CGI permissions with NGINX & FastCGI

Question

I'm running GitWeb (which is essentially a CGI script) on a server which also runs GitLab. My aim is to provide reaad-only access to GitLab repositories without registering people.

I've pointed GitWeb to my repositories folder which have permissions drwxrws--- with owner:group git:git. FastCGI wrapper is running with user:group www-data:www:data, so I added www-data to git group. I also verified access of www-data to repositories by changing to that user.

However, when I run GitWeb, CGI script cannot access to repositories and cannot get my list of repositories. Everything works fine if I add r-x permissions to other part (last triplet) but I don't want to mess with permissions of the folders because of obvious reasons.

Btw, I'm running Debian stable and didn't install SE-Linux or something similar.

Any help will be appreciated.

score 2 · Accepted Answer · answered May 27 '13 at 11:47

I've found and fixed the problem. Actually it's a bug in nginx.

Normally, under nginx.conf, there's a user directive which sets the nginx's setuid()/setgid() behavior & the syntax of the directive is user <username> <groupname>. Doucmentation[1] states that, if you omit <groupname>, <username> will be used as group. However, that's not the case and nginx defaults to group nobody. When I added the group www-data explicitly, everything started to work as it should.

[1] http://wiki.nginx.org/CoreModule#user

CGI permissions with NGINX & FastCGI

1 Answers1