debian/0000755000000000000000000000000012261246174007173 5ustar debian/copyright0000644000000000000000000000330412261240553011121 0ustar This package was debianized by Jordi Mallach on Wed, 04 Mar 2009 19:02:38 +0100. It was downloaded from Upstream author: Grzegorz Nosek Copyright: Copyright © 2007, 2008, 2009, 2010 Grzegorz Nosek License: fcgiwrap is licenced under the terms of the MIT licence: Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. The Debian packaging is copyright © 2009, Jordi Mallach and Sergio Talens-Oliag , licensed under the terms of the GPL version 3, or any later version as published by the Free Software Foundation; see `/usr/share/common-licenses/GPL-3'. 
debian/watch0000644000000000000000000000021512261240553010215 0ustar version=3 opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/fcgiwrap-$1.tar.gz/ \ https://github.com/gnosek/fcgiwrap/tags .*/v?(\d\S*)\.tar\.gz debian/source/0000755000000000000000000000000012261246174010473 5ustar debian/source/format0000644000000000000000000000001412261240553011674 0ustar 3.0 (quilt) debian/patches/0000755000000000000000000000000012261246174010622 5ustar debian/patches/fix_mandir.patch0000644000000000000000000000104512261240553013756 0ustar Author: Jordi Mallach Description: Install manpages in the FHS directory. Forwarded: no Index: fcgiwrap-1.1.0/Makefile.in =================================================================== --- fcgiwrap-1.1.0.orig/Makefile.in 2013-02-03 14:25:17.000000000 +0100 +++ fcgiwrap-1.1.0/Makefile.in 2013-12-19 19:03:21.717676200 +0100 @@ -1,6 +1,6 @@ targetdir = $(DESTDIR)@prefix@@sbindir@ -man8dir = $(DESTDIR)@prefix@@mandir@/man8 +man8dir = $(DESTDIR)@prefix@@datarootdir@@mandir@/man8 datarootdir = .PHONY: clean distclean debian/patches/series0000644000000000000000000000012312261240553012026 0ustar GIT-Add-p-path-option-to-restrict-scripts.patch fix_systemd.patch fix_mandir.patch debian/patches/fix_systemd.patch0000644000000000000000000000112412261240553014172 0ustar Author: Sergio Talens-Oliag Description: Modify default user/group and socket path to match sysvinit. Forwarded: no --- a/systemd/fcgiwrap.service +++ b/systemd/fcgiwrap.service @@ -4,8 +4,8 @@ After=nss-user-lookup.target [Service] ExecStart=/usr/sbin/fcgiwrap -User=http -Group=http +User=www-data +Group=www-data [Install] Also=fcgiwrap.socket --- a/systemd/fcgiwrap.socket +++ b/systemd/fcgiwrap.socket @@ -2,7 +2,7 @@ Description=fcgiwrap Socket [Socket] -ListenStream=/run/fcgiwrap.sock +ListenStream=/run/fcgiwrap.socket [Install] WantedBy=sockets.target debian/patches/GIT-Add-p-path-option-to-restrict-scripts.patch0000644000000000000000000000664612261240553021422 0ustar 
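Review bot: The `[Socket]` section in the fcgiwrap.socket hunk still sets only `ListenStream=`, so the socket is created with systemd's default mode of 0666 and any local account can connect to it. The script to run appears to come from the request parameters, and the service hunk runs it as `www-data`, so the unit should restrict who may connect, for example `SocketMode=0660` together with `SocketUser=www-data` and `SocketGroup=www-data` where the installed systemd supports those two keys. The sysvinit script already passes a socket owner and group to spawn-fcgi, so this would bring the two start-up paths in line.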
From 3a94c23aed0f687940a0442d318359699e00015e Mon Sep 17 00:00:00 2001 From: Peter Wu Date: Sat, 13 Apr 2013 11:35:26 +0200 Subject: [PATCH 2/3] Add `-p path` option to restrict scripts If the purpose of fcgiwrap is to wrap cgit, then I want to be sure that no other program can be executed under the privileges of the fcgiwrap user. When the option `-p path` is given, only the programs specified by `path` are allowed to execute (multiple occurrences of `-p` are merged to form a list of allowed programs). Note that this value will be matched literally, no attempt is done to canonicalize the path. This also implies that glob patterns or directories will never match. --- fcgiwrap.c | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/fcgiwrap.c b/fcgiwrap.c index 81c5062..e86ff9d 100644 --- a/fcgiwrap.c +++ b/fcgiwrap.c @@ -58,6 +58,8 @@ extern char **environ; static char * const * inherited_environ; +static const char **allowed_programs; +static size_t allowed_programs_count; static const char * blacklisted_env_vars[] = { "AUTH_TYPE", @@ -485,6 +487,19 @@ static void inherit_environment(void) } } +static bool is_allowed_program(const char *program) { + size_t i; + if (!allowed_programs_count) + return true; + + for (i = 0; i < allowed_programs_count; i++) { + if (!strcmp(allowed_programs[i], program)) + return true; + } + + return false; +} + static void cgi_error(const char *message, const char *reason, const char *filename) { printf("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\r\n", 
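Review bot: `is_allowed_program` has no comment, and its two security-relevant properties are easy to miss: an empty list allows every program, and entries are compared byte-for-byte with `strcmp`. I would document that above the function, e.g. `/* No -p given: everything is allowed. Otherwise program must equal one entry exactly; nothing is canonicalized, so "/a//b" does not match "/a/b". */`. The loop dereferences every entry without a NULL check, so a short comment on the `allowed_programs` declaration in the first hunk should state that entries are never NULL, which the option parsing in this patch does not currently guarantee.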
@@ -541,6 +556,9 @@ static void handle_fcgi_request(void) if (!filename) cgi_error("403 Forbidden", "Cannot get script name, are DOCUMENT_ROOT and SCRIPT_NAME (or SCRIPT_FILENAME) set and is the script executable?", NULL); + if (!is_allowed_program(filename)) + cgi_error("403 Forbidden", "The given script is not allowed to execute", filename); + last_slash = strrchr(filename, '/'); if (!last_slash) cgi_error("403 Forbidden", "Script name must be a fully qualified path", filename); @@ -760,7 +778,7 @@ int main(int argc, char **argv) char *socket_url = NULL; int c; - while ((c = getopt(argc, argv, "c:hfs:")) != -1) { + while ((c = getopt(argc, argv, "c:hfs:p:")) != -1) { switch (c) { case 'f': stderr_to_fastcgi++; @@ -773,6 +791,7 @@ int main(int argc, char **argv) " -c \t\tNumber of processes to prefork\n" " -s \tSocket to bind to (say -s help for help)\n" " -h\t\t\tShow this help message and exit\n" + " -p \t\tRestrict execution to this script. (repeated options will be merged)\n" "\nReport bugs to Grzegorz Nosek <"PACKAGE_BUGREPORT">.\n" PACKAGE_NAME" home page: \n", argv[0] 
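Review bot: In the handle_fcgi_request hunk the new check compares the path string only, so the restriction is only as strong as the file system permissions on each allowed path. If an allowed script or one of its parent directories is writable by the account fcgiwrap runs as, or by anyone other than root, the file behind the approved name can be replaced. A comment at the check would record that assumption, e.g. `/* -p matches the name, not the file: allowed paths must be root-owned and not writable by the CGI user */`. The check also depends on `cgi_error` not returning, which this hunk does not show; the function body continues outside the hunk.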
@@ -784,8 +803,14 @@ int main(int argc, char **argv) case 's': socket_url = strdup(optarg); break; + case 'p': + allowed_programs = realloc(allowed_programs, (allowed_programs_count + 1) * sizeof (char *)); + if (!allowed_programs) + abort(); + allowed_programs[allowed_programs_count++] = strdup(optarg); + break; case '?': - if (optopt == 'c' || optopt == 's') + if (optopt == 'c' || optopt == 's' || optopt == 'p') fprintf(stderr, "Option -%c requires an argument.\n", optopt); else if (isprint(optopt)) fprintf(stderr, "Unknown option `-%c'.\n", optopt); -- 1.7.10.4 debian/control0000644000000000000000000000200712261240665010574 0ustar Source: fcgiwrap Section: web Priority: extra Maintainer: Jordi Mallach Uploaders: Sergio Talens-Oliag Build-Depends: autoconf (>= 2.61), automake, debhelper (>= 9), libfcgi-dev, libsystemd-daemon-dev [linux-any], pkg-config Standards-Version: 3.9.5 Vcs-Svn: svn://anonscm.debian.org/collab-maint/deb-maint/fcgiwrap/trunk Vcs-Browser: http://anonscm.debian.org/viewvc/collab-maint/deb-maint/fcgiwrap/trunk/ Homepage: http://nginx.localdomain.pl/wiki/FcgiWrap Package: fcgiwrap Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, spawn-fcgi (>= 1.6.1) Enhances: nginx Description: simple server to run CGI applications over FastCGI fcgiwrap is a simple server for running CGI applications over FastCGI. Its goal is to provide clean CGI support to the nginx webserver, although can be used with others. . fcgiwrap is lightweight and has no configuration, making it possible to use the same pool to run different sites. 
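Review bot: In the `case 'p':` branch the result of `strdup(optarg)` is stored without a check, so an allocation failure leaves a NULL entry that `is_allowed_program` later passes to `strcmp`. `optarg` points into `argv`, which stays valid for the life of the process, so the copy can be dropped: `allowed_programs[allowed_programs_count++] = optarg;`. A later check in handle_fcgi_request requires a fully qualified path, so a value that does not start with `/` can never match, and a mistyped relative path denies the script it was meant to allow; rejecting such a value at startup with a message would make the misconfiguration visible. `main` continues outside the hunk.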
debian/ex/0000755000000000000000000000000012261246174007607 5ustar debian/ex/monitrc0000644000000000000000000000034512261240553011202 0ustar # Check fcgiwrap check process fcgiwrap with pidfile /var/run/fcgiwrap.pids group www start program = "/etc/init.d/fcgiwrap start" stop program = "/etc/init.d/fcgiwrap stop" if 5 restarts within 5 cycles then timeout debian/ex/default0000644000000000000000000000076512261240553011161 0ustar # Defaults for fcgiwrap (if not declared, hardcoded values from the # init script are used). # Number of instances to launch #DAEMON_OPTS="-f -c 1" # Socket location #FCGI_SOCKET="/path/to/socket" # User and group for the daemon processes #FCGI_USER="www-data" #FCGI_GROUP="www-data" # Owner of the socket, if available (defaults to $FCGI_USER/$FCGI_GROUP) # Use this of you want to run scritps as a different user that the # webserver. #FCGI_SOCKET_OWNER="someuser" #FCGI_SOCKET_GROUP="someuser" debian/ex/nginx.conf0000644000000000000000000000121012261240553011566 0ustar # Include this file on your nginx.conf to support debian cgi-bin scripts using # fcgiwrap location /cgi-bin/ { # Disable gzip (it makes scripts feel slower since they have to complete # before getting gzipped) gzip off; # Set the root to /usr/lib (inside this location this means that we are # giving access to the files under /usr/lib/cgi-bin) root /usr/lib; # Fastcgi socket fastcgi_pass unix:/var/run/fcgiwrap.socket; # Fastcgi parameters, include the standard ones include /etc/nginx/fastcgi_params; # Adjust non standard parameters (SCRIPT_FILENAME) fastcgi_param SCRIPT_FILENAME /usr/lib$fastcgi_script_name; } debian/init0000644000000000000000000001607712261240553010067 0ustar #!/bin/sh ### BEGIN INIT INFO # Provides: fcgiwrap # Required-Start: $remote_fs # Required-Stop: $remote_fs # Should-Start: # Should-Stop: # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: FastCGI wrapper # Description: Simple server for running CGI applications over FastCGI ### END INIT 
INFO PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin SPAWN_FCGI="/usr/bin/spawn-fcgi" DAEMON="/usr/sbin/fcgiwrap" NAME="fcgiwrap" DESC="FastCGI wrapper" PIDFILE="/var/run/$NAME.pid" test -x $SPAWN_FCGI || exit 0 test -x $DAEMON || exit 0 # FCGI_APP Variables FCGI_CHILDREN="1" FCGI_SOCKET="/var/run/$NAME.socket" FCGI_USER="www-data" FCGI_GROUP="www-data" # Socket owner/group (will default to FCGI_USER/FCGI_GROUP if not defined) FCGI_SOCKET_OWNER="www-data" FCGI_SOCKET_GROUP="www-data" . /lib/lsb/init-functions # Default options, these can be overriden by the information # at /etc/default/$NAME DAEMON_OPTS="-f" # By default we redirect STDERR output from executed # CGI through FastCGI, to disable this behaviour set # DAEMON_OPTS to an empty value in the default's file ENV_VARS="PATH='$PATH'" # We reset the environ for spawn-fcgi, but we use the # contents of this variable as a prefix when calling it # to export some variables (currently just the PATH) DIETIME=10 # Time to wait for the server to die, in seconds # If this value is set too low you might not # let some servers to die gracefully and # 'restart' will not work QDIETIME=0.5 # The same as DIETIME, but a lot shorter for the # stop case. #STARTTIME=2 # Time to wait for the server to start, in seconds # If this value is set each time the server is # started (on start or restart) the script will # stall to try to determine if it is running # If it is not set and the server takes time # to setup a pid file the log message might # be a false positive (says it did not start # when it actually did) # Include defaults if available if [ -f /etc/default/$NAME ] ; then . /etc/default/$NAME fi set -e running_pid() { # Check if a given process pid's cmdline matches a given name pid=$1 name=$2 [ -z "$pid" ] && return 1 [ ! 
-d /proc/$pid ] && return 1 cmd="$(cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1)" # Is this the expected server [ "$cmd" != "$name" ] && return 1 return 0 } running() { # Check if the process is running looking at /proc # (works for all users) # No pidfile, probably no daemon present [ ! -f "$PIDFILE" ] && return 1 PIDS="$(cat "$PIDFILE")" for pid in $PIDS; do if [ -n "$pid" ]; then running_pid $pid $DAEMON && return 0 || true fi done return 1 } start_server() { ARGS="-P $PIDFILE" # Adjust NUMBER of processes if [ -n "$FCGI_CHILDREN" ]; then ARGS="$ARGS -F '$FCGI_CHILDREN'" fi # Adjust SOCKET or PORT and ADDR if [ -n "$FCGI_SOCKET" ]; then ARGS="$ARGS -s '$FCGI_SOCKET'" elif [ -n "$FCGI_PORT" ]; then if [ -n "$FCGI_ADDR" ]; then ARGS="$ARGS -a '$FCGI_ADDR'" fi ARGS="$ARGS -p '$FCGI_PORT'" fi # Adjust user if [ -n "$FCGI_USER" ]; then ARGS="$ARGS -u '$FCGI_USER'" if [ -n "$FCGI_SOCKET" ]; then if [ -n "$FCGI_SOCKET_OWNER" ]; then ARGS="$ARGS -U '$FCGI_SOCKET_OWNER'" else ARGS="$ARGS -U '$FCGI_USER'" fi fi fi # Adjust group if [ -n "$FCGI_GROUP" ]; then ARGS="$ARGS -g '$FCGI_GROUP'" if [ -n "$FCGI_SOCKET" ]; then if [ -n "$FCGI_SOCKET_GROUP" ]; then ARGS="$ARGS -G '$FCGI_SOCKET_GROUP'" else ARGS="$ARGS -G '$FCGI_GROUP'" fi fi fi eval $(echo env -i $ENV_VARS $SPAWN_FCGI $ARGS -- $DAEMON $DAEMON_OPTS) \ > /dev/null errcode="$?" return $errcode } stop_server() { # Force the process to die killing it manually [ ! -e "$PIDFILE" ] && return PIDS="$(cat "$PIDFILE")" for pid in $PIDS; do if running_pid $pid $DAEMON; then kill -15 $pid # Is it really dead? sleep "$QDIETIME"s if running_pid $pid $DAEMON; then kill -9 $pid sleep "$QDIETIME"s if running_pid $pid $DAEMON; then echo "Cannot kill $NAME (pid=$pid)!" 
exit 1 fi fi fi done rm -f "$PIDFILE" if [ -n "$FCGI_SOCKET" ]; then rm -f "$FCGI_SOCKET" fi } case "$1" in start) log_daemon_msg "Starting $DESC" "$NAME" # Check if it's running first if running ; then log_progress_msg "apparently already running" log_end_msg 0 exit 0 fi if start_server ; then # NOTE: Some servers might die some time after they start, # this code will detect this issue if STARTTIME is set # to a reasonable value [ -n "$STARTTIME" ] && sleep $STARTTIME # Wait some time if running ; then # It's ok, the server started and is running log_end_msg 0 else # It is not running after we did start log_end_msg 1 fi else # Either we could not start it log_end_msg 1 fi ;; stop|force-stop) log_daemon_msg "Stopping $DESC" "$NAME" if running ; then # Only stop the server if we see it running errcode=0 stop_server || errcode=$? log_end_msg $errcode else # If it's not running don't do anything log_progress_msg "apparently not running" log_end_msg 0 exit 0 fi ;; restart|force-reload) log_daemon_msg "Restarting $DESC" "$NAME" errcode=0 stop_server || errcode=$? # Wait some sensible amount, some server need this [ -n "$DIETIME" ] && sleep $DIETIME start_server || errcode=$? [ -n "$STARTTIME" ] && sleep $STARTTIME running || errcode=$? log_end_msg $errcode ;; status) log_daemon_msg "Checking status of $DESC" "$NAME" if running ; then log_progress_msg "running" log_end_msg 0 else log_progress_msg "apparently not running" log_end_msg 1 exit 1 fi ;; # Use this if the daemon cannot reload reload) log_warning_msg "Reloading $NAME daemon: not implemented, as the daemon" log_warning_msg "cannot re-read the config file (use restart)." 
;; *) N=/etc/init.d/$NAME echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" >&2 exit 1 ;; esac exit 0 debian/compat0000644000000000000000000000000212261240553010364 0ustar 9 debian/examples0000644000000000000000000000007112261240553010725 0ustar debian/ex/default debian/ex/monitrc debian/ex/nginx.conf debian/rules0000755000000000000000000000050712261241502010243 0ustar #!/usr/bin/make -f %: dh $@ CONFIGURE_FLAGS := --prefix /usr ifeq (linux,$(DEB_HOST_ARCH_OS)) CONFIGURE_FLAGS += --with-systemd \ --with-systemdsystemunitdir=/lib/systemd/system endif override_dh_auto_build: autoreconf -i ./configure $(CONFIGURE_FLAGS) $(MAKE) override_dh_clean: rm -f aclocal.m4 dh_clean debian/changelog0000644000000000000000000001105112261246045011040 0ustar fcgiwrap (1.1.0-2) unstable; urgency=medium * Enable systemd support only on Linux architectures. -- Jordi Mallach Thu, 02 Jan 2014 12:23:16 +0100 fcgiwrap (1.1.0-1) unstable; urgency=low [ Jordi Mallach ] * New upstream release (closes: #721518). * Remove all patches, all were applied upstream. * Add pkg-config to Build-Depends, as per configure.ac. * Minor tabs-vs-spaces cosmetic fix in init. * Pull post-1.1.0 patches from Git: - debian/patches/0002-Add-p-path-option-to-restrict-scripts.patch: restricts fcgiwrap to a literal path match. * Pass --with-systemdsystemunitdir=/lib/systemd/system. * Build-Depend on libsystemd-daemon-dev and pass --with-systemd to enable systemd socket activation. * Update to debhelper compat v9. * Use canonical Vcs URLs. * Bump Standards-Version to 3.9.5 (no changes needed). [ Sergio Talens-Oliag ] * Update watch file as suggested by Haha Warosu (closes: #720912). * Added -f option to fcgiwrap to redirect stderr (closes: #633116). * Modified init file to remove the use of DAEMON_USER and DAEMON_GID, as spawn-fcgi already does the check and fails if the user does not exist and also changed the PID file extension (closes: #697856). 
* Use env -i when calling spawn-fcgi to have a clean environment when executing the scripts (closes: #621754), but enabling the option of exporting some variables if desired (ENV_VARS). * Add fix_systemd.patch: change user/group and socket name definitions in service file to match the Debian-suitable sysvinit values. * Cleanup autotools files on clean. -- Jordi Mallach Thu, 19 Dec 2013 19:27:31 +0100 fcgiwrap (1.0.3-3) unstable; urgency=low * Remove Replaces on old package name that never hit the official archive. * Actually use $DAEMON_OPTS when spawning the server (closes: #616551). * Add support for FCGI_SOCKET_USER & FCGI_SOCKET_GROUP, as suggested by Maik Zumstrull (closes: #616552). * Add an example default file. -- Jordi Mallach Fri, 01 Apr 2011 22:08:52 +0200 fcgiwrap (1.0.3-2.1) unstable; urgency=low [ Jordi Mallach ] * Unquote $pid and $DAEMON on stop_daemon() so it actually stops (closes: #602199). * Reduce the wait when just stopping (closes: #602200). * Change priority to extra. * Add ldflags.patch to add support for LDFLAGS in Makefile.in (stolen from Git 58ec209478f50b2048cf). [ Philipp Kern ] * Current state taken from the VCS and uploaded as a LowThresholdNmu. -- Philipp Kern Tue, 29 Mar 2011 13:19:19 +0200 fcgiwrap (1.0.3-1) unstable; urgency=low * New upstream release. * Use my debian.org address all over the packaging files. * Drop our manpage, which was accepted upstream. * Remove obsolete comment about lack of formal fcgiwrap releases and versioning of git snapshots. * Add a call to `autoreconf -i` on build. * Add automake to Build-Depends, and wrap them. * Bump Standards-Version to 3.9.1 (no changes needed). * Add manpage_minus_escaping.patch to fix a pair of unescaped minus signs in the manpage. -- Jordi Mallach Wed, 01 Sep 2010 20:47:37 +0200 fcgiwrap (1.0-1) unstable; urgency=low * New upstream release. * Rename source and binary, as agreed with upstream. * Minor cosmetic fix to the init script start message. 
* Bump Standards-Version to 3.8.4 (no changes needed). * Move to dh7. * Switch to Source format 3.0 (quilt). * Build-Depend on autoconf. * Make the init script depend on $remote_fs (lintian). * Move to collab-maint SVN; add appropriate Vcs headers. * Initial upload to Debian (closes: #544702). -- Jordi Mallach Tue, 25 May 2010 21:27:00 +0200 gnosek-fcgiwrap (0.0.20090717.28ac6f9-1) unstable; urgency=low * New upstream git pull. + explicitly licenced under the MIT licence. * Add new licensing information in debian/copyright. * Add a note about the Debian versioning scheme to README.Debian. -- Jordi Mallach Wed, 02 Sep 2009 08:38:09 +0200 gnosek-fcgiwrap (0.0.20090304.cdd6b84-3) unstable; urgency=low * Renamed monit example to monitrc. -- Sergio Talens-Oliag Thu, 02 Apr 2009 15:42:34 +0200 gnosek-fcgiwrap (0.0.20090304.cdd6b84-2) unstable; urgency=low * Added monit.conf example. -- Sergio Talens-Oliag Thu, 02 Apr 2009 15:38:10 +0200 gnosek-fcgiwrap (0.0.20090304.cdd6b84-1) unstable; urgency=low * Initial release (April Fools). -- Sergio Talens-Oliag Wed, 01 Apr 2009 11:57:46 +0200 debian/README.Debian0000644000000000000000000000147112261240553011232 0ustar fcgiwrap for Debian ========================== Number of processes ------------------- By default the package starts one wrapper, if you need more than that you can add the variable 'FCGI_CHILDREN' to the /etc/default/fcgiwrap file; i.e. to launch 3 processes do the following: echo "FCGI_CHILDREN=3" > /etc/default/fcgiwrap /etc/init.d/fcgiwrap restart Nginx configuration ------------------- To support debian cgi-bin scripts on nginx add the following to your server configuration: include /usr/share/doc/fcgiwrap/examples/nginx.conf; Monit configuration ------------------- To monitor the fcgiwrap daemon with the monit program add the following to your /etc/monit/monitrc file: include /usr/share/doc/fcgiwrap/examples/monitrc; -- Sergio Talens-Oliag Thu, 02 Apr 2009 15:44:10 +0200