Skip to content

Instantly share code, notes, and snippets.

@afresh1

afresh1/drop_privileges_fcgi_app.psgi

Last active July 25, 2019 03:16
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save afresh1/558fc0b4dfbeab0fbd59 to your computer and use it in GitHub Desktop.
Save afresh1/558fc0b4dfbeab0fbd59 to your computer and use it in GitHub Desktop.
Download ZIP
This is a proof of concept for an FCGI::ProcManager that will chroot into a directory and drop privileges for each child process.
Raw
drop_privileges_fcgi_app.psgi
#!/usr/bin/env plackup -s FCGIDropPrivs
use strict;
use warnings;
my ($user, $group) = qw( nobody nogroup );
my $uid = getpwnam($user);
my $gid = getgrnam($group);
my $root = '/var/empty';
package Plack::Handler::FCGIDropPrivs;
use parent 'Plack::Handler::FCGI';
sub new {
my ($class, %params) = @_;
$params{manager} = 'FCGI::ProcManager::DropPrivs'
unless exists $params{manager};
return $class->SUPER::new(%params);
}
$INC{'Plack/Handler/FCGIDropPrivs.pm'} = 1;
package FCGI::ProcManager::DropPrivs;
use parent 'FCGI::ProcManager';
use POSIX qw( setuid setgid );
sub handling_init {
my ($self) = @_;
chroot $root || die "Couldn't chroot to $root: $!";
chdir '/' || die "Couldn't chdir to '/': $!";
setgid($gid) || die "Couldn't setgid $group [$gid]: $!";
setuid($uid) || die "Couldn't setuid $user [$uid]: $!";
return $self->SUPER::handling_init();
}
$INC{'FCGI/ProcManager/DropPrivs.pm'} = 1;
package main;
sub { [ 200, [], ['Hello World'] ] }
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment