Adam Chlipala <[EMAIL PROTECTED]> writes:

> I've returned today to working on getting the web portal running on
> deleuze, and I've hit another snag early on.  By default, the Apache
> suexec program has its suexec root set to /var/www, which means that
> it won't accept suexec execution of CGI programs outside that
> directory, unless they are accessed via http://host/~user/....  Our
> general policy has been that users be given no way to run programs
> as other users, including any generic web server users like
> www-data.  This means that we need suexec if we're going to provide
> standard CGI services.
>
> On fyodor, we have a suexec binary that I compiled manually with a
> broader suexec root that contains all user home directories.  This
> is a pretty small program, and the only change needed is to a string
> macro definition in one place.  That means that, especially sticking
> with Debian stable and its infrequent updates, it is quite
> reasonable to compile a new suexec every time the underlying package
> source version increases.

Even better, let's go with a custom-compiled Apache Debian package which
contains this modified suexec binary -- I'll re-get the source and apply
the change each time our version of Apache changes.  Where can I find
the changed source code?

> So, what do y'all think?  Should we take the same route on deleuze
> and mire?  Going by the task assignments, I think this falls under
> mwolson's purview, but anyone's input is valuable.  I'm blocked on
> this ATM, wanting to test the portal, which should run as a
> different user.  If necessary, we could stick to a suexec-free
> Apache set-up on deleuze, since only admins will be able to
> configure it.  That would unblock me, but would leave the problem to
> be solved for mire.  Any thoughts on this decision?

I'm not sure that we want a suexec-free Apache instance, especially on
mire.

> There's also the issue of how we're going to handle AFS ticket
> grabbing for CGI and PHP programs run by Apache.  Suggestions
> welcome, though my understanding is that mwolson is in charge of
> this now and looking into it.

I'd like to hear what cclausen has to say about this.  For now, here
are my recommendations.

Based on the changes we had to make for Exim, the best thing would
probably be to make deleuze's Apache work with some generic AFS ticket
and a thread-based Apache.  For mire, we would probably want a
non-threaded Apache so that each process can have a user-specific
ticket.  Performance would probably be decreased because of the lack of
a thread pool, though.  As for how to acquire a per-user ticket, I would
have to peruse the Apache documentation further before suggesting
anything.

-- 
Michael Olson -- FSF Associate Member #652 -- http://www.mwolson.org/
Interests: Lisp, text markup, protocols -- Jabber: mwolson_at_hcoop.net
  /` |\ | | |   Projects: Emacs, Muse, ERC, EMMS, Planner, ErBot, DVC
 |_] | \| |_|   Reclaim your digital rights by eliminating DRM.
  See http://www.defectivebydesign.org/what_is_drm for details.

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
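As an added illustration, not code from this thread or from the Apache project: a Python model of the compiled-in docroot check Adam describes, the one that makes a stock suexec refuse a CGI outside /var/www unless the request came in through http://host/~user/. The string macro in question is AP_DOC_ROOT, which Apache's configure takes from --with-suexec-docroot, and `suexec -V` prints the value a given binary was built with, so it is the quickest check that the rebuilt binary is the one actually installed. The `suexec -V` output and the user-to-home mapping below are constructed sample data, and the directory comparison is done lexically rather than with the chdir()/getcwd() pair real suexec uses, so symlinks are not followed.

```python
import posixpath
import re
from dataclasses import dataclass

# Constructed sample of the `-D` lines that `suexec -V` prints for a stock
# build.  The values are illustrative; they are not copied from any
# particular Debian package.
SAMPLE_SUEXEC_V = """\
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"
"""

# Constructed stand-in for getpwnam(): user name -> home directory.
HOMEDIRS = {"alice": "/home/alice", "bob": "/home/bob"}


@dataclass(frozen=True)
class SuexecConfig:
    doc_root: str        # AP_DOC_ROOT, fixed at build time by --with-suexec-docroot
    userdir_suffix: str  # AP_USERDIR_SUFFIX, the per-user subdirectory (public_html)
    uid_min: int         # AP_UID_MIN, lowest uid suexec will switch to
    gid_min: int         # AP_GID_MIN, lowest gid suexec will switch to


def parse_suexec_v(text):
    """Pull the compiled-in settings out of `suexec -V` output."""
    values = {}
    for m in re.finditer(r'-D\s+(\w+)=("?)([^"\n]*)\2', text):
        values[m.group(1)] = m.group(3)
    return SuexecConfig(
        doc_root=values["AP_DOC_ROOT"],
        userdir_suffix=values["AP_USERDIR_SUFFIX"],
        uid_min=int(values["AP_UID_MIN"]),
        gid_min=int(values["AP_GID_MIN"]),
    )


def id_check(cfg, uid, gid):
    """suexec refuses root and any uid/gid below the compiled-in minimums."""
    if uid == 0 or uid < cfg.uid_min:
        return False, "cannot run as forbidden uid %d" % uid
    if gid == 0 or gid < cfg.gid_min:
        return False, "cannot run as forbidden gid %d" % gid
    return True, "ok"


def docroot_check(cfg, script_dir, target_user, homedirs=HOMEDIRS):
    """Model suexec's 'command not in docroot' test.

    script_dir is the directory Apache has chdir()ed into before exec'ing
    suexec (the CGI's own directory).  target_user is the user argument
    Apache passes: a plain name for a VirtualHost request, or '~name' for
    a UserDir (http://host/~name/...) request.  Real suexec resolves both
    directories with chdir()/getcwd(); this model normalizes them
    lexically, so symlinks are not followed (simplifying assumption).
    """
    cwd = posixpath.normpath(script_dir)
    if target_user.startswith("~"):
        name = target_user[1:]
        if name not in homedirs:
            return False, "invalid target user name %s" % name
        # ~user requests are measured against $HOME/public_html, not AP_DOC_ROOT
        dwd = posixpath.normpath(posixpath.join(homedirs[name], cfg.userdir_suffix))
    else:
        dwd = posixpath.normpath(cfg.doc_root)
    # suexec.c does strncmp(cwd, dwd, strlen(dwd)): a bare prefix test with no
    # trailing-separator check, so a sibling directory that merely shares the
    # docroot's leading characters passes as well.
    if not cwd.startswith(dwd):
        return False, "command not in docroot (%s)" % cwd
    return True, "ok"


def compare_docroots(sample=SAMPLE_SUEXEC_V, broad_root="/home"):
    """Stock /var/www docroot vs. one covering the user home directories."""
    stock = parse_suexec_v(sample)
    broad = SuexecConfig(broad_root, stock.userdir_suffix, stock.uid_min, stock.gid_min)
    vhost_cgi = "/home/alice/cgi-bin"            # portal-style CGI under a home dir
    userdir_cgi = "/home/alice/public_html/cgi-bin"
    return {
        "stock_vhost": docroot_check(stock, vhost_cgi, "alice")[0],
        "stock_userdir": docroot_check(stock, userdir_cgi, "~alice")[0],
        "stock_userdir_outside_public_html": docroot_check(stock, vhost_cgi, "~alice")[0],
        "broad_vhost": docroot_check(broad, vhost_cgi, "alice")[0],
    }


if __name__ == "__main__":
    for name, ok in compare_docroots().items():
        print("%-36s %s" % (name, "accepted" if ok else "refused"))
```

Run stand-alone it shows the situation in the thread: a CGI under /home/alice is refused by the stock binary for a VirtualHost request, accepted only via ~alice and only beneath public_html, and accepted for both request styles once the docroot is rebuilt to cover the home directories. Because the comparison is a plain prefix match, a rebuilt docroot should be chosen so that nothing outside it shares that prefix (with "/home", a hypothetical "/homework" would pass too); the docroot check is also only one of suexec's tests, the uid/gid floor, ownership and mode checks still apply to the rebuilt binary.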
