path
> .Op Fl s Ar socket
> +.Op Fl U Ar user
> .Op Fl u Ar user
> .Sh DESCRIPTION
> .Nm
> @@ -75,6 +76,14 @@
> .It Fl s Ar socket
> Create and bind to alternative local socket at
> .Ar socket .
> +.It Fl U Ar user[:group]
> +Change the owner of
> +.Pa /var/www/run/slowcgi.sock
> +to
> +.Ar user
> +and its primary group instead of the default www:www. If specified as
> +.Qq user:group ,
> +use that group instead.
> .It Fl u Ar user
> Drop privileges to
> .Ar user
> --- dist/slowcgi.c2018-07-27 16:54:03.166650504 -0500
> +++ slowcgi.c 2018-08-02 15:14:42.440268902 -0500
> @@ -29,6 +29,7 @@
> #include
> #include
> #include
> +#include
> #include
> #include
> #include
> @@ -256,7 +257,8 @@
> usage(void)
> {
> extern char *__progname;
> - fprintf(stderr, "usage: %s [-d] [-p path] [-s socket] [-u user]\n",
> + fprintf(stderr,
> + "usage: %s [-d] [-p path] [-s socket] [-U user] [-u user]\n",
> __progname);
> exit(1);
> }
> @@ -273,9 +275,12 @@
> extern char *__progname;
> struct listener *l = NULL;
> struct passwd *pw;
> + struct group*gr;
> struct stat sb;
> int c, fd;
> const char *chrootpath = NULL;
> + const char *sock_user = SLOWCGI_USER;
> + const char *sock_group = NULL;
> const char *slowcgi_user = SLOWCGI_USER;
>
> /*
> @@ -295,7 +300,7 @@
> }
> }
>
> - while ((c = getopt(argc, argv, "dp:s:u:")) != -1) {
> + while ((c = getopt(argc, argv, "dp:s:U:u:")) != -1) {
> switch (c) {
> case 'd':
> debug = 1;
> @@ -306,6 +311,14 @@
> case 's':
> fcgi_socket = optarg;
> break;
> + case 'U':
> + if (strchr(optarg, ':')) {
> + /* accept "user:group" syntax */
> + sock_user = strsep(, ":");
> + sock_group = optarg;
> + } else
> + sock_user = optarg;
> + break;
> case 'u':
> slowcgi_user = optarg;
> break;
> @@ -326,9 +339,16 @@
> logger =
> }
>
> - pw = getpwnam(SLOWCGI_USER);
> + pw = getpwnam(sock_user);
> if (pw == NULL)
> - lerrx(1, "no %s user", SLOWCGI_USER);
> + lerrx(1, "no %s user", sock_user);
> + if (sock_group) {
> + gr = getgrnam(sock_group);
> + if (gr == NULL)
> + lerrx(1, "no %s group", sock_group);
> + else
> + pw->pw_gid = gr->gr_gid;
> + }
>
> fd = slowcgi_listen(fcgi_socket, pw);
>
--
I'm not entirely sure you are real.
Re: slowcgi -u user option does not change socket ownership
On Wed, Aug 1, 2018 at 6:09 AM Florian Obser wrote:
>
> Nice to see it being useful on other systems, too. :)
>
> Does this work for you?
> [diff snipped]
Yes, that works great!
Although I think you want to capitalize "Change" in the man page.
I'm also playing around with a version that accepts "-U user:group" (a
la chown), which I think would be preferable to a separate group
option. That one is attached (since I can't seem to paste tabs
inline).
It's obviously preliminary and I'd also add that handing to the -u
option, if this is acceptable.
-Andrew
--- dist/slowcgi.8 2018-07-27 16:54:03.166650504 -0500
+++ slowcgi.8 2018-08-02 13:41:02.504823824 -0500
@@ -25,6 +25,7 @@
.Op Fl d
.Op Fl p Ar path
.Op Fl s Ar socket
+.Op Fl U Ar user
.Op Fl u Ar user
.Sh DESCRIPTION
.Nm
@@ -75,6 +76,14 @@
.It Fl s Ar socket
Create and bind to alternative local socket at
.Ar socket .
+.It Fl U Ar user[:group]
+Change the owner of
+.Pa /var/www/run/slowcgi.sock
+to
+.Ar user
+and its primary group instead of the default www:www. If specified as
+.Qq user:group ,
+use that group instead.
