Ok, I think /afs/hcoop.net/common/etc/scripts/apache-sync-logs is all
set. Comments:
- It assumes that $USER/logs/apache exists, and that user.cgi has
  wlid permissions on it. I have adjusted create-user to make sure
  this is the case, but we may need to do it manually for users that
  already exist.
- It assumes that (local) /var/log/apache/u/us/user/ is:
    - owned by $USER
    - grouped to www-data
    - mode ug+rw
  It will change this if it is not the case while it is still root.
Please let me know if you think that this is accurate. I think we
can relax the group=www-data restriction because Apache opens
logfiles while it's still root, right?
After doing this, it picks up the user's cgi tokens, switches to
the user's userid, and performs the actual syncing.
The actual rsyncing is done as the user's userid, holding the user's
cgi tokens. This ensures that users cannot trick the sync-logs script
into doing anything that they couldn't have done themselves (like
trampling on other users' files via symlink or mountpoint trickery).
I tested the script on adamc, and it appeared to do the right thing.
It would be cool if somebody else could run it on themselves and
provide some feedback before we put it in a crontab...
- a
--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380
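The sequence the post describes (verify the local log directory as root, repair it if needed, then rsync as the user so the script cannot be tricked into doing more than that user could) as an added example. This is not the HCoop apache-sync-logs script and not its author's code; LOCAL_LOG_ROOT, the u/us/user hashing, the AFS destination layout and the su-based privilege drop are assumptions, and the site-specific acquisition of the user's cgi tokens is left as a labelled placeholder. It needs GNU stat and rsync.

```shell
#!/bin/sh
# Added illustration, not the HCoop apache-sync-logs script. Sketches the
# sequence from the post: check the local log dir as root, fix it if needed,
# then copy as the user. GNU stat and rsync assumed.

LOCAL_LOG_ROOT=/var/log/apache      # assumed; the post shows /var/log/apache/u/us/user/
AFS_USER_ROOT=/afs/hcoop.net/user   # assumed layout holding $USER/logs/apache

# user_log_dir USER -> /var/log/apache/u/us/user (hashing inferred from the post)
user_log_dir() {
    u=$1
    printf '%s/%s/%s/%s\n' "$LOCAL_LOG_ROOT" \
        "$(printf '%s' "$u" | cut -c1)" "$(printf '%s' "$u" | cut -c1-2)" "$u"
}

# check_logdir_perms DIR USER GROUP
# Returns 0 when DIR is a real directory (not a symlink) owned by USER,
# grouped to GROUP, with read+write set for owner and group (the post's ug+rw).
check_logdir_perms() {
    dir=$1; want_user=$2; want_group=$3
    # A root-run chown/chmod must never follow a link the user controls.
    [ -L "$dir" ] && return 1
    [ -d "$dir" ] || return 1
    info=$(stat -c '%U %G %a' "$dir") || return 1
    set -- $info
    [ "$1" = "$want_user" ]  || return 1
    [ "$2" = "$want_group" ] || return 1
    # %a is octal; keep only the owner/group rw bits and require all four.
    [ $(( 0$3 & 0660 )) -eq $(( 0660 )) ] || return 1
}

# fix_logdir_perms DIR USER GROUP: repair owner, group and mode; root only.
fix_logdir_perms() {
    [ "$(id -u)" -eq 0 ] || { echo "fix_logdir_perms: not root" >&2; return 1; }
    [ -L "$1" ] && { echo "fix_logdir_perms: refusing symlink $1" >&2; return 1; }
    chown "$2:$3" "$1" && chmod ug+rw "$1"
}

# sync_user_logs USER: the whole sequence, to be run as root.
# rsync runs under the user's uid (here via su, an assumption) so symlink or
# mountpoint tricks in the source tree can only reach what that user could
# already write to.
sync_user_logs() {
    u=$1
    src=$(user_log_dir "$u")
    dst="$AFS_USER_ROOT/$u/logs/apache"
    check_logdir_perms "$src" "$u" www-data \
        || fix_logdir_perms "$src" "$u" www-data || return 1
    # PLACEHOLDER: obtain the user's cgi (AFS) tokens here; site-specific.
    su -s /bin/sh "$u" -c "rsync -a '$src/' '$dst/'"
}
```

check_logdir_perms refuses a symlinked directory outright rather than checking what it points to, since the only thing that runs as root is the repair step and that step must not follow a link the user can retarget between check and fix.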
HCoop-SysAdmin mailing list
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin