[ANN] Enhanced Gentoo ebuilds for nginx 0.6.31

Grzegorz Nosek grzegorz.nosek at gmail.com
Wed May 14 12:47:28 MSD 2008

On Wed, May 14, 2008 at 10:39:52AM +0200, Manlio Perillo wrote:
> >... and possibly setuid/gid/etc. so the one to fork should probably be
> >the master process, not a worker. 
> This is not possible.

Well, you _could_ set up a bunch of pipes/sockets but it wouldn't be
pretty :)

> >Otherwise (running all CGI as the
> >nginx user) it would be pretty limited.
> >
> The solution, here, is having Nginx to call seteuid/setegid instead of 
> setuid/setgid in ngx_worker_process_init.
> In this way the child process can call seteuid(0) to become root again, 
> and then, finally, setuid(xxx) to become the effective user for the CGI.
> The problem, of course, is that an external module can call seteuid(0) 
> to become root, and this is not acceptable.

An external module can already do whatever it wishes in the master
process so this shouldn't be a big issue. However, this requires the
nginx master to run as root (which isn't the case now AFAIK, if you use
ports > 1024). Of course, forking the master process changes nothing

Best regards,
 Grzegorz Nosek

More information about the nginx mailing list