On Sun, Jul 13, 2003 at 12:15:00AM +0200, Christophe BAEGERT wrote:
> On Saturday 12 July 2003 22:05, Brian Candler wrote:
> > If not, then either you omitted --with-fcgi from the ./configure command
> > line, or configure was unable to find libfcgi or the fcgi header files when
> > you were compiling it. Try re-running ./configure but piping the output to
> > a file, and look for where it tests for the existence of fcgi.
> 
> You're right, it's ok now after a ldconfig. Thanks for your help.
> 
> The FastCGI script was working, but now the authentication failed with FastCGI 
> (but it runs well in CGI). I have this message in the logs. It's strange 
> since the 2 scripts run under the same user (apache)
> 
> Jul 13 00:10:43 ipag sqwebmail.eur: authdaemon: s_connect() failed: Permission 
> denied
> Jul 13 00:10:43 ipag sqwebmail.eur: maildircache: Cache create failure - 
> cannot change to bin

Clearly a uid/permissions problem:
- sqwebmail can't open the authdaemond socket
- sqwebmail can't change uid to bin, maybe because it's already changed
  uid to a different user and hence lost its root privileges.

I run everything as a single user (sqwebmail is setuid to that user, not to
root) and I chowned the authdaemond socket to that user, so I don't get that
problem.

Even then, I used to get a problem where some fastcgi processes were running
as that user, and some were running as 'www' (the webserver user). This was
fixed with two extra lines in main(), which have now been incorporated into
the main codebase:

        /* If we are running setuid non-root, change our real gid/uid too */
        if (getegid()) setgid(getegid());
        if (geteuid()) setuid(geteuid());

But I still don't fully understand the issues of running a setuid
application under fastcgi. I can't see how it could switch to a different
uid without exec'ing itself first to get its root privileges back.

Regards,

Brian.
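
An added example, not code from sqwebmail or from this thread: one way to perform the step the two lines in main() perform, with the result checked. It uses setregid()/setreuid() because POSIX only requires an unprivileged setuid()/setgid() to change the effective id (Linux behaves this way), so the real id can stay that of the webserver user. The names ids_split and adopt_effective_ids are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* True when real and effective ids disagree: the state of a setuid
 * non-root binary right after the webserver user has exec'd it. */
int ids_split(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Make the real gid/uid match the effective ones. Effective root (id 0)
 * is left alone, as in the original two lines.
 * Returns 0 on success, -1 if the ids could not be brought into line. */
int adopt_effective_ids(void)
{
    gid_t egid = getegid();
    uid_t euid = geteuid();

    /* Group first, in the same order as the original lines. */
    if (egid != 0 && getgid() != egid && setregid(egid, egid) != 0) {
        perror("setregid");
        return -1;
    }
    if (euid != 0 && getuid() != euid && setreuid(euid, euid) != 0) {
        perror("setreuid");
        return -1;
    }

    /* Do not rely on the return values alone: re-read and compare. */
    if (egid != 0 && getgid() != egid) return -1;
    if (euid != 0 && getuid() != euid) return -1;
    return 0;
}

int main(void)
{
    if (adopt_effective_ids() != 0) {
        fprintf(stderr, "refusing to run with mismatched real/effective ids\n");
        return 1;
    }
    printf("ruid=%ld euid=%ld rgid=%ld egid=%ld split=%d\n",
           (long)getuid(), (long)geteuid(), (long)getgid(), (long)getegid(),
           ids_split(getuid(), geteuid(), getgid(), getegid()));
    return 0;
}
```

Failing closed when the ids cannot be aligned avoids the mixed state described above, where some FastCGI processes run as one user and some as another.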
