
Re: Installing writable configuration files for an Apache module.



>   I've just finished creating and testing a new package,
>  libapache-mod-virgule, this is the module which is behind the
>  Advogato.org website.
>
>   The module uses a set of .xml files for its configuration, and
>  for storing user login details - and I'm a little unsure as to
>  where they should be installed.
>
>   Currently I create a directory '/var/lib/mod-virgule' and place
>  them there.  However I do there could be a better location to use
>  and I'm open to suggestions.

They should reside in /etc/mod-virgule, and /var/lib/mod-virgule -if you
need it to exist- should either be a symlink or contain symlinks pointing
to the relevant files - Take a look at the policy, 11.7.2:

http://www.debian.org/doc/debian-policy/ch-files.html#s11.7.2

>   One concern is that these files must be writable by the apache
>  process - to do that I've installed a new user and group and made
>  the directory +S.
>
>   The alternative is to install them nobody:nogroup, which is bad.
>
>   Now obviously anybody with a login shell upon the box can tamper
>  with these files - if there's a good solution that I've not thought
>  of I'd appreciate hearing of it..

Remember Apache runs with the user and group www-data - If you make them
normal 0644 files owned by www-data:www-data, I think you should be
safe... Unless, of course, you are using www-data for things other than
Apache itself ;-)

-- 
Gunnar Wolf - gwolf@gwolf.cx - (+52-55)5630-9700 ext. 1366
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF
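
An added example, not part of the original message: a small audit a packager could run to confirm the layout suggested above (files owned by www-data, mode 0644, symlinks from /var/lib/mod-virgule resolving). The function names are hypothetical, and the check on directory permissions goes slightly beyond what the reply states.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths come from the thread.

# Print one line per finding under directory $1 for expected owner $2:
#  - files or directories writable by group or other (a writable directory
#    lets a local user replace a file even when the file itself is 0644)
#  - anything, symlinks aside, not owned by the expected account
#  - symlinks whose target is missing, such as a stale link left in
#    /var/lib/mod-virgule after a file was removed from /etc/mod-virgule
scan_conf_dir() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec printf 'writable-by-group-or-other: %s\n' {} \; &&
    find "$1" ! -type l ! -user "$2" \
        -exec printf 'unexpected-owner: %s\n' {} \; &&
    find "$1" -type l ! -exec test -e {} \; \
        -exec printf 'dangling-symlink: %s\n' {} \;
}

# audit_conf_dir DIR [OWNER]
# Returns 0 when clean, 1 when there are findings, 2 when find itself failed
# (for example because OWNER does not exist on this system).
audit_conf_dir() {
    findings=$(scan_conf_dir "$1" "${2:-www-data}") || {
        echo "scan-error: $1" >&2
        return 2
    }
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical use on the packaged system:
#   audit_conf_dir /etc/mod-virgule www-data
#   audit_conf_dir /var/lib/mod-virgule www-data
```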


