
Improve systemd units

Open seblu opened this issue 11 years ago • 12 comments

seblu avatar Aug 02 '13 01:08 seblu

The current https://github.com/gnosek/fcgiwrap/blob/master/systemd/fcgiwrap.service#L6 does not work on an Archlinux system. I spent HOURS over nginx 403 Forbidden errors. Eventually I came up with: http://ix.io/7kP

And to my surprise I found a service file in the Arch packaging that isn't utilised: https://projects.archlinux.org/svntogit/community.git/tree/trunk/fcgiwrap.service?h=packages/fcgiwrap

I don't know who to blame, though I guess I will report a bug on Archlinux now too.

kaihendry avatar Aug 16 '13 14:08 kaihendry

does not work on an Archlinux system.

I disagree. http://code.falconindy.com is using the upstream fcgiwrap.service and fcgiwrap.socket without any problems. You'll need to be more specific than "does not work."

Being the original author of these units and someone who's reliant on them, I strongly oppose simply deleting the old units as it will break existing setups.

falconindy avatar Aug 16 '13 15:08 falconindy

I get "502 Bad Gateway" with your default http://ix.io/7kQ

However if I use my own spawn-fcgi invocation, it works: http://ix.io/7kP

My nginx.conf is http://sprunge.us/hEZT

Any ideas how to debug this?

kaihendry avatar Aug 16 '13 15:08 kaihendry

Ok, never mind @falconindy, your service file does seem to work after all. http://ix.io/7x8

I'm using it upon http://cam.hackerspace.sg/

Thanks for your time,

kaihendry avatar Aug 24 '13 03:08 kaihendry

Any chance to have this merged?

The old file can easily be moved to the new one with a systemctl enable [email protected].

If upstream still wants to maintain Arch-specific files, I can push a new version which doesn't touch the old files.

seblu avatar Feb 27 '14 02:02 seblu

Any progress on this?

seblu avatar Oct 27 '14 19:10 seblu

@seblu I'm not sure what the benefit is for folks to use non-http user convention? It's bad enough that it's different from Debian's www-data and dealing with all the annoying perms.

kaihendry avatar Oct 30 '14 00:10 kaihendry

@kaihendry Privilege separation, defence in depth? The web user has no rights to read "private" git dirs of cgit for example?

Lekensteyn avatar Oct 30 '14 09:10 Lekensteyn

Looks good to me, please apply @Lekensteyn 's suggestions and I'll (finally!) merge it.

gnosek avatar Apr 19 '15 08:04 gnosek

Suggestions applied. Should be ok.

seblu avatar Apr 19 '15 22:04 seblu

LGTM for user-specific fcgiwraps (personally I use -p to further restrict executable programs, introduced by 3a94c23aed0f687940a0442d318359699e00015e)

Lekensteyn avatar May 01 '15 19:05 Lekensteyn

@seblu to improve upon this pull request, could you apply the following changes?

Group socket files in a subdirectory, and make them accessible by the httpd user/group only:

# fcgiwrap@.socket
[Socket]
ListenStream=/run/fcgiwrap/%I.socket
SocketUser=@socketuser@
SocketGroup=@socketgroup@
SocketMode=0660

Create the shared runtime directory at boot using tmpfiles.d:

# @tmpfilesdir@/fcgiwrap.conf
d /run/fcgiwrap 0550 @socketuser@ @socketgroup@ - -

Add configure options to set the httpd user/group:

# configure.ac
AC_ARG_WITH([socket-user],
        AC_HELP_STRING( [--with-socket-user=USER], [User for socket files (defaults to httpd)]),
        [socketuser=$withval], [socketuser=httpd])
AC_SUBST(socketuser)

AC_ARG_WITH([socket-group],
        AC_HELP_STRING( [--with-socket-group=GROUP], [Group for socket files (defaults to httpd)]),
        [socketgroup=$withval], [socketgroup=httpd])
AC_SUBST(socketgroup)

petercolberg avatar Aug 07 '16 21:08 petercolberg
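As an added illustration of the socket hardening proposed above (this is example code written for this write-up, not part of fcgiwrap or the pull request), the following POSIX shell script audits a systemd .socket unit for the properties the thread is after: the socket lives under /run/fcgiwrap/, SocketUser and SocketGroup are set, and SocketMode grants nothing to "other". The unit files it checks are constructed samples; the user and group name `http` are assumptions standing in for the @socketuser@/@socketgroup@ substitutions.

```shell
#!/bin/sh
# Added example, not from the fcgiwrap project: audit a systemd .socket unit
# for the per-user socket hardening discussed in the thread.

# unit_value FILE KEY: print the value of the first "KEY=" line in FILE,
# with surrounding whitespace trimmed (empty output when KEY is absent).
unit_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_socket_unit FILE: print findings; return 0 when hardened, 1 otherwise.
check_socket_unit() {
    file=$1
    rc=0
    path=$(unit_value "$file" ListenStream)
    user=$(unit_value "$file" SocketUser)
    group=$(unit_value "$file" SocketGroup)
    mode=$(unit_value "$file" SocketMode)

    # Sockets are expected inside the tmpfiles.d-managed directory.
    case "$path" in
        /run/fcgiwrap/*) ;;
        *) echo "$file: ListenStream '$path' is not under /run/fcgiwrap/"; rc=1 ;;
    esac

    [ -n "$user" ]  || { echo "$file: SocketUser not set"; rc=1; }
    [ -n "$group" ] || { echo "$file: SocketGroup not set"; rc=1; }

    # systemd's default SocketMode is 0666, i.e. world read/write.
    [ -n "$mode" ] || { echo "$file: SocketMode not set (defaults to 0666)"; rc=1; }

    # The last octal digit is the "other" class; any set bit is world access.
    case "$mode" in
        *[1-7]) echo "$file: SocketMode $mode grants world access"; rc=1 ;;
    esac
    return $rc
}

tmp=$(mktemp -d)

# Constructed sample: a per-user socket unit as proposed in the thread.
cat > "$tmp/good.socket" <<'EOF'
[Socket]
ListenStream=/run/fcgiwrap/alice.socket
SocketUser=http
SocketGroup=http
SocketMode=0660
EOF

# Constructed sample: a socket with systemd's defaults, reachable by anyone.
cat > "$tmp/bad.socket" <<'EOF'
[Socket]
ListenStream=/run/fcgiwrap.sock
EOF

# Run both checks without aborting the script on the expected failure.
for unit in "$tmp/good.socket" "$tmp/bad.socket"; do
    if check_socket_unit "$unit"; then
        echo "$unit: OK"
    else
        echo "$unit: NOT hardened"
    fi
done
```

On a live system the same function can be pointed at the installed unit (for example `/etc/systemd/system/fcgiwrap@<user>.socket`); it only reads the unit text, so it needs no privileges and does not touch the running socket.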