
Re: a couple (cgi) packaging issues



On Sun, Mar 09, 2003 at 10:36:56AM -0500, sean finney wrote:
> - do cgi programs need man pages as well?  technically they're
>   executables, but i don't know what i'd put there, and they do
>   live in /usr/lib, so it's a bit ambiguous to me.  i looked at
>   some other packages and none of the few i looked at had manpages,
>   but i just want to make sure...

It doesn't do any harm to have one if you have some bright ideas for
what should go in there, but I don't think it's necessary, no.

> - is it a policy violation to ship an empty logfile?

I doubt it's covered by policy (although I haven't checked), but I think
it's a bad idea. You don't want to have the log file zeroed when the
package is upgraded. It would be better to touch it in the postinst with
the appropriate permissions, and possibly have logrotate deal with it
appropriately.

(Doesn't the stderr from CGI scripts go to the web server's error log
file anyway? I don't recall seeing a CGI script with its own log file
before, but I suppose it could make sense if a lot of data is being
logged.)

> - is it a policy violation to ship it 660 root:www-data?  the cgi script
>   in question isn't run setuid, so it can't write unless the owner
>   or group field is changed, and in the latter case only if the group
>   permissions are changed.  also, the script can't write to the log if
>   it doesn't exist because it doesn't have permissions to create a file
>   in /var/log otherwise.

Tricky. What happens if the admin has chosen to run the web server under
some different uid/gid? Maybe the CGI script should be setgid to a
special-purpose group and drop that gid for everything other than
writing to the log file (which could be in /var/log/sugarplum writeable
by the appropriate group so that you wouldn't have to worry about
touching log files in the postinst). I'm not sure whether that's a good
idea or not though.

> - would it be better for a logfile to go in /var/log, or
>   /var/log/packagename?  it's a single logfile, but it gets logrotated,
>   so i can see people getting grumpy about it in /var/log/sugarplum.*
>   after a couple of months...

You could always tell logrotate to keep only so many rotations. Since
logrotate configuration files are typically conffiles in /etc, people
can always change the number if they want to do so.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]
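
The postinst approach suggested in the reply above, sketched as an added example that is not part of the original message or of the package's own maintainer scripts. The helper name ensure_log and the path /var/log/sugarplum.log are assumptions; 660 root:www-data is the mode from the question.

```shell
#!/bin/sh
# Added example, not from the thread: postinst fragment that creates a CGI
# log file on first install and never truncates it on upgrade.
set -e

# ensure_log PATH OWNER GROUP MODE  (hypothetical helper name)
ensure_log() {
    log=$1; owner=$2; group=$3; mode=$4

    # Refuse symlinks and non-regular files so a planted link cannot
    # redirect the root-run chown/chmod below to another file.
    if [ -L "$log" ] || { [ -e "$log" ] && [ ! -f "$log" ]; }; then
        echo "ensure_log: $log is not a regular file, skipping" >&2
        return 1
    fi

    # Upgrade case: keep existing contents and whatever owner/mode the
    # admin has set (e.g. a web server running under a different gid).
    [ ! -e "$log" ] || return 0

    # First install: create empty and private, then open it up as needed.
    (umask 077; : >> "$log")

    # Respect an admin override registered with dpkg-statoverride.
    if ! dpkg-statoverride --list "$log" >/dev/null 2>&1; then
        chown "$owner:$group" "$log"
        chmod "$mode" "$log"
    fi
    return 0
}

case "${1:-}" in
    configure)
        # Assumed path; 660 root:www-data is the mode from the question.
        ensure_log /var/log/sugarplum.log root www-data 660
        ;;
esac
```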


