Project

General

Profile

Bug #2819

-M option limited by umask

Added by hadmut 3 months ago. Updated 3 months ago.

Status:
Invalid
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
2017-08-14
Due date:
% Done:

0%

Estimated time:

Description

spawn-fcgi allows to give a mode value to be used for the unix domain socket, but (even the manpage mentions) only within the umask limits.

This raises the problem that one cannot run the fcgi job with umasks like 077 or 027 (like most linux distribs do), and still have the unix domain socket open for a different group.

E.g. could be necessary to run the fcgi daemon as someservice with a group of somegroup, but still give the unix domain socket to the group www-data (option -G) to allow others (e.g. webservers) to access it. Doesn't work without manually changing the socket later, because the socket mode is masked by umask and be not group writable, i.e. can't be opened by other programs.

Solution: If an -M is given, assume that the admin knows what he is doing and perform a chmod to give the socket re requested rights. (Means: Allow to set the rights of the unix domain socket and the umask of the process independently.)

History

#1

Updated by gstrauss 3 months ago

This is most definitely not a bug. Please file feature requests as feature requests.

Is there some reason that you can execute spawn-fcgi, but are unable to execute your own wrapper script which sets a more permissive umask prior to exec of spawn-fcgi? That is the most straightforward way to say "I know what I am doing" without suggesting other code changes.

#2

Updated by stbuehler 3 months ago

  • Status changed from New to Invalid

That is exactly the way spawn-fcgi works now: only the default uses umask, if you specify -M you can set whatever you want.

Apart from that the main point of spawn-fcgi is to have the socket owned by the webserver (i.e. the "FastCGI client"), and to run the app ("FastCGI server") as a different user - you need to start spawn-fcgi as root for this of course; you won't need group or other access in this usage scenario.

#3

Updated by hadmut 3 months ago

Well, I'm a Linux sysadmin since the very first days of Linux, and have been Unix/SunOS/Solaris sysadmin plenty of years before, so I guess I might have some sort of clue about what I'm doing.

And sure, I am pretty well able to execute my own wrapper script.

But if something like spawn-fcgi requires a "wrapper script" (i.e. another wrapper), then something is broken by design. A clean installation should work straight forward with the tools coming with the distribution and not require additional hacks like wrapper scripts.

And yeah, it is a bug and not a feature request, since it breaks security requirements.

#4

Updated by stbuehler 3 months ago

You didn't give an example that doesn't work; I tested it and it works exactly the way you requested it should.

Also available in: Atom