.It Fl u Ar user
Drop privileges to
.Ar user
--- dist/slowcgi.c 2018-07-27 16:54:03.166650504 -0500
+++ slowcgi.c 2018-08-02 15:14:42.440268902 -0500
@@ -29,6 +29,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -256,7 +257,8 @@
usage(void)
{
extern char *__progname;
- fprintf(stderr, "usage: %s [-d] [-p path] [-s socket] [-u user]\n",
+ fprintf(stderr,
+ "usage: %s [-d] [-p path] [-s socket] [-U user] [-u user]\n",
__progname);
exit(1);
}
@@ -273,9 +275,12 @@
extern char *__progname;
struct listener *l = NULL;
struct passwd *pw;
+ struct group*gr;
struct stat sb;
int c, fd;
const char *chrootpath = NULL;
+ const char *sock_user = SLOWCGI_USER;
+ const char *sock_group = NULL;
const char *slowcgi_user = SLOWCGI_USER;
/*
@@ -295,7 +300,7 @@
}
}
- while ((c = getopt(argc, argv, "dp:s:u:")) != -1) {
+ while ((c = getopt(argc, argv, "dp:s:U:u:")) != -1) {
switch (c) {
case 'd':
debug = 1;
@@ -306,6 +311,14 @@
case 's':
fcgi_socket = optarg;
break;
+ case 'U':
+ if (strchr(optarg, ':')) {
+ /* accept "user:group" syntax */
+ sock_user = strsep(, ":");
+ sock_group = optarg;
+ } else
+ sock_user = optarg;
+ break;
case 'u':
slowcgi_user = optarg;
break;
@@ -326,9 +339,16 @@
logger =
}
- pw = getpwnam(SLOWCGI_USER);
+ pw = getpwnam(sock_user);
if (pw == NULL)
- lerrx(1, "no %s user", SLOWCGI_USER);
+ lerrx(1, "no %s user", sock_user);
+ if (sock_group) {
+ gr = getgrnam(sock_group);
+ if (gr == NULL)
+ lerrx(1, "no %s group", sock_group);
+ else
+ pw->pw_gid = gr->gr_gid;
+ }
fd = slowcgi_listen(fcgi_socket, pw);
Re: slowcgi -u user option does not change socket ownership
On Wed, Aug 01, 2018 at 12:57:18PM +0200, Florian Obser wrote: > On Tue, Jul 31, 2018 at 06:39:18PM -0500, Andrew Daugherity wrote: > [...] > > Related: in the same section of code (at the end of my diff actually, > > as context), I noticed that when -u is used, the chroot path is set to > > the target user's home directory instead of /var/www. I found this > > surprising, so I added a manpage diff to my patchset: > > > > --- slowcgi.8 2017-10-17 17:47:58.0 -0500 > > +++ slowcgi.8 2018-07-26 13:34:06.459779115 -0500 > > @@ -78,7 +78,9 @@ > > .It Fl u Ar user > > Drop privileges to > > .Ar user > > -instead of default user www. > > +instead of the default www, and chroot to that user's home directory, > > +unless you specify otherwise with > > +.Ar -p . > > .El > > .Sh SEE ALSO > > .Xr httpd 8 > > > > Perhaps that's a bit too wordy and only the first line is needed, I dunno. > > How about this? jmc? > > diff --git slowcgi.8 slowcgi.8 > index 52bded7eee6..117228403b4 100644 > --- slowcgi.8 > +++ slowcgi.8 > @@ -79,6 +79,12 @@ Create and bind to alternative local socket at > Drop privileges to > .Ar user > instead of default user www. > +.Nm > +will > +.Xr chroot 8 > +to > +the home directory of > +.Ar user . reads ok. you could shorten it to: ... user www and .Xr chroot 8 ... > .El > .Sh SEE ALSO > .Xr httpd 8 > > Jmc: Btw, why are we using the section 8 man page in Xr, technically > slowcgi uses chroot(2). > we tend to try and use userland refs in userland docs. however if it makes more sense to reference chroot(2), by all means do so (whichever will be the most use to the target reader). jmc
Re: slowcgi -u user option does not change socket ownership
Nice to see it being useful on other systems, too. :)
Does this work for you?
diff --git slowcgi.8 slowcgi.8
index 117228403b4..10bd40d2e60 100644
--- slowcgi.8
+++ slowcgi.8
@@ -25,6 +25,7 @@
.Op Fl d
.Op Fl p Ar path
.Op Fl s Ar socket
+.Op Fl U Ar user
.Op Fl u Ar user
.Sh DESCRIPTION
.Nm
@@ -75,6 +76,12 @@ effectively disables the chroot.
.It Fl s Ar socket
Create and bind to alternative local socket at
.Ar socket .
