On Fri, Mar 04, 2005 at 10:52:33AM +0100, Ives Steglich wrote:
> Date: Fri, 04 Mar 2005 10:52:33 +0100
> From: Ives Steglich <[EMAIL PROTECTED]>
> Subject: Re: [OpenCA-Devel] httpd-user vs openca-user
>
> Michael Bell wrote:
>
> >openca: user root with group root
> >httpd: special openca user (this is the owner of the socket and daemon)
> >
> i just gave this a try, there are some file-permission problems to keep
> checked if going this way:
>
> the conf files in etc/servers are only readable by owner and group
> this must be changed
Yes, cgi scripts need to read configuration from
etc/servers/{ca,ra,node}.conf so we must give them group of http server
or make them world readable. IMHO these files don't contain sensitive
information. Also etc/rbac and etc/openssl must be writeable by the daemon.
I've tried to export ALL from CA to RA. on RA machine daemon complained
that it could write to rbac and openssl directory.
>
> and the var/tmp/openca_socket is only writeable by owner (which of
> course is not the apache-user anymore then ;) - furthermore the var and
> tmp is only group readable/executable, this must be changed too and i
> set the group of the socket to the apache group and gave this group
> writepermissions to the socket, so the cgis can write to the socket ;)
> (i modified openca_rc for this and put some chown and chmod lines into
> this, since you have to do this every time the daemon restarts)
I also stepped on this problem, but only chmod it in the post_bind_hook of
Net::Server. Modified src/common/lib/functions/initServer for this.
Actually I made a patch for openca_0_9_2_1 for debian packages which
adds --with-run-dir and --with-log-dir. I keep pids in $run-dir and
sockets in $run-dir/socket which has group of http server and mode 0750.
It also changes default log directory. I change only path for
stderr.log, xml_cache.log and XML dir log. But beware: it doesn't create
necessary directory structure for xml logging. Currently I create it
with debian packaging tools.
See attached patch, but I'm still testing it.
Best wishes
--
Alexei Chetroi
Smile... Tomorrow will be worse. (c) Murphy's Law
#! /bin/sh /usr/share/dpatch/dpatch-run
## 20_var_run_dir.dpatch by <[EMAIL PROTECTED]>
## $Id: 20_var_run_dir 46 2005-03-06 21:27:29Z lex $
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: move sockets/pids to /var/run/openca directory
@DPATCH@
diff -ruN openca-0.9.2.1.orig/configure.in openca-0.9.2.1.lex/configure.in
--- openca-0.9.2.1.orig/configure.in 2005-03-05 01:55:59.000000000 +0200
+++ openca-0.9.2.1.lex/configure.in 2005-03-05 18:46:44.000000000 +0200
@@ -210,6 +210,16 @@
scep_prefix=$withval, scep_prefix=scep)
AC_SUBST( scep_prefix)
+ AC_ARG_WITH( run-dir,
+ AC_HELP_STRING( [--with-run-dir=DIR], [sets run directory
default is VARPREFIX/run)]),
+ var_run_dir=$withval, var_run_dir=${var_prefix}/run)
+ AC_SUBST( var_run_dir)
+
+ AC_ARG_WITH( log-dir,
+ AC_HELP_STRING( [--with-log-dir=DIR], [sets log directory
default is VARPREFIX/log)]),
+ var_log_dir=$withval, var_log_dir=${var_prefix}/log)
+ AC_SUBST( var_log_dir)
+
dnl directory-structure of OpenCA
dnl ############################## END #############################
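Review bot: The help text of both new AC_ARG_WITH options has an unbalanced parenthesis: "sets run directory default is VARPREFIX/run)" closes a group that was never opened, so the `./configure --help` output reads oddly. Suggest `[sets run directory (default is VARPREFIX/run)]` and the matching `[sets log directory (default is VARPREFIX/log)]` for --with-log-dir. The continuation lines are wrapped by the mail client here; presumably each AC_HELP_STRING is a single line in the real patch.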
diff -ruN openca-0.9.2.1.orig/src/common/etc/config.xml.in
openca-0.9.2.1.lex/src/common/etc/config.xml.in
--- openca-0.9.2.1.orig/src/common/etc/config.xml.in 2005-03-05
01:56:00.000000000 +0200
+++ openca-0.9.2.1.lex/src/common/etc/config.xml.in 2005-03-05
18:47:52.000000000 +0200
@@ -396,6 +396,14 @@
<value>@var_prefix@</value>
</option>
<option>
+ <name>var_run_dir</name>
+ <value>@var_run_dir@</value>
+ </option>
+ <option>
+ <name>var_log_dir</name>
+ <value>@var_log_dir@</value>
+ </option>
+ <option>
<name>batch_prefix</name>
<value>@batch_prefix@</value>
</option>
diff -ruN openca-0.9.2.1.orig/src/common/etc/log.xml.in
openca-0.9.2.1.lex/src/common/etc/log.xml.in
--- openca-0.9.2.1.orig/src/common/etc/log.xml.in 2005-03-05
01:56:00.000000000 +0200
+++ openca-0.9.2.1.lex/src/common/etc/log.xml.in 2005-03-05
18:52:07.000000000 +0200
@@ -1,6 +1,6 @@
<openca>
<debug>0</debug>
- <stderr>@var_prefix@/log/stderr.log</stderr>
+ <stderr>@var_log_dir@/stderr.log</stderr>
<log>
<debug>0</debug>
<slots>
@@ -20,7 +20,7 @@
<class>*</class>
<level>*</level>
<logger>XML</logger>
- <dir>@var_prefix@/log/xml</dir>
+ <dir>@var_log_dir@/xml</dir>
</slot>
</slots>
</log>
diff -ruN openca-0.9.2.1.orig/src/common/etc/openca_start.template.in
openca-0.9.2.1.lex/src/common/etc/openca_start.template.in
--- openca-0.9.2.1.orig/src/common/etc/openca_start.template.in 2005-03-05
01:56:00.000000000 +0200
+++ openca-0.9.2.1.lex/src/common/etc/openca_start.template.in 2005-03-05
18:48:53.000000000 +0200
@@ -21,11 +21,13 @@
$AUTOCONF {"lib_prefix"} = "@lib_prefix@";
$AUTOCONF {"etc_prefix"} = "@etc_prefix@";
$AUTOCONF {"var_prefix"} = "@var_prefix@";
+$AUTOCONF {"var_run_dir"} = "@var_run_dir@";
+$AUTOCONF {"var_log_dir"} = "@var_log_dir@";
$AUTOCONF {"config_prefix"} = "common";
$AUTOCONF {"VERSION"} = "@VERSION@";
$AUTOCONF {"PROGRAM"} = "OpenCA Server";
-$AUTOCONF {"httpd_user"} = "@httpd_user@";
-$AUTOCONF {"httpd_group"} = "@httpd_group@";
+$AUTOCONF {"httpd_user"} = "openca";
+$AUTOCONF {"httpd_group"} = "openca";
## if common.conf is missing then we link common.conf
## to a random configuration file of an OpenCA interface
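Review bot: The new lines replace the configure-substituted `@httpd_user@`/`@httpd_group@` with the literal "openca", so whatever `--with-httpd-user`/`--with-httpd-group` (or the equivalent) produced at configure time is silently discarded in the start template, while batch.in, ca.in and the other interface scripts in this patch still carry the substituted values. If the intent is that the daemon runs as a dedicated openca account rather than the web-server account, that account should be its own configure value (e.g. a new `@openca_user@`/`@openca_group@` substitution) instead of a hard-coded string, otherwise the key name `httpd_user` no longer describes what it holds and the web-server group is no longer available to the server code. A comment such as `## daemon runs as the dedicated openca account, not as the httpd user` would at least document the change of meaning.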
diff -ruN openca-0.9.2.1.orig/src/common/etc/openca_stop.template
openca-0.9.2.1.lex/src/common/etc/openca_stop.template
--- openca-0.9.2.1.orig/src/common/etc/openca_stop.template 2005-03-05
01:56:00.000000000 +0200
+++ openca-0.9.2.1.lex/src/common/etc/openca_stop.template 2005-03-05
18:49:35.000000000 +0200
@@ -1,11 +1,11 @@
#!/bin/sh
echo -n Stopping XML cache ...
-PID=`cat @var_prefix@/tmp/xml_cache.pid 2>/dev/null`;
+PID=`cat @var_run_dir@/xml_cache.pid 2>/dev/null`;
[ -n "$PID" ] && kill $PID
echo done
echo -n Stopping openca server ...
-PID=`cat @var_prefix@/tmp/openca_socket.pid 2>/dev/null`;
+PID=`cat @var_run_dir@/openca_socket.pid 2>/dev/null`;
[ -n "$PID" ] && kill $PID
echo done
diff -ruN openca-0.9.2.1.orig/src/common/lib/functions/initCGI
openca-0.9.2.1.lex/src/common/lib/functions/initCGI
--- openca-0.9.2.1.orig/src/common/lib/functions/initCGI 2005-03-05
01:56:00.000000000 +0200
+++ openca-0.9.2.1.lex/src/common/lib/functions/initCGI 2005-03-05
18:34:43.000000000 +0200
@@ -113,7 +113,7 @@
## connect to server
-my $socket_name = $AUTOCONF {"var_prefix"}."/tmp/openca_socket";
+my $socket_name = $AUTOCONF {"var_run_dir"}."/socket/openca_socket";
socket(SOCK, PF_UNIX, SOCK_STREAM, 0) || sendError ("Cannot create new client
socket ($socket_name).");
connect(SOCK, sockaddr_un($socket_name)) || sendError ("Server is not online
or does not accept requests ($socket_name - ".sockaddr_un($socket_name).").
$?");
--- openca-0.9.2.1.orig/src/common/lib/functions/initServer 2005-03-05
01:56:00.000000000 +0200
+++ openca-0.9.2.1.lex/src/common/lib/functions/initServer 2005-03-06
07:58:58.000000000 +0200
@@ -137,17 +137,23 @@
## 6. activate server process
-unlink ($AUTOCONF{"var_prefix"}."/tmp/openca_socket");
+unlink ($AUTOCONF{"var_run_dir"}."/socket/openca_socket");
OpenCA::Server->run (
user => $AUTOCONF{"httpd_user"},
group => $AUTOCONF{"httpd_group"},
proto => "unix",
- port => $AUTOCONF{"var_prefix"}."/tmp/openca_socket|unix",
+ port => $AUTOCONF{"var_run_dir"}."/socket/openca_socket|unix",
background => 1,
- pid_file => $AUTOCONF{"var_prefix"}."/tmp/openca_socket.pid");
+ pid_file => $AUTOCONF{"var_run_dir"}."/openca_socket.pid");
################################end of global
main#################################
+sub post_bind_hook
+{
+ chmod 0777, $AUTOCONF{"var_run_dir"}."/socket/openca_socket";
+ umask 0027;
+}
+
sub process_request
{
our $LANGUAGE;
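Review bot: `chmod 0777` in the new post_bind_hook makes the Unix socket writable, and therefore connectable, by every local user; the only thing restricting access to the daemon is then the 0750 mode of the enclosing socket directory described in the mail, which is easy to lose on a re-install or a manual `chmod`. Since only the web-server group needs to connect, `chmod 0660` on the socket together with chowning it to that group is the minimal permission, and the return value should be checked (`chmod(0660, $sock) or die "cannot chmod $sock: $!";`) so a failure is visible instead of leaving a socket the CGIs cannot reach. The web-server group is not available in `$AUTOCONF` once `httpd_group` is set to "openca" in openca_start.template.in, so it would need its own configure value. Note also that the `umask 0027` set here only affects files created after the bind, not the socket itself; and presumably Net::Server dispatches `post_bind_hook` as a method on the server object, so confirm that a plain `sub` in this file is actually reached by `OpenCA::Server->run`. `process_request` continues outside the hunk.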
@@ -440,7 +446,7 @@
our $DEBUG;
$xml_cache = OpenCA::XML::Cache->new (
- "SOCKETFILE" => getRequired
("tempDir")."/openca_xml_cache",
+ "SOCKETFILE" =>
$AUTOCONF{"var_run_dir"}."/socket/openca_xml_cache",
"IPC_USER" => $AUTOCONF{"httpd_user"},
"IPC_GROUP" => $AUTOCONF{"httpd_group"});
if (not $xml_cache)
@@ -450,7 +456,7 @@
}
$xml_cache->startDaemon(
LOGFILE => getRequired ('LOG_DIR')."/xml_cache.log",
- PIDFILE => getRequired ('TempDir')."/xml_cache.pid"
+ PIDFILE => $AUTOCONF{"var_run_dir"}."/xml_cache.pid"
);
setPerformancePoint ("xml cache activated");
diff -ruN openca-0.9.2.1.orig/src/web-interfaces/batch/batch.in
openca-0.9.2.1.lex/src/web-interfaces/batch/batch.in
--- openca-0.9.2.1.orig/src/web-interfaces/batch/batch.in 2005-03-05
01:56:00.000000000 +0200
+++ openca-0.9.2.1.lex/src/web-interfaces/batch/batch.in 2005-03-05
18:55:40.000000000 +0200
@@ -17,6 +17,8 @@
$AUTOCONF {"lib_prefix"} = "@lib_prefix@";
$AUTOCONF {"etc_prefix"} = "@etc_prefix@";
$AUTOCONF {"var_prefix"} = "@var_prefix@";
+$AUTOCONF {"var_run_dir"} = "@var_run_dir@";
+$AUTOCONF {"var_log_dir"} = "@var_log_dir@";
$AUTOCONF {"config_prefix"} = "@batch_prefix@";
$AUTOCONF {"VERSION"} = "@VERSION@";
$AUTOCONF {"PROGRAM"} = "Batch System";
diff -ruN openca-0.9.2.1.orig/src/web-interfaces/ca/ca.in
openca-0.9.2.1.lex/src/web-interfaces/ca/ca.in
--- openca-0.9.2.1.orig/src/web-interfaces/ca/ca.in 2005-03-05
01:56:00.000000000 +0200
+++ openca-0.9.2.1.lex/src/web-interfaces/ca/ca.in 2005-03-05
18:55:55.000000000 +0200
@@ -17,6 +17,8 @@
$AUTOCONF {"lib_prefix"} = "@lib_prefix@";
$AUTOCONF {"etc_prefix"} = "@etc_prefix@";
$AUTOCONF {"var_prefix"} = "@var_prefix@";
+$AUTOCONF {"var_run_dir"} = "@var_run_dir@";
+$AUTOCONF {"var_log_dir"} = "@var_log_dir@";
$AUTOCONF {"config_prefix"} = "@ca_prefix@";
$AUTOCONF {"VERSION"} = "@VERSION@";
$AUTOCONF {"PROGRAM"} = "CA Manager";
diff -ruN openca-0.9.2.1.orig/src/web-interfaces/ldap/ldap.in
openca-0.9.2.1.lex/src/web-interfaces/ldap/ldap.in
--- openca-0.9.2.1.orig/src/web-interfaces/ldap/ldap.in 2005-03-05
01:56:00.000000000 +0200
+++ openca-0.9.2.1.lex/src/web-interfaces/ldap/ldap.in 2005-03-05
18:56:04.000000000 +0200
@@ -17,6 +17,8 @@
$AUTOCONF {"lib_prefix"} = "@lib_prefix@";
$AUTOCONF {"etc_prefix"} = "@etc_prefix@";
$AUTOCONF {"var_prefix"} = "@var_prefix@";
+$AUTOCONF {"var_run_dir"} = "@var_run_dir@";
+$AUTOCONF {"var_log_dir"} = "@var_log_dir@";
$AUTOCONF {"config_prefix"} = "@ldap_prefix@";
$AUTOCONF {"VERSION"} = "@VERSION@";
$AUTOCONF {"PROGRAM"} = "LDAP Administration Gateway";
diff -ruN openca-0.9.2.1.orig/src/web-interfaces/node/node.conf.in
openca-0.9.2.1.lex/src/web-interfaces/node/node.conf.in
--- openca-0.9.2.1.orig/src/web-interfaces/node/node.conf.in 2005-03-05
01:56:00.000000000 +0200
+++ openca-0.9.2.1.lex/src/web-interfaces/node/node.conf.in 2005-03-05
19:03:58.000000000 +0200
@@ -49,7 +49,7 @@
CertDir "@var_prefix@/crypto/certs"
TempDir "@var_prefix@/tmp"
-LOG_DIR "@var_prefix@/log"
+LOG_DIR "@var_log_dir@"
BP_DIR "@var_prefix@/batch"
BP_EXPORT_PKCS12_DIR "@var_prefix@/bp/dataexchange/pkcs12"
MaxReturnedItems 20
diff -ruN openca-0.9.2.1.orig/src/web-interfaces/node/node.in
openca-0.9.2.1.lex/src/web-interfaces/node/node.in
--- openca-0.9.2.1.orig/src/web-interfaces/node/node.in 2005-03-05
01:56:00.000000000 +0200
+++ openca-0.9.2.1.lex/src/web-interfaces/node/node.in 2005-03-05
18:56:10.000000000 +0200
@@ -17,6 +17,8 @@
$AUTOCONF {"lib_prefix"} = "@lib_prefix@";
$AUTOCONF {"etc_prefix"} = "@etc_prefix@";
$AUTOCONF {"var_prefix"} = "@var_prefix@";
+$AUTOCONF {"var_run_dir"} = "@var_run_dir@";
+$AUTOCONF {"var_log_dir"} = "@var_log_dir@";
$AUTOCONF {"config_prefix"} = "@node_prefix@";
$AUTOCONF {"VERSION"} = "@VERSION@";
$AUTOCONF {"PROGRAM"} = "Server Management";
diff -ruN openca-0.9.2.1.orig/src/web-interfaces/pub/pki.in
openca-0.9.2.1.lex/src/web-interfaces/pub/pki.in
--- openca-0.9.2.1.orig/src/web-interfaces/pub/pki.in 2005-03-05
01:56:00.000000000 +0200
+++ openca-0.9.2.1.lex/src/web-interfaces/pub/pki.in 2005-03-05
18:56:46.000000000 +0200
@@ -17,6 +17,8 @@
$AUTOCONF {"lib_prefix"} = "@lib_prefix@";
$AUTOCONF {"etc_prefix"} = "@etc_prefix@";
$AUTOCONF {"var_prefix"} = "@var_prefix@";
+$AUTOCONF {"var_run_dir"} = "@var_run_dir@";
+$AUTOCONF {"var_log_dir"} = "@var_log_dir@";
$AUTOCONF {"config_prefix"} = "@pub_prefix@";
$AUTOCONF {"VERSION"} = "@VERSION@";
$AUTOCONF {"PROGRAM"} = "PKI Public Server";
diff -ruN openca-0.9.2.1.orig/src/web-interfaces/ra/RAServer.in
openca-0.9.2.1.lex/src/web-interfaces/ra/RAServer.in
--- openca-0.9.2.1.orig/src/web-interfaces/ra/RAServer.in 2005-03-05
01:56:00.000000000 +0200
+++ openca-0.9.2.1.lex/src/web-interfaces/ra/RAServer.in 2005-03-05
18:57:48.000000000 +0200
@@ -17,6 +17,8 @@
$AUTOCONF {"lib_prefix"} = "@lib_prefix@";
$AUTOCONF {"etc_prefix"} = "@etc_prefix@";
$AUTOCONF {"var_prefix"} = "@var_prefix@";
+$AUTOCONF {"var_run_dir"} = "@var_run_dir@";
+$AUTOCONF {"var_log_dir"} = "@var_log_dir@";
$AUTOCONF {"config_prefix"} = "@ra_prefix@";
$AUTOCONF {"VERSION"} = "@VERSION@";
$AUTOCONF {"PROGRAM"} = "RA Server";
diff -ruN openca-0.9.2.1.orig/src/web-interfaces/scep/scep.in
openca-0.9.2.1.lex/src/web-interfaces/scep/scep.in
--- openca-0.9.2.1.orig/src/web-interfaces/scep/scep.in 2005-03-05
01:56:00.000000000 +0200
+++ openca-0.9.2.1.lex/src/web-interfaces/scep/scep.in 2005-03-05
18:56:27.000000000 +0200
@@ -17,6 +17,8 @@
$AUTOCONF {"lib_prefix"} = "@lib_prefix@";
$AUTOCONF {"etc_prefix"} = "@etc_prefix@";
$AUTOCONF {"var_prefix"} = "@var_prefix@";
+$AUTOCONF {"var_run_dir"} = "@var_run_dir@";
+$AUTOCONF {"var_log_dir"} = "@var_log_dir@";
$AUTOCONF {"config_prefix"} = "@scep_prefix@";
$AUTOCONF {"VERSION"} = "@VERSION@";
$AUTOCONF {"PROGRAM"} = "SCEP Server";