Re: Package install location for 0700 Directories
Paul,

Please excuse me for not posting something as obvious as the link to the package.

http://packages.itadmins.net/debian/pool/main/h/hawk/hawk_0.5.2-0squeeze1.dsc

As you can see it is currently for squeeze (my production servers) but I will be porting to wheezy as soon as I get this situation taken care of.

This is just a web gui to the cluster and operates just peachy without the gui. However, that said, corosync/pacemaker/heartbeat can be a bit time consuming and the gui "can" help an admin save some of that time.

The security of the cluster itself (security between the nodes in the cluster) has nothing directly to do with the gui except that one can access the cluster through the gui. This is not unlike other web guis which offer similar functionality (webmin, confixx & hsphere to name a few).

The point is to make the install as secure as possible while retaining the ease of functionality.

Chuck

On 02/11/2013 01:30 PM, Paul Wise wrote:
> Could you link to your source package so we can see what you are
> talking about?
>
> I would expect a network service to use proper authentication
> methods like RSA keys of some form (SSH/OpenPGP/X.509), is this
> cluster thing really having no authentication and using file
> permissions to protect the service?

--
To UNSUBSCRIBE, email to debian-mentors-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/5118ed91.3070...@itadmins.net
Re: Package install location for 0700 Directories
Could you link to your source package so we can see what you are talking about?

I would expect a network service to use proper authentication methods like RSA keys of some form (SSH/OpenPGP/X.509), is this cluster thing really having no authentication and using file permissions to protect the service?

--
bye,
pabs

http://wiki.debian.org/PaulWise
Package install location for 0700 Directories
Hello all,

My name is Chuck and I am new to the list. I am currently working on building a package based on the ClusterLabs Hawk web GUI. Thanks to the people in #debian-mentors I have most of the package complete. It works perfectly in Squeeze and I will be starting builds for Wheezy today or tomorrow.

However, I still have 1 problem. This package controls entire clusters (corosync, pacemaker, et al) and thus is designed with directory rights of 0700 for user hacluster (user used to run corosync).

The problem is that 0700 directories are against policy in /usr/share. However, lighttpd is the delivery agent for the package and such apps (phpmyadmin and other web guis) are usually installed in /usr/share.

If I set the directories at 755 then there is the possibility that any service/script could execute files in the directory and thus control the cluster. I had considered moving it all to /var/lib but that doesn't seem to be correct to me.

Is there a better location for the install where I can actually set 0700 permissions?

Thanks for your comments and ideas,

Charles Williams
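
The 0700 versus 755 difference raised in the original post can be checked from the mode bits alone. The script below is an added example, not part of the thread or of the hawk package: it lists files that accounts outside the owner and group can read or execute, and shows that a 0700 top-level directory hides a file beneath it that is itself still 0755. The names hawk-demo and bin/ctl are made up, and the tree is built in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread. All paths below are constructed.

# world_reachable DIR
# Print regular files under DIR whose "other" read or execute bit is set.
# A directory without other-execute cannot be traversed by such accounts,
# so it is pruned with everything beneath it. Ancestors of DIR itself
# are not examined.
world_reachable() {
    find "$1" \
        -type d ! -perm -001 -prune \
        -o -type f \( -perm -004 -o -perm -001 \) -print
}

# count_reachable DIR: number of files world_reachable reports.
count_reachable() {
    world_reachable "$1" | wc -l | tr -d ' '
}

# demo_tree: create a stand-in application tree and print its path.
# "hawk-demo" and "bin/ctl" are made-up names for illustration.
demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/hawk-demo/bin"
    printf '#!/bin/sh\necho cluster-control\n' > "$root/hawk-demo/bin/ctl"
    chmod 0755 "$root/hawk-demo" "$root/hawk-demo/bin" "$root/hawk-demo/bin/ctl"
    printf '%s\n' "$root/hawk-demo"
}

tree=$(demo_tree) || exit 1
echo "top-level 0755: $(count_reachable "$tree") file(s) reachable by other"
chmod 0700 "$tree"
echo "top-level 0700: $(count_reachable "$tree") file(s) reachable by other"
rm -rf "${tree%/hawk-demo}"
```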