From: Ian Jackson Date: Fri, 14 Apr 2017 15:55:54 +0000 (+0100) Subject: debian/: Move ucgi into userv-utils X-Git-Tag: userv/0.6.1~30 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=userv-utils.git;a=commitdiff_plain;h=186ea161e7d144dd8e3791f174a7173e2f399346;hp=2cbcd670c5dfcda374720737fa5a5cd0be93e338 debian/: Move ucgi into userv-utils Signed-off-by: Ian Jackson --- diff --git a/.gitignore b/.gitignore index 170dde7..eb564c8 100644 --- a/.gitignore +++ b/.gitignore @@ -9,7 +9,7 @@ debian/debhelper-build-stamp debian/.debhelper debian/userv-utils -debian/userv-cgi +debian/userv-www-cgi debian/userv-dyndns debian/userv-git-daemon debian/userv-groupmanage diff --git a/debian/control b/debian/control index 02fa0cb..84378cf 100644 --- a/debian/control +++ b/debian/control @@ -15,6 +15,7 @@ Description: privsep utilities collection enabled by symlink /etc/userv/services.d/* -> ../services-available/*. . ipif - allow non-root users to create network interfaces + ucgi - run CGI programs in providing user's account mailq - allow users to view the mail queue ndc-reload - allow certain users to reload the nameserver checkpasswd-* - allow users to run a UNIX password check @@ -33,25 +34,6 @@ Description: dynamic DNS for shell account users The default configuration creates the infrastructure (including a service user) but does not allow any users to modify the DNS. -Package: userv-cgi -Architecture: any -Depends: userv, ${shlibs:Depends}, ${misc:Depends} -Recommends: httpd -Description: user-provided CGI scripts invoked by userv - This package contains ucgi, a userv service which allows CGI programs - to be provided which do not run as the webserver user, but instead - are owned by a particular other account. - . - Similar effects can be achieved with Apache's suexec; this package is - for administrators who do not trust suexec and wish to defend the - webserver from the CGI script providers, and vice versa, as much as - possible. This is achieved by using userv to do the cross-account - call, rather than a custom setuid helper. - . - The default configuration allows the webserver user to invoke users' - CGI programs from each user's ~/public-cgi, but to allow external - callers to do this, the webserver will also need to be configured. - Package: userv-groupmanage Architecture: all Depends: userv, ${perl:Depends}, ${misc:Depends} diff --git a/debian/rules b/debian/rules index 76e59ff..6ff8c3b 100755 --- a/debian/rules +++ b/debian/rules @@ -63,10 +63,16 @@ override_dh_auto_install: mv userv-ipif userv-utils; \ cd userv-utils; \ mv service.c.txt ipif.txt - - cp -al debian/userv-ipif/. debian/userv-utils/. - - mv debian/userv-www-cgi debian/userv-cgi + set -e; cd debian/userv-www-cgi/usr/share/doc; \ + mv userv-cgi userv-utils; \ + cd userv-utils; \ + rename 's/^/ucgi-/' * + cp -al debian/userv-www-cgi/. debian/userv-utils/. + cp www-cgi/www-cgi \ + debian/userv-utils/etc/userv/services.d/ucgi + - mv debian/userv-groupmanage/usr/share/doc/groupmanage \ debian/userv-groupmanage/usr/share/doc/userv-groupmanage - diff --git a/www-cgi/www-cgi b/www-cgi/www-cgi index c3dabfc..364f7e5 100644 --- a/www-cgi/www-cgi +++ b/www-cgi/www-cgi @@ -1,3 +1,18 @@ +# This service which allows CGI programs to be provided which do not +# run as the webserver user, but instead are owned by a particular +# other account. +# +# Similar effects can be achieved with Apache's suexec; this facility +# is for administrators who do not trust suexec and wish to defend the +# webserver from the CGI script providers, and vice versa, as much as +# possible. This is achieved by using userv to do the cross-account +# call, rather than a custom setuid helper. +# +# This default configuration allows the webserver user to invoke +# users' CGI programs from each user's ~/public-cgi, but to allow +# external http clients to do this, the webserver will also need to be +# configured. + if ( grep service-user-shell /etc/shells & glob calling-user www-data )