allow to not change fast cgi socket permissions

New config options:
fcgi_set_socket_chmod (bool) - default true
fcgi_set_socket_owner (bool) - default true
Tomasz Sowa 2022-04-27 23:31:50 +02:00
parent f99191aa6f
commit 98c1e8daad
4 changed files with 62 additions and 29 deletions


@ -184,16 +184,28 @@ void App::InitPlugins()
}
bool App::InitFCGI(char * sock, char * sock_user, char * sock_group)
bool App::TranslateFCGInames(char * sock, char * sock_user, char * sock_group)
{
if( !wide_to_utf8(config.fcgi_socket, sock, WINIX_OS_PATH_SIZE) )
{
log << log1 << "App: I cannot correctly change FastCGI socket path to utf-8 string" << logend;
return false;
}
if( !wide_to_utf8(config.fcgi_socket_user, sock_user, WINIX_OS_USERNAME_SIZE) )
return false;
if( config.fcgi_set_socket_owner )
{
if( !wide_to_utf8(config.fcgi_socket_user, sock_user, WINIX_OS_USERNAME_SIZE) )
{
log << log1 << "App: I cannot correctly change FastCGI user name to utf-8 string" << logend;
return false;
}
if( !wide_to_utf8(config.fcgi_socket_group, sock_group, WINIX_OS_USERNAME_SIZE) )
return false;
if( !wide_to_utf8(config.fcgi_socket_group, sock_group, WINIX_OS_USERNAME_SIZE) )
{
log << log1 << "App: I cannot correctly change FastCGI group name to utf-8 string" << logend;
return false;
}
}
return true;
}
@ -204,33 +216,39 @@ return true;
*/
bool App::InitFCGIChmodChownSocket(char * sock, char * sock_user, char * sock_group)
{
if( chmod(sock, config.fcgi_socket_chmod) < 0 )
if( config.fcgi_set_socket_chmod )
{
log << log1 << "App: I cannot chmod a FastCGI socket, check fcgi_socket_chmod in the config" << logend;
return false;
if( chmod(sock, config.fcgi_socket_chmod) < 0 )
{
log << log1 << "App: I cannot chmod a FastCGI socket, check fcgi_socket_chmod in the config" << logend;
return false;
}
}
passwd * pw = getpwnam(sock_user);
if( !pw )
if( config.fcgi_set_socket_owner )
{
log << log1 << "App: there is no a user: " << config.fcgi_socket_user << logend;
return false;
}
passwd * pw = getpwnam(sock_user);
if( !pw )
{
log << log1 << "App: there is no a user: " << config.fcgi_socket_user << logend;
return false;
}
group * gr = getgrnam(sock_group);
if( !gr )
{
log << log1 << "App: there is no a group: " << config.fcgi_socket_group << logend;
return false;
}
group * gr = getgrnam(sock_group);
if( !gr )
{
log << log1 << "App: there is no a group: " << config.fcgi_socket_group << logend;
return false;
}
if( chown(sock, pw->pw_uid, gr->gr_gid) < 0 )
{
log << log1 << "App: I cannot chown a FastCGI socket, check fcgi_socket_user "
<< "and fcgi_socket_group in the config" << logend;
return false;
if( chown(sock, pw->pw_uid, gr->gr_gid) < 0 )
{
log << log1 << "App: I cannot chown a FastCGI socket, check fcgi_socket_user "
<< "and fcgi_socket_group in the config" << logend;
return false;
}
}
return true;
@ -243,7 +261,7 @@ char sock[WINIX_OS_PATH_SIZE];
char sock_user[WINIX_OS_USERNAME_SIZE];
char sock_group[WINIX_OS_USERNAME_SIZE];
if( !InitFCGI(sock, sock_user, sock_group) )
if( !TranslateFCGInames(sock, sock_user, sock_group) )
return false;
unlink(sock);
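Review bot: In InitFCGIChmodChownSocket (second hunk of this file), disabling either step now silently leaves the socket with whatever mode or ownership it had at creation, and nothing in the log records that the step was skipped, which makes a later permission problem on the socket hard to diagnose. Since this runs before privileges are dropped (per the config.h comments in this commit), an operator should be able to confirm from the log which of chmod/chown actually ran; an `else` branch on each flag such as `log << log1 << "App: fcgi_set_socket_chmod is false, leaving FastCGI socket mode unchanged" << logend;` (and the owner counterpart) would do. The doc comment that closes with `*/` just above the function lies outside the hunk and presumably still describes an unconditional chmod/chown; it should state that the two steps are gated by fcgi_set_socket_chmod and fcgi_set_socket_owner. The enclosing function of the third hunk starts and ends outside the hunk.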


@ -188,7 +188,7 @@ private:
// file logger, one object for all Log objects
FileLog file_log;
bool InitFCGI(char * sock, char * sock_user, char * sock_group);
bool TranslateFCGInames(char * sock, char * sock_user, char * sock_group);
bool InitFCGIChmodChownSocket(char * sock, char * sock_user, char * sock_group);
bool DropPrivileges(char * user, char * group);
bool DropPrivileges(const char * user, uid_t uid, gid_t gid, bool additional_groups);


@ -125,6 +125,8 @@ void Config::AssignValues()
log_file = Text(L"log_file");
log_delimiter = Text(L"log_delimiter", L"---------------------------------------------------------------------------------");
fcgi_socket = Text(L"fcgi_socket");
fcgi_set_socket_chmod = Bool(L"fcgi_set_socket_chmod", true);
fcgi_set_socket_owner = Bool(L"fcgi_set_socket_owner", true);
fcgi_socket_chmod = Int(L"fcgi_socket_chmod", 0770);
fcgi_socket_user = Text(L"fcgi_socket_user");
fcgi_socket_group = Text(L"fcgi_socket_group");


@ -143,16 +143,29 @@ public:
// fast cgi: socket (unix domain)
std::wstring fcgi_socket;
// fast cgi: whether to change chmod of the socket
// default: true
// if true then you should set fcgi_socket_chmod as well
bool fcgi_set_socket_chmod;
// fast cgi: whether to change owner/group of the socket
// default: true
// if true then you should set fcgi_socket_user and fcgi_socket_group as well
bool fcgi_set_socket_owner;
// fast cgi: socket permissions
// taken into account if fcgi_set_socket_chmod is true
// chmod and chown of the socket are set before winix drops privileges
int fcgi_socket_chmod;
// fast cgi: owner of the socket
// chmod and chown of the socket are set before winix drops privileges
// taken into account if fcgi_set_socket_owner is true
std::wstring fcgi_socket_user;
// fast cgi: group of the socket
// chmod and chown of the socket are set before winix drops privileges
// taken into account if fcgi_set_socket_owner is true
std::wstring fcgi_socket_group;
// fcgi_socket_listen is the listen queue depth used in the listen() call