Run CGI as non-root

How do I tell Caddy v2 to launch the cgit CGI script with a specific UID/GID (iso root)?
I couldn’t find this in the docs, a pointer or short answer would be very much appreciated.

YOU MUST USE THIS TEMPLATE TO GET HELP.

Latest Caddy, 64-bit Linux. Please don’t insist on “filling out a questionnaire”.

Sorry, but we require the information in the template to help.

It’s unclear what version exactly you’re using (saying “latest” isn’t good enough). We need to see what your existing config looks like.

Caddy doesn’t run CGI scripts itself, it only supports proxying to a fastcgi server.

Thanks for replying. I now realise that “latest” was not only vague, but in fact wrong: I’m running Caddy v2.30 a.t.m. - here is the config snippet I’m currently using:

  route {
    file_server /cgit.png
    file_server /favicon.ico
    file_server /cgit.css
    file_server /robots.txt
    cgi * /var/www/git.jeelabs.org/cgit.cgi
  }

As I understand it, this is not fastcgi. I couldn’t figure out from the docs how to use php_fastcgi for this case. I have to admit that my grasp of Caddy has gone down since the move to v2 (I’m not a sys admin nor a web developer, sorry).

The above works, but the cache files created by cgit are owned by root, which is a bit worrying, as this implies that it must be running at a far too high privilege level.

So you’re using this plugin then?

You should ask on that GitHub issues board for help (to get the attention of that plugin’s developer).

Ok, thanks, I will. Looks like abandonware though … :frowning_face:

Maybe, or maybe it works well enough for who is using it so far. It is licensed open source, so you’re (or anyone is) welcome to fork it and maintain it. :+1:

The template is there for a reason.
How do you start Caddy? (a question in the template)
If you’re starting Caddy as root then all its plugins will also be root.
You could have started Caddy with user http (or git), consult systemd manual if you’re using it.


Exactly. The template is there both to save time for us, and for you. Otherwise we waste time asking the questions that would have been answered anyways by you just filling it out. Please help us help you.


Ok, fair enough. I’ll fill in the submit form in future posts.
Yes, I’m starting as root (easier to serve on http/https ports that way).
My workaround for now is to setuid/setgid the cgit exe.
Not perfect, but it works.

Thanks.
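
The suggestion in this thread to start Caddy as an unprivileged user under systemd, written out as an added example that is not part of the original posts. It assumes the unit is named caddy.service, that a caddy user and group exist with a writable home directory, and that cgit uses its default cache-root of /var/cache/cgit; the drop-in path is also an assumption.

```ini
# /etc/systemd/system/caddy.service.d/override.conf   (assumed path)
#
# Before: the unit has no User= line, so Caddy runs as root and every CGI
# child it spawns (cgit.cgi here) inherits UID 0. That is why the cgit
# cache files end up owned by root.
#
# After: Caddy and its children run as an unprivileged account, and the
# only privilege kept is the one needed to listen on ports 80 and 443.

[Service]
# Assumed account; the http or git user mentioned in the thread works too.
User=caddy
Group=caddy

# Allow binding to ports below 1024 without being root.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Nothing in this service can ever hold a capability outside this set.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Children cannot gain privileges through setuid/setgid binaries, so a
# setuid bit left on cgit.cgi is ignored inside this service.
NoNewPrivileges=true

# systemd creates /var/cache/cgit owned by User=/Group= before start,
# so cgit can write its cache as the unprivileged user.
CacheDirectory=cgit

# Private /tmp for the service and the CGI processes it starts.
PrivateTmp=true
```

Run `systemctl daemon-reload` and restart the service to apply it, then check the result with `ps -o user,group,cmd -C caddy` and the ownership of new files under the cache directory. CGI children inherit the ambient CAP_NET_BIND_SERVICE capability, which is still far narrower than running them as root.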
