allow to not change fast cgi socket permissions

New config options:
fcgi_set_socket_chmod (bool) - default true
fcgi_set_socket_owner (bool) - default true
This commit is contained in:
Tomasz Sowa 2022-04-27 23:31:50 +02:00
parent f99191aa6f
commit 98c1e8daad
4 changed files with 62 additions and 29 deletions


@ -184,16 +184,28 @@ void App::InitPlugins()
} }
bool App::InitFCGI(char * sock, char * sock_user, char * sock_group) bool App::TranslateFCGInames(char * sock, char * sock_user, char * sock_group)
{ {
if( !wide_to_utf8(config.fcgi_socket, sock, WINIX_OS_PATH_SIZE) ) if( !wide_to_utf8(config.fcgi_socket, sock, WINIX_OS_PATH_SIZE) )
{
log << log1 << "App: I cannot correctly change FastCGI socket path to utf-8 string" << logend;
return false; return false;
}
if( !wide_to_utf8(config.fcgi_socket_user, sock_user, WINIX_OS_USERNAME_SIZE) ) if( config.fcgi_set_socket_owner )
return false; {
if( !wide_to_utf8(config.fcgi_socket_user, sock_user, WINIX_OS_USERNAME_SIZE) )
{
log << log1 << "App: I cannot correctly change FastCGI user name to utf-8 string" << logend;
return false;
}
if( !wide_to_utf8(config.fcgi_socket_group, sock_group, WINIX_OS_USERNAME_SIZE) ) if( !wide_to_utf8(config.fcgi_socket_group, sock_group, WINIX_OS_USERNAME_SIZE) )
return false; {
log << log1 << "App: I cannot correctly change FastCGI group name to utf-8 string" << logend;
return false;
}
}
return true; return true;
} }
@ -204,33 +216,39 @@ return true;
*/ */
bool App::InitFCGIChmodChownSocket(char * sock, char * sock_user, char * sock_group) bool App::InitFCGIChmodChownSocket(char * sock, char * sock_user, char * sock_group)
{ {
if( chmod(sock, config.fcgi_socket_chmod) < 0 ) if( config.fcgi_set_socket_chmod )
{ {
log << log1 << "App: I cannot chmod a FastCGI socket, check fcgi_socket_chmod in the config" << logend; if( chmod(sock, config.fcgi_socket_chmod) < 0 )
return false; {
log << log1 << "App: I cannot chmod a FastCGI socket, check fcgi_socket_chmod in the config" << logend;
return false;
}
} }
passwd * pw = getpwnam(sock_user); if( config.fcgi_set_socket_owner )
if( !pw )
{ {
log << log1 << "App: there is no a user: " << config.fcgi_socket_user << logend; passwd * pw = getpwnam(sock_user);
return false;
} if( !pw )
{
log << log1 << "App: there is no a user: " << config.fcgi_socket_user << logend;
return false;
}
group * gr = getgrnam(sock_group);
if( !gr )
{
log << log1 << "App: there is no a group: " << config.fcgi_socket_group << logend;
return false;
}
group * gr = getgrnam(sock_group); if( chown(sock, pw->pw_uid, gr->gr_gid) < 0 )
{
if( !gr ) log << log1 << "App: I cannot chown a FastCGI socket, check fcgi_socket_user "
{ << "and fcgi_socket_group in the config" << logend;
log << log1 << "App: there is no a group: " << config.fcgi_socket_group << logend; return false;
return false; }
}
if( chown(sock, pw->pw_uid, gr->gr_gid) < 0 )
{
log << log1 << "App: I cannot chown a FastCGI socket, check fcgi_socket_user "
<< "and fcgi_socket_group in the config" << logend;
return false;
} }
return true; return true;
@ -243,7 +261,7 @@ char sock[WINIX_OS_PATH_SIZE];
char sock_user[WINIX_OS_USERNAME_SIZE]; char sock_user[WINIX_OS_USERNAME_SIZE];
char sock_group[WINIX_OS_USERNAME_SIZE]; char sock_group[WINIX_OS_USERNAME_SIZE];
if( !InitFCGI(sock, sock_user, sock_group) ) if( !TranslateFCGInames(sock, sock_user, sock_group) )
return false; return false;
unlink(sock); unlink(sock);
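Review bot: When fcgi_set_socket_owner is false, TranslateFCGInames returns without writing sock_user or sock_group, so the caller's stack buffers (`char sock_user[WINIX_OS_USERNAME_SIZE]` / `char sock_group[...]` in the third hunk) stay uninitialized; InitFCGIChmodChownSocket reads them only under the same flag, so this is correct today, but the two functions are coupled by convention rather than by the data. Terminating the buffers in the skipped case, e.g. an `else { sock_user[0] = '\0'; sock_group[0] = '\0'; }` after the `if( config.fcgi_set_socket_owner )` block in TranslateFCGInames, makes any later read (including logging) safe regardless of which flags are set. A comment on both functions stating that sock_user/sock_group are only filled and only consulted when fcgi_set_socket_owner is true would document the invariant. The body of InitFCGIChmodChownSocket continues past the second hunk (its closing brace is not shown), and the caller in the third hunk starts outside the hunk.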


@ -188,7 +188,7 @@ private:
// file logger, one object for all Log objects // file logger, one object for all Log objects
FileLog file_log; FileLog file_log;
bool InitFCGI(char * sock, char * sock_user, char * sock_group); bool TranslateFCGInames(char * sock, char * sock_user, char * sock_group);
bool InitFCGIChmodChownSocket(char * sock, char * sock_user, char * sock_group); bool InitFCGIChmodChownSocket(char * sock, char * sock_user, char * sock_group);
bool DropPrivileges(char * user, char * group); bool DropPrivileges(char * user, char * group);
bool DropPrivileges(const char * user, uid_t uid, gid_t gid, bool additional_groups); bool DropPrivileges(const char * user, uid_t uid, gid_t gid, bool additional_groups);


@ -125,6 +125,8 @@ void Config::AssignValues()
log_file = Text(L"log_file"); log_file = Text(L"log_file");
log_delimiter = Text(L"log_delimiter", L"---------------------------------------------------------------------------------"); log_delimiter = Text(L"log_delimiter", L"---------------------------------------------------------------------------------");
fcgi_socket = Text(L"fcgi_socket"); fcgi_socket = Text(L"fcgi_socket");
fcgi_set_socket_chmod = Bool(L"fcgi_set_socket_chmod", true);
fcgi_set_socket_owner = Bool(L"fcgi_set_socket_owner", true);
fcgi_socket_chmod = Int(L"fcgi_socket_chmod", 0770); fcgi_socket_chmod = Int(L"fcgi_socket_chmod", 0770);
fcgi_socket_user = Text(L"fcgi_socket_user"); fcgi_socket_user = Text(L"fcgi_socket_user");
fcgi_socket_group = Text(L"fcgi_socket_group"); fcgi_socket_group = Text(L"fcgi_socket_group");


@ -143,16 +143,29 @@ public:
// fast cgi: socket (unix domain) // fast cgi: socket (unix domain)
std::wstring fcgi_socket; std::wstring fcgi_socket;
// fast cgi: whether to change chmod of the socket
// default: true
// if true then you should set fcgi_socket_chmod as well
bool fcgi_set_socket_chmod;
// fast cgi: whether to change owner/group of the socket
// default: true
// if true then you should set fcgi_socket_user and fcgi_socket_group as well
bool fcgi_set_socket_owner;
// fast cgi: socket permissions // fast cgi: socket permissions
// taken into account if fcgi_set_socket_chmod is true
// chmod and chown of the socket are set before winix drops privileges // chmod and chown of the socket are set before winix drops privileges
int fcgi_socket_chmod; int fcgi_socket_chmod;
// fast cgi: owner of the socket // fast cgi: owner of the socket
// chmod and chown of the socket are set before winix drops privileges // chmod and chown of the socket are set before winix drops privileges
// taken into account if fcgi_set_socket_owner is true
std::wstring fcgi_socket_user; std::wstring fcgi_socket_user;
// fast cgi: group of the socket // fast cgi: group of the socket
// chmod and chown of the socket are set before winix drops privileges // chmod and chown of the socket are set before winix drops privileges
// taken into account if fcgi_set_socket_owner is true
std::wstring fcgi_socket_group; std::wstring fcgi_socket_group;
// fcgi_socket_listen is the listen queue depth used in the listen() call // fcgi_socket_listen is the listen queue depth used in the listen() call
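Review bot: The new comments on fcgi_set_socket_chmod and fcgi_set_socket_owner describe only the true case, but the false case is what this commit introduces and is the one an operator needs to reason about. Since both operations run before winix drops privileges (per the existing `chmod and chown of the socket are set before winix drops privileges` lines), a socket that is not chowned presumably keeps the owner/group of the user winix was started as, and one that is not chmodded keeps the mode it was created with under the process umask; suggest adding `// if false the socket keeps the owner/group of the user winix was started as` and `// if false the socket keeps the mode it was created with (subject to the process umask)` respectively. The phrase `if true then you should set fcgi_socket_chmod as well` is also weaker than the owner case: fcgi_socket_chmod has a default of 0770 in Config::AssignValues, whereas fcgi_socket_user and fcgi_socket_group have no default and an empty name makes InitFCGIChmodChownSocket fail at startup, so the comments could state that asymmetry.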