| 1 |
On Thursday 28 October 2004 23:52, Anthony Gorecki wrote: |
| 2 |
> On Thursday 28 October 2004 3:13 pm, Stuart Herbert wrote: |
| 3 |
> > Hrm ... I haven't made any comment on self-configuring web applications. |
| 4 |
> |
| 5 |
> "We know that webapp-config needs improvements, especially in the area of |
| 6 |
> auto-configuring web-based apps." |
| 7 |
|
| 8 |
That's auto-configuration, not self-configuration. There are web-based apps |
| 9 |
out there with their own (normally web-based) configuration support. That's |
| 10 |
what I'd call self-configuration. |
| 11 |
|
| 12 |
> And in the case of the above, the tip of a sword is as close to playing |
| 13 |
> nicely as those applications will come. |
| 14 |
> |
| 15 |
> *sighs at his application frameworks* |
| 16 |
|
| 17 |
That's true today. It'll stay true tomorrow if no-one does anything to try |
| 18 |
and change it. But if we try - who knows what we can achieve? |
| 19 |
|
| 20 |
> I personally would not trust webapp-config to reconfigure my web server or |
| 21 |
> modify web service configuration files, especially considering that I |
| 22 |
> replaced the stock configurations with my own as soon as I installed |
| 23 |
> Apache. |
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
> How would you implement an automatic open_basedir restriction in |
| 28 |
> PHP, after a web application was installed? |
| 29 |
|
| 30 |
open_basedir can only be set in php.ini or the Apache config file. |
| 31 |
|
| 32 |
It's always best to avoid setting anything other than system-wide defaults in |
| 33 |
php.ini. |
| 34 |
|
| 35 |
I'd do what I do on my boxes at work. I'd create a per-app-instance config |
| 36 |
file which contained the necessary settings, and have apache include it the |
| 37 |
next time it was SIGHUP'd. |
| 38 |
|
| 39 |
How would I decide whether an open_basedir restriction was required? That is |
| 40 |
a policy decision, which would be managed through the vhost-tools. |
| 41 |
|
| 42 |
> I certainly wouldn't want my |
| 43 |
> Apache processes receiving a SIGHUP after every software installation to |
| 44 |
> reload the configuration, which is the only place open_basedir may be |
| 45 |
> altered. |
| 46 |
|
| 47 |
The SIGHUP is required for a change to take effect. That doesn't prevent any |
| 48 |
tool from putting the configuration in place ready for a scheduled change. |
| 49 |
|
| 50 |
Again, scheduling config reloads is a policy decision, which could be managed |
| 51 |
through the vhost-tools. |
| 52 |
|
| 53 |
> Compounding the problem, many scripts heavily modify the PHP runtime |
| 54 |
> configuration directives: how would an automated tool be able to factor in |
| 55 |
> all the necessary information for every web application? This doesn't seem |
| 56 |
> realistic. |
| 57 |
|
| 58 |
You're assuming that the tool has to learn about each app, me thinks. That's |
| 59 |
not what I intend to do. I'm intending to provide tools which will generate |
| 60 |
config files for the various apps - and which will get the information from |
| 61 |
config files maintained by the local administrator. |
| 62 |
|
| 63 |
There aren't that many scripts that modify php.ini - and any script that does |
| 64 |
is (as far as I'm concerned) broken. |
| 65 |
|
| 66 |
> IMHO, an automated tool would never be suitable for securing a web |
| 67 |
> environment, composed of a non-homogeneous solution of different |
| 68 |
> applications. I simply don't see how it's possible to secure against every |
| 69 |
> possible method of script exploitation (or even a marginal majority) for |
| 70 |
> every web language (or even one web language), without knowing the specific |
| 71 |
> workings of the scripts in question. |
| 72 |
|
| 73 |
I hope to prove you wrong in time. |
| 74 |
|
| 75 |
> As an "upstream provider," I would also never waste my time providing the |
| 76 |
> specifications to any tool designed for such purposes. |
| 77 |
|
| 78 |
I'm sorry to hear that you think it's a waste of time to try and improve the |
| 79 |
ease of installation of your packages. |
| 80 |
|
| 81 |
> I can take the necessary steps to reasonably secure my web services and can |
| 82 |
> provide information that would instruct others on how to do the same, |
| 83 |
> however there is no way I could explain every possible combination of every |
| 84 |
> possible scenario to every possible user on every possible configuration. |
| 85 |
|
| 86 |
Why are there so many scenarios where your services would be insecure? |
| 87 |
|
| 88 |
> It doesn't make sense, |
| 89 |
|
| 90 |
If it's too complicated to do by hand, then it definitely needs automating |
| 91 |
|
| 92 |
> it's not practical and it's not feasible; |
| 93 |
|
| 94 |
When was the last time you installed a Windows application by hand? Or a |
| 95 |
non-web-app on Linux? Most apps in the world can be installed automatically; |
| 96 |
there's no reason why web-based apps should be treated as a special case. |
| 97 |
|
| 98 |
> Is it? A large number of hosting providers do not even allow their clients |
| 99 |
> to access a shell console, nevermind Portage derivatives. In the same way, |
| 100 |
> I would never allow one of my -client's- web applications to have any |
| 101 |
> influence whatsoever on the operations of -my- web server. Most websites |
| 102 |
> have no concept of a package manager, in the traditional sense: this is why |
| 103 |
> my web applications provide their own means of filesystem management and |
| 104 |
> software updates. At present, the only viable package management system I |
| 105 |
> see for web applications is one they provide themselves. |
| 106 |
|
| 107 |
My experience is different from yours. Aside from the '50Mb free with your |
| 108 |
dial-up account' type hosting, most of the hosting over here in the UK |
| 109 |
provides shell access. |
| 110 |
|
| 111 |
It's not possible to support non-privileged users running webapp-config with |
| 112 |
the default Apache 2 MPM, as these users can't perform the chown operations |
| 113 |
that the tool needs to do. We could provide a setuid-safe script to do this, |
| 114 |
but that's not top of my todo list. |
| 115 |
|
| 116 |
The problem with each web-based package providing its own package management |
| 117 |
is that you're left with widely varying quality. You also have the problem |
| 118 |
that it's harder to lock down a site and prevent unauthorised change. And |
| 119 |
these tools don't work too well on secured and/or disconnected intranets (and |
| 120 |
these are surprising common in the public sector at least). Tools that |
| 121 |
extend Portage - tools that allow for disconnected upgrades - still have |
| 122 |
their advantages :) |
| 123 |
|
| 124 |
What you describe is how things are today. If the tools existed to do these |
| 125 |
things for you, would you still want to live in today? Even if you do, there |
| 126 |
are plenty of people out there who do not. |
| 127 |
|
| 128 |
Best regards, |
| 129 |
Stu |
| 130 |
-- |
| 131 |
Stuart Herbert stuart@g.o |
| 132 |
Gentoo Developer http://www.gentoo.org/ |
| 133 |
http://stu.gnqs.org/diary/ |
| 134 |
|
| 135 |
GnuPG key id# F9AFC57C available from http://pgp.mit.edu |
| 136 |
Key fingerprint = 31FB 50D4 1F88 E227 F319 C549 0C2F 80BA F9AF C57C |
| 137 |
-- |
Archives