use lib '..'; # fixme
use strict;
+use English;
use Getopt::Long;
use POSIX ":sys_wait_h";
use Socket;
use Data::Dumper;
-my $pidfile = "/var/run/pveproxy.pid";
+my $pidfile = "/var/run/pveproxy/pveproxy.pid";
my $lockfile = "/var/lock/pveproxy.lck";
my $opt_debug;
$0 = "pveproxy";
+# run as www-data
+my $gid = getgrnam('www-data') || die "getgrnam failed - $!\n";
+POSIX::setgid($gid) || die "setgid $gid failed - $!\n";
+$EGID = "$gid $gid"; # this calls setgroups
+my $uid = getpwnam('www-data') || die "getpwnam failed - $!\n";
+POSIX::setuid($uid) || die "setuid $uid failed - $!\n";
+
+# just to be sure
+die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid");
+
PVE::APIDaemon::enable_debug() if $opt_debug;
sub add_dirs {
max_conn => 500,
max_requests => 1000,
trusted_env => 0, # not trusted, anyone can connect
- logfile => '/var/log/pve/access.log',
+ logfile => '/var/log/pveproxy/access.log',
lockfile => $lockfile,
ssl => {
key_file => '/etc/pve/local/pve-ssl.key',
exit (-1);
}
+
if ($opt_debug || !($cpid = fork ())) {
$SIG{PIPE} = 'IGNORE';