On Thu, 13 Oct 2011, Cristian Bacchi wrote:
> The user 'invenio' is the standard CLI user, and 'invenio' is also
> present in the group 'www-data'.
>
> Is this setup correct?
>
> Or do you prefer all under 'www-data'?
Nope, the all-under-www-data technique that we advertise in the INSTALL
file is mostly a shortcut used to make things simple. It is not the
preference for production sites. If you want to split the setup into an
`invenio' user for CLI needs and a `www-data' user for WSGI needs, then
this is a good thing to do.
Your setup looks nice overall. Some comments:
- the WSGI application may sometimes want to write in `etc' as well,
e.g. if you use the BibFormat Admin Interface to develop your format
templates over the web, rather than developing them elsewhere and
deploying them via CLI. So if you do, you may want to make
`etc/bibformat' writable. Otherwise it can stay read-only.
- the WSGI application does not need to write everywhere under `var',
only partially. E.g. `var/cache/collection' is written to by the CLI
application, and the WSGI application only has to read it. So if you
want to make the site less vulnerable to web break-ins, you could
make only some parts of `var' writable to www-user.
- note also that the WSGI user can be different from the Apache user.
So in principle you can have more layers: `www-data' as the regular
Apache user, `inveniowsgi' as the Invenio WSGI user, `inveniocli' as
the Invenio bibsched user, etc. This may be of interest in case you
have more WSGI applications hosted on the same box, not only Invenio,
and you want to distinguish between WSGI and non-WSGI executions.
I guess we should make a concrete setup recipe and put it on the `howto'
wiki section.
Best regards
--
Tibor Simko
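The split described in the reply, as an added example that is not part of the thread or of Invenio itself: a small POSIX sh audit that lists every group- or world-writable entry under an Invenio prefix and flags those outside the agreed WSGI-writable trees (it assumes the WSGI side gets write access through a group such as www-data, and the allow/deny lists are an assumed policy to adjust per site).

```shell
#!/bin/sh
# Constructed example, not Invenio's own tooling: check that only the
# intended parts of an Invenio prefix are writable by the WSGI side.
# Assumption: the WSGI user writes via group (e.g. www-data) or "other"
# permission bits, so any g+w / o+w entry is treated as WSGI-writable.

# Relative paths where WSGI writes are acceptable (assumed policy).
ALLOW_WSGI_WRITE="var etc/bibformat"
# Relative paths that must stay read-only for WSGI even inside an allowed
# tree: var/cache/collection is written by the CLI side and only read by WSGI.
DENY_WSGI_WRITE="var/cache/collection"

# under_any REL DIR... -> true if REL equals or lies below any DIR.
# Lists are expanded unquoted on purpose (paths without spaces assumed).
under_any() {
    p=$1; shift
    for d in "$@"; do
        case "$p" in
            "$d"|"$d"/*) return 0 ;;
        esac
    done
    return 1
}

# audit_wsgi_writable PREFIX
# Prints offending relative paths and returns 1 if any exist, else 0.
audit_wsgi_writable() {
    prefix=$1
    violations=$(find "$prefix" \( -perm -020 -o -perm -002 \) -print |
        while read -r f; do
            rel=${f#"$prefix"/}
            if [ "$rel" = "$f" ]; then rel=.; fi   # the prefix itself
            if under_any "$rel" $DENY_WSGI_WRITE ||
               ! under_any "$rel" $ALLOW_WSGI_WRITE; then
                echo "$rel"
            fi
        done)
    if [ -z "$violations" ]; then
        return 0
    fi
    printf 'WSGI-writable outside policy:\n%s\n' "$violations"
    return 1
}

# Usage when run as a script: audit_perms.sh /opt/invenio (assumed prefix)
if [ -n "$1" ]; then
    audit_wsgi_writable "$1"
fi
```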