Hi Kieran,

The app's .woa and .frameworks only need to be readable (executable for the directories) for the group appserveradm (or the one under which wotaskd is running). (The app.woa/app needs to be executable too if you haven't tweaked wotaskd.woa/Contents/Resources/SpawnOfWotaskd.sh.)

As a result you can create your own non-privileged user with appserveradm as primary group; no chown/chmod to do then. The only thing to keep in mind is that if the application has to create temporary files, the default directory is the app.woa, where the group / appserver doesn't have the right to write.

Also, as the user (appserver) which is running applications doesn't own them (can't overwrite, write or delete files), it's a little bit more secure.

Aurélien

On 11/17/2010 03:03 PM, Kieran Kelleher wrote:
> Hi all,
>
> Like many of you, I have custom scripts that use ssh to deploy woa apps.
> Scripts issue remote commands via ssh and script exec user's id_dsa has
> corresponding id_dsa.pub in the remote server's auth keys for admin and root.
> The problem is that root (apparently) is needed to set the chown on the woa
> bundles to appserver:appserveradm, however I would like to get away from
> needing root user remote ssh commands for security reasons.
>
> Assuming you all use chown of appserver:appserveradm and chmod of 550 on your
> deployed woa bundles (are you?), then the question is with respect to
> non-interactive, passwordless, secure remote deployment (copy, untar, chown,
> chmod) of WOAs, what user/ssh setup are you all using besides r...@remote, or
> is r...@remote the only way?
>
> Regards, Kieran
>
> PS.
> I deploy to OS X client, OS X Server and CentOS Linux

_______________________________________________
Webobjects-deploy mailing list
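A read-only audit of the layout described in the reply above, as an added example that is not part of the original thread: it checks that a deployed bundle carries the wotaskd group, is group-readable with searchable directories and a group-executable launcher, and that the account running the applications neither owns the files nor can write to them through the group. The function name `audit_bundle`, its three arguments and the launcher-named-after-the-bundle convention are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a deployed .woa bundle against the read-only-group scheme.
# Usage: audit_bundle <path/to/app.woa> <group> <run_user>
# Prints one line per finding; returns 0 only when there are none.
audit_bundle() {
    bundle=$1; want_group=$2; run_user=$3
    # Assumption: the launcher is named after the bundle (app.woa/app).
    launcher="$bundle/$(basename "$bundle" .woa)"
    find "$bundle" -print | {
        bad=0
        note() { echo "$1: $p"; bad=1; }
        while IFS= read -r p; do
            # Mode string, owner and group exactly as ls -ld reports them.
            set -- $(ls -ld -- "$p" | awk '{print $1, $3, $4}')
            mode=$1; owner=$2; group=$3
            [ "$group" = "$want_group" ] || note "group is $group, expected $want_group"
            # The running account must not own what it executes.
            [ "$owner" != "$run_user" ] || note "owned by the run user"
            # Mode string positions: 5 = group read, 6 = group write,
            # 7 = group execute/search, 9 = other write.
            case $mode in ????r*) ;; *) note "not group-readable" ;; esac
            case $mode in ?????w*) note "group-writable" ;; esac
            case $mode in ????????w*) note "world-writable" ;; esac
            case $mode in
                d?????[xs]*) ;;
                d*) note "directory not group-searchable" ;;
            esac
            if [ "$p" = "$launcher" ]; then
                case $mode in
                    ??????[xs]*) ;;
                    *) note "launcher not group-executable" ;;
                esac
            fi
        done
        [ "$bad" -eq 0 ]
    }
}
```

Run as the deploying user after the untar step, a non-zero status means the bundle has drifted from the scheme, for instance because a temporary-file workaround made the bundle group-writable.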