+.It Fl U Ar user
+change the owner of
+.Pa /var/www/run/slowcgi.sock
+to
+.Ar user
+and its primary group instead of the default www:www.
.It Fl u Ar user
Drop privileges to
.Ar user
diff --git slowcgi.c slowcgi.c
index a9a90b2db1f..8e860ec2ad6 100644
--- slowcgi.c
+++ slowcgi.c
@@ -256,7 +256,8 @@ __dead void
usage(void)
{
extern char *__progname;
- fprintf(stderr, "usage: %s [-d] [-p path] [-s socket] [-u user]\n",
+ fprintf(stderr,
+ "usage: %s [-d] [-p path] [-s socket] [-U user] [-u user]\n",
__progname);
exit(1);
}
@@ -276,6 +277,7 @@ main(int argc, char *argv[])
struct stat sb;
int c, fd;
const char *chrootpath = NULL;
+ const char *sock_user = SLOWCGI_USER;
const char *slowcgi_user = SLOWCGI_USER;
/*
@@ -295,7 +297,7 @@ main(int argc, char *argv[])
}
}
- while ((c = getopt(argc, argv, "dp:s:u:")) != -1) {
+ while ((c = getopt(argc, argv, "dp:s:U:u:")) != -1) {
switch (c) {
case 'd':
debug = 1;
@@ -306,6 +308,9 @@ main(int argc, char *argv[])
case 's':
fcgi_socket = optarg;
break;
+ case 'U':
+ sock_user = optarg;
+ break;
case 'u':
slowcgi_user = optarg;
break;
@@ -326,9 +331,9 @@ main(int argc, char *argv[])
logger =
}
- pw = getpwnam(SLOWCGI_USER);
+ pw = getpwnam(sock_user);
if (pw == NULL)
- lerrx(1, "no %s user", SLOWCGI_USER);
+ lerrx(1, "no %s user", sock_user);
fd = slowcgi_listen(fcgi_socket, pw);
On Tue, Jul 31, 2018 at 06:39:18PM -0500, Andrew Daugherity wrote:
> On Sun, Jul 29, 2018 at 11:07 AM, Florian Obser wrote:
> > It is behaving as intended. The slowcgi.sock is for the webserver to
> > interact with. The specified user is not supposed to interact with the
> > socket. CGI scripts are executed as this user.
> >
> > slowcgi itself can use the socket just fine since it already has a
> > filedescriptor open.
> >
> > What problem are you trying to solve?
>
> I ported slowcgi to Linux [1], (primarily) for use with nginx, since
> the commonly recommended alternative 'fcgiwrap' seems possibly
> unmaintained, and is a bit heavyweight in comparison.
>
> openSUSE gives nginx its own user, separate from the wwwrun user used
> by Apache etc. I figured making wwwrun the compile-time default and
> using '-u nginx' when needed would suffice, but it didn't, as nginx
> was unable to access the socket.
>
> Running it as 'andrew' in this bug report was just a verification that
> this also occurs on OpenBSD, and wasn't a porting issue. It seemed
> like setting the user should also set the socket owner, and appeared
> that the socket was just created too "early" (since the chroot etc. is
> done after setting the user). Your explanation makes sense; I
> honestly never considered that the -u option was *not* supposed to
> also set the socket ownership.
>
> Obviously I could chown the socket after startup, or add yet another
> option for socket ownership, but this seemed like a cleaner fix.
>
> Related: in the same section of code (at the end of my diff actually,
> as context), I noticed that when -u is used, the chroot path is set to
> the target user's home directory instead of /var/www. I found this
> surprising, so I added a manpage diff to my patchset:
>
> --- slowcgi.8 2017-10-17 17:47:58.0 -0500
> +++ slowcgi.8 2018-07-26 13:34:06.459779115 -0500
> @@ -78,7 +78,9 @@
> .It Fl u Ar user
> Drop privileges to
> .Ar user
> -instead of default user www.
> +instead of the default www, and chroot to that user's home directory,
> +unless you specify otherwise with
> +.Ar -p .
> .El
> .Sh SEE ALSO
> .Xr httpd 8
>
> Perhaps that's a bit too wordy and only the first line is needed, I dunno.
>
> Thanks for the software, it works great for me so far! (At least for
> running Nagios...)
>
>
> -Andrew
>
> [1] https://github.com/adaugherity/slowcgi-portable
> Not that hard to port, thanks to libbsd. The only thing missing was
> getdtablecount() and of course pledge().
