Revision 1 (stbuehler, 2009-02-08 19:23) → Revision 2/3 (stbuehler, 2009-06-05 09:12)

h1. Basic Ideas 

spawn-fcgi drops privileges (i.e. does setuid/setgid to the specified user/group) before creating the socket; that means
* You cannot listen on ports < 1024 (tcp mode)
* The socket will be created with the user/group you gave as parameter

Now, one nice thing about FastCGI is that you can run the FastCGI application and the webserver as different users (privilege separation); but lighttpd needs access to your socket. So if you are not using the tcp mode and don't want to give everyone read/write access to your sockets, you need a little trick: let spawn-fcgi run the application as the FastCGI user (-u) but make the webserver user the owner of the socket (-U).

The recommended way to run FastCGI applications is supervising them with daemontools or runit. For this you need a simple ./run script in your service directory like this:
<pre>
#!/bin/sh

exec 2>&1
# -n: do not fork (the supervisor keeps the process in the foreground)
# -u: user the application runs as; -U: owner of the socket, i.e. the webserver user
exec /usr/bin/spawn-fcgi -n -s /var/run/lighttpd/yourphpsocketname.sock -u fastcgi-user -U webserver-user -- /usr/bin/php5-cgi
</pre>

For debugging purposes you can of course start your FastCGI application from your shell like this (you must be root for this, as only root can change the user and the socket owner):
<pre>
/usr/bin/spawn-fcgi -n -s /var/run/lighttpd/yourphpsocketname.sock -u fastcgi-user -U webserver-user -- /usr/bin/php5-cgi
</pre>

Without -U (this is how the previous revision of this page did it), the same can be done with a wrapper script "./php" that chowns the socket and then drops privileges itself (needs setuidgid from daemontools):
<pre>
#!/bin/sh

# chown socket so webserver can access it
chown www-data:www-data /var/run/lighttpd/yourphpsocketname.sock
# change user for target application
exec setuidgid yourphpuser /usr/bin/php5-cgi
</pre>

Started from your shell as root (only root will be able to chown/setuidgid), spawn-fcgi runs the wrapper via -f like this:
<pre>
/usr/sbin/spawn-fcgi -f ./php -s /var/run/lighttpd/yourphpsocketname.sock -n
</pre>

 With daemontools/runit you could use this "./run" script: 
 <pre> 
 #!/bin/sh 

 exec 2>&1 
 # do not change user here, as we need to be root to chown the socket! 
 exec /usr/sbin/spawn-fcgi -f./php -s /var/run/lighttpd/yourphpsocketname.sock -n 
 </pre>
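As an added example (not part of the spawn-fcgi wiki), a POSIX shell check that the socket spawn-fcgi created is actually reachable by the webserver user and not by everyone else; the user names are constructed, and the stat -c format assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not part of the spawn-fcgi wiki: after spawn-fcgi has created
# the socket, verify that the webserver can reach it and that nobody else can.

# Pure check on owner, group and octal mode (as printed by "stat -c %a").
# Returns 0 if the webserver user owns the socket, or its group has rw access,
# and "everyone else" has neither read nor write permission.
socket_perms_ok() {
  owner=$1; group=$2; mode=$3; ws_user=$4; ws_group=$5
  other=$(( 0$mode & 07 ))          # low 3 bits: permissions for everyone else
  if [ $(( other & 06 )) -ne 0 ]; then
    echo "socket is readable/writable by everyone (mode $mode)"
    return 1
  fi
  if [ "$owner" = "$ws_user" ]; then
    return 0
  fi
  if [ "$group" = "$ws_group" ] && [ $(( (0$mode >> 3) & 06 )) -eq 6 ]; then
    return 0
  fi
  echo "socket is owned by $owner:$group, webserver user $ws_user cannot connect"
  return 1
}

# Wrapper for a real socket path; assumes GNU stat (Linux).
check_fcgi_socket() {
  sock=$1; ws_user=$2; ws_group=${3:-$2}
  [ -S "$sock" ] || { echo "$sock is not a unix socket"; return 1; }
  set -- $(stat -c '%U %G %a' "$sock")
  socket_perms_ok "$1" "$2" "$3" "$ws_user" "$ws_group"
}

# Demo on constructed values: a socket created by "spawn-fcgi -u fastcgi-user"
# without -U is owned by fastcgi-user, so the webserver (www-data) cannot connect;
# with -U www-data (or the chown in the wrapper script) the check passes.
for owner in fastcgi-user www-data; do
  if socket_perms_ok "$owner" fastcgi-user 660 www-data www-data; then
    echo "owner $owner: ok"
  fi
done
```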