Hi Guix,

this patch adds additional options to the fcgiwrap service. In
particular it allows

1. writing the output of the fcgi process to a file (with the 'log-file'
option)

2. arranging for a directory to be created so that the fcgiwrap process
can create its listening socket without running into permission problems
(with the 'ensure-socket-dir?' option)

3. adjusting the permissions on the listening unix domain socket,
typically so that users in the fcgiwrap group have read and write access
to that socket (with the 'adjusted-socket-permissions' option)

Additionally, a potentially left-over fcgiwrap socket is cleaned up
before starting the service, which would otherwise lead to the process
refusing to run.

The documentation is also changed to address a potential security issue,
now recommending against running fcgiwrap as root.

The configuration defaults are not ideal (a tcp socket with unrestricted
access from any local user), but impossible to change without breaking
existing system definitions.

- Florian

[Attachment: 0001-services-fcgiwrap-Implement-additional-options.patch]

From 3ac9c6fa536faff23291b21d4e649b85386fedfc Mon Sep 17 00:00:00 2001
From: Florian Dold <flo@HIDDEN>
Date: Thu, 3 Jan 2019 14:22:49 +0100
Subject: [PATCH] services: fcgiwrap: Implement additional options

The fcgiwrap service now supports logging and can be run
on a unix domain socket as unprivileged user.

* doc/guix.texi (Web Services): Document new options and replace
dangerous advice about running fcgiwrap as root.
* gnu/services/web.scm: Add the options 'log-file',
'adjusted-socket-permissions' and 'ensure-socket-dir?'.
---
 doc/guix.texi        |  26 +++++++---
 gnu/services/web.scm | 119 ++++++++++++++++++++++++++++++++++++-------
 2 files changed, 120 insertions(+), 25 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi index fcb5b8c08..608dd26ca 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -17756,12 +17756,26 @@ The user and group names, as strings, under whi= ch to run the the user asks for the specific user or group names @code{fcgiwrap} that the corresponding user and/or group is present on the system. =20 -It is possible to configure a FastCGI-backed web service to pass HTTP -authentication information from the front-end to the back-end, and to -allow @code{fcgiwrap} to run the back-end process as a corresponding -local user. To enable this capability on the back-end., run -@code{fcgiwrap} as the @code{root} user and group. Note that this -capability also has to be configured on the front-end as well. +Note that whoever can write to the fcgiwrap socket is effectively able t= o +execute programs as the user/group running the fcgiwrap process. It is = thus +strongly discouraged to run fcgiwrap as the @code{root} user or group. + +@item @code{log-file} (default: @code{#f}) +File where @command{fcgiwrap}'s output is written, or @code{#f} to not +store the output. + +@item @code{adjusted-socket-permissions} (default: @code{#f}) +Only applies to @code{unix} sockets. Adjusts the permissions of the soc= ket +after it has been created. If set to an integer, it is interpreted as a= +numeric file mode. If set to @code{#t}, it is interpreted as mode @code= {#o660} +(read and write permissions for user and group). If set to the default +@code{#f}, no adjustments are made. + +@item @code{ensure-socket-dir?} (default: @code{#f}) +Only applies to @code{unix} sockets. If set to @code{#t} and the direct= ory +component of the socket path in @code{socket} does not exist yet, the +directory is created with ownership set to the user and group running th= e +fcgiwrap process. @end table @end deftp =20 diff --git a/gnu/services/web.scm b/gnu/services/web.scm index d71fed20e..a3d435489 100644 --- a/gnu/services/web.scm +++ b/gnu/services/web.scm 
@@ -39,6 +39,7 @@ #:use-module (guix records) #:use-module (guix modules) #:use-module (guix gexp) + #:use-module (guix i18n) #:use-module ((guix store) #:select (text-file)) #:use-module ((guix utils) #:select (version-major)) #:use-module ((guix packages) #:select (package-version)) @@ -696,14 +697,21 @@ of index files." (define-record-type* <fcgiwrap-configuration> fcgiwrap-configuration make-fcgiwrap-configuration fcgiwrap-configuration? - (package fcgiwrap-configuration-package ;<package> - (default fcgiwrap)) - (socket fcgiwrap-configuration-socket - (default "tcp:")) - (user fcgiwrap-configuration-user - (default "fcgiwrap")) - (group fcgiwrap-configuration-group - (default "fcgiwrap"))) + (package fcgiwrap-configuration-package ;<package> + (default fcgiwrap)) + (socket fcgiwrap-configuration-socket + (default "tcp:")) + (user fcgiwrap-configuration-user + (default "fcgiwrap")) + (group fcgiwrap-configuration-group + (default "fcgiwrap")) + (log-file fcgiwrap-log-file + (default #f)) + ;; boolean or octal mode integer + (adjusted-socket-permissions fcgiwrap-adjusted-socket-permissions? + (default #f)) + (ensure-socket-dir? fcgiwrap-ensure-socket-dir? + (default #f))) =20 (define fcgiwrap-accounts (match-lambda 
@@ -723,25 +731,98 @@ of index files." (home-directory "/var/empty") (shell (file-append shadow "/sbin/nologin"))))))))) =20 +(define (parse-fcgiwrap-socket s) + "Parse a fcgiwrap socket specification string into '(type args ...)" + (cond + ((string-prefix? "unix:" s) + (list 'unix (substring s 5))) + ((string-prefix? "tcp:" s) + (match (string-match "^tcp:([.0-9]+):([0-9]+)$" s) + ((? regexp-match? m) + (list + 'tcp + (match:substring m 1) + (string->number (match:substring m 2)))) + (_ (error "invalid tcp socket address")))) + ((string-prefix? "tcp6:" s) + (match (string-match "^tcp6:\\[(.*)\\]:([0-9]+)$" s) + ((? regexp-match? m) + (list + 'tcp6 + (match:substring m 1) + (string->number (match:substring m 2)))) + (_ (error "invalid tcp6 socket address")))) + (else (error "unrecognized socket protocol")))) + (define fcgiwrap-shepherd-service (match-lambda - (($ <fcgiwrap-configuration> package socket user group) - (list (shepherd-service - (provision '(fcgiwrap)) - (documentation "Run the fcgiwrap daemon.") - (requirement '(networking)) - (start #~(make-forkexec-constructor - '(#$(file-append package "/sbin/fcgiwrap") - "-s" #$socket) - #:user #$user #:group #$group)) - (stop #~(make-kill-destructor))))))) + (($ <fcgiwrap-configuration> package socket user group log-file perm= ensure-dir?) + (define parsed-socket (parse-fcgiwrap-socket socket)) + (list + (shepherd-service + (provision '(fcgiwrap)) + (documentation "Run the fcgiwrap daemon.") + (requirement '(networking)) + (modules `((shepherd support) (ice-9 match) ,@%default-modules)) + (start + #~(lambda args + (define (clean-up file) + (catch 'system-error + (lambda () + (delete-file file)) + (lambda args + (unless (=3D ENOENT (system-error-errno args)) + (apply throw args))))) + (define* (wait-for-file file #:key (max-delay 5)) + (define start (current-time)) + (let loop () + (cond + ((file-exists? 
file) #t) + ((< (current-time) (+ start max-delay)) + (sleep 1) + (loop)) + (else #f)))) + (define (adjust-permissions file mode) + (match mode + (#t (chmod file #o660)) + (n (chmod file n)) + (#f 0))) + (define (ensure-socket-dir dir user group) + (unless (file-exists? dir) + (mkdir dir) ; FIXME: use mkdir-p instead? + (let ((uid (passwd:uid (getpwnam user))) + (gid (group:gid (getgrnam group)))) + (chown dir uid gid)))) + (define start-fcgiwrap + (make-forkexec-constructor + '(#$(file-append package "/sbin/fcgiwrap") + "-s" #$socket) + #:user #$user + #:group #$group + #:log-file #$log-file)) + (match '#$parsed-socket + (('unix path) + ;; Clean up socket, otherwise fcgiwrap might not start pr= operly. + (clean-up path) + (when #$ensure-dir? + (ensure-socket-dir (dirname path) #$user #$group)) + (let ((pid (start-fcgiwrap)) + (socket-exists? (wait-for-file path))) + (if socket-exists? + (adjust-permissions path #$perm) + (local-output + #$(G_ "fcgiwrap: warning: waiting for socket ~s failed") + path)) + pid)) + (_ (start-fcgiwrap))))) + (stop #~(make-kill-destructor))))))) =20 (define fcgiwrap-service-type (service-type (name 'fcgiwrap) (extensions (list (service-extension shepherd-root-service-type fcgiwrap-shepherd-service) - (service-extension account-service-type + (service-extension account-service-type fcgiwrap-accounts))) (default-value (fcgiwrap-configuration)))) =20 --=20 2.20.1 --------------0EC48590587DD7B3CAB39C78--
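Review bot: in the doc/guix.texi hunk, the ensure-socket-dir? entry says the directory is created with the service's user and group as owner but not with what mode, and the mode matters because connecting to a unix socket requires search permission on its directory as well as write permission on the socket file; state the mode the service uses (the shepherd hunk calls mkdir with no explicit mode, so it is whatever the umask yields) or pick one and document it. The new paragraph also warns against running fcgiwrap as root but says nothing about the default "tcp:" socket, which the cover letter itself describes as reachable by any local user; add a sentence saying that a unix: socket together with adjusted-socket-permissions is the way to restrict who can reach the daemon.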
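Review bot: the @@ -39,6 +39,7 @@ hunk adds only (guix i18n), yet parse-fcgiwrap-socket further down uses string-match, regexp-match? and match:substring, which come from (ice-9 regex); check that gnu/services/web.scm already imports that module and, if not, add #:use-module (ice-9 regex) next to this line, since the parser runs at system-evaluation time rather than inside the gexp.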
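Review bot: in the @@ -696,14 +697,21 @@ hunk, the accessor for adjusted-socket-permissions is named fcgiwrap-adjusted-socket-permissions? although the field holds #f, #t or an integer mode, so the trailing "?" is misleading; the three new accessors also drop the fcgiwrap-configuration- prefix used by the existing fields (fcgiwrap-configuration-socket and friends), so a caller would expect fcgiwrap-configuration-log-file rather than fcgiwrap-log-file. The four unchanged fields are re-emitted as -/+ pairs with identical text, which points to a whitespace-only change (tabs versus spaces); leave those lines untouched so the hunk shows only the three added fields.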
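Review bot: in the @@ -723,25 +731,98 @@ hunk, parse-fcgiwrap-socket rejects the record's own default. socket defaults to "tcp:", but the tcp branch requires "^tcp:([.0-9]+):([0-9]+)$", so (parse-fcgiwrap-socket "tcp:") ends in (error "invalid tcp socket address"), and because parsed-socket is computed outside the gexp this fails while the system is being evaluated, for every existing configuration that relied on the default. The only consumer of the parsed value is the (('unix path) ...) clause, so it is enough to accept any tcp:/tcp6: string unparsed and extract the path only in the unix: case. Two more problems in the same hunk: in adjust-permissions the variable pattern (n (chmod file n)) comes before (#f 0), so with the default adjusted-socket-permissions of #f the #f clause is unreachable and (chmod file #f) is called on every unix-socket start; put the #f clause first or use ((? integer? n) (chmod file n)). And ensure-socket-dir calls (mkdir dir) without a mode, so the directory mode depends on shepherd's umask; pass an explicit mode such as (mkdir dir #o750) and document it, since directory search permission is part of who can reach the socket. Finally, when wait-for-file times out the constructor only logs a warning and still returns the pid, so the service reports as started while its socket keeps the default mode; consider treating that case as a failed start.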
Subject: [bug#33966] fcgiwrap: additional options for logging and unix domain sockets
From: Ludovic Courtès <ludo@HIDDEN>
To: Florian Dold <florian.dold@HIDDEN>
Cc: 33966 <at> debbugs.gnu.org
Date: Wed, 09 Jan 2019 17:17:01 +0100
Message-ID: <87a7k94xhe.fsf@HIDDEN>
In-Reply-To: <624ba072-d5fe-b159-46af-61e79caf22f1@HIDDEN> (Florian Dold's message of "Thu, 3 Jan 2019 21:02:38 +0100")

Hi Florian,

Florian Dold <florian.dold@HIDDEN> skribis:

> this patch adds additional options to the fcgiwrap service. In
> particular it allows
>
> 1. writing the output of the fcgi process to a file (with the 'log-file'
> option)
>
> 2. arranging for a directory to be created so that the fcgiwrap process
> can create its listening socket without running into permission problems
> (with the 'ensure-socket-dir?' option)
>
> 3. adjusting the permissions on the listening unix domain socket,
> typically so that users in the fcgiwrap group have read and write access
> to that socket (with the 'adjusted-socket-permissions' option)
>
> Additionally, a potentially left-over fcgiwrap socket is cleaned up
> before starting the service, which would otherwise lead to the process
> refusing to run.
>
> The documentation is also changed to address a potential security issue,
> now recommending against running fcgiwrap as root.

Thanks for working on it!

> The configuration defaults are not ideal (a tcp socket with unrestricted
> access from any local user), but impossible to change without breaking
> existing system definitions.

Yeah. Perhaps we could print a warning or something to encourage users
to switch?

Overall LGTM. Some minor comments below:

> From 3ac9c6fa536faff23291b21d4e649b85386fedfc Mon Sep 17 00:00:00 2001
> From: Florian Dold <flo@HIDDEN>
> Date: Thu, 3 Jan 2019 14:22:49 +0100
> Subject: [PATCH] services: fcgiwrap: Implement additional options
>
> The fcgiwrap service now supports logging and can be run
> on a unix domain socket as unprivileged user.
>
> * doc/guix.texi (Web Services): Document new options and replace
> dangerous advice about running fcgiwrap as root.
> * gnu/services/web.scm: Add the options 'log-file',
> 'adjusted-socket-permissions' and 'ensure-socket-dir?'.

It’d be great if you could list the modified variables for web.scm;
otherwise I can do it for you.

> (define-record-type* <fcgiwrap-configuration> fcgiwrap-configuration
> make-fcgiwrap-configuration
> fcgiwrap-configuration?
> - (package fcgiwrap-configuration-package ;<package>
> - (default fcgiwrap))
> - (socket fcgiwrap-configuration-socket
> - (default "tcp:"))
> - (user fcgiwrap-configuration-user
> - (default "fcgiwrap"))
> - (group fcgiwrap-configuration-group
> - (default "fcgiwrap")))
> + (package fcgiwrap-configuration-package ;<package>
> + (default fcgiwrap))
> + (socket fcgiwrap-configuration-socket
> + (default "tcp:"))
> + (user fcgiwrap-configuration-user
> + (default "fcgiwrap"))
> + (group fcgiwrap-configuration-group
> + (default "fcgiwrap"))
> + (log-file fcgiwrap-log-file
> + (default #f))
> + ;; boolean or octal mode integer
> + (adjusted-socket-permissions fcgiwrap-adjusted-socket-permissions?
> + (default #f))

Maybe just ‘socket-permissions’ and also leave out interpretation of #t
as #o666?

Also the accessor should then be ‘fcgiwrap-socket-permissions’.

> + (ensure-socket-dir? fcgiwrap-ensure-socket-dir?
> + (default #f)))

s/dir/directory/ please. :-)

Also please remove tabs from the file.

Could you make sure “make check-system TESTS=cgit” still passes after
the change?

The rest LGTM. Could you send an updated patch?

Thank you!

Ludo’.
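As an added illustration of the two settings Ludo's remark contrasts (this is example code written for this page, not part of the patch, of the Guix manual or of the thread): the default "tcp:" socket, which any local user can connect to, next to a unix-socket configuration using the options from the patch as posted. Field names are those of the patch (the review above proposes renaming some of them), the socket path, log path and document root are assumptions, the nginx block is an assumed front end, and making the nginx user a member of the fcgiwrap group is assumed to be handled elsewhere.

```scheme
;; Added example, not part of the patch or of Guix itself.  Field names
;; follow the patch as posted in this thread; all paths are assumptions.
(use-modules (gnu)
             (gnu services web))

;; Weak setting: equivalent to (service fcgiwrap-service-type).
;; "tcp:" makes fcgiwrap bind its built-in default local TCP address, and
;; a TCP port carries no file permissions, so every local user can connect
;; and run CGI programs as the fcgiwrap user.
(define fcgiwrap-tcp-default
  (service fcgiwrap-service-type
           (fcgiwrap-configuration
            (socket "tcp:")
            (user "fcgiwrap")
            (group "fcgiwrap"))))

;; Assumed socket path for the hardened variant below.
(define %fcgiwrap-socket "/var/run/fcgiwrap/socket")

;; Corrected setting: a unix socket whose directory is created for the
;; service user (ensure-socket-dir?), chmod'ed to #o660 once it appears
;; (adjusted-socket-permissions) so that only the fcgiwrap user and the
;; members of the fcgiwrap group can connect, plus a log file.
(define fcgiwrap-unix-socket
  (service fcgiwrap-service-type
           (fcgiwrap-configuration
            (socket (string-append "unix:" %fcgiwrap-socket))
            (user "fcgiwrap")
            (group "fcgiwrap")
            (ensure-socket-dir? #t)              ; create /var/run/fcgiwrap
            (adjusted-socket-permissions #o660)  ; rw for user and group only
            (log-file "/var/log/fcgiwrap.log")))) ; assumed path

;; Assumed nginx front end pointing at the same socket.  For the handoff
;; to work the nginx worker user must belong to the fcgiwrap group, which
;; this example does not arrange.
(define nginx-cgi-front-end
  (service nginx-service-type
           (nginx-configuration
            (server-blocks
             (list (nginx-server-configuration
                    (listen '("80"))
                    (ssl-certificate #f)
                    (ssl-certificate-key #f)
                    (root "/srv/http")                      ; assumed
                    (locations
                     (list (nginx-location-configuration
                            (uri "/cgi-bin/")
                            (body
                             (list
                              "fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;"
                              (string-append "fastcgi_pass unix:"
                                             %fcgiwrap-socket ";"))))))))))))

;; Use inside an operating-system declaration:
;;   (services (append (list fcgiwrap-unix-socket nginx-cgi-front-end)
;;                     %base-services))
```

With the unix-socket variant, the trust boundary is the fcgiwrap group: anyone who can write to the socket can run programs as the fcgiwrap user, so the group should contain only the front-end's user, and fcgiwrap itself must not run as root.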
Subject: [bug#33966] fcgiwrap: additional options for logging and unix domain sockets
From: Arun Isaac <arunisaac@HIDDEN>
To: Florian Dold <florian.dold@HIDDEN>
Cc: 33966 <at> debbugs.gnu.org, Ludovic Courtès <ludo@HIDDEN>
Date: Sat, 25 May 2019 13:27:21 +0530
Message-ID: <cu71s0nnezi.fsf@HIDDEN>
In-Reply-To: <624ba072-d5fe-b159-46af-61e79caf22f1@HIDDEN>
X-GNU-PR-Keywords: security

> The configuration defaults are not ideal (a tcp socket with unrestricted
> access from any local user), but impossible to change without breaking
> existing system definitions.

I think it's ok to break existing system definitions when security is at
stake.
Subject: [bug#33966] fcgiwrap: additional options for logging and unix domain sockets
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: Florian Dold <florian.dold@HIDDEN>
Cc: 33966 <at> debbugs.gnu.org
Date: Mon, 11 Nov 2024 21:41:11 +0900
Message-ID: <87ed3i9c48.fsf@HIDDEN>
In-Reply-To: <624ba072-d5fe-b159-46af-61e79caf22f1@HIDDEN> (Florian Dold's message of "Thu, 3 Jan 2019 21:02:38 +0100")
X-GNU-PR-Keywords: security

Hi Florian,

Florian Dold <florian.dold@HIDDEN> writes:

> Hi Guix,
>
> this patch adds additional options to the fcgiwrap service. In
> particular it allows
>
> 1. writing the output of the fcgi process to a file (with the 'log-file'
> option)
>
> 2. arranging for a directory to be created so that the fcgiwrap process
> can create its listening socket without running into permission problems
> (with the 'ensure-socket-dir?' option)
>
> 3. adjusting the permissions on the listening unix domain socket,
> typically so that users in the fcgiwrap group have read and write access
> to that socket (with the 'adjusted-socket-permissions' option)
>
> Additionally, a potentially left-over fcgiwrap socket is cleaned up
> before starting the service, which would otherwise lead to the process
> refusing to run.
>
> The documentation is also changed to address a potential security issue,
> now recommending against running fcgiwrap as root.
>
> The configuration defaults are not ideal (a tcp socket with unrestricted
> access from any local user), but impossible to change without breaking
> existing system definitions.

Unfortunately this great patch no longer applies cleanly (there are
conflicts in the doc). Would you be so kind as to resend an updated
version?

--
Thanks,
Maxim