>
>
>
> >> >Fix:
> >> Moving the slowcgi_listen() call to after the pw struct is set to
> >> slowcgi_user
> >> fixes it:
> >>
> >> --- usr.sbin/slowcgi/slowcgi.c 2018-07-25
Re: slowcgi -u user option does not change socket ownership
On Tue, Jul 31, 2018 at 06:39:18PM -0500, Andrew Daugherity wrote: [...] > Related: in the same section of code (at the end of my diff actually, > as context), I noticed that when -u is used, the chroot path is set to > the target user's home directory instead of /var/www. I found this > surprising, so I added a manpage diff to my patchset: > > --- slowcgi.8 2017-10-17 17:47:58.0 -0500 > +++ slowcgi.8 2018-07-26 13:34:06.459779115 -0500 > @@ -78,7 +78,9 @@ > .It Fl u Ar user > Drop privileges to > .Ar user > -instead of default user www. > +instead of the default www, and chroot to that user's home directory, > +unless you specify otherwise with > +.Ar -p . > .El > .Sh SEE ALSO > .Xr httpd 8 > > Perhaps that's a bit too wordy and only the first line is needed, I dunno. How about this? jmc? diff --git slowcgi.8 slowcgi.8 index 52bded7eee6..117228403b4 100644 --- slowcgi.8 +++ slowcgi.8 @@ -79,6 +79,12 @@ Create and bind to alternative local socket at Drop privileges to .Ar user instead of default user www. +.Nm +will +.Xr chroot 8 +to +the home directory of +.Ar user . .El .Sh SEE ALSO .Xr httpd 8 Jmc: Btw, why are we using the section 8 man page in Xr, technically slowcgi uses chroot(2). -- I'm not entirely sure you are real.
Re: slowcgi -u user option does not change socket ownership
On Sun, Jul 29, 2018 at 11:07 AM, Florian Obser wrote:
> It is behaving as intended. The slowcgi.sock is for the webserver to
> interact with. The specified user is not supposed to interact with the
> socket. CGI scripts are executed as this user.
>
> slowcgi itself can use the socket just fine since it already has a
> filedescriptor open.
>
> What problem are you trying to solve?
I ported slowcgi to Linux [1], (primarily) for use with nginx, since
the commonly recommended alternative 'fcgiwrap' seems possibly
unmaintained, and is a bit heavyweight in comparison.
openSUSE gives nginx its own user, separate from the wwwrun user used
by Apache etc. I figured making wwwrun the compile-time default and
using '-u nginx' when needed would suffice, but it didn't, as nginx
was unable to access the socket.
Running it as 'andrew' in this bug report was just a verification that
this also occurs on OpenBSD, and wasn't a porting issue. It seemed
like setting the user should also set the socket owner, and appeared
that the socket was just created too "early" (since the chroot etc. is
done after setting the user). Your explanation makes sense; I
honestly never considered that the -u option was *not* supposed to
also set the socket ownership.
Obviously I could chown the socket after startup, or add yet another
option for socket ownership, but this seemed like a cleaner fix.
Related: in the same section of code (at the end of my diff actually,
as context), I noticed that when -u is used, the chroot path is set to
the target user's home directory instead of /var/www. I found this
surprising, so I added a manpage diff to my patchset:
--- slowcgi.8 2017-10-17 17:47:58.0 -0500
+++ slowcgi.8 2018-07-26 13:34:06.459779115 -0500
@@ -78,7 +78,9 @@
.It Fl u Ar user
Drop privileges to
.Ar user
-instead of default user www.
+instead of the default www, and chroot to that user's home directory,
+unless you specify otherwise with
+.Ar -p .
.El
.Sh SEE ALSO
.Xr httpd 8
Perhaps that's a bit too wordy and only the first line is needed, I dunno.
Thanks for the software, it works great for me so far! (At least for
running Nagios...)
-Andrew
[1] https://github.com/adaugherity/slowcgi-portable
Not that hard to port, thanks to libbsd. The only thing missing was
getdtablecount() and of course pledge().
