[PATH] -g option for httpd and default user

Denis Vlasenko vda.linux at googlemail.com
Tue Oct 3 20:31:37 UTC 2006


On Tuesday 03 October 2006 15:58, Luciano Miguel Ferreira Rocha wrote:
> On Mon, Oct 02, 2006 at 09:38:14PM +0200, Denis Vlasenko wrote:
> > On Monday 25 September 2006 19:58, Luciano Miguel Ferreira Rocha wrote:
> > > 
> > > Hello,
> > > 
> > > The attached patch changes httpd in the following ways when
> > > CONFIG_FEATURE_HTTPD_SETUID is set:
> > > 
> > > 1. -u now also sets the group id (from pwent->pw_gid, if found, else
> > >    same as uid)
> > 
> > Same as uid? Rationale?
> 
> Because current usage only sets uid, which I feel is broken. I expected
> it to set gid as well, and was surprised when my CGIs couldn't write to
> a directory w/ gid the one I specified with -u. Thus, this patch.
> 
> > > 2. new -g option, defining new group id
> > > 3. setgid and setuid are always called, even in the absence of -u/-g,
> > >    and a new option for defining the default was added. Default is "-1".
> > 
> > Why are they always called? What if I want to run httpd under
> > current user/group?
> 
> Well, if your current user is root, I doubt it, but you can specify it.
> Defaulting to nobody (er, -1) is better, IMHO.
> 
> If you're not root, the calls will have no effect on the process's ids.
> 
> > More general question: why does httpd need -u AT ALL?
> > Should we add similar options to all other daemons now?
> 
> I didn't add it, I changed its behaviour.
> 
> > Obviously not, setuidgid utility handles that just fine:
> > 
> > setuidgid apache httpd -opt
> 
> I can't find a setuidgid applet on busybox-1.2.1.
> 
> > Or chpst from runit... (/me needs to merge that...)

It exists in svn. It was in the first drop of runit code.

Now you can start *any* applet under different user:

setuidgid www httpd ...

--
vda
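
Added example, not part of the original message and not BusyBox code: a minimal setuidgid-style wrapper showing the uid/gid resolution described in item 1 of the patch and the order in which the ids are dropped before exec. The names resolve_ids and drop_privs are hypothetical, and rejecting "-1" as a numeric id is a choice made for this example.

```c
#define _DEFAULT_SOURCE         /* for setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>

/* Resolve a -u style argument: use the passwd entry (uid and pw_gid) if the
 * name is known, else accept a plain number and set gid to the same value. */
int resolve_ids(const char *user, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(user);
    char *end;
    unsigned long n;
    if (pw) {
        *uid = pw->pw_uid; *gid = pw->pw_gid;
        return 0;
    }
    n = strtoul(user, &end, 10);
    if (*user < '0' || *user > '9' || *end != '\0' || n >= (uid_t)-1)
        return -1;              /* not a known name, not a valid number */
    *uid = (uid_t)n; *gid = (gid_t)n;
    return 0;
}

/* Order matters: supplementary groups and gid first, uid last, because
 * after setuid() the process can no longer change its groups. */
int drop_privs(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;              /* replace root's supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;              /* verify the ids actually changed */
    if (uid != 0 && setuid(0) == 0)
        return -1;              /* root must not be recoverable */
    return 0;
}

int main(int argc, char **argv)
{
    uid_t uid; gid_t gid;
    if (argc < 3 || resolve_ids(argv[1], &uid, &gid) || drop_privs(uid, gid))
        return 1;               /* bad usage, unknown user, or drop failed */
    execvp(argv[2], argv + 2);
    return 1;                   /* exec failed */
}
```

Setting only the uid, as the thread describes for the old -u behaviour, leaves the process with root's gid and supplementary groups, which is why the group calls come first here.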
