nginx+fcgiwrap versus mercurial

Robin Becker robin at reportlab.com
Wed Mar 18 08:35:54 UTC 2020


I am trying to use a simple bash cgi script with nginx+fcgiwrap under ubuntu 18.04.
The script runs as a non www-data user (using a setuid/setgid method).

When I try
   hg pull

or the more complex
   /usr/bin/ssh myhost /bin/sh -l -c "'cd $(pwd) && hg pull'"

which work fine as the user when run from a shell I find that the cgi just hangs.
In the shell neither of the above methods needs a user/pasword.

I tried this as well
socat - EXEC:'hg pull',pty,setsid,ctty

and the hg pull starts to work with a message saying where it's pulling from, but I then see immediately after a message 
(killed) in the script output.

I used the simple hg pull in a script some 5 years ago, but I guess the way fcgiwrap works has changed to become more 
secure.

Anyone got any understanding of what's going on?

I have a work around by using a url like ssh://myhost//path-to-repo
-- 
Robin Becker


More information about the Mercurial mailing list