[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sane packaging of separate apache iteration

Quoth David LaBissoniere:
> I am working on packaging freeside, a web-based isp administration
> system. One issue I've encountered is that the web interface (using
> either HTML::Mason or Apache::ASP) must be run as the freeside user,
> and thus a separate iteration of apache. What is the sanest method
> of handling this in debian? The upstream author suggested prompting
> the user for an ip address and port number and creating the apache
> config files and init script from that.. But that doesn't seem like
> the most elegant solution.
> It would be nice to get something ironed out in policy for this as
> I can't imagine this is the only package in this situation.

The proposed Debian-Apache policy[1] did not, at last glance, cover the
concept of a dedicated application server (which is how I would classify
this).  I actually think the suggestion from the upstream author is a
good one: generate a very minimal httpd.conf (loading only those modules
necessary for your application), set the log/pid/scoreboard files to not
conflict with the Debian Apache install, and bind to a port and address
as determined by the user at installation time.

The need to run certain services as a different user is, I would think,
also a fairly common requirement in a hosting situation - you might want
to provide unfettered PHP and mod_perl services to your clients, but of
course don't want each client's PHP scripts etc all running as the same
local system user.

Apache 1.3 can't switch user when serving requests (although external
applications such as CGI scripts can be run as a different user of
course).  Does anyone know if this situation has changed at all with
2.0?  I realise that without running server as root on a conventional[2]
system the server children won't be able to setuid() to the various
vhost uids, but it's always possible that someone's thought up something
clever that hasn't occurred to me.  =)

These are just my thoughts and I'd certainly appreciate hearing some
other peoples' opinions on the matter.


[1]  http://www.opal.dhs.org/involved/debian/apache/index.oml

[2]  I might be incorrect, but on a situation with 'capabilities' the
     server children running as www-data could be allowed to change uid
     to another uid that is a member of a special group, eg vhost.

Andrew Shugg <andrew@neep.com.au>                   http://www.neep.com.au/

"Just remember, Mr Fawlty, there's always someone worse off than yourself."
"Is there?  Well I'd like to meet him.  I could do with a good laugh."

To UNSUBSCRIBE, email to debian-apache-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: