[PATH] -g option for httpd and default user
Denis Vlasenko
vda.linux at googlemail.com
Tue Oct 3 20:31:37 UTC 2006
On Tuesday 03 October 2006 15:58, Luciano Miguel Ferreira Rocha wrote:
> On Mon, Oct 02, 2006 at 09:38:14PM +0200, Denis Vlasenko wrote:
> > On Monday 25 September 2006 19:58, Luciano Miguel Ferreira Rocha wrote:
> > >
> > > Hello,
> > >
> > > The attached patch changes httpd in the following ways when
> > > CONFIG_FEATURE_HTTPD_SETUID is set:
> > >
> > > 1. -u now also sets the group id (from pwent->pw_gid, if found, else
> > > same as uid)
> >
> > Same as uid? Rationale?
>
> Because current usage only sets uid, which I feel is broken. I expected
> it to set gid as well, and was surprised when my CGIs couldn't write to
> a directory w/ gid the one I specified with -u. Thus, this patch.
>
> > > 2. new -g option, defining new group id
> > > 3. setgid and setuid are always called, even in the absence of -u/-g,
> > > and a new option for defining the default was added. Default is "-1".
> >
> > Why are they always called? What if I want to run httpd under
> > current user/group?
>
> Well, if your current user is root, I doubt it, but you can specify it.
> Defaulting to nobody (er, -1) is better, IMHO.
>
> If you're not root, the calls will have no effect on the process's ids.
>
> > More general question: why does httpd need -u AT ALL?
> > Should we add similar options to all other daemons now?
>
> I didn't add it, I changed its behaviour.
>
> > Obviously not, setuidgid utility handles that just fine:
> >
> > setuidgid apache httpd -opt
>
> I can't find a setuidgid applet on busybox-1.2.1.
>
> > Or chpst from runit... (/me needs to merge that...)
It exists in svn. It was in the first drop of runit code.
Now you can start *any* applet under different user:
setuidgid www httpd ...
--
vda
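
The -u/-g resolution rule and the setgid/setuid calls discussed in this thread, as an added C example; it is not the attached patch and not BusyBox code. The names parse_id, resolve_ids and drop_privileges are hypothetical, and clearing supplementary groups with setgroups() is an addition the thread does not mention.

```c
#define _DEFAULT_SOURCE            /* setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>

/* Parse a decimal id; rejects signs, trailing junk and the (uid_t)-1 sentinel. */
static int parse_id(const char *s, unsigned long *out)
{
    char *end;
    *out = strtoul(s, &end, 10);
    return (*s >= '0' && *s <= '9' && !*end && *out < 0xFFFFFFFFUL) ? 0 : -1;
}

/* -u/-g resolution as described in the thread: gid comes from -g if given,
 * else from the passwd entry's pw_gid, else it is the same number as the uid. */
int resolve_ids(const char *u_arg, const char *g_arg, uid_t *uid, gid_t *gid)
{
    unsigned long n;
    struct passwd *pw = u_arg ? getpwnam(u_arg) : NULL;
    if (pw) {
        *uid = pw->pw_uid;
        *gid = pw->pw_gid;
    } else if (u_arg && parse_id(u_arg, &n) == 0) {
        *uid = (uid_t)n;
        pw = getpwuid(*uid);
        *gid = pw ? pw->pw_gid : (gid_t)n;
    } else {
        return -1;
    }
    struct group *gr = g_arg ? getgrnam(g_arg) : NULL;
    if (gr) *gid = gr->gr_gid;
    else if (g_arg && parse_id(g_arg, &n) == 0) *gid = (gid_t)n;
    else if (g_arg) return -1;
    return 0;
}

/* Drop to uid:gid. Order matters: groups while still root, uid last. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* must not be reversible */
    return (getuid() == uid && getgid() == gid) ? 0 : -1;
}

int main(int argc, char **argv)
{
    uid_t u; gid_t g;
    if (argc < 2 || resolve_ids(argv[1], argc > 2 ? argv[2] : NULL, &u, &g)) return 2;
    return drop_privileges(u, g) ? 1 : 0;
}
```

Calling setuid() before setgid() would leave the process unable to change its group, which is why the return value of every call is checked and the final ids are verified.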