[Mageia-dev] Proofreading web applications policy

Michael scherer misc at zarb.org
Wed Jan 19 00:38:57 CET 2011 

On Tue, Jan 18, 2011 at 07:07:00PM +0100, Remy CLOUARD wrote:
> Hello there,
> 
> I started to have a look at the webapps policy.
> 
> There’s something that has been bugging me for a while, that’s the
> apache-centric way of thinking of this policy.
> 
> To me, there are valuable alternatives to apache that deserve to be
> treated equally.
> Here are the packages that provides webserver
> 
> apache-ssl|apache-mpm-event|apache-mpm-peruser|nginx|lighttpd|
> cherokee|apache-mpm-itk|apache-mpm-worker|thttpd|apache-mpm-rsbac|
> apache-mpm-prefork|boa
> 
> “These are the files that are susceptible to change during the
> application's lifetime. They go in /var/lib/foo. If they are supposed to
> be editable by the application directly from the web interface, they
> should be owned by apache user and apache group.”
> 
> Could we create a generic group (webserver for instance) to allow
> webapps to play nice with these webserver ?

Wouldn't it be a security problem to have different
daemon sharing the same uid ?

> Same goes for logfiles and config files containing sensitive
> informations.
> 
> I would also be in favor of creating subpackages for webapps that
> provides better integration with apache such as files in
> /etc/httpd/conf/webapps.d/.

That would make life difficult for user, as they would have to answer questions
about things that the package manager would have to figure by 
itself.

( like deduce what configuration file would be used based on system information )

I think we should aim to reduce questions rather to ask more.
 
> That way, webapps should have a Requires on webserver, and the
> subpackage should have one on apache.
> 
> Another issue is the owner of /var/www. This directory is owned by
> apache-conf. Could we instead make a generic package called
> webserver-data for instance that would provide it ? This way each
> package providing webserver would have to require webserver-data.

Put it in filesystem rpm then. And technically, shouldn't
we follow lsb and use /srv ? 

> Finally, that may be a little cosmetic detail, but I would prefer
> template files for apache to be in a separate file in SOURCES/ that’s
> included instead of creating it in the spec like:
> cat > %{buildroot}%{_webappconfdir}/%{name}.conf <<EOF

Well, why ?
Inline  configfile can use macros, that's usually a way to be sure
that /var/ww/%{name} is properly set 
-- 
Michaeli Scherer

More information about the Mageia-dev mailing list