Improve systemd units #17

Open: wants to merge 2 commits into master

Conversation

@seblu seblu commented Aug 2, 2013

No description provided.

@kaihendry

The current https://github.com/gnosek/fcgiwrap/blob/master/systemd/fcgiwrap.service#L6 does not work on an Archlinux system. I spent HOURS over nginx 403 Forbidden errors. Eventually I came up with: http://ix.io/7kP

And to my surprise I found a service file in the Arch packaging that isn't utilised: https://projects.archlinux.org/svntogit/community.git/tree/trunk/fcgiwrap.service?h=packages/fcgiwrap

I don't know who to blame, though I guess I will report a bug on Archlinux now too.

@falconindy
Contributor

> does not work on a Archlinux system.

I disagree. http://code.falconindy.com is using the upstream fcgiwrap.service and fcgiwrap.socket without any problems. You'll need to be more specific than "does not work."

Being the original author of these units and someone who's reliant on them, I strongly oppose simply deleting the old units as it will break existing setups.

@kaihendry

I get "502 Bad Gateway" with your default http://ix.io/7kQ

However if I use my own spawn-fcgi invocation, it works: http://ix.io/7kP

My nginx.conf is http://sprunge.us/hEZT

Any ideas how to debug this?

@kaihendry

OK, never mind @falconindy, your service file does seem to work after all.
http://ix.io/7x8

I'm using it upon http://cam.hackerspace.sg/

Thanks for your time,

@seblu
Author

seblu commented Feb 27, 2014

Any chance to have this merged?

The old file can easily be moved to the new one with a `systemctl enable fcgiwrap@http.socket`.

If upstream still wants to maintain Arch-specific files, I can push a new version which doesn't touch the old files.

@seblu
Author

seblu commented Oct 27, 2014

Any progress on this?

@kaihendry

@seblu I'm not sure what the benefit is for folks to use a non-http user convention? It's bad enough that it's different from Debian's www-data and dealing with all the annoying perms.

@@ -21,9 +21,16 @@ CFLAGS = @AM_CFLAGS@

fcgiwrap: fcgiwrap.c

systemd/[email protected]: systemd/[email protected]
sed -e 's,[@]sbindir[@],@sbindir@,g' < $< > $@
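Review bot: the recipe in this hunk invokes `sed` directly; if configure.ac calls AC_PROG_SED, use `$(SED)` so the implementation configure detected is the one that runs on systems where plain `sed` is not GNU sed. Two smaller points on the same rule: the `,` delimiter in `s,[@]sbindir[@],@sbindir@,g` breaks if the configured sbindir ever contains a comma (`|` is a safer choice), and the generated unit under `systemd/` should be listed in CLEANFILES so that `make clean` and `make distcheck` remove it.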
Contributor


Shouldn't this be $(SED) when using AC_PROG_SED?

@Lekensteyn
Contributor

@kaihendry Privilege separation, defence in depth? The web user has no rights to read "private" git dirs of cgit for example?

@gnosek
Owner

gnosek commented Apr 19, 2015

Looks good to me, please apply @Lekensteyn 's suggestions and I'll (finally!) merge it.

seblu added 2 commits April 20, 2015 00:18
Instead of having a socket for a static and predefined user http, this
patch allows you to easily set up multiple sockets with the users you need.

This is particularly useful when you want a socket for a dedicated user.

You can create an http socket (in /run/fcgiwrap-http.sock) with:
$ systemctl enable fcgiwrap@http.socket

and if you need a socket for munin (in /run/fcgiwrap-munin.sock):
$ systemctl enable fcgiwrap@munin.socket
@seblu
Author

seblu commented Apr 19, 2015

Suggestions applied. Should be ok.

@Lekensteyn
Contributor

LGTM for user-specific fcgiwraps (personally I use -p to further restrict executable programs, introduced by 3a94c23)

@petercolberg

petercolberg commented Aug 7, 2016

@seblu to improve upon this pull request, could you apply the following changes?

Group socket files in a subdirectory, and make them accessible by the httpd user/group only:

# fcgiwrap@.socket
[Socket]
ListenStream=/run/fcgiwrap/%I.socket
SocketUser=@socketuser@
SocketGroup=@socketgroup@
SocketMode=0660

Create the shared runtime directory at boot using tmpfiles.d:

# @tmpfilesdir@/fcgiwrap.conf
d /run/fcgiwrap 0550 @socketuser@ @socketgroup@ - -

Add configure options to set the httpd user/group:

# configure.ac
AC_ARG_WITH([socket-user],
        AC_HELP_STRING( [--with-socket-user=USER], [User for socket files (defaults to httpd)]),
        [socketuser=$withval], [socketuser=httpd])
AC_SUBST(socketuser)

AC_ARG_WITH([socket-group],
        AC_HELP_STRING( [--with-socket-group=GROUP], [Group for socket files (defaults to httpd)]),
        [socketgroup=$withval], [socketgroup=httpd])
AC_SUBST(socketgroup)
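The layout proposed above (one socket per instance under /run/fcgiwrap/, owned by the httpd user/group, mode 0660, directory created by tmpfiles.d) is easy to get subtly wrong, and the systemd default of SocketMode=0666 means a unit that simply omits the key is world-accessible. The following is an added example, not code from the fcgiwrap project: a small Python audit that parses the [Section]/Key=Value subset of unit syntax that .socket files use, expands the %I specifier the way a template such as fcgiwrap@.socket does, and reports the points a reviewer would check. It assumes httpd as the configure default for @socketuser@/@socketgroup@; both unit texts and the tmpfiles.d lines are constructed for the example.

```python
"""Audit fcgiwrap-style systemd socket units (added example, not project code).

Parses the [Section]/Key=Value subset used by .socket files, expands %I for a
template instance, and checks the points raised in the thread: a per-instance
path under /run/fcgiwrap/, an explicit owner/group (httpd assumed as the
configure default) and a mode that grants nothing to "other".
"""
import re

# Constructed: a single-user socket in the style of the original unit, with
# the systemd default mode written out explicitly.
WEAK_UNIT = """\
[Unit]
Description=Simple CGI Server

[Socket]
ListenStream=/run/fcgiwrap.sock
SocketMode=0666

[Install]
WantedBy=sockets.target
"""

# Constructed: the template proposed in the thread, after configure has
# substituted @socketuser@ / @socketgroup@ with the assumed default httpd.
HARDENED_TEMPLATE = """\
[Unit]
Description=Simple CGI Server for %I

[Socket]
ListenStream=/run/fcgiwrap/%I.socket
SocketUser=httpd
SocketGroup=httpd
SocketMode=0660

[Install]
WantedBy=sockets.target
"""


def parse_unit(text):
    """Return {section: {key: value}} for the unit-file subset used here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError(f"malformed unit line: {raw!r}")
        current[key.strip()] = value.strip()
    return sections


def instantiate(template, instance):
    """Expand %I/%i for one instance (plain names only; no specifier escaping)."""
    return template.replace("%I", instance).replace("%i", instance)


def audit_socket(unit_text, user="httpd", group="httpd"):
    """Return the list of findings for a .socket unit; [] means it passes."""
    sock = parse_unit(unit_text).get("Socket", {})
    findings = []
    path = sock.get("ListenStream", "")
    if not path.startswith("/run/fcgiwrap/"):
        findings.append(f"ListenStream {path!r} is not under /run/fcgiwrap/")
    if sock.get("SocketUser") != user:
        findings.append(f"SocketUser is {sock.get('SocketUser')!r}, expected {user!r}")
    if sock.get("SocketGroup") != group:
        findings.append(f"SocketGroup is {sock.get('SocketGroup')!r}, expected {group!r}")
    # systemd's default SocketMode is 0666, so a missing key means world-accessible.
    mode = int(sock.get("SocketMode", "0666"), 8)
    if mode & 0o007:
        findings.append(f"SocketMode {mode:04o} grants access to 'other'")
    return findings


def audit_runtime_dir(tmpfiles_line, user="httpd", group="httpd"):
    """Check the tmpfiles.d 'd' entry that creates the socket directory."""
    fields = tmpfiles_line.split()
    if len(fields) < 5 or fields[0] != "d":
        return [f"not a directory entry: {tmpfiles_line!r}"]
    _, path, mode, owner, grp = fields[:5]
    findings = []
    if path != "/run/fcgiwrap":
        findings.append(f"directory {path!r} does not match the socket path prefix")
    if int(mode, 8) & 0o007:
        findings.append(f"directory mode {mode} grants access to 'other'")
    if (owner, grp) != (user, group):
        findings.append(f"directory owner {owner}:{grp} differs from {user}:{group}")
    return findings


if __name__ == "__main__":
    print("weak unit:", audit_socket(WEAK_UNIT))
    for name in ("http", "munin"):
        print(f"fcgiwrap@{name}.socket:", audit_socket(instantiate(HARDENED_TEMPLATE, name)) or "ok")
    print("tmpfiles:", audit_runtime_dir("d /run/fcgiwrap 0550 httpd httpd - -") or "ok")
```

Run against a real unit with `audit_socket(open("/etc/systemd/system/fcgiwrap@.socket").read())`; the user/group arguments let a Debian host pass www-data instead of the httpd default. The directory check deliberately insists on 0550 or tighter because the socket's own 0660 is only as good as the directory above it: a world-traversable /run/fcgiwrap would let any local account reach a socket whose directory entry it can name.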
