allow to not change fast cgi socket permissions

New config options: fcgi_set_socket_chmod (bool) - default true fcgi_set_socket_owner (bool) - default true
3 months ago · 98c1e8daad
4 changed files with 61 additions and 28 deletions
--- a/winixd/core/app.cpp
+++ b/winixd/core/app.cpp
@ -184,16 +184,28 @@ void App::InitPlugins()
 }


-bool App::InitFCGI(char * sock, char * sock_user, char * sock_group)
+bool App::TranslateFCGInames(char * sock, char * sock_user, char * sock_group)
 {
 	if( !wide_to_utf8(config.fcgi_socket, sock, WINIX_OS_PATH_SIZE) )
+	{
+		log << log1 << "App: I cannot correctly change FastCGI socket path to utf-8 string" << logend;
 		return false;
+	}

-	if( !wide_to_utf8(config.fcgi_socket_user, sock_user, WINIX_OS_USERNAME_SIZE) )
-		return false;
+	if( config.fcgi_set_socket_owner )
+	{
+		if( !wide_to_utf8(config.fcgi_socket_user, sock_user, WINIX_OS_USERNAME_SIZE) )
+		{
+			log << log1 << "App: I cannot correctly change FastCGI user name to utf-8 string" << logend;
+			return false;
+		}

-	if( !wide_to_utf8(config.fcgi_socket_group, sock_group, WINIX_OS_USERNAME_SIZE) )
-		return false;
+		if( !wide_to_utf8(config.fcgi_socket_group, sock_group, WINIX_OS_USERNAME_SIZE) )
+		{
+			log << log1 << "App: I cannot correctly change FastCGI group name to utf-8 string" << logend;
+			return false;
+		}
+	}

 return true;
 }
@ -204,33 +216,39 @@ return true;
 */
 bool App::InitFCGIChmodChownSocket(char * sock, char * sock_user, char * sock_group)
 {
-	if( chmod(sock, config.fcgi_socket_chmod) < 0 )
+	if( config.fcgi_set_socket_chmod )
 	{
-		log << log1 << "App: I cannot chmod a FastCGI socket, check fcgi_socket_chmod in the config" << logend;
-		return false;
+		if( chmod(sock, config.fcgi_socket_chmod) < 0 )
+		{
+			log << log1 << "App: I cannot chmod a FastCGI socket, check fcgi_socket_chmod in the config" << logend;
+			return false;
+		}
 	}
 	
-	passwd * pw = getpwnam(sock_user);
-
-	if( !pw )
+	if( config.fcgi_set_socket_owner )
 	{
-		log << log1 << "App: there is no a user: " << config.fcgi_socket_user << logend;
-		return false;
-	}
-	
-	group * gr = getgrnam(sock_group);
+		passwd * pw = getpwnam(sock_user);

-	if( !gr )
-	{
-		log << log1 << "App: there is no a group: " << config.fcgi_socket_group << logend;
-		return false;
-	}
+		if( !pw )
+		{
+			log << log1 << "App: there is no a user: " << config.fcgi_socket_user << logend;
+			return false;
+		}

-	if( chown(sock, pw->pw_uid, gr->gr_gid) < 0 )
-	{
-		log << log1 << "App: I cannot chown a FastCGI socket, check fcgi_socket_user "
-					<< "and fcgi_socket_group in the config" << logend;
-		return false;
+		group * gr = getgrnam(sock_group);
+
+		if( !gr )
+		{
+			log << log1 << "App: there is no a group: " << config.fcgi_socket_group << logend;
+			return false;
+		}
+	
+		if( chown(sock, pw->pw_uid, gr->gr_gid) < 0 )
+		{
+			log << log1 << "App: I cannot chown a FastCGI socket, check fcgi_socket_user "
+						<< "and fcgi_socket_group in the config" << logend;
+			return false;
+		}
 	}

 return true;
@ -243,7 +261,7 @@ char sock[WINIX_OS_PATH_SIZE];
 char sock_user[WINIX_OS_USERNAME_SIZE];
 char sock_group[WINIX_OS_USERNAME_SIZE];

-	if( !InitFCGI(sock, sock_user, sock_group) )
+	if( !TranslateFCGInames(sock, sock_user, sock_group) )
 		return false;

 	unlink(sock);
--- a/winixd/core/app.h
+++ b/winixd/core/app.h
@ -188,7 +188,7 @@ private:
 	// file logger, one object for all Log objects
 	FileLog file_log;

-	bool InitFCGI(char * sock, char * sock_user, char * sock_group);
+	bool TranslateFCGInames(char * sock, char * sock_user, char * sock_group);
 	bool InitFCGIChmodChownSocket(char * sock, char * sock_user, char * sock_group);
 	bool DropPrivileges(char * user, char * group);
 	bool DropPrivileges(const char * user, uid_t uid, gid_t gid, bool additional_groups);
--- a/winixd/core/config.cpp
+++ b/winixd/core/config.cpp
@ -125,6 +125,8 @@ void Config::AssignValues()
 	log_file				= Text(L"log_file");
 	log_delimiter			= Text(L"log_delimiter", L"---------------------------------------------------------------------------------");
 	fcgi_socket				= Text(L"fcgi_socket");
+	fcgi_set_socket_chmod	= Bool(L"fcgi_set_socket_chmod", true);
+	fcgi_set_socket_owner	= Bool(L"fcgi_set_socket_owner", true);
 	fcgi_socket_chmod 		= Int(L"fcgi_socket_chmod", 0770);
 	fcgi_socket_user  		= Text(L"fcgi_socket_user");
 	fcgi_socket_group 		= Text(L"fcgi_socket_group");
--- a/winixd/core/config.h
+++ b/winixd/core/config.h
@ -143,16 +143,29 @@ public:
 	// fast cgi: socket (unix domain)
 	std::wstring fcgi_socket;

+	// fast cgi: whether to change chmod of the socket
+	// default: true
+	// if true then you should set fcgi_socket_chmod as well
+	bool fcgi_set_socket_chmod;
+
+	// fast cgi: whether to change owner/group of the socket
+	// default: true
+	// if true then you should set fcgi_socket_user and fcgi_socket_group as well
+	bool fcgi_set_socket_owner;
+
 	// fast cgi: socket permissions
+	// taken into account if fcgi_set_socket_chmod is true
 	// chmod and chown of the socket are set before winix drops privileges
 	int fcgi_socket_chmod;

 	// fast cgi: owner of the socket
 	// chmod and chown of the socket are set before winix drops privileges
+	// taken into account if fcgi_set_socket_owner is true
 	std::wstring fcgi_socket_user;
 	
 	// fast cgi: group of the socket
 	// chmod and chown of the socket are set before winix drops privileges
+	// taken into account if fcgi_set_socket_owner is true
 	std::wstring fcgi_socket_group;

 	// fcgi_socket_listen is the listen queue depth used in the listen() call