Grzegorz Nosek wrote:
> On Wed, May 14, 2008 at 12:05:29PM +0400, Igor Sysoev wrote:
>> On Wed, May 14, 2008 at 09:51:11AM +0200, Manlio Perillo wrote:
>>> By the way, if someone is interested I'm starting to write a CGI module
>>> (and, of course, in a very non-orthodox way)!
>> How do you want to implement it? Forking the entire worker seems overkill
>> to me: you need to close all connections or use FD_CLOEXEC for every
>> socket/etc.
> ... and possibly setuid/gid/etc. so the one to fork should probably be
> the master process, not a worker.

This is not possible.

> Otherwise (running all CGI as the
> nginx user) it would be pretty limited.

The solution, here, is having Nginx call seteuid/setegid instead of
setuid/setgid in ngx_worker_process_init.
In this way the child process can call seteuid(0) to become root again,
and then, finally, setuid(xxx) to become the effective user for the CGI.
The problem, of course, is that an external module can call seteuid(0)
to become root, and this is not acceptable.
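
The trade-off described in this message, as an added example (not code from the thread or from nginx): a simplified model of the POSIX real/effective/saved user ID rules, assuming "privileged" means effective uid 0. The struct, the function names and the uids 33 and 1000 are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <sys/types.h>

/* Credential triple of a process: real, effective and saved set-user-ID. */
struct creds { uid_t ruid, euid, suid; };
enum drop { DROP_SETEUID, DROP_SETUID };

/* seteuid(): changes only the effective uid. An unprivileged caller may
 * only pick its real or saved uid. */
static int model_seteuid(struct creds *c, uid_t uid) {
    if (c->euid != 0 && uid != c->ruid && uid != c->suid) return -1;
    c->euid = uid;
    return 0;
}

/* setuid(): a privileged caller sets all three ids (irreversible); an
 * unprivileged caller behaves like seteuid(). */
static int model_setuid(struct creds *c, uid_t uid) {
    if (c->euid == 0) { c->ruid = c->euid = c->suid = uid; return 0; }
    return model_seteuid(c, uid);
}

/* Can code running in a worker that dropped to `uid` become root again? */
int worker_can_regain_root(enum drop how, uid_t uid) {
    struct creds c = {0, 0, 0};            /* worker forked from root master */
    if (how == DROP_SETEUID) model_seteuid(&c, uid);
    else                     model_setuid(&c, uid);
    return model_seteuid(&c, 0) == 0;
}

/* CGI child path from the message: seteuid(0), then setuid(cgi_uid).
 * Returns 1 if the child ends up permanently running as cgi_uid. */
int cgi_child_drop_is_permanent(uid_t worker_uid, uid_t cgi_uid) {
    struct creds c = {0, 0, 0};
    model_seteuid(&c, worker_uid);         /* worker init with seteuid */
    if (model_seteuid(&c, 0) != 0) return 0;
    if (model_setuid(&c, cgi_uid) != 0) return 0;
    return model_seteuid(&c, 0) != 0 && c.ruid == cgi_uid && c.suid == cgi_uid;
}

int main(void) {
    printf("worker after seteuid(33) can regain root: %d\n",
           worker_can_regain_root(DROP_SETEUID, 33));
    printf("worker after setuid(33) can regain root:  %d\n",
           worker_can_regain_root(DROP_SETUID, 33));
    printf("CGI child drop to 1000 is permanent:      %d\n",
           cgi_child_drop_is_permanent(33, 1000));
    return 0;
}
```

With seteuid the saved set-user-ID stays 0, so every piece of code loaded into the worker keeps the ability the CGI child relies on; with setuid neither can switch user again.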