1 |
On Thu, Jun 12, 2003 at 01:25:23PM -0400, Ned Ludd wrote: |
2 |
> Aside from all DocumentRoot stuff I feel that one of the most important |
3 |
> things that needs to be addressed by any apache.eclass is what version |
4 |
> of apache are we using 1,2 when ~arch flags are set. I was reently very |
5 |
> unhappy to find out that apache2 got installed on one of my production |
6 |
> servers after doing an upgrade world when -apache2 was explicitly set |
7 |
> and the box previously had apache1 installed. |
8 |
> |
9 |
> A FORCE_APACHE=1|2 option was mentioned the other day here on the ml, I |
10 |
> support that idea fully. |
11 |
Apache IS slotted. The ONLY data that is overwritten between the two |
12 |
installs is the default pages in /home/httpd/htdocs. |
13 |
As such, you can have both installed quite easily. While this does add |
14 |
some undesirable overhead, it is not an impediment to using Apache1. |
15 |
|
16 |
> What I would like/hope to see is for carpaski to make the final decision |
17 |
> if any sort of dynamic method should be used to gain the apache |
18 |
> docroot,user,group, and other runtime settings. Then hopefully one of |
19 |
> you (Brad Laue comes to mind as it looks like he was willing to step up |
20 |
> to the plate) will parent the needed {apache,http}.eclass |
21 |
I had already suggested and offered it write it, long before any of the |
22 |
current work was done. |
23 |
|
24 |
> Thus why the example code only extracted the very first case of |
25 |
> DocumentRoot out of the conf and ensured there would be no extra |
26 |
> whitespace/tabs something that a simple "grep | cut " can not address |
27 |
> correctly. I also feel the logic I used is for the example code to get |
28 |
> the docroot is sane (other than UPPER vs lower case, but that could be |
29 |
> addressed by using grep -i). I suppose one could do more and add the |
30 |
> extra step to ensure that the document root really does exists. |
31 |
> [ ! -d "${DOCUMENT_ROOT}" ] && die "some clever error msg here" |
32 |
|
33 |
|
34 |
|
35 |
> Note: I'm not 100% sure that we can die correctly from within an eclass |
36 |
We can actually. I use it in the php.eclass with the /usr/bin/sendmail check. |
37 |
|
38 |
> > > After discussion with others, my recommendation is that the document root |
39 |
> > > should always be /home/httpd/htdocs. You could allow this to be overridden |
40 |
> > > with DOCUMENT_ROOT= in /etc/make.conf if you're feeling generous. |
41 |
> This is what I would really like to see in the end result. |
42 |
This is easily done with the installing the web packages in a common |
43 |
directory and building symlinks. |
44 |
Possibly we need a framework/installer config system for the web |
45 |
applications to abstract all of the common database setup and symlink |
46 |
creation stuff after detecting the correct documentroot setting. |
47 |
|
48 |
> > Actually, in a further discussion today in #gentoo-dev, we noted that |
49 |
> > detected the DocumentRoot or allowing to be variable in any fashion |
50 |
> > causes more serious problems with tbz2 binary tarballs. |
51 |
> > For example: |
52 |
> > DocumentRoot is /var/www |
53 |
> > User builds a web application, which installs to /var/www. The tbz2 |
54 |
> > contains files with that pathname component in them. |
55 |
> > Now DocumentRoot gets change to /home/httpd/htdocs (any number of ways, |
56 |
> > including emerging the binary package on a different system). |
57 |
> > User tries to install the package, telling emerge to use the |
58 |
> > pre-existing binary. |
59 |
> > Package is extracted to /var/www, which is never looked at by the |
60 |
> > webserver. |
61 |
> I feel one of the really great things about gentoo is its flexiablity, |
62 |
> users can build there systems exactly how they want when they want. |
63 |
> Having such variables in an eclass that can be overridden by the enduser |
64 |
> at compile time to me seems by far the best option for our users. I have |
65 |
> faith that "most" of gentoo's users that would edit such an option would |
66 |
> know what there doing in reguards to there own DocumentRoot. |
67 |
This ignores the issue of the tarball problem. The best solution is to |
68 |
move it away from compile time, to config/postinst instead. |
69 |
|
70 |
> > In cases where users want a different DocumentRoot, I would suggest that |
71 |
> > the packages are all installed in a fixed location (not nessicarily even |
72 |
> > in the DocumentRoot directory), and then the user can symlink them into |
73 |
> > their own DocumentRoot. |
74 |
> > A possible solution: |
75 |
> > All webapps install to something NOT inside DocumentRoot. |
76 |
> > 'ebuild /usr/portage/.../foo.ebuild config' sets up the application |
77 |
> > (needed in most cases already) AND puts in a symlink to the |
78 |
> > DocumentRoot. |
79 |
> > This also makes it easier to support virtualhost configurations that all |
80 |
> > have access to a common tool, and makes temporarily disabling an |
81 |
> > application for security reasons much easier to do. |
82 |
> For security reasons I see that as having both pros and cons. |
83 |
> You addressed the pros, I will address the only con I can think of off |
84 |
> the top of my head. This type of setup would require that FollowSymLinks |
85 |
> must always be set which could potentionaly introduce new security holes |
86 |
> depending on the app thats being installed. |
87 |
Symlinks to outside the DocumentRoot structure as should already be |
88 |
taken care of due to the "<Directory />" settings which deny everybody. |
89 |
|
90 |
To minimize any further impact however, is there any way we can set an |
91 |
option and NOT have it inherit? eg I want "Options +FollowSymlinks" in |
92 |
/home/httpd/htdocs but not in any of it's subdirectories? |
93 |
|
94 |
Failing that, we just need to take more care with symlinks. Not too |
95 |
difficult based on the "<Directory />" settings. |
96 |
|
97 |
> Another thing which was not addressed by the example eclass is what |
98 |
> permissions should webapps install as. I notice a few ebuilds are making |
99 |
[snip] |
100 |
> would improve the overall security of installed files. |
101 |
I'd agree that root.apache(u=rw,g=r) as the permissions would be a good |
102 |
move for security, without adversely affecting things. |
103 |
|
104 |
> And when a webapp says its needs to be mode 666 (laugh to yourself and |
105 |
> try to make the file apache owned with 0600 or 0660) |
106 |
I have seen a few that need this. Most notably the horde config system, |
107 |
and anything that wants to write back to it's own config files. |
108 |
|
109 |
-- |
110 |
Robin Hugh Johnson |
111 |
E-Mail : robbat2@××××××××××××××.net |
112 |
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2 |
113 |
ICQ# : 30269588 or 41961639 |
114 |
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 |