I hope not to open a can of worms with this posting. ;-) For the
reasoning see below.

(Perhaps this thread should continue on webware-devel? I've put a Cc
into the header.)

On Wed, 10 Jul 2002, Tavis Rudd wrote:
> how are you assigning permissions on
> /usr/local/Webware vs.
> /usr/local/webware.

/usr/local/Webware is simply a copy of the directories and files as
extracted from the tarball. I didn't change any permissions. The
owner/group of these files is root:wheel.

/usr/local/webware is generated from the AppWorkDir.py script. Here, I
also haven't done anything to the permissions. However, the user/group of
the whole /usr/local/webware is webware:webware.

> In the name of privilege separation, the user running webkit should only have
> write permissions to the locations that webkit writes to during operation and
> read-only permission on everything else: config files, servlets, etc. For
> that reason, the webware user's homedir shouldn't contain the config files.

Good point.

The current listing of /usr/local/webware is

-rw-r--r--  1 webware  webware   205 Jul 10 20:56 404Text.txt
-rwxr-xr-x  1 webware  webware    62 Jul 10 20:56 AppServer*
-rwxr-xr-x  1 webware  webware    50 Jul 10 20:56 AppServer.bat*
drwxr-xr-x  2 webware  webware   512 Jul 10 20:56 Cache/
drwxr-xr-x  2 webware  webware   512 Jul 10 20:56 Cans/
drwxr-xr-x  2 webware  webware   512 Jul 10 20:56 Configs/
drwxr-xr-x  2 webware  webware   512 Jul 10 20:56 ErrorMsgs/
-rwxr-xr-x  1 webware  webware   401 Jul 10 20:56 Launch.py*
drwxr-xr-x  2 webware  webware   512 Jul 10 20:56 Logs/
drwxr-xr-x  2 webware  webware   512 Jul 10 20:56 MyContext/
-rwxr-xr-x  1 webware  webware   710 Jul 10 20:56 NTService.py*
-rwxr-xr-x  1 webware  webware  1349 Jul 10 20:56 OneShot.cgi*
drwxr-xr-x  2 webware  webware   512 Jul 10 20:56 Sessions/
-rwxr-xr-x  1 webware  webware  1939 Jul 10 20:56 WebKit.cgi*

As far as I remember, the appserver must have write access to Cache,
ErrorMsgs, Logs and Sessions. Anything else?

> I'd be inclined to create a /var/run/webkit directory for all the stuff that
> changes during operation so that it is possible for paranoid sysadmins to
> mount /usr/ read-only. Putting the logs in /var/log/webkit is a good idea.

So I see these options: Either

- change the owner of the files other than Cache, ErrorMsgs, Logs and
  Sessions to another user, maybe root:wheel; leave only those
  particular directories to the webware user

or

- even move the webware-writable directories to /var/run/webkit and
  leave everything that remains in /usr/local/webware to root:wheel.

The whole thing makes me a bit uneasy, though. I have the feeling that
the resulting layout generated by the FreeBSD port shouldn't differ
too much from the main distribution. (Remember the problems due to
different Linux distributions, and on the other hand the convergence
of several LaTeX distributions to a - mostly - common directory
layout.) Rather, IMHO, the changes should go into the install.py
script in the Webware distribution. This also reminds me again of
using distutils to install the common Webware modules used by
developers.

On the other hand, Webware shouldn't become too Unix-centered or even
FreeBSD-centered. I think there aren't comparable directories to
/var/run and /var/log on Windows, are there? I could imagine having
different layouts under Unix and Windows (and probably then the same
for other non-Unixish platforms).

A suggestion:

- On Unix:

  - Things that are imported by developers should go into Python's
    site-packages.

  - Parts that are specific for an individual appserver instance
    should have their own directory (corresponding to the current
    AppWorkDir scheme).

  - Directories that must be writable by a webware user (which runs
    the appserver) should - by default - be under /var/run/webkit.
    It's important that it only is a default, else that would cause
    problems in environments with several developers. For example, for
    a project we have a CVS tree with our own application modules and
    servlets, and also every one of us has his own AppWorkDir. (I think
    that on the later production server we will only have one webware
    user which runs a single appserver.)

  - Logs are written to /var/log/webkit by default (see former notes
    on defaults).

- On Windows and other platforms:

  - Things that are imported by developers should go into Python's
    site-packages (as on Unix).

  - Parts that are specific for an individual appserver instance
    should have their own directory (corresponding to the current
    AppWorkDir scheme; as on Unix).

  I'm not very used to Windows as a developer, so it would be more
  adequate if someone else suggested something on permissions and
  directories here.

Before I possibly volunteer for changes to install.py (or other things
in Webware) I would like to hear your opinions on the above thoughts
(and/or additional ones ;-) ).
Stefan
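
An audit of the layout discussed in this message, as an added example that is not part of the original post or of Webware: it reports every path outside Cache, ErrorMsgs, Logs and Sessions that the appserver user can write to, and any of those four that the user cannot write to. The function names, the example.config file and the constructed sample tree are assumptions made for the illustration.

```python
import os
import stat
import tempfile

# Directories the message names as needing write access for the appserver.
WRITABLE_DIRS = {"Cache", "ErrorMsgs", "Logs", "Sessions"}

def user_can_write(st, uid, gids):
    """Classic Unix mode-bit check; ignores ACLs and root's override."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_workdir(root, uid, gids, writable=WRITABLE_DIRS):
    """Return (unexpected, missing): paths the user can write to but should
    not, and required writable directories the user cannot write to."""
    unexpected, missing = [], []
    for name in sorted(writable):
        path = os.path.join(root, name)
        if not (os.path.isdir(path) and user_can_write(os.stat(path), uid, gids)):
            missing.append(name)
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:  # do not descend into the allowed directories
            dirnames[:] = [d for d in dirnames if d not in writable]
        # A writable directory lets the user replace the files inside it,
        # so directories are checked as well as files.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and user_can_write(st, uid, gids):
                unexpected.append(os.path.relpath(path, root))
    return sorted(unexpected), missing

def build_sample(root):
    """Constructed tree shaped like the listing above, all owner-writable."""
    for d in ("Cache", "Configs", "ErrorMsgs", "Logs", "MyContext", "Sessions"):
        os.mkdir(os.path.join(root, d), 0o755)
    for f in ("404Text.txt", "Launch.py", "Configs/example.config"):
        with open(os.path.join(root, f), "w") as fh:
            fh.write("constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        # Stand-in for the webware user: whoever owns the freshly built tree.
        owner = os.lstat(tmp).st_uid
        unexpected, missing = audit_workdir(tmp, owner, set())
        print("writable but should not be:", unexpected)
        print("required but not writable:", missing)
```

On a real installation, pass the webware user's uid and group ids (for example from pwd.getpwnam and os.getgrouplist) and the AppWorkDir path; an empty first list means only the four runtime directories remain writable.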