>> >Fix:
>> Moving the slowcgi_listen() call to after the pw struct is set to
>> slowcgi_user
>> fixes it:
>>
>> --- usr.sbin/slowcgi/slowcgi.c 2018-07-25 20:46:56.358667880 -0500
>> +++ usr.sbin/slowcgi/slowcgi.c 2018-07-26 15:14:52.840052633 -0500
>> @@ -330,13 +330,13 @@
>> if (pw == NULL)
>> lerrx(1, "no %s user", SLOWCGI_USER);
>>
>> - fd = slowcgi_listen(fcgi_socket, pw);
>> -
>> lwarnx("slowcgi_user: %s", slowcgi_user);
>> pw = getpwnam(slowcgi_user);
>> if (pw == NULL)
>> lerrx(1, "no %s user", slowcgi_user);
>>
>> + fd = slowcgi_listen(fcgi_socket, pw);
>> +
>> if (chrootpath == NULL)
>> chrootpath = pw->pw_dir;
>>
Re: slowcgi -u user option does not change socket ownership
On Thu, Jul 26, 2018 at 05:31:39PM -0500, andrew.daugher...@gmail.com wrote:
> >Synopsis:slowcgi -u user option does not change socket ownership
> >Category:user
> >Environment:
> System : OpenBSD 6.3
> Details : OpenBSD 6.3 (GENERIC.MP) #4: Sun Jun 17 11:22:20 CEST 2018
>
> r...@syspatch-63-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> Architecture: OpenBSD.amd64
> Machine : amd64
> >Description:
> When using the '-u user' option to run slowcgi under a different username, the
> socket is still owned by the default www user. This prevents the specified
> user from interacting with the slowcgi socket (and maybe even slowcgi itself
> after it drops privileges?).
It is behaving as intended. The slowcgi.sock is for the webserver to
interact with. The specified user is not supposed to interact with the
socket. CGI scripts are executed as this user.
slowcgi itself can use the socket just fine since it already has a
filedescriptor open.
What problem are you trying to solve?
>
> >How-To-Repeat:
> $ doas slowcgi -u andrew -s /home/andrew/slowcgi.sock
> $ ls -l /home/andrew/slowcgi.sock
> srw-rw 1 www www 0 Jul 26 16:07 /home/andrew/slowcgi.sock
>
> >Fix:
> Moving the slowcgi_listen() call to after the pw struct is set to slowcgi_user
> fixes it:
>
> --- usr.sbin/slowcgi/slowcgi.c 2018-07-25 20:46:56.358667880 -0500
> +++ usr.sbin/slowcgi/slowcgi.c 2018-07-26 15:14:52.840052633 -0500
> @@ -330,13 +330,13 @@
> if (pw == NULL)
> lerrx(1, "no %s user", SLOWCGI_USER);
>
> - fd = slowcgi_listen(fcgi_socket, pw);
> -
> lwarnx("slowcgi_user: %s", slowcgi_user);
> pw = getpwnam(slowcgi_user);
> if (pw == NULL)
> lerrx(1, "no %s user", slowcgi_user);
>
> + fd = slowcgi_listen(fcgi_socket, pw);
> +
> if (chrootpath == NULL)
> chrootpath = pw->pw_dir;
>
> $ ls -l /home/andrew/slowcgi.sock
> srw-rw 1 andrew andrew 0 Jul 26 16:34 /home/andrew/slowcgi.sock
>
--
I'm not entirely sure you are real.
slowcgi -u user option does not change socket ownership
>Synopsis: slowcgi -u user option does not change socket ownership
>Category: user
>Environment:
System : OpenBSD 6.3
Details : OpenBSD 6.3 (GENERIC.MP) #4: Sun Jun 17 11:22:20 CEST 2018
r...@syspatch-63-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Architecture: OpenBSD.amd64
Machine : amd64
>Description:
When using the '-u user' option to run slowcgi under a different username, the
socket is still owned by the default www user. This prevents the specified
user from interacting with the slowcgi socket (and maybe even slowcgi itself
after it drops privileges?).
>How-To-Repeat:
$ doas slowcgi -u andrew -s /home/andrew/slowcgi.sock
$ ls -l /home/andrew/slowcgi.sock
srw-rw 1 www www 0 Jul 26 16:07 /home/andrew/slowcgi.sock
>Fix:
Moving the slowcgi_listen() call to after the pw struct is set to slowcgi_user
fixes it:
--- usr.sbin/slowcgi/slowcgi.c 2018-07-25 20:46:56.358667880 -0500
+++ usr.sbin/slowcgi/slowcgi.c 2018-07-26 15:14:52.840052633 -0500
@@ -330,13 +330,13 @@
if (pw == NULL)
lerrx(1, "no %s user", SLOWCGI_USER);
- fd = slowcgi_listen(fcgi_socket, pw);
-
lwarnx("slowcgi_user: %s", slowcgi_user);
pw = getpwnam(slowcgi_user);
if (pw == NULL)
lerrx(1, "no %s user", slowcgi_user);
+ fd = slowcgi_listen(fcgi_socket, pw);
+
if (chrootpath == NULL)
chrootpath = pw->pw_dir;
$ ls -l /home/andrew/slowcgi.sock
srw-rw 1 andrew andrew 0 Jul 26 16:34 /home/andrew/slowcgi.sock
