>> cgi-scripts do not need write access to any directories. All write
>> actions are performed by the openca daemon. The scripts only need access
>> to etc/ because they need some configuration parameters. I assume you
>> found some erroneous rights, correct?
>
> Actually not. Current Debian packaging runs openca server with the
> same uid as web server, and I didn't like the idea that web-server can
> access openca's data. Running them at different uids seems more
> appropriate to me.

I'm trying to get it all working with appropriate (separate) privileges/uids.

I guess the whole thing is supposed to be working in the following way:

user -> webserver -> cgi-script -> openca_socket -> openca-sv server

and in the opposite direction:

openca-sv -> openca_socket -> cgi-script -> webserver -> user

I guess cgi scripts don't even write or read anything from/into any kind of database (flat, sql), or openca files, and do not need access to openca files (except some in etc/openca for reading configuration options). However, they talk to (issue commands/read output) openca-sv via tmp/openca_socket, and openca-sv does all operations for the scripts, including file reading/saving and updating databases. So they (the scripts) need write access to this socket, am I right?

Is it really the way I think? Including the ldap script?

Piotr
