Re: [arch-general] [arch-dev-public] adding http user/group to filesystems
Pierre Schmitz wrote:
Hi,
as mentioned in the apache thread I would like to use a dedicated user/group for our different webserver packages. To achieve this I'd like to add the user/group http to our filesystem package. (It allready contains them for mail and ftp)
According to http://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database uid/gid 33 should be free for use.
An install script to add those for upgraders have to be added, too.
Another approach would be adding an install script creating those groups to the webserver packages.
What do you think is best?
Pierre
Why not just use nobody for programs that need their own user, as a sane default. Any smart admin should create any groups and users himself when necessairy. And prevents cluttering of unnecessairy users/groups. For example in my httpd setups, the http users would never be used. IMO. Glenn
On Sun, 2008-06-22 at 18:04 +0200, RedShift wrote:
Pierre Schmitz wrote:
Hi,
as mentioned in the apache thread I would like to use a dedicated user/group for our different webserver packages. To achieve this I'd like to add the user/group http to our filesystem package. (It allready contains them for mail and ftp)
According to http://wiki.archlinux.org/index.php/DeveloperWiki:UID_/_GID_Database uid/gid 33 should be free for use.
An install script to add those for upgraders have to be added, too.
Another approach would be adding an install script creating those groups to the webserver packages.
What do you think is best?
Pierre
Why not just use nobody for programs that need their own user, as a sane default. Any smart admin should create any groups and users himself when necessairy. And prevents cluttering of unnecessairy users/groups. For example in my httpd setups, the http users would never be used.
IMO.
Glenn
Using nobody for each and every service makes the nobody user unsafe to use. As soon as one of your daemons is compromised, all of them are compromised also because they share the same user.
Why not just use nobody for programs that need their own user, as a sane default. Any smart admin should create any groups and users himself when necessairy. And prevents cluttering of unnecessairy users/groups. For example in my httpd setups, the http users would never be used.
IMO.
Glenn
Using nobody for each and every service makes the nobody user unsafe to use. As soon as one of your daemons is compromised, all of them are compromised also because they share the same user.
before a specific point in arch history we used to tell people that making a system "secure" and "easy" is the job of a sysadmin. For people who like a default "security" without rtfm, there is always debian. Arch doesnt need any scripts. If you're bored and don't know what to do with your free time i suggest either fixing one of the gazillion bugs in the debian easy-out-of-the-box install scripts or plaing chess. You can waste hours with that without giving us a big time headache when fixing the crap your automatic installers do. -- mit freundlichen Grüßen / best regards Arvid Ephraim Picciani
On Sun, 2008-06-22 at 18:36 +0200, Arvid Ephraim Picciani wrote:
Why not just use nobody for programs that need their own user, as a sane default. Any smart admin should create any groups and users himself when necessairy. And prevents cluttering of unnecessairy users/groups. For example in my httpd setups, the http users would never be used.
IMO.
Glenn
Using nobody for each and every service makes the nobody user unsafe to use. As soon as one of your daemons is compromised, all of them are compromised also because they share the same user.
before a specific point in arch history we used to tell people that making a system "secure" and "easy" is the job of a sysadmin.
For people who like a default "security" without rtfm, there is always debian.
Arch doesnt need any scripts. If you're bored and don't know what to do with your free time i suggest either fixing one of the gazillion bugs in the debian easy-out-of-the-box install scripts or plaing chess. You can waste hours with that without giving us a big time headache when fixing the crap your automatic installers do.
Bad system design is something else than leaving people on their own to secure things. These user accounts own files. Do you think it's sane to tell users to chown the files back to the user they assigned to it on every package upgrade? Pacman takes backups of configuration files, but doesn't preserve ownership on a package upgrade.
On Sunday 22 June 2008 19:41:33 Jan de Groot wrote:
Bad system design is something else than leaving people on their own to secure things.
Depends on your opinion,...
These user accounts own files.
So you're trying to fix a problem that wouldnt be there if arch would use the default upstream package, which doesnt contain user owned files. See why i think the debian way is bad? They're stacking problems since ages, which results in scripts fixing the results of other scripts.
Do you think it's sane to tell users to chown the files back to the user they assigned to it on every package upgrade?
Yes. If the users decide to use software in a way not supported by the upstream (there are no user owned files in the default packages...) then they have to handle the results on their own (PKGBUILD is so easy...) I'm doing this with exim for ages now to add ssl and i feel it is a lot less painfull then what has been done with qt,linux,apache,etc where i have to make my own pkgbuild to get rid of unverified patches, automatic installer scripts, fucked up default configs (arch apache config - a debian rip of- STILL uses AddType, after it has been deprecated for like 10 years), and whatever things people add when they have too much time. Every new script you add makes the mess worse. Just look at debian. If you like