@lhw
Last active September 21, 2015 14:06
Patch for fcgiwrap in Debian to allow file-owner-based execution
commit 58513c0528a991c0ba0be17adb0fb26407a66742
Author: Lennart Weller <[email protected]>
Date: Thu May 21 13:27:54 2015 +0000
userswitch
--- a/fcgiwrap.c
+++ b/fcgiwrap.c
@@ -61,6 +61,9 @@
static const char **allowed_programs;
static size_t allowed_programs_count;
+static size_t min_uid = 0;
+static size_t min_gid = 0;
+
static const char * blacklisted_env_vars[] = {
"AUTH_TYPE",
"CONTENT_LENGTH",
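Review bot: `min_uid` and `min_gid` are declared as `size_t` but are only ever compared against `st_uid`/`st_gid` later in the patch, which are `uid_t`/`gid_t`; `static uid_t min_uid = 0;` and `static gid_t min_gid = 0;` keep the comparison within one type and say what the values are. A short comment here would also help, since the comparison is strict: `/* A script is only run as its owner when that owner's uid and gid are both above these thresholds; 0 means root-owned scripts never qualify. */`.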
@@ -522,6 +525,7 @@
char *filename;
char *last_slash;
pid_t pid;
+ struct stat fileinfo;
struct fcgi_context fc;
@@ -553,6 +557,7 @@
filename = get_cgi_filename();
inherit_environment();
+
if (!filename)
cgi_error("403 Forbidden", "Cannot get script name, are DOCUMENT_ROOT and SCRIPT_NAME (or SCRIPT_FILENAME) set and is the script executable?", NULL);
@@ -568,6 +573,13 @@
cgi_error("403 Forbidden", "Cannot chdir to script directory", filename);
*last_slash = '/';
+
+ stat(filename, &fileinfo);
+ if (fileinfo.st_uid > min_uid && fileinfo.st_gid > min_gid) {
+ if (setgid(fileinfo.st_gid) > 0) cgi_error ("403 Forbidden", "Could not switch gid", NULL);
+ if (setuid(fileinfo.st_uid) > 0) cgi_error ("403 Forbidden", "Could not switch uid", NULL);
+ }
execl(filename, filename, (void *)NULL);
cgi_error("502 Bad Gateway", "Cannot execute script", filename);
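Review bot: The `> 0` tests on the setgid() and setuid() lines never fire, because both calls return -1 on failure, so a failed switch is ignored and the script is exec'd with the daemon's own credentials (root, per the service file in this patch); the same happens when stat() fails, since its result is unchecked and `fileinfo` is then read uninitialized, and when the owner is not above both thresholds, since the `&&` branch simply falls through to execl. If the intent is that a script never runs as the daemon's user, each of these should fail closed, and supplementary groups should be dropped before setgid(), roughly as below (setgroups() needs `<grp.h>`; this relies on cgi_error() not returning, as the surrounding code already does). The stat()-by-path followed by execl()-by-path also leaves a window in which the file can be replaced between the two calls; an open()/fstat()/fexecve() sequence on one descriptor would close it. The enclosing function starts and ends outside the hunk.
```c
*last_slash = '/';

if (stat(filename, &fileinfo) != 0)
    cgi_error("403 Forbidden", "Cannot stat script", filename);
if (fileinfo.st_uid <= min_uid || fileinfo.st_gid <= min_gid)
    cgi_error("403 Forbidden", "Script owner is not above the minimum uid/gid", filename);
if (setgroups(0, NULL) != 0 || setgid(fileinfo.st_gid) != 0 || setuid(fileinfo.st_uid) != 0)
    cgi_error("403 Forbidden", "Could not switch to script owner", filename);
execl(filename, filename, (void *)NULL);
```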
@@ -778,7 +790,7 @@
char *socket_url = NULL;
int c;
- while ((c = getopt(argc, argv, "c:hfs:p:")) != -1) {
+ while ((c = getopt(argc, argv, "c:hfs:g:u:")) != -1) {
switch (c) {
case 'f':
stderr_to_fastcgi++;
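Review bot: The new optstring `"c:hfs:g:u:"` drops `p:`, so `-p` now lands in the `'?'` branch as an unknown option even though its `case 'p'` handler, its help line and the `optopt == 'p'` check are all still in place; it should read `"c:hfs:p:g:u:"`. Since `-p` is the existing allow-list of scripts fcgiwrap may execute, losing it silently weakens a deployment that relied on it. The enclosing function (presumably main) starts and ends outside the hunk.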
@@ -790,6 +802,8 @@
" -f\t\t\tSend CGI's stderr over FastCGI\n"
" -c <number>\t\tNumber of processes to prefork\n"
" -s <socket_url>\tSocket to bind to (say -s help for help)\n"
+ " -g <gid>\t\tMinimum GID for spawned CGI\n"
+ " -u <uid>\t\t Minimum UID for spawned CGI\n"
" -h\t\t\tShow this help message and exit\n"
" -p <path>\t\tRestrict execution to this script. (repeated options will be merged)\n"
"\nReport bugs to Grzegorz Nosek <"PACKAGE_BUGREPORT">.\n"
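Review bot: The `-u` help line has a stray space after its tabs (`\t\t Minimum`) that misaligns its description against the `-g` line; `" -u <uid>\t\tMinimum UID for spawned CGI\n"`. It is also worth saying in both lines that the script owner must be above the given value and that the switch only happens when fcgiwrap runs with the privilege to change uid/gid, since this help text is the only documentation of the two options.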
@@ -809,6 +823,12 @@
abort();
allowed_programs[allowed_programs_count++] = strdup(optarg);
break;
+ case 'g':
+ min_gid = atoi(optarg);
+ break;
+ case 'u':
+ min_uid = atoi(optarg);
+ break;
case '?':
if (optopt == 'c' || optopt == 's' || optopt == 'p')
fprintf(stderr, "Option -%c requires an argument.\n", optopt);
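Review bot: `atoi(optarg)` in the new `'g'` and `'u'` cases accepts any text (`-u abc` silently yields 0, which disables the threshold) and a negative value is converted to a huge `size_t`, so bad input changes who scripts run as without any diagnostic; strtoul() with an end-pointer check rejects such input, as below. The `'?'` branch on the last line also still lists only `c`, `s` and `p`, so `-g` or `-u` without an argument gets the generic message; extend it with `|| optopt == 'g' || optopt == 'u'`. The `end` pointer has to be declared with the function's other locals, which are outside the hunk.
```c
char *end; /* declare alongside the other locals at the top of the function */
// … unchanged: earlier cases …
case 'g':
    errno = 0;
    min_gid = strtoul(optarg, &end, 10);
    if (end == optarg || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, "Option -g requires a non-negative integer.\n");
        exit(1);
    }
    break;
case 'u':
    errno = 0;
    min_uid = strtoul(optarg, &end, 10);
    if (end == optarg || *end != '\0' || errno == ERANGE) {
        fprintf(stderr, "Option -u requires a non-negative integer.\n");
        exit(1);
    }
    break;
case '?':
    if (optopt == 'c' || optopt == 's' || optopt == 'p' || optopt == 'g' || optopt == 'u')
```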
--- a/systemd/fcgiwrap.service
+++ b/systemd/fcgiwrap.service
@@ -4,9 +4,9 @@
Requires=fcgiwrap.socket
[Service]
-ExecStart=/usr/sbin/fcgiwrap
-User=www-data
-Group=www-data
+ExecStart=/usr/sbin/fcgiwrap -u 1000 -g 1000
+User=root
+Group=root
[Install]
Also=fcgiwrap.socket
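Review bot: With the C side comparing `st_uid > min_uid`, the `-u 1000 -g 1000` here excludes a script owned by uid/gid 1000 itself, and as the patch stands such a script (like any root-owned one) is then exec'd as root, which `User=root` now permits; if 1000 is meant to be the lowest allowed owner this wants `-u 999 -g 999`, or a `>=` comparison on the C side. Since the daemon now starts as root only to call setgid()/setuid() per script, adding `CapabilityBoundingSet=CAP_SETUID CAP_SETGID` under `[Service]` would limit what a worker retains before the switch. A one-line comment above `User=root` stating why root is required would help the next maintainer.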