1 |
On Thursday 28 October 2004 23:52, Anthony Gorecki wrote: |
2 |
> On Thursday 28 October 2004 3:13 pm, Stuart Herbert wrote: |
3 |
> > Hrm ... I haven't made any comment on self-configuring web applications. |
4 |
> |
5 |
> "We know that webapp-config needs improvements, especially in the area of |
6 |
> auto-configuring web-based apps." |
7 |
|
8 |
That's auto-configuration, not self-configuration. There are web-based apps |
9 |
out there with their own (normally web-based) configuration support. That's |
10 |
what I'd call self-configuration. |
11 |
|
12 |
> And in the case of the above, the tip of a sword is as close to playing |
13 |
> nicely as those applications will come. |
14 |
> |
15 |
> *sighs at his application frameworks* |
16 |
|
17 |
That's true today. It'll stay true tomorrow if no-one does anything to try |
18 |
and change it. But if we try - who knows what we can achieve? |
19 |
|
20 |
> I personally would not trust webapp-config to reconfigure my web server or |
21 |
> modify web service configuration files, especially considering that I |
22 |
> replaced the stock configurations with my own as soon as I installed |
23 |
> Apache. |
24 |
|
25 |
|
26 |
|
27 |
> How would you implement an automatic open_basedir restriction in |
28 |
> PHP, after a web application was installed? |
29 |
|
30 |
open_basedir can only be set in php.ini or the Apache config file. |
31 |
|
32 |
It's always best to avoid setting anything other than system-wide defaults in |
33 |
php.ini. |
34 |
|
35 |
I'd do what I do on my boxes at work. I'd create a per-app-instance config |
36 |
file which contained the necessary settings, and have apache include it the |
37 |
next time it was SIGHUP'd. |
38 |
|
39 |
How would I decide whether an open_basedir restriction was required? That is |
40 |
a policy decision, which would be managed through the vhost-tools. |
41 |
|
42 |
> I certainly wouldn't want my |
43 |
> Apache processes receiving a SIGHUP after every software installation to |
44 |
> reload the configuration, which is the only place open_basedir may be |
45 |
> altered. |
46 |
|
47 |
The SIGHUP is required for a change to take effect. That doesn't prevent any |
48 |
tool from putting the configuration in place ready for a scheduled change. |
49 |
|
50 |
Again, scheduling config reloads is a policy decision, which could be managed |
51 |
through the vhost-tools. |
52 |
|
53 |
> Compounding the problem, many scripts heavily modify the PHP runtime |
54 |
> configuration directives: how would an automated tool be able to factor in |
55 |
> all the necessary information for every web application? This doesn't seem |
56 |
> realistic. |
57 |
|
58 |
You're assuming that the tool has to learn about each app, me thinks. That's |
59 |
not what I intend to do. I'm intending to provide tools which will generate |
60 |
config files for the various apps - and which will get the information from |
61 |
config files maintained by the local administrator. |
62 |
|
63 |
There aren't that many scripts that modify php.ini - and any script that does |
64 |
is (as far as I'm concerned) broken. |
65 |
|
66 |
> IMHO, an automated tool would never be suitable for securing a web |
67 |
> environment, composed of a non-homogeneous solution of different |
68 |
> applications. I simply don't see how it's possible to secure against every |
69 |
> possible method of script exploitation (or even a marginal majority) for |
70 |
> every web language (or even one web language), without knowing the specific |
71 |
> workings of the scripts in question. |
72 |
|
73 |
I hope to prove you wrong in time. |
74 |
|
75 |
> As an "upstream provider," I would also never waste my time providing the |
76 |
> specifications to any tool designed for such purposes. |
77 |
|
78 |
I'm sorry to hear that you think it's a waste of time to try and improve the |
79 |
ease of installation of your packages. |
80 |
|
81 |
> I can take the necessary steps to reasonably secure my web services and can |
82 |
> provide information that would instruct others on how to do the same, |
83 |
> however there is no way I could explain every possible combination of every |
84 |
> possible scenario to every possible user on every possible configuration. |
85 |
|
86 |
Why are there so many scenarios where your services would be insecure? |
87 |
|
88 |
> It doesn't make sense, |
89 |
|
90 |
If it's too complicated to do by hand, then it definitely needs automating |
91 |
|
92 |
> it's not practical and it's not feasible; |
93 |
|
94 |
When was the last time you installed a Windows application by hand? Or a |
95 |
non-web-app on Linux? Most apps in the world can be installed automatically; |
96 |
there's no reason why web-based apps should be treated as a special case. |
97 |
|
98 |
> Is it? A large number of hosting providers do not even allow their clients |
99 |
> to access a shell console, nevermind Portage derivatives. In the same way, |
100 |
> I would never allow one of my -client's- web applications to have any |
101 |
> influence whatsoever on the operations of -my- web server. Most websites |
102 |
> have no concept of a package manager, in the traditional sense: this is why |
103 |
> my web applications provide their own means of filesystem management and |
104 |
> software updates. At present, the only viable package management system I |
105 |
> see for web applications is one they provide themselves. |
106 |
|
107 |
My experience is different from yours. Aside from the '50Mb free with your |
108 |
dial-up account' type hosting, most of the hosting over here in the UK |
109 |
provides shell access. |
110 |
|
111 |
It's not possible to support non-privileged users running webapp-config with |
112 |
the default Apache 2 MPM, as these users can't perform the chown operations |
113 |
that the tool needs to do. We could provide a setuid-safe script to do this, |
114 |
but that's not top of my todo list. |
115 |
|
116 |
The problem with each web-based package providing its own package management |
117 |
is that you're left with widely varying quality. You also have the problem |
118 |
that it's harder to lock down a site and prevent unauthorised change. And |
119 |
these tools don't work too well on secured and/or disconnected intranets (and |
120 |
these are surprising common in the public sector at least). Tools that |
121 |
extend Portage - tools that allow for disconnected upgrades - still have |
122 |
their advantages :) |
123 |
|
124 |
What you describe is how things are today. If the tools existed to do these |
125 |
things for you, would you still want to live in today? Even if you do, there |
126 |
are plenty of people out there who do not. |
127 |
|
128 |
Best regards, |
129 |
Stu |
130 |
-- |
131 |
Stuart Herbert stuart@g.o |
132 |
Gentoo Developer http://www.gentoo.org/ |
133 |
http://stu.gnqs.org/diary/ |
134 |
|
135 |
GnuPG key id# F9AFC57C available from http://pgp.mit.edu |
136 |
Key fingerprint = 31FB 50D4 1F88 E227 F319 C549 0C2F 80BA F9AF C57C |
137 |
-- |