[ANN] Enhanced Gentoo ebuilds for nginx 0.6.31

Manlio Perillo manlio_perillo at libero.it
Wed May 14 12:39:52 MSD 2008


Grzegorz Nosek wrote:
> On Wed, May 14, 2008 at 12:05:29PM +0400, Igor Sysoev wrote:
>> On Wed, May 14, 2008 at 09:51:11AM +0200, Manlio Perillo wrote:
>>
>>> By the way, if someone is interested I'm starting to write a CGI module 
>>> (and, of course, in a very non orthodox way)!
>> How do you want to implement it? Forking entire worker it seems overkill
>> for me: you need to close all connections or use FD_CLOEXEC for every
>> socket/etc.
> 
> ... and possibly setuid/gid/etc. so the one to fork should probably be
> the master process, not a worker. 

This is not possible.

> Otherwise (running all CGI as the
> nginx user) it would be pretty limited.
> 

The solution, here, is having Nginx call seteuid/setegid instead of 
setuid/setgid in ngx_worker_process_init.

In this way the child process can call seteuid(0) to become root again, 
and then, finally, setuid(xxx) to become the effective user for the CGI.


The problem, of course, is that an external module can call seteuid(0) 
to become root, and this is not acceptable.


 > [...]



Manlio Perillo
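
The distinction this message turns on, as an added example (not part of the original post and not nginx code): after seteuid() the saved uid stays 0, so any code running in the process can call seteuid(0), whereas setuid() called as root changes all three ids. The function names and the sample uid 33 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE          /* for setgroups() and seteuid() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum drop_state { STATE_ROOT, STATE_TEMPORARY, STATE_PERMANENT };

/* Classify a (real, effective, saved) uid triple. With euid != 0 but a real
 * or saved uid of 0, seteuid(0) still succeeds: the drop is only temporary. */
enum drop_state classify_uids(uid_t ruid, uid_t euid, uid_t suid)
{
    if (euid == 0) return STATE_ROOT;
    return (ruid == 0 || suid == 0) ? STATE_TEMPORARY : STATE_PERMANENT;
}

/* Probe in a forked child, so the caller's ids never change:
 * returns 1 if seteuid(0) succeeds, 0 if it fails, -1 on fork/wait error. */
int can_regain_root(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(seteuid(0) == 0 ? 0 : 1);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0;
}

/* Permanent drop: groups first, then gid, then uid (the reverse order would
 * fail once the uid is gone), then verify that root cannot be regained. */
int drop_permanently(uid_t uid, gid_t gid)
{
    if (uid == 0) return -1;                       /* not a drop */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return can_regain_root() == 0 ? 0 : -1;
}

int main(void)
{
    /* constructed triples: uid 33 stands in for an unprivileged worker user */
    printf("seteuid-style worker: %d\n", classify_uids(0, 33, 0));
    printf("setuid-style worker:  %d\n", classify_uids(33, 33, 33));
    printf("this process can regain root: %d\n", can_regain_root());
    return 0;
}
```

drop_permanently() fails closed: if the process is in the temporary state and has not first returned to euid 0, setuid() either fails or leaves the saved uid at 0, and the final probe rejects the result.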