Re: [gentoo-dev] apache eclass - gentoo-dev - Gentoo Mailing List Archives

From:	"Robin H.Johnson" <robbat2@g.o>
To:	Ned Ludd <solar@g.o>
Cc:	gentoo-dev@g.o
Subject:	Re: [gentoo-dev] apache eclass
Date:	Fri, 13 Jun 2003 01:21:03
Message-Id:	`20030613012101.GA3132@cherenkov.orbis-terrarum.net`
In Reply to:	Re: [gentoo-dev] apache eclass by Ned Ludd

1

On Thu, Jun 12, 2003 at 01:25:23PM -0400, Ned Ludd wrote:

2

> Aside from all DocumentRoot stuff I feel that one of the most important

3

> things that needs to be addressed by any apache.eclass is what version

4

> of apache are we using 1,2 when ~arch flags are set. I was reently very

5

> unhappy to find out that apache2 got installed on one of my production

6

> servers after doing an upgrade world when -apache2 was explicitly set

7

> and the box previously had apache1 installed.

8

>

9

> A FORCE_APACHE=1|2 option was mentioned the other day here on the ml, I

10

> support that idea fully.

11

Apache IS slotted. The ONLY data that is overwritten between the two

12

installs is the default pages in /home/httpd/htdocs.

13

As such, you can have both installed quite easily. While this does add

14

some undesirable overhead, it is not an impediment to using Apache1.

15

16

> What I would like/hope to see is for carpaski to make the final decision

17

> if any sort of dynamic method should be used to gain the apache

18

> docroot,user,group, and other runtime settings. Then hopefully one of

19

> you (Brad Laue comes to mind as it looks like he was willing to step up

20

> to the plate) will parent the needed {apache,http}.eclass

21

I had already suggested and offered it write it, long before any of the

22

current work was done.

23

24

> Thus why the example code only extracted the very first case of

25

> DocumentRoot out of the conf and ensured there would be no extra

26

> whitespace/tabs something that a simple "grep | cut " can not address

27

> correctly. I also feel the logic I used is for the example code to get

28

> the docroot is sane (other than UPPER vs lower case, but that could be

29

> addressed by using grep -i). I suppose one could do more and add the

30

> extra step to ensure that the document root really does exists.

31

> [ ! -d "${DOCUMENT_ROOT}" ] && die "some clever error msg here"

> Note: I'm not 100% sure that we can die correctly from within an eclass

36

We can actually. I use it in the php.eclass with the /usr/bin/sendmail check.

37

38

> > > After discussion with others, my recommendation is that the document root

39

> > > should always be /home/httpd/htdocs. You could allow this to be overridden

40

> > > with DOCUMENT_ROOT= in /etc/make.conf if you're feeling generous.

41

> This is what I would really like to see in the end result.

42

This is easily done with the installing the web packages in a common

43

directory and building symlinks.

44

Possibly we need a framework/installer config system for the web

45

applications to abstract all of the common database setup and symlink

46

creation stuff after detecting the correct documentroot setting.

47

48

> > Actually, in a further discussion today in #gentoo-dev, we noted that

49

> > detected the DocumentRoot or allowing to be variable in any fashion

50

> > causes more serious problems with tbz2 binary tarballs.

51

> > For example:

52

> > DocumentRoot is /var/www

53

> > User builds a web application, which installs to /var/www. The tbz2

54

> > contains files with that pathname component in them.

55

> > Now DocumentRoot gets change to /home/httpd/htdocs (any number of ways,

56

> > including emerging the binary package on a different system).

57

> > User tries to install the package, telling emerge to use the

58

> > pre-existing binary.

59

> > Package is extracted to /var/www, which is never looked at by the

60

> > webserver.

61

> I feel one of the really great things about gentoo is its flexiablity,

62

> users can build there systems exactly how they want when they want.

63

> Having such variables in an eclass that can be overridden by the enduser

64

> at compile time to me seems by far the best option for our users. I have

65

> faith that "most" of gentoo's users that would edit such an option would

66

> know what there doing in reguards to there own DocumentRoot.

