On Sat, Feb 17, 2007 at 12:46:19PM -0800, Adam Chlipala wrote:
> I've returned today to working on getting the web portal running on
> deleuze, and I've hit another snag early on. By default, the Apache
> suexec program has its suexec root set to /var/www, which means that it
> won't accept suexec execution of CGI programs outside that directory,
> unless they are accessed via http://host/~user/.... Our general policy
> has been that users be given no way to run programs as other users,
> including any generic web server users like www-data. This means that
> we need suexec if we're going to provide standard CGI services.
>
> On fyodor, we have a suexec binary that I compiled manually with a
> broader suexec root that contains all user home directories. This is a
> pretty small program, and the only change needed is to a string macro
> definition in one place. That means that, especially sticking with
> Debian stable and its infrequent updates, it is quite reasonable to
> compile a new suexec every time the underlying package source version
> increases.
>
> So, what do y'all think? Should we take the same route on deleuze and
> mire? Going by the task assignments, I think this falls under mwolson's
> purview, but anyone's input is valuable. I'm blocked on this ATM,
> wanting to test the portal, which should run as a different user. If
> necessary, we could stick to a suexec-free Apache set-up on deleuze,
> since only admins will be able to configure it. That would unblock me,
> but would leave the problem to be solved for mire. Any thoughts on this
> decision?

I think we should go this way. One thing I was planning to do for HCoop
and myself as well anyway, is setting an automated way that packages we
compile manually are always automatically recompiled & patched when
updates arrive. So for the first few times, mwolson could do it
manually, then we'll improve the procedure.

>
> There's also the issue of how we're going to handle AFS ticket grabbing
> for CGI and PHP programs run by Apache. Suggestions welcome, though my
> understanding is that mwolson is in charge of this now and looking into it.
>
> _______________________________________________
> HCoop-SysAdmin mailing list
> [email protected]
> http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
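
The location rule described in the quoted message (a CGI script must sit under the compiled-in suexec root unless it is requested via ~user), as an added example that is not part of the thread and not Apache's code. The `suexec -V` sample output is constructed, `/home` as the broadened root and the `alice` paths are assumed values, and the function names are hypothetical.

```python
import posixpath
import re

# Constructed sample of `suexec -V` output; values are illustrative.
SAMPLE_SUEXEC_V = """\
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"
"""

def parse_suexec_settings(text):
    """Return {NAME: value} for every `-D NAME=value` line, unquoting strings."""
    pattern = re.compile(r'^\s*-D\s+(\w+)=(.*?)\s*$', re.MULTILINE)
    return {m.group(1): m.group(2).strip('"') for m in pattern.finditer(text)}

def is_under(path, root):
    """True if path equals root or lies below it, compared by path component."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def location_allowed(settings, script_path, userdir_home=None):
    """Model suexec's location check only (not its ownership or mode checks).

    userdir_home is the target user's home directory for a ~user request,
    or None for any other request (for example a virtual host).
    Paths are compared lexically; symlinks are not resolved here.
    """
    script_dir = posixpath.dirname(posixpath.normpath(script_path))
    if userdir_home is not None:
        root = posixpath.join(userdir_home, settings["AP_USERDIR_SUFFIX"])
    else:
        root = settings["AP_DOC_ROOT"]
    return is_under(script_dir, root)

if __name__ == "__main__":
    stock = parse_suexec_settings(SAMPLE_SUEXEC_V)
    rebuilt = dict(stock, AP_DOC_ROOT="/home")  # assumed broadened root
    cgi = "/home/alice/public_html/cgi-bin/portal.cgi"  # hypothetical path
    for name, cfg in (("stock", stock), ("rebuilt", rebuilt)):
        print(name, "vhost:", location_allowed(cfg, cgi),
              "~user:", location_allowed(cfg, cgi, "/home/alice"))
```

Running the same comparison against the real `suexec -V` output after each package update shows whether a rebuilt binary still carries the broadened root or has been replaced by the stock one.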
