
I have a web server (nginx) and a CGI application (gitweb) that is run with fcgiwrap to enable FastCGI access to it. I want the FastCGI protocol to take place over a unix socket file.

To start the fcgiwrap daemon, I run:

setuidgid git fcgiwrap -s "unix:$PWD/fastcgi.sock"

(this is a daemontools daemon)

The problem is that my web server runs as the user www-data and not the user git. And fcgiwrap creates the socket fastcgi.sock with user git, group git and read only for the non-owner. Thus, nginx with the user www-data can't access the socket.

Apparently, fcgiwrap is not able to select the permissions of unix socket files. And this is quite annoying. Moreover, if I manage to have the socket file exist before I run fcgiwrap (which is quite difficult given I did not find any shell command to create a socket file), it quits with the following error:

Failed to bind: Address already in use

The only solution I found is to start the server the following way:

rm -f fastcgi.sock # Ensure that the socket doesn't already exist
(sleep 5; chgrp www-data fastcgi.sock; chmod g+w fastcgi.sock) &
exec setuidgid git fcgiwrap -s "unix:$PWD/fastcgi.sock"

Which is far from the most elegant solution. Can you think of anything better?

Thanks

user36520

2 Answers


One way would be to start fcgiwrap as a specific user and have it create the socket in a folder with the sticky bit set. The sticky bit ensures that all files created in this directory have a given group.

mkdir sdir
chgrp www-data sdir
chmod g+s sdir
exec setuidgid git fcgiwrap -s "unix:$PWD/sdir/fastcgi.sock"

You can symlink if you still want to see the original socket name.

ln -s sdir/fastcgi.sock fastcgi.sock
teknopaul
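As an added example (not code from the question or either answer), this Python script shows the mechanism behind the setgid-directory answer and why the question's sleep/chmod wrapper is a race: the socket node's mode is set by bind(2) from the caller's umask, and its group comes from a setgid parent directory, both at creation time. It assumes fcgiwrap leaves its inherited umask alone; the directory and socket names are constructed for the demo.

```python
import os
import socket
import stat
import tempfile


def bind_unix_socket(path: str, umask: int = 0o117) -> int:
    """Bind a unix stream socket at `path` with `umask` in force during bind().

    bind(2) creates the socket node with mode 0777 & ~umask, so its
    permissions are settled atomically at creation time: there is no
    window in which the socket is unreachable to the group (or open to
    everyone) and nothing to chmod afterwards.  Returns the mode bits
    of the resulting socket file.
    """
    old_umask = os.umask(umask)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.close()  # the filesystem node stays until unlinked; only the listener goes
    return stat.S_IMODE(os.stat(path).st_mode)


def socket_inherits_dir_group(dir_path: str, sock_path: str) -> bool:
    """True if the socket got the directory's group, as a setgid directory guarantees."""
    return os.stat(dir_path).st_gid == os.stat(sock_path).st_gid


def demo() -> dict:
    """Constructed scenario mirroring the answer's sdir layout (assumed names).

    In the real deployment the directory would be `chgrp www-data` first;
    here it keeps the current group (an unprivileged process may not be
    allowed to change it) and only the setgid bit and umask are exercised.
    """
    base = tempfile.mkdtemp()
    sdir = os.path.join(base, "sdir")
    os.mkdir(sdir)
    os.chmod(sdir, 0o2750)  # rwxr-s---: setgid on, no access for "other"
    sock = os.path.join(sdir, "fastcgi.sock")
    mode = bind_unix_socket(sock)  # umask 0117 -> 0660 (rw for owner and group)
    return {
        "dir_setgid": bool(os.stat(sdir).st_mode & stat.S_ISGID),
        "socket_mode": mode,
        "group_inherited": socket_inherits_dir_group(sdir, sock),
    }


if __name__ == "__main__":
    print(demo())
```

In shell terms this is `umask 007` before the `exec setuidgid git fcgiwrap ...` line, combined with the setgid directory from the answer, which removes the need for the background sleep/chmod.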

Fcgiwrap is now compatible with systemd socket activation. It should be possible to use the systemd protocol separately on an OS without systemd.

user36520