Adam Chlipala <[EMAIL PROTECTED]> wrote:
> Christopher D. Clausen wrote:
>> Adam Chlipala <[EMAIL PROTECTED]> wrote:
>>
>>> Christopher D. Clausen wrote:
>>>
>>>> I don't think it's going to be possible to have reasonable apache
>>>> performance and still be able to have apache acquire tickets based
>>>> on host headers for separate sites.
>>>>
>>> I suspect it wouldn't be much of a problem to suexec without picking
>>> up AFS tickets. My guess is that most dynamic content programs
>>> wouldn't try to write to home directories, and database access would
>>> work fine. For the (I hope) relatively few cases where this wouldn't
>>> work, could we just ask members to run k5start instances?
>>>
>>
>> You mean share AFS read access? Sounds good to me, but then any user
>> could potentially read any other users' database passwords, but I
>> don't see a good, easy way around that.
>>
> No, I mean start with no AFS rights beyond what system:anyuser gets.

Well, apache is already running as a PTS user to write log files and such; if people wish to restrict their backend sites more than system:anyuser they certainly can. (When we say world readable with AFS, we really mean the entire world.)

> No database passwords are involved with Postgres, since ident
> authentication is completely reliable on a network we control.

Ah, right. Okay.

> world of MySQL would certainly be murkier.

Yeah, the mysql stuff is what worried me as well. Anyone know of any popular apps that only work with MySQL?

<<CDC
