Thank you, Ethan, for replying. We are seeing eye to eye on this one. OpenSSH has had nothing but problems with trying to debug and secure the privileged separation code. It has poor interaction with other authentication systems, and has been all-around buggy. Yet, like Ethan stated, there are more eyes, and the CAN bulletins are generally made AFTER a fix had been published: they're that fast. ;-)
Like Ethan, I also run my web server as an unprivileged user and don't allow suexec. Richard is right in that having a master process that runs as root to which usher talks adds complexity (but not much). It also insulates the public interface from risky tasks, such as switching process users.

Of course, you wouldn't need the master process if:

1. You never host local databases
2. You're OK with usher running multiple databases as a single user.
3. You manage (launch) the servers with some other system/setup

If you need the extra security of running servers as different users (Savannah), then another management solution is necessary.

1. Running thousands of servers all the time. (Ouch)
2. Implement some sort of firewall port-knocking swatch launcher. (Icky. Yes, I said, "Icky.")

The nice thing about having a master process is that it doesn't have to be that complex.

1. Listen to a socket.
2. Receive a request from usher for a local database.
3. Launch 'mtn -d DBPATH serve --bind 127.0.0.1 --port RANDPORT ...' as the appropriate user.
4. Give usher the port or failure message.

usher then works as it normally does. It just needs a new target, a socket to the master process.

Anyway, it's a brain-storming feature request. Not a high priority, but if we want Monotone on Savannah, I'd hedge my bets that it would be well-received by the Savannah admins.

-- 
Chad Walstrom <[EMAIL PROTECTED]> http://www.wookimus.net/
assert(expired(knowledge)); /* core dump */

_______________________________________________
Monotone-devel mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/monotone-devel
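The master-process sketch in the message above (listen on a socket, take a request from usher for a local database, launch `mtn serve` as the appropriate user, hand back the port or a failure message), worked through as an added Python example. This is not Chad's code and not part of usher or monotone. The database-to-user mapping, the socket path, the user names and the one-line request format are all assumptions; the `mtn` command line is the one written in the message. The security-relevant choices are the ones the message motivates: the root-running master only ever spawns from a fixed allowlist (the request can never name a path), argv is passed as a list so no shell is involved, the child drops to the database's user before exec, and the control socket is group-restricted so only usher can reach it.

```python
import os
import pwd
import re
import socket
import socketserver
import subprocess

# Constructed example mapping (hypothetical paths and users): database name -> (db path, unix user).
# Only names listed here can ever be served; anything else is refused before a process is spawned.
DATABASES = {
    "project-a": ("/srv/monotone/project-a.mtn", "mtn-project-a"),
    "project-b": ("/srv/monotone/project-b.mtn", "mtn-project-b"),
}
SOCKET_PATH = "/run/mtn-master.sock"  # hypothetical; this is the "new target" usher would talk to

NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def parse_request(line: bytes) -> str:
    """Assumed wire format: one ASCII line carrying just the database name.
    Strict validation keeps the name usable only as a dictionary key, never as a path."""
    try:
        name = line.decode("ascii").strip()
    except UnicodeDecodeError:
        raise ValueError("non-ascii request")
    if not NAME_RE.fullmatch(name):
        raise ValueError("malformed database name")
    return name


def pick_local_port() -> int:
    """Let the kernel choose a free loopback port (the RANDPORT of the message). There is a
    small window between release and the child's bind, so a failed launch is still reported."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def build_serve_command(db_path: str, port: int) -> list:
    """argv for the command line quoted in the message; a list, so no shell is ever involved."""
    return ["mtn", "-d", db_path, "serve", "--bind", "127.0.0.1", "--port", str(port)]


def make_privilege_drop(user: str):
    """preexec_fn for Popen: runs in the child after fork and before exec, so the master
    itself stays root while the server never is."""
    def drop():
        pw = pwd.getpwnam(user)
        os.setgroups([])
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)
        if os.geteuid() == 0:  # never exec the server as root, whatever went wrong above
            raise RuntimeError("privilege drop failed")
    return drop


def handle_request(line: bytes, spawn=subprocess.Popen) -> str:
    """One request -> reply cycle. `spawn` is injectable so the logic can be exercised
    without a real mtn binary. Replies: 'OK <port>' or 'ERR <reason>'."""
    try:
        name = parse_request(line)
    except ValueError:
        return "ERR malformed-request"
    if name not in DATABASES:
        return "ERR unknown-database"
    db_path, user = DATABASES[name]
    port = pick_local_port()
    try:
        spawn(build_serve_command(db_path, port),
              preexec_fn=make_privilege_drop(user),
              stdin=subprocess.DEVNULL, close_fds=True)
    except (OSError, subprocess.SubprocessError):
        return "ERR launch-failed"
    return f"OK {port}"


class MasterHandler(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write((handle_request(self.rfile.readline()) + "\n").encode())


def serve_forever(sock_path: str = SOCKET_PATH):
    """Listen on a Unix socket; mode 0660 so only the master's group (usher) can connect."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    with socketserver.UnixStreamServer(sock_path, MasterHandler) as srv:
        os.chmod(sock_path, 0o660)
        srv.serve_forever()


if __name__ == "__main__":
    serve_forever()
```

Run as root, the master answers each connection with a single line usher can parse; anything that is not an allowlisted name is refused without a fork, and a launch that fails (unknown user, missing binary, port lost to a race) comes back as `ERR launch-failed` rather than a hung connection.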
