Adam Wheeler wrote:
> I've built a dedicated backup server with TSL 3.0 and
> backuppc. What is the suggested configuration?
>
> Should I run apache as user backuppc?

no

> Shall I allow SetUID perl to change user ID?

no

> Shall I run apache as user httpd and configure apache
> to SuEXEC as user backuppc? If so, what is the preferred
> "TSL" way of doing this?

Yes. :)

I like to do minimal change to the system. Thus to change who runs httpd is not what you need. The package should include a configuration file for the cgi interface, placed in /etc/httpd/conf.d/ and is included when apache is restarted. If that file is not part of the current backuppc package, you need to create it, and/or file a bug report against the backuppc package.

The configuration should be that /home/httpd/backuppc/cgi-bin does for backuppc what /home/users/foobar/public_html/cgi-bin/ would do for a normal user. That way the backuppc stuff is executed as user backuppc, and you are safe and secure.

Also, all ssh keys should be created and used by the backuppc user, so you might want to 'su - backuppc' and generate keys, ssh into the clients etc.

The httpd configuration extension file should also probably point http://yourhost/backuppc/ to /home/httpd/backuppc/cgi-bin/

> The package is installed in /var/lib as user/group backuppc.

Sounds sane.

> The CGI interface is installed to /home/httpd/backuppc/cgi-bin
> as user/group root.

Sounds sane as well

> Yes, I am willing to write a mini-faq.

cool.

-- 
Christian Haugan Toldnes
Trustix Developer
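
Added example (not part of the original message or of the backuppc package): suEXEC only runs a CGI program as another user if that user is not root, owns the program and its directory, neither is writable by group or others, and the program is not setuid/setgid. The hypothetical helper `suexec_check` below tests those rules for a program path and a numeric uid; it assumes GNU `stat` and covers only this subset of suEXEC's checks.

```shell
#!/bin/sh
# Added example: pre-flight check of a CGI program against the ownership
# and permission rules suEXEC applies before executing it as another user.
# Usage (script name is a placeholder):
#   suexec_check /home/httpd/backuppc/cgi-bin/<script> "$(id -u backuppc)"
# Prints one line per problem found; returns 0 only if none were found.
suexec_check() {
    prog=$1 uid=$2 bad=0
    dir=$(dirname "$prog")

    # suEXEC never runs a program as root.
    if [ "$uid" -eq 0 ]; then
        echo "target uid is 0 (root)"; bad=1
    fi
    if [ ! -f "$prog" ]; then
        echo "$prog: not a regular file"; return 1
    fi

    for p in "$prog" "$dir"; do
        # The target user must own both the program and its directory.
        owner=$(stat -c %u "$p")
        if [ "$owner" -ne "$uid" ]; then
            echo "$p: owned by uid $owner, expected $uid"; bad=1
        fi
        # Neither may be writable by group or others (octal mask 022).
        mode=$(stat -c %a "$p")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$p: mode $mode is writable by group or others"; bad=1
        fi
    done

    # The program itself must not carry setuid or setgid bits (mask 06000).
    mode=$(stat -c %a "$prog")
    if [ $(( 0$mode & 06000 )) -ne 0 ]; then
        echo "$prog: mode $mode has setuid/setgid set"; bad=1
    fi
    return $bad
}
```

Run it for each script under the cgi-bin directory after installing or upgrading the package, since a failed suEXEC check shows up only as a server error to the browser and a line in the suEXEC log.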
