@seblu seblu commented Aug 2, 2013

No description provided.

@kaihendry

The current https://github.com/gnosek/fcgiwrap/blob/master/systemd/fcgiwrap.service#L6 does not work on an Archlinux system. I spent HOURS over nginx 403 Forbidden errors. Eventually I came up with: http://ix.io/7kP

And to my surprise I found a service file in the Arch packaging that isn't utilised: https://projects.archlinux.org/svntogit/community.git/tree/trunk/fcgiwrap.service?h=packages/fcgiwrap

I don't know who to blame, though I guess I will report a bug on Archlinux now too.

@falconindy
Contributor

> does not work on an Archlinux system.

I disagree. http://code.falconindy.com is using the upstream fcgiwrap.service and fcgiwrap.socket without any problems. You'll need to be more specific than "does not work."

Being the original author of these units and someone who's reliant on them, I strongly oppose simply deleting the old units as it will break existing setups.

@kaihendry

I get "502 Bad Gateway" with your default http://ix.io/7kQ

However if I use my own spawn-fcgi invocation, it works: http://ix.io/7kP

My nginx.conf is http://sprunge.us/hEZT

Any ideas how to debug this?

@kaihendry

OK, never mind @falconindy, your service file does seem to work after all.
http://ix.io/7x8

I'm using it upon http://cam.hackerspace.sg/

Thanks for your time,

@seblu
Author

seblu commented Feb 27, 2014

Any chance to have this merged?

The old file can easily be moved to the new one by a systemctl enable fcgiwrap@http.socket.

If upstream still wants to maintain Arch-specific files, I can push a new version which doesn't touch the old files.

@seblu
Author

seblu commented Oct 27, 2014

Any progress on this?

@kaihendry

@seblu I'm not sure what the benefit is for folks to use non-http user convention? It's bad enough that it's different from Debian's www-data and dealing with all the annoying perms.

Makefile.in Outdated
Contributor

Shouldn't this be $(SED) when using AC_PROG_SED?

@Lekensteyn
Contributor

@kaihendry Privilege separation, defence in depth? The web user has no rights to read "private" git dirs of cgit for example?

@gnosek
Owner

gnosek commented Apr 19, 2015

Looks good to me, please apply @Lekensteyn's suggestions and I'll (finally!) merge it.

seblu added 2 commits April 20, 2015 00:18
Instead of having a socket for a static and predefined user http, this
patch allows you to easily set up multiple sockets with your needed users.

This is particularly useful when you want to have a socket for a dedicated user.

You can create an http socket (in /run/fcgiwrap-http.sock) with:
$ systemctl enable fcgiwrap@http.socket

and if you need a socket for munin (in /run/fcgiwrap-munin.sock):
$ systemctl enable fcgiwrap@munin.socket
@seblu
Author

seblu commented Apr 19, 2015

Suggestions applied. Should be ok.

@Lekensteyn
Contributor

LGTM for user-specific fcgiwraps (personally I use -p to further restrict executable programs, introduced by 3a94c23)

@petercolberg

petercolberg commented Aug 7, 2016

@seblu to improve upon this pull request, could you apply the following changes?

Group socket files in a subdirectory, and make them accessible by the httpd user/group only:

# fcgiwrap@.socket
[Socket]
ListenStream=/run/fcgiwrap/%I.socket
SocketUser=@socketuser@
SocketGroup=@socketgroup@
SocketMode=0660

Create the shared runtime directory at boot using tmpfiles.d:

# @tmpfilesdir@/fcgiwrap.conf
d /run/fcgiwrap 0550 @socketuser@ @socketgroup@ - -

Add configure options to set the httpd user/group:

# configure.ac
AC_ARG_WITH([socket-user],
        AC_HELP_STRING( [--with-socket-user=USER], [User for socket files (defaults to httpd)]),
        [socketuser=$withval], [socketuser=httpd])
AC_SUBST(socketuser)

AC_ARG_WITH([socket-group],
        AC_HELP_STRING( [--with-socket-group=GROUP], [Group for socket files (defaults to httpd)]),
        [socketgroup=$withval], [socketgroup=httpd])
AC_SUBST(socketgroup)
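
A check for the layout proposed in the comment above (directory 0550, sockets 0660, owned by the socket user and group), as an added example that is not part of the pull request or of fcgiwrap. The function name `audit_socket_dir` and the finding labels are made up for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not part of the pull request. Checks the layout suggested in
# the comment above: directory 0550, each socket 0660, both owned by the
# socket user/group. Needs GNU stat (Linux).
# Usage: sh audit.sh /run/fcgiwrap httpd httpd   (script name is arbitrary)

# audit_socket_dir DIR USER GROUP
# Prints one line per finding; returns 0 if the layout matches, 1 otherwise.
audit_socket_dir() {
    dir=$1 want_user=$2 want_group=$3 bad=0

    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }

    set -- $(stat -c '%a %U %G' "$dir")
    [ "$1" = 550 ] || { echo "DIRMODE $dir is $1, expected 550"; bad=1; }
    [ "$2:$3" = "$want_user:$want_group" ] ||
        { echo "DIROWNER $dir is $2:$3, expected $want_user:$want_group"; bad=1; }

    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue    # unmatched glob in an empty directory
        set -- $(stat -c '%a %U %G' "$entry")
        case $1 in
            660) ;;
            *[1-7]) echo "WORLD $entry mode $1 grants access to every local user"; bad=1 ;;
            *)   echo "MODE $entry is $1, expected 660"; bad=1 ;;
        esac
        [ "$2:$3" = "$want_user:$want_group" ] ||
            { echo "OWNER $entry is $2:$3, expected $want_user:$want_group"; bad=1; }
    done
    return "$bad"
}

if [ "$#" -eq 3 ]; then audit_socket_dir "$@"; fi
```

The check reads only mode and ownership, so it works the same on real sockets created by systemd and on any other file that ends up in the directory.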
