Fcgiwrap should be started with the supplementary groups of its user. Shepherd’s make-forkexec-constructor does not currently appear to support this.
Upstream fcgiwrap ships with a systemd service with the User= setting. Systemd confers this user’s supplementary groups by default:

<https://www.freedesktop.org/software/systemd/man/systemd.exec.html>:

> If the User= setting is used the supplementary group list is
> initialized from the specified user's default group list, as defined
> in the system's user and group database. Additional groups may be
> configured through the SupplementaryGroups= setting (see below).

Not starting with supplementary groups sometimes causes problems. Namely the Guix manual claims for Gitolite’s umask:

> A value like ‘#o0027’ will give read access to the group used
> by Gitolite (by default: ‘git’). This is necessary when using
> Gitolite with software like cgit or gitweb.

But this does not work because giving a supplementary group git to the fcgiwrap user does not confer the supplementary group git to fcgiwrap.

This is visible when looking at the fcgiwrap process in `ps -eo pid,supgrp,args`. It is also visible by configuring nginx to `fastcgi_param SCRIPT_FILENAME /test/test.sh;` and making test.sh a script that prints "Content-Type: text/plain\n\n" followed by the output of the id command.

Regards,
Florian
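The check described in the report can be automated by comparing a user's memberships in a group(5)-format file with the `Gid:` and `Groups:` lines of a process's `/proc/PID/status`. The script below is an added example, not part of the original message or of Guix, Shepherd or fcgiwrap; the function names, the gids 981 to 983 and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the groups a user is a member of (group(5) format)
# with the groups a running process holds (/proc/PID/status format).

# member_gids USER GROUP_FILE -> gids of groups listing USER as a member
member_gids() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $3
    }' "$2" | sort -n -u
}

# process_gids STATUS_FILE -> gids on the Gid: and Groups: lines
process_gids() {
    awk '/^(Gid|Groups):/ { for (i = 2; i <= NF; i++) print $i }' "$1" | sort -n -u
}

# missing_gids USER GROUP_FILE STATUS_FILE -> member gids the process lacks
missing_gids() {
    have=" $(process_gids "$3" | tr '\n' ' ')"
    out=""
    for g in $(member_gids "$1" "$2"); do
        case "$have" in
            *" $g "*) ;;                      # process holds this group
            *) out="${out:+$out }$g" ;;       # membership not conferred
        esac
    done
    echo "$out"
}

# Constructed sample data (not taken from a real system).
demo=$(mktemp -d)
printf 'git:x:981:fcgiwrap\nfcgiwrap:x:983:\nnginx:x:982:\n' > "$demo/group"
# Process whose supplementary group list was never initialised:
printf 'Name:\tfcgiwrap\nGid:\t983\t983\t983\t983\nGroups:\t\n' > "$demo/status_without"
# Process started with the user's group list:
printf 'Name:\tfcgiwrap\nGid:\t983\t983\t983\t983\nGroups:\t981 983 \n' > "$demo/status_with"

echo "without: missing gids: $(missing_gids fcgiwrap "$demo/group" "$demo/status_without")"
echo "with:    missing gids: $(missing_gids fcgiwrap "$demo/group" "$demo/status_with")"
```

Against a live system the same call takes `/etc/group` and the `/proc/PID/status` of the fcgiwrap process as its file arguments. Where group membership comes from a source other than `/etc/group`, save the output of `getent group` to a file and pass that instead.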