Re: [OpenCA-Devel] httpd-user vs openca-user

2005-03-06 Thread Alexei Chetroi
On Fri, Mar 04, 2005 at 10:52:33AM +0100, Ives Steglich wrote: > Date: Fri, 04 Mar 2005 10:52:33 +0100 > From: Ives Steglich <[EMAIL PROTECTED]> > Subject: Re: [OpenCA-Devel] httpd-user vs openca-user > > Michael Bell wrote: > > >openca: user root with group root

Re: [OpenCA-Devel] httpd-user vs openca-user

2005-03-04 Thread Ives Steglich
Michael Bell wrote: openca: user root with group root httpd: special openca user (this is the owner of the socket and daemon) I just gave this a try, there are some file-permission problems to keep checked if going this way: the conf files in etc/servers are only readable by owner and group this

Re: [OpenCA-Devel] httpd-user vs openca-user

2005-03-04 Thread Alexei Chetroi
On Fri, Mar 04, 2005 at 09:10:30AM +0100, Michael Bell wrote: > Date: Fri, 04 Mar 2005 09:10:30 +0100 > From: Michael Bell <[EMAIL PROTECTED]> > Subject: Re: [OpenCA-Devel] httpd-user vs openca-user > > Alexei Chetroi wrote: > [snip] > > Well, that changes th

Re: [OpenCA-Devel] httpd-user vs openca-user

2005-03-04 Thread Michael Bell
Alexei Chetroi wrote: This is wrong and a security risk. Perhaps some comments about the user and group terms: openca - this is used for stuff which may not be writeable by the daemon or http server httpd - this is used for stuff which should be writeable for the daemon today it is not n

Re: [OpenCA-Devel] httpd-user vs openca-user

2005-03-03 Thread Ives Steglich
Alexei Chetroi wrote: In that case I think we should change the name of these options. BTW may we also have options for specifying the path for the socket and daemon pid file, something like --with-var-run-prefix? isn't that Michael's suggestion just a post before? ;) "--with-run-dir " greetings dalini ---

Re: [OpenCA-Devel] httpd-user vs openca-user

2005-03-03 Thread Alexei Chetroi
On Thu, Mar 03, 2005 at 09:16:08AM +0100, Michael Bell wrote: > Date: Thu, 03 Mar 2005 09:16:08 +0100 > From: Michael Bell <[EMAIL PROTECTED]> > To: [email protected] > Reply-To: [email protected] > Subject: Re: [OpenCA-Devel] httpd-user vs op

Re: [OpenCA-Devel] httpd-user vs openca-user

2005-03-03 Thread Michael Bell
Alexei Chetroi wrote: IMHO there's no necessity. Debian packaging configures openca with "--with-openca-user" and "--with-openca-group" set to uid/gid of apache. I thought there was a reason for that. Now I see that we can get rid of that and make only openca socket owned by apache uid. Thanks fo

Re: [OpenCA-Devel] httpd-user vs openca-user

2005-03-03 Thread Michael Bell
Piotr Wadas wrote: About configuration (configure) parameters - options like --with-log-dir, --with-run-dir (for socket and pids), --with-tmp-dir would be useful for packaging, I guess not only for debian packages. Any chances for that? :) FYI currently in debian logs should go to /var/log/openc

Re: [OpenCA-Devel] httpd-user vs openca-user

2005-03-02 Thread Alexei Chetroi
On Tue, Mar 01, 2005 at 12:40:52PM +0100, Michael Bell wrote: > Date: Tue, 01 Mar 2005 12:40:52 +0100 > From: Michael Bell <[EMAIL PROTECTED]> > To: [email protected] > Reply-To: [email protected] > Subject: Re: [OpenCA-Devel] httpd-user vs op

Re: [OpenCA-Devel] httpd-user vs openca-user

2005-03-02 Thread Piotr Wadas
Perhaps we should rename the httpd parameters to --with-daemon-user and group. This is perhaps the more correct way. We cannot change the names for 0.9.2 - only the semantic. We can change the names only on CVS HEAD. About configuration (configure) parameters - options like --with-log-dir, --w

Re: [OpenCA-Devel] httpd-user vs openca-user

2005-03-01 Thread Michael Bell
Hi Alexei, Alexei Chetroi wrote: Actually not. Current Debian packaging runs the openca server with the same uid as the web server, and I didn't like the idea that the web server can access openca's data. Running them at different uids seems more appropriate to me. It looks like the configuration parameters do

Re: [OpenCA-Devel] httpd-user vs openca-user

2005-02-28 Thread Piotr Wadas
I guess cgi scripts don't even write or read anything from/into any kind of database (flat, sql), or openca files, and do not need access to openca files (except some in etc/openca for reading configuration options), however they talk to (issue commands/reading output) openca-sv via tmp/openca_soc
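The user/group split Michael Bell describes above (the openca user owns what neither the daemon nor the web server may write; the daemon user owns the socket) and the socket-only contact between the CGI scripts and openca-sv that Piotr Wadas describes here can be checked mechanically once a layout is chosen. The script below is an added example, not code from OpenCA or from anyone in this thread: the relative paths (etc/servers, var/lib, tmp/openca_socket), the policy it enforces and the modes it insists on are assumptions for illustration, and it uses POSIX find(1) and ls(1) so it does not depend on GNU stat.

```shell
#!/bin/sh
# Added example, not code from OpenCA or from anyone in this thread.
# Audits an installation tree for a two-uid split: an "openca" user that
# owns configuration and CA data, and a separate daemon user (the
# --with-httpd-user parameter of the discussion) that owns the socket.
# The policy below is an assumption drawn from the thread:
#   1. files under etc/servers must not be world-readable
#   2. files under var/lib must not be group- or world-writable
#   3. tmp/openca_socket must exist and be owned by the daemon user
#   4. everything under etc/servers and var/lib belongs to the openca user
# The relative paths and the socket name are assumptions for illustration.

# Owner (user name) of a path, via ls(1) so it works without GNU stat.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Regular files under $1 that are readable by "other".
world_readable_files() {
    find "$1" -type f -perm -004 -print
}

# Regular files under $1 that are writable by group or other.
group_or_world_writable_files() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print
}

# audit_layout ROOT OPENCA_USER DAEMON_USER
# Exit status 0 when the tree conforms to the policy, 1 otherwise;
# every violation is reported on stderr.
audit_layout() {
    root=$1
    openca_user=$2
    daemon_user=$3
    rc=0

    # 1. configuration stays private to owner and group
    bad=$(world_readable_files "$root/etc/servers")
    if [ -n "$bad" ]; then
        printf 'world-readable config:\n%s\n' "$bad" >&2
        rc=1
    fi

    # 2. the web server must not be able to modify CA data; it only
    #    talks to the daemon over the socket
    bad=$(group_or_world_writable_files "$root/var/lib")
    if [ -n "$bad" ]; then
        printf 'writable CA data:\n%s\n' "$bad" >&2
        rc=1
    fi

    # 3. the socket belongs to the daemon user, the only legitimate writer
    sock=$root/tmp/openca_socket
    if [ ! -e "$sock" ]; then
        printf 'missing socket %s\n' "$sock" >&2
        rc=1
    elif [ "$(owner_of "$sock")" != "$daemon_user" ]; then
        printf 'socket %s owned by %s, expected %s\n' \
            "$sock" "$(owner_of "$sock")" "$daemon_user" >&2
        rc=1
    fi

    # 4. config and data are owned by the openca user, not the daemon user
    bad=$(find "$root/etc/servers" "$root/var/lib" -type f ! -user "$openca_user")
    if [ -n "$bad" ]; then
        printf 'not owned by %s:\n%s\n' "$openca_user" "$bad" >&2
        rc=1
    fi

    return $rc
}

# usage (paths and user names are assumptions):
#   audit_layout /usr/local/openca openca httpd
```

Run it against the installed tree after `make install` and again after the daemon has been started once, since the socket and pid file are created at runtime and their ownership is what actually decides which uid can talk to the daemon.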

Re: [OpenCA-Devel] httpd-user vs openca-user

2005-02-28 Thread pwadas
>> cgi-scripts do not need write access to any directories. All write >> actions are performed by the openca daemon. The scripts only need access >> to etc/ because they need some configuration parameters. I assume you >> found some erroneous rights, correct? > Actually not. Current Debian pack

Re: [OpenCA-Devel] httpd-user vs openca-user

2005-02-28 Thread Piotr Wadas
Actually not. Current Debian packaging runs the openca server with the same uid as the web server, and I didn't like the idea that the web server can access openca's data. Running them at different uids seems more appropriate to me. You're right :) We should probably consider using --with-openca-user/group, along

Re: [OpenCA-Devel] httpd-user vs openca-user

2005-02-28 Thread Alexei Chetroi
On Mon, Feb 28, 2005 at 09:02:54AM +0100, Michael Bell wrote: > Date: Mon, 28 Feb 2005 09:02:54 +0100 > From: Michael Bell <[EMAIL PROTECTED]> > To: [email protected] > Reply-To: [email protected] > Subject: Re: [OpenCA-Devel] httpd-user vs op

Re: [OpenCA-Devel] httpd-user vs openca-user

2005-02-28 Thread Michael Bell
Hi Alexei, Alexei Chetroi wrote: Just wanted to clear up one issue for me. Do cgi-scripts access any files on the filesystem, for example files in /var/lib/openca? I see it must access files under /etc/openca/servers/*.conf. Do cgi-scripts need write access to some of the directories or are these operations

[OpenCA-Devel] httpd-user vs openca-user

2005-02-25 Thread Alexei Chetroi
Hi, Just wanted to clear up one issue for me. Do cgi-scripts access any files on the filesystem, for example files in /var/lib/openca? I see it must access files under /etc/openca/servers/*.conf. Do cgi-scripts need write access to some of the directories or are these operations performed by the openca daemon