diff options
author | florian <florian@openbsd.org> | 2014-06-10 14:38:27 +0000 |
---|---|---|
committer | florian <florian@openbsd.org> | 2014-06-10 14:38:27 +0000 |
commit | a3b046bcb4d4141926eeeefaa1080c8457bd49b9 (patch) | |
tree | 0770101ea014ad3a4bf90aff755127cd487d41be /usr.sbin/slowcgi | |
parent | Cleanup socket creation. (diff) | |
download | wireguard-openbsd-a3b046bcb4d4141926eeeefaa1080c8457bd49b9.tar.xz wireguard-openbsd-a3b046bcb4d4141926eeeefaa1080c8457bd49b9.zip |
Implement -u (user to drop privs to) and -p flag (path to chroot to).
This allows to run slowcgi non-chrooted with -p /, requested by at
least ratchov@ and henning@.
Input by many, OK ratchov@ on a previous diff, "looks good" millert@,
man page bits tweak and OK schwarze@ (all some time ago); OK henning@
Diffstat (limited to 'usr.sbin/slowcgi')
-rw-r--r-- | usr.sbin/slowcgi/slowcgi.8 | 17 | ||||
-rw-r--r-- | usr.sbin/slowcgi/slowcgi.c | 41 |
2 files changed, 45 insertions, 13 deletions
diff --git a/usr.sbin/slowcgi/slowcgi.8 b/usr.sbin/slowcgi/slowcgi.8 index 9f1b4f99628..9d26af0f40c 100644 --- a/usr.sbin/slowcgi/slowcgi.8 +++ b/usr.sbin/slowcgi/slowcgi.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: slowcgi.8,v 1.8 2014/06/10 14:33:01 florian Exp $ +.\" $OpenBSD: slowcgi.8,v 1.9 2014/06/10 14:38:27 florian Exp $ .\" .\" Copyright (c) 2013 Florian Obser <florian@openbsd.org> .\" @@ -23,7 +23,9 @@ .Sh SYNOPSIS .Nm .Op Fl d +.Op Fl p Ar path .Op Fl s Ar socket +.Op Fl u Ar user .Sh DESCRIPTION .Nm is a server which implements the FastCGI Protocol to execute CGI scripts. @@ -65,9 +67,22 @@ Do not daemonize. If this option is specified, .Nm will run in the foreground and log to stderr. +.It Fl p Ar path +.Xr chroot 2 +to +.Ar path . +A +.Ar path +of +.Pa / +effectively disables the chroot. .It Fl s Ar socket Create and bind to alternative local socket at .Ar socket . +.It Fl u Ar user +Drop privileges to +.Ar user +instead of default user www. .El .\" .Sh SEE ALSO .Sh STANDARDS diff --git a/usr.sbin/slowcgi/slowcgi.c b/usr.sbin/slowcgi/slowcgi.c index 846c1b1e6f1..769df0361b5 100644 --- a/usr.sbin/slowcgi/slowcgi.c +++ b/usr.sbin/slowcgi/slowcgi.c @@ -1,4 +1,4 @@ -/* $OpenBSD: slowcgi.c,v 1.32 2014/06/10 14:33:01 florian Exp $ */ +/* $OpenBSD: slowcgi.c,v 1.33 2014/06/10 14:38:27 florian Exp $ */ /* * Copyright (c) 2013 David Gwynne <dlg@openbsd.org> * Copyright (c) 2013 Florian Obser <florian@openbsd.org> @@ -238,7 +238,8 @@ __dead void usage(void) { extern char *__progname; - fprintf(stderr, "usage: %s [-d] [-s socket]\n", __progname); + fprintf(stderr, "usage: %s [-d] [-p path] [-s socket] [-u user]\n", + __progname); exit(1); } @@ -255,6 +256,8 @@ main(int argc, char *argv[]) struct passwd *pw; struct stat sb; int c, fd; + const char *chrootpath = NULL; + const char *slowcgi_user = SLOWCGI_USER; /* * Ensure we have fds 0-2 open so that we have no fd overlaps @@ -273,14 +276,20 @@ main(int argc, char *argv[]) } } - while ((c = getopt(argc, argv, "ds:")) != -1) { + while ((c = getopt(argc, argv, "dp:s:u:")) != -1) { switch (c) { case 'd': debug = 1; break; + case 'p': + chrootpath = optarg; + break; case 's': fcgi_socket = optarg; break; + case 'u': + slowcgi_user = optarg; + break; default: usage(); /* NOTREACHED */ @@ -290,10 +299,6 @@ main(int argc, char *argv[]) if (geteuid() != 0) errx(1, "need root privileges"); - pw = getpwnam(SLOWCGI_USER); - if (pw == NULL) - err(1, "no %s user", SLOWCGI_USER); - if (!debug && daemon(1, 0) == -1) err(1, "daemon"); @@ -304,15 +309,27 @@ main(int argc, char *argv[]) event_init(); + pw = getpwnam(SLOWCGI_USER); + if (pw == NULL) + errx(1, "no %s user", SLOWCGI_USER); + slowcgi_listen(fcgi_socket, pw); - if (chroot(pw->pw_dir) == -1) - lerr(1, "chroot(%s)", pw->pw_dir); + lwarnx("slowcgi_user: %s", slowcgi_user); + pw = getpwnam(slowcgi_user); + if (pw == NULL) + errx(1, "no %s user", slowcgi_user); - if (chdir("/") == -1) - lerr(1, "chdir(%s)", pw->pw_dir); + if (chrootpath == NULL) + chrootpath = pw->pw_dir; - ldebug("chroot: %s", pw->pw_dir); + if (chroot(chrootpath) == -1) + lerr(1, "chroot(%s)", chrootpath); + + ldebug("chroot: %s", chrootpath); + + if (chdir("/") == -1) + lerr(1, "chdir(/)"); if (setgroups(1, &pw->pw_gid) || setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || |