GNU bug report logs - #33966
fcgiwrap: additional options for logging and unix domain sockets


Package: guix-patches; Reported by: Florian Dold <florian.dold@HIDDEN>; Keywords: security; dated Thu, 3 Jan 2019 20:03:03 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.

Message received at 33966 <at> debbugs.gnu.org:


From: Arun Isaac <arunisaac@HIDDEN>
To: Florian Dold <florian.dold@HIDDEN>
Subject: Re: [bug#33966] fcgiwrap: additional options for logging and unix
 domain sockets
Date: Sat, 25 May 2019 13:27:21 +0530
Cc: 33966 <at> debbugs.gnu.org, Ludovic Courtès <ludo@HIDDEN>

> The configuration defaults are not ideal (a tcp socket with unrestricted
> access from any local user), but impossible to change without breaking
> existing system definitions.

I think it's ok to break existing system definitions when security is at
stake.





Information forwarded to guix-patches@HIDDEN:
bug#33966; Package guix-patches. Full text available.
Added tag(s) security. Request was from Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 33966 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Florian Dold <florian.dold@HIDDEN>
Subject: Re: [bug#33966] fcgiwrap: additional options for logging and unix
 domain sockets
Date: Wed, 09 Jan 2019 17:17:01 +0100
Cc: 33966 <at> debbugs.gnu.org

Hi Florian,

Florian Dold <florian.dold@HIDDEN> skribis:

> this patch adds additional options to the fcgiwrap service.  In
> particular it allows
>
> 1. writing the output of the fcgi process to a file (with the 'log-file'
> option)
>
> 2. arranging for a directory to be created so that the fcgiwrap process
> can create its listening socket without running into permission problems
> (with the 'ensure-socket-dir?' option)
>
> 3. adjusting the permissions on the listening unix domain socket,
> typically so that users in the fcgiwrap group have read and write access
> to that socket (with the 'adjusted-socket-permissions' option)
>
> Additionally, a potentially left-over fcgiwrap socket is cleaned up
> before starting the service, which would otherwise lead to the process
> refusing to run.
>
> The documentation is also changed to address a potential security issue,
> now recommending against running fcgiwrap as root.

Thanks for working on it!

> The configuration defaults are not ideal (a tcp socket with unrestricted
> access from any local user), but impossible to change without breaking
> existing system definitions.

Yeah.  Perhaps we could print a warning or something to encourage users
to switch?

Overall LGTM.  Some minor comments below:

> From 3ac9c6fa536faff23291b21d4e649b85386fedfc Mon Sep 17 00:00:00 2001
> From: Florian Dold <flo@HIDDEN>
> Date: Thu, 3 Jan 2019 14:22:49 +0100
> Subject: [PATCH] services: fcgiwrap: Implement additional options
>
> The fcgiwrap service now supports logging and can be run
> on a unix domain socket as unprivileged user.
>
> * doc/guix.texi (Web Services): Document new options and replace
> dangerous advice about running fcgiwrap as root.
> * gnu/services/web.scm: Add the options 'log-file',
> 'adjusted-socket-permissions' and 'ensure-socket-dir?'.

It’d be great if you could list the modified variables for web.scm;
otherwise I can do it for you.

>  (define-record-type* <fcgiwrap-configuration> fcgiwrap-configuration
>    make-fcgiwrap-configuration
>    fcgiwrap-configuration?
> -  (package       fcgiwrap-configuration-package ;<package>
> -                 (default fcgiwrap))
> -  (socket        fcgiwrap-configuration-socket
> -                 (default "tcp:127.0.0.1:9000"))
> -  (user          fcgiwrap-configuration-user
> -                 (default "fcgiwrap"))
> -  (group         fcgiwrap-configuration-group
> -                 (default "fcgiwrap")))
> +  (package fcgiwrap-configuration-package ;<package>
> +           (default fcgiwrap))
> +  (socket fcgiwrap-configuration-socket
> +          (default "tcp:127.0.0.1:9000"))
> +  (user fcgiwrap-configuration-user
> +        (default "fcgiwrap"))
> +  (group fcgiwrap-configuration-group
> +         (default "fcgiwrap"))
> +  (log-file fcgiwrap-log-file
> +            (default #f))
> +  ;; boolean or octal mode integer
> +  (adjusted-socket-permissions fcgiwrap-adjusted-socket-permissions?
> +                               (default #f))

Maybe just ‘socket-permissions’ and also leave out interpretation of #t
as #o666?

Also the accessor should then be ‘fcgiwrap-socket-permissions’.

> +  (ensure-socket-dir? fcgiwrap-ensure-socket-dir?
> +                      (default #f)))
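
Review bot: the three new accessors in this record ('fcgiwrap-log-file', 'fcgiwrap-adjusted-socket-permissions?' and 'fcgiwrap-ensure-socket-dir?') drop the 'fcgiwrap-configuration-' prefix that the four existing accessors use. Naming them 'fcgiwrap-configuration-log-file' and so on would keep the record consistent and make it clear at call sites that they take a configuration record.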

s/dir/directory/ please.  :-)

Also please remove tabs from the file.

Could you make sure “make check-system TESTS=cgit” still passes after
the change?

The rest LGTM.  Could you send an updated patch?

Thank you!

Ludo’.




Information forwarded to guix-patches@HIDDEN:
bug#33966; Package guix-patches. Full text available.

Message received at submit <at> debbugs.gnu.org:


To: guix-patches@HIDDEN
From: Florian Dold <florian.dold@HIDDEN>
Subject: fcgiwrap: additional options for logging and unix domain sockets
Date: Thu, 3 Jan 2019 21:02:38 +0100

Hi Guix,

this patch adds additional options to the fcgiwrap service.  In
particular it allows

1. writing the output of the fcgi process to a file (with the 'log-file'
option)

2. arranging for a directory to be created so that the fcgiwrap process
can create its listening socket without running into permission problems
(with the 'ensure-socket-dir?' option)

3. adjusting the permissions on the listening unix domain socket,
typically so that users in the fcgiwrap group have read and write access
to that socket (with the 'adjusted-socket-permissions' option)

Additionally, a potentially left-over fcgiwrap socket is cleaned up
before starting the service, which would otherwise lead to the process
refusing to run.

The documentation is also changed to address a potential security issue,
now recommending against running fcgiwrap as root.

The configuration defaults are not ideal (a tcp socket with unrestricted
access from any local user), but impossible to change without breaking
existing system definitions.

- Florian

From 3ac9c6fa536faff23291b21d4e649b85386fedfc Mon Sep 17 00:00:00 2001
From: Florian Dold <flo@HIDDEN>
Date: Thu, 3 Jan 2019 14:22:49 +0100
Subject: [PATCH] services: fcgiwrap: Implement additional options

The fcgiwrap service now supports logging and can be run
on a unix domain socket as unprivileged user.

* doc/guix.texi (Web Services): Document new options and replace
dangerous advice about running fcgiwrap as root.
* gnu/services/web.scm: Add the options 'log-file',
'adjusted-socket-permissions' and 'ensure-socket-dir?'.
---
 doc/guix.texi        |  26 +++++++---
 gnu/services/web.scm | 119 ++++++++++++++++++++++++++++++++++++-------
 2 files changed, 120 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index fcb5b8c08..608dd26ca 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17756,12 +17756,26 @@ The user and group names, as strings, under whi=
ch to run the
 the user asks for the specific user or group names @code{fcgiwrap} that
 the corresponding user and/or group is present on the system.
=20
-It is possible to configure a FastCGI-backed web service to pass HTTP
-authentication information from the front-end to the back-end, and to
-allow @code{fcgiwrap} to run the back-end process as a corresponding
-local user.  To enable this capability on the back-end., run
-@code{fcgiwrap} as the @code{root} user and group.  Note that this
-capability also has to be configured on the front-end as well.
+Note that whoever can write to the fcgiwrap socket is effectively able t=
o
+execute programs as the user/group running the fcgiwrap process.  It is =
thus
+strongly discouraged to run fcgiwrap as the @code{root} user or group.
+
+@item @code{log-file} (default: @code{#f})
+File where @command{fcgiwrap}'s output is written, or @code{#f} to not
+store the output.
+
+@item @code{adjusted-socket-permissions} (default: @code{#f})
+Only applies to @code{unix} sockets.  Adjusts the permissions of the soc=
ket
+after it has been created.  If set to an integer, it is interpreted as a=

+numeric file mode.  If set to @code{#t}, it is interpreted as mode @code=
{#o660}
+(read and write permissions for user and group).  If set to the default
+@code{#f}, no adjustments are made.
+
+@item @code{ensure-socket-dir?} (default: @code{#f})
+Only applies to @code{unix} sockets.  If set to @code{#t} and the direct=
ory
+component of the socket path in @code{socket} does not exist yet, the
+directory is created with ownership set to the user and group running th=
e
+fcgiwrap process.
 @end table
 @end deftp
=20
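
Review bot: the new warning that whoever can write to the socket can execute programs as the fcgiwrap user does not say what this means for the default socket, which is a TCP address (tcp:127.0.0.1:9000) where file permissions do not apply and any local user can connect. The text should say so explicitly and recommend a 'unix:' socket together with 'adjusted-socket-permissions', so that readers of the manual learn that the default is the exposed case. The 'adjusted-socket-permissions' entry should also show the mode written in octal (#o660), since "an integer" invites a decimal value.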
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index d71fed20e..a3d435489 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -39,6 +39,7 @@
   #:use-module (guix records)
   #:use-module (guix modules)
   #:use-module (guix gexp)
+  #:use-module (guix i18n)
   #:use-module ((guix store) #:select (text-file))
   #:use-module ((guix utils) #:select (version-major))
   #:use-module ((guix packages) #:select (package-version))
@@ -696,14 +697,21 @@ of index files."
 (define-record-type* <fcgiwrap-configuration> fcgiwrap-configuration
   make-fcgiwrap-configuration
   fcgiwrap-configuration?
-  (package       fcgiwrap-configuration-package ;<package>
-                 (default fcgiwrap))
-  (socket        fcgiwrap-configuration-socket
-                 (default "tcp:127.0.0.1:9000"))
-  (user          fcgiwrap-configuration-user
-                 (default "fcgiwrap"))
-  (group         fcgiwrap-configuration-group
-                 (default "fcgiwrap")))
+  (package fcgiwrap-configuration-package ;<package>
+           (default fcgiwrap))
+  (socket fcgiwrap-configuration-socket
+          (default "tcp:127.0.0.1:9000"))
+  (user fcgiwrap-configuration-user
+        (default "fcgiwrap"))
+  (group fcgiwrap-configuration-group
+         (default "fcgiwrap"))
+  (log-file fcgiwrap-log-file
+            (default #f))
+  ;; boolean or octal mode integer
+  (adjusted-socket-permissions fcgiwrap-adjusted-socket-permissions?
+                               (default #f))
+  (ensure-socket-dir? fcgiwrap-ensure-socket-dir?
+                      (default #f)))
=20
 (define fcgiwrap-accounts
   (match-lambda
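
Review bot: the 'adjusted-socket-permissions' field accepts "boolean or octal mode integer" but nothing checks the value, so a decimal 660 written instead of #o660 is passed to chmod unchanged and yields a different mode than intended. Validating the field when the configuration is consumed (an integer between #o000 and #o777, or a boolean) and rejecting anything else would catch this before the service starts. The accessor name also ends in '?' although the field is not a plain boolean.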
@@ -723,25 +731,98 @@ of index files."
                     (home-directory "/var/empty")
                     (shell (file-append shadow "/sbin/nologin")))))))))
=20
+(define (parse-fcgiwrap-socket s)
+  "Parse a fcgiwrap socket specification string into '(type args ...)"
+  (cond
+   ((string-prefix? "unix:" s)
+    (list 'unix (substring s 5)))
+   ((string-prefix? "tcp:" s)
+    (match (string-match "^tcp:([.0-9]+):([0-9]+)$" s)
+      ((? regexp-match? m)
+       (list
+        'tcp
+        (match:substring m 1)
+        (string->number (match:substring m 2))))
+      (_ (error "invalid tcp socket address"))))
+   ((string-prefix? "tcp6:" s)
+    (match (string-match "^tcp6:\\[(.*)\\]:([0-9]+)$" s)
+      ((? regexp-match? m)
+       (list
+        'tcp6
+        (match:substring m 1)
+        (string->number (match:substring m 2))))
+      (_ (error "invalid tcp6 socket address"))))
+   (else (error "unrecognized socket protocol"))))
+
 (define fcgiwrap-shepherd-service
   (match-lambda
-    (($ <fcgiwrap-configuration> package socket user group)
-     (list (shepherd-service
-            (provision '(fcgiwrap))
-            (documentation "Run the fcgiwrap daemon.")
-            (requirement '(networking))
-            (start #~(make-forkexec-constructor
-                      '(#$(file-append package "/sbin/fcgiwrap")
-			  "-s" #$socket)
-		      #:user #$user #:group #$group))
-            (stop #~(make-kill-destructor)))))))
+    (($ <fcgiwrap-configuration> package socket user group log-file perm=
 ensure-dir?)
+     (define parsed-socket (parse-fcgiwrap-socket socket))
+     (list
+      (shepherd-service
+       (provision '(fcgiwrap))
+       (documentation "Run the fcgiwrap daemon.")
+       (requirement '(networking))
+       (modules `((shepherd support) (ice-9 match) ,@%default-modules))
+       (start
+        #~(lambda args
+            (define (clean-up file)
+              (catch 'system-error
+                (lambda ()
+                  (delete-file file))
+                (lambda args
+                  (unless (=3D ENOENT (system-error-errno args))
+                    (apply throw args)))))
+            (define* (wait-for-file file #:key (max-delay 5))
+              (define start (current-time))
+              (let loop ()
+                (cond
+                 ((file-exists? file) #t)
+                 ((< (current-time) (+ start max-delay))
+                  (sleep 1)
+                  (loop))
+                 (else #f))))
+            (define (adjust-permissions file mode)
+              (match mode
+                (#t (chmod file #o660))
+                (n (chmod file n))
+                (#f 0)))
+            (define (ensure-socket-dir dir user group)
+              (unless (file-exists? dir)
+                (mkdir dir) ; FIXME: use mkdir-p instead?
+                (let ((uid (passwd:uid (getpwnam user)))
+                      (gid (group:gid (getgrnam group))))
+                  (chown dir uid gid))))
+            (define start-fcgiwrap
+              (make-forkexec-constructor
+               '(#$(file-append package "/sbin/fcgiwrap")
+                   "-s" #$socket)
+               #:user #$user
+               #:group #$group
+               #:log-file #$log-file))
+            (match '#$parsed-socket
+              (('unix path)
+               ;; Clean up socket, otherwise fcgiwrap might not start pr=
operly.
+               (clean-up path)
+               (when #$ensure-dir?
+                 (ensure-socket-dir (dirname path) #$user #$group))
+               (let ((pid (start-fcgiwrap))
+		     (socket-exists? (wait-for-file path)))
+		 (if socket-exists?
+		     (adjust-permissions path #$perm)
+		     (local-output
+		       #$(G_ "fcgiwrap: warning: waiting for socket ~s failed")
+		       path))
+		 pid))
+              (_ (start-fcgiwrap)))))
+       (stop #~(make-kill-destructor)))))))
=20
 (define fcgiwrap-service-type
   (service-type (name 'fcgiwrap)
                 (extensions
                  (list (service-extension shepherd-root-service-type
                                           fcgiwrap-shepherd-service)
-		       (service-extension account-service-type
+                       (service-extension account-service-type
                                           fcgiwrap-accounts)))
                 (default-value (fcgiwrap-configuration))))
=20
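
Review bot: in 'adjust-permissions' the '(#f 0)' clause is unreachable, because the preceding pattern 'n' is a variable that matches any value; with the default of #f the call becomes (chmod file #f), so starting the service fails for every unix socket that does not set the option. Move the '#f' clause above 'n', or match with '(? integer? n)'. Separately, the mode is only adjusted after fcgiwrap has created the socket and 'wait-for-file' has polled for it, so until then the socket carries whatever mode the process umask produced; when 'ensure-socket-dir?' is set, giving 'mkdir' an explicit restrictive mode on the directory would cover that interval.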
--=20
2.20.1
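
An added example, not part of the patch or of Guix: a Python check that reports who can reach a socket given in the three forms the patch's 'parse-fcgiwrap-socket' accepts (unix:PATH, tcp:ADDR:PORT, tcp6:[ADDR]:PORT). The finding names and the sample sockets built in demo() are assumptions made for illustration.

```python
import ipaddress
import os
import re
import socket
import stat
import tempfile


def parse_socket_spec(spec):
    """Split 'unix:PATH', 'tcp:ADDR:PORT' or 'tcp6:[ADDR]:PORT' into a tuple."""
    if spec.startswith("unix:"):
        return ("unix", spec[5:])
    m = re.fullmatch(r"tcp:([.0-9]+):([0-9]+)", spec)
    if m:
        return ("tcp", m.group(1), int(m.group(2)))
    m = re.fullmatch(r"tcp6:\[(.*)\]:([0-9]+)", spec)
    if m:
        return ("tcp6", m.group(1), int(m.group(2)))
    raise ValueError("unrecognized socket specification: %r" % spec)


def audit_socket(spec):
    """Return finding codes (hypothetical names) describing socket exposure."""
    kind, target = parse_socket_spec(spec)[:2]
    if kind in ("tcp", "tcp6"):
        # File modes do not apply to TCP: every local user can connect, and a
        # non-loopback address is reachable from the network as well.
        findings = ["tcp-any-local-user"]
        if not ipaddress.ip_address(target).is_loopback:
            findings.append("tcp-network-reachable")
        return findings
    try:
        st = os.lstat(target)      # lstat: report a symlink, do not follow it
    except FileNotFoundError:
        return ["unix-missing"]
    if not stat.S_ISSOCK(st.st_mode):
        return ["unix-not-a-socket"]
    findings = []
    # On Linux, connecting to a stream socket needs write permission on it.
    if st.st_mode & stat.S_IWOTH:
        findings.append("unix-world-writable")
    # A world-writable directory without the sticky bit lets other users
    # remove or replace the socket file.
    parent = os.stat(os.path.dirname(target) or ".")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("unix-dir-world-writable")
    return findings


def demo():
    """Audit constructed sample sockets: two unix modes and the TCP default."""
    results = {}
    with tempfile.TemporaryDirectory() as d:   # created with mode 0700
        path = os.path.join(d, "fcgiwrap.sock")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(path)
            for mode in (0o666, 0o660):
                os.chmod(path, mode)
                results[oct(mode)] = audit_socket("unix:" + path)
        finally:
            srv.close()
    results["default"] = audit_socket("tcp:127.0.0.1:9000")
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "no findings")
```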






Acknowledgement sent to Florian Dold <florian.dold@HIDDEN>:
New bug report received and forwarded. Copy sent to guix-patches@HIDDEN. Full text available.
Report forwarded to guix-patches@HIDDEN:
bug#33966; Package guix-patches. Full text available.
Last modified: Mon, 25 Nov 2019 12:00:02 UTC