67

This ignores the issue of the tarball problem. The best solution is to

68

move it away from compile time, to config/postinst instead.

69

70

> > In cases where users want a different DocumentRoot, I would suggest that

71

> > the packages are all installed in a fixed location (not nessicarily even

72

> > in the DocumentRoot directory), and then the user can symlink them into

73

> > their own DocumentRoot.

74

> > A possible solution:

75

> > All webapps install to something NOT inside DocumentRoot.

76

> > 'ebuild /usr/portage/.../foo.ebuild config' sets up the application

77

> > (needed in most cases already) AND puts in a symlink to the

78

> > DocumentRoot.

79

> > This also makes it easier to support virtualhost configurations that all

80

> > have access to a common tool, and makes temporarily disabling an

81

> > application for security reasons much easier to do.

82

> For security reasons I see that as having both pros and cons.

83

> You addressed the pros, I will address the only con I can think of off

84

> the top of my head. This type of setup would require that FollowSymLinks

85

> must always be set which could potentionaly introduce new security holes

86

> depending on the app thats being installed.

87

Symlinks to outside the DocumentRoot structure as should already be

88

taken care of due to the "<Directory />" settings which deny everybody.

89

90

To minimize any further impact however, is there any way we can set an

91

option and NOT have it inherit?  eg I want "Options +FollowSymlinks" in

92

/home/httpd/htdocs but not in any of it's subdirectories?

93

94

Failing that, we just need to take more care with symlinks. Not too

95

difficult based on the "<Directory />" settings.

96

97

> Another thing which was not addressed by the example eclass is what

98

> permissions should webapps install as. I notice a few ebuilds are making

99

[snip]

100

> would improve the overall security of installed files.

101

I'd agree that root.apache(u=rw,g=r) as the permissions would be a good

102

move for security, without adversely affecting things.

103

104

> And when a webapp says its needs to be mode 666 (laugh to yourself and

105

> try to make the file apache owned with 0600 or 0660)

106

I have seen a few that need this. Most notably the horde config system,

107

and anything that wants to write back to it's own config files.

