[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#38438: Fcgiwrap service has no supplementary groups
|
From: |
pelzflorian (Florian Pelz) |
|
Subject: |
bug#38438: Fcgiwrap service has no supplementary groups |
|
Date: |
Sat, 30 Nov 2019 19:49:24 +0100 |
Fcgiwrap should be started with the supplementary groups of its user.
Shepherd’s make-forkexec-constructor does not currently appear to
support this.
Upstream fcgiwrap ships with a systemd service with the User= setting.
Systemd confers this user’s supplementary groups by default:
<https://www.freedesktop.org/software/systemd/man/systemd.exec.html>:
> If the User= setting is used the supplementary group list is
> initialized from the specified user's default group list, as defined
> in the system's user and group database. Additional groups may be
> configured through the SupplementaryGroups= setting (see below).
Not starting with supplementary groups sometimes causes problems.
Namely the Guix manual claims for Gitolite’s umask:
> A value like ‘#o0027’ will give read access to the group used
> by Gitolite (by default: ‘git’). This is necessary when using
> Gitolite with software like cgit or gitweb.
But this does not work because giving a supplementary group git to the
fcgiwrap user does not confer the supplementary group git to fcgiwrap.
This is visible when looking at the fcgiwrap process in
`ps -eo pid,supgrp,args`. It is also visible by configuring nginx to
fastcgi_param SCRIPT_FILENAME /test/test.sh;
and making test.sh a script that prints "Content-Type: text/plain\n\n"
followed by the output of the id command.
Regards,
Florian
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- bug#38438: Fcgiwrap service has no supplementary groups,
pelzflorian (Florian Pelz) <=