Re: [PHP] Placement of PHP programs?

To: Nick Phillips <nwp@nz.lemon-computing.com>
Cc: Debian Development <debian-devel@lists.debian.org>
Subject: Re: [PHP] Placement of PHP programs?
From: Matthew Palmer <mpalmer@debian.org>
Date: Sat, 7 Sep 2002 12:34:00 +1000 (EST)
Message-id: <[🔎] Pine.LNX.4.10.10209071211170.27892-100000@magnetron.ieee.uow.edu.au>
In-reply-to: <[🔎] 20020907020336.GB1921@hoiho.nz.lemon-computing.com>

On Sat, 7 Sep 2002, Nick Phillips wrote:

> > This is something which has had a bit of debate - whether /var/www is for
> > the admin or the distribution.  I'm inclined to go with your view - that
> > it's for the admin, but I can't find any documentation which codifies that
> > view.
> 
> We don't have a sane policy on this, AFAICT. To date, packages (including
> Apache itself in particular) have done pretty much whatever they like with
> /var/www, to the extent that it's not been a useful/useable location for
> an admin to use as a real webroot. There was some discussion about how best

The main website where I work (well, one of the places, anyway) is in
/var/www, although I wasn't the one who chose it, I probably would have
stuck it there too.  We've never had a problem with it, although we don't
install many webapps there.

> It does appear that packages have been gradually shying away from putting
> stuff into /var/www directly, in favour of tactics such as you mentioned
> (sticking everything they need in /usr/share somewhere and providing and
> apache config-chunk to be included by your httpd.conf as appropriate. This
> is a Good Thing, but I don't think we've arrived yet.

Would some sort of policy clarification help, do you think?  I don't see a
big problem with amending policy to say "/var/www is under local admin
control, packages shall not put anything there except under the specific
circumstance of an initial web server install".  The last bit is to cover
Apache putting it's greeting page in when it first gets installed.

> I haven't looked at apache 2 yet, but it seems to me that it might be a
> good idea to generalise this discussion into 'how do we handle packaging
> web applications' and come up with a good overall solution rather than
> one just for PHP, which could be rendered obsolete when we finally do
> come up with an overall answer.

I'm happy to discuss that, if people think it would be worthwhile.  My main
aim in starting this discussion was to work out these sorts of kinks in a
language I'm familiar with some of the issues of.  But yes, a common "how to
do it" would be a good idea.

> I'd note here that a common problem with packages of web applications
> seems to be "OK, I've installed it, now where the hell is it?"; debconf
> notes and all sorts are (mis)used to tell the admin where to find their
> new software. Then there's the security question; if a web-based app is
> automatically configured to run (e.g. with CGI scripts is /usr/lib/cgi-bin),
> it's great that it "just works", but likely to be pisspoor that suddenly
> the whole world can see, for example, all your CVS repositories (I'm not
> suggesting that this actually does happen with either cvsweb or viewcvs,
> but it's an example of what could happen).

Indeed.  Perhaps the default ACL on any newly installed webapp should be
localhost, with a note to the admin to fix it up themselves.  I'd be happier
with a config question like "Do you want this application visible: localhost
only, localnet, or global?" and modify the apache config fragment from
there.

> Webserver packages could also optionally provide an interface for such
> application packages to add their extra config -- for example apache
> could provide a directory into which apps could dump config fragments
> to be included into the default server setup, and a script to regenerate
> the config to include them.

/etc/apache.d?  Not a bad idea.

for i in /etc/apache.d/*; do if ! grep -q $i /etc/apache/httpd.conf; then
echo IncludeFile $i >> /etc/apache/httpd.conf; fi; done

Or something like that.  Alternately, we could put IncludeFile
/etc/apache/includes.conf at the bottom of apache.conf and automatically
rebuild that in it's entireity whenever we run apache-update-includes or
something.

> The big snag is that /var/www is rendered pretty much unusable by the
> legacy of the last several years, and the use to which admins may currently
> be putting it.

Discussing this with any maintainer whose packages have anything in /var/www
(except perhaps apache's default pages) and getting them to agree on some
other scheme would probably help.  Then we can amend policy to make it a
no-no for a webapp to stick *anything* in /var/www, and then it can go back
to being the admin's default website repository.

> At any rate, it's something that we should certainly sort out. I guess now I
> should go & install apache2 and see whether and how much that has improved
> things...

I'm a wimp - I'm sticking with 1.3 for the foreseeable future.

> 
> 
> Cheers,
> 
> 
> Nick
> 

-- 
Matthew Palmer, Debian Developer
mpalmer@debian.org     http://www.debian.org

Reply to:

References:
- Re: [PHP] Placement of PHP programs?
  - From: Nick Phillips <nwp@nz.lemon-computing.com>

Prev by Date: Re: *term -ls, a summary
Next by Date: Re: *term -ls, a summary
Previous by thread: Re: [PHP] Placement of PHP programs?
Next by thread: Re: [PHP] Placement of PHP programs?
Index(es):
- Date
- Thread