108

109

--

110

Robin Hugh Johnson

111

E-Mail     : robbat2@××××××××××××××.net

112

Home Page  : http://www.orbis-terrarum.net/?l=people.robbat2

113

ICQ#       : 30269588 or 41961639

114

GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

Gentoo Archives: gentoo-dev

Replies

1	On Thu, Jun 12, 2003 at 01:25:23PM -0400, Ned Ludd wrote:
2	> Aside from all DocumentRoot stuff I feel that one of the most important
3	> things that needs to be addressed by any apache.eclass is what version
4	> of apache are we using 1,2 when ~arch flags are set. I was reently very
5	> unhappy to find out that apache2 got installed on one of my production
6	> servers after doing an upgrade world when -apache2 was explicitly set
7	> and the box previously had apache1 installed.
8	>
9	> A FORCE_APACHE=1\|2 option was mentioned the other day here on the ml, I
10	> support that idea fully.
11	Apache IS slotted. The ONLY data that is overwritten between the two
12	installs is the default pages in /home/httpd/htdocs.
13	As such, you can have both installed quite easily. While this does add
14	some undesirable overhead, it is not an impediment to using Apache1.
15
16	> What I would like/hope to see is for carpaski to make the final decision
17	> if any sort of dynamic method should be used to gain the apache
18	> docroot,user,group, and other runtime settings. Then hopefully one of
19	> you (Brad Laue comes to mind as it looks like he was willing to step up
20	> to the plate) will parent the needed {apache,http}.eclass
21	I had already suggested and offered it write it, long before any of the
22	current work was done.
23
24	> Thus why the example code only extracted the very first case of
25	> DocumentRoot out of the conf and ensured there would be no extra
26	> whitespace/tabs something that a simple "grep \| cut " can not address
27	> correctly. I also feel the logic I used is for the example code to get
28	> the docroot is sane (other than UPPER vs lower case, but that could be
29	> addressed by using grep -i). I suppose one could do more and add the
30	> extra step to ensure that the document root really does exists.
31	> [ ! -d "${DOCUMENT_ROOT}" ] && die "some clever error msg here"
32
33
34
35	> Note: I'm not 100% sure that we can die correctly from within an eclass
36	We can actually. I use it in the php.eclass with the /usr/bin/sendmail check.
37
38	> > > After discussion with others, my recommendation is that the document root
39	> > > should always be /home/httpd/htdocs. You could allow this to be overridden
40	> > > with DOCUMENT_ROOT= in /etc/make.conf if you're feeling generous.
41	> This is what I would really like to see in the end result.
42	This is easily done with the installing the web packages in a common
43	directory and building symlinks.
44	Possibly we need a framework/installer config system for the web
45	applications to abstract all of the common database setup and symlink
46	creation stuff after detecting the correct documentroot setting.
47
48	> > Actually, in a further discussion today in #gentoo-dev, we noted that
49	> > detected the DocumentRoot or allowing to be variable in any fashion
50	> > causes more serious problems with tbz2 binary tarballs.
51	> > For example:
52	> > DocumentRoot is /var/www
53	> > User builds a web application, which installs to /var/www. The tbz2
54	> > contains files with that pathname component in them.
55	> > Now DocumentRoot gets change to /home/httpd/htdocs (any number of ways,
56	> > including emerging the binary package on a different system).
57	> > User tries to install the package, telling emerge to use the
58	> > pre-existing binary.
59	> > Package is extracted to /var/www, which is never looked at by the
60	> > webserver.
61	> I feel one of the really great things about gentoo is its flexiablity,
62	> users can build there systems exactly how they want when they want.
63	> Having such variables in an eclass that can be overridden by the enduser
64	> at compile time to me seems by far the best option for our users. I have
65	> faith that "most" of gentoo's users that would edit such an option would
66	> know what there doing in reguards to there own DocumentRoot.
67	This ignores the issue of the tarball problem. The best solution is to
68	move it away from compile time, to config/postinst instead.
69
70	> > In cases where users want a different DocumentRoot, I would suggest that
71	> > the packages are all installed in a fixed location (not nessicarily even
72	> > in the DocumentRoot directory), and then the user can symlink them into
73	> > their own DocumentRoot.
74	> > A possible solution:
75	> > All webapps install to something NOT inside DocumentRoot.
76	> > 'ebuild /usr/portage/.../foo.ebuild config' sets up the application
77	> > (needed in most cases already) AND puts in a symlink to the
78	> > DocumentRoot.
79	> > This also makes it easier to support virtualhost configurations that all
80	> > have access to a common tool, and makes temporarily disabling an
81	> > application for security reasons much easier to do.
82	> For security reasons I see that as having both pros and cons.
83	> You addressed the pros, I will address the only con I can think of off
84	> the top of my head. This type of setup would require that FollowSymLinks
85	> must always be set which could potentionaly introduce new security holes
86	> depending on the app thats being installed.
87	Symlinks to outside the DocumentRoot structure as should already be
88	taken care of due to the "<Directory />" settings which deny everybody.
89
90	To minimize any further impact however, is there any way we can set an
91	option and NOT have it inherit? eg I want "Options +FollowSymlinks" in
92	/home/httpd/htdocs but not in any of it's subdirectories?
93
94	Failing that, we just need to take more care with symlinks. Not too
95	difficult based on the "<Directory />" settings.
96
97	> Another thing which was not addressed by the example eclass is what
98	> permissions should webapps install as. I notice a few ebuilds are making
99	[snip]
100	> would improve the overall security of installed files.
101	I'd agree that root.apache(u=rw,g=r) as the permissions would be a good
102	move for security, without adversely affecting things.
103
104	> And when a webapp says its needs to be mode 666 (laugh to yourself and
105	> try to make the file apache owned with 0600 or 0660)
106	I have seen a few that need this. Most notably the horde config system,
107	and anything that wants to write back to it's own config files.
108
109	--
110	Robin Hugh Johnson
111	E-Mail : robbat2@××××××××××××××.net
112	Home Page : http://www.orbis-terrarum.net/?l=people.robbat2
113	ICQ# : 30269588 or 41961639
114	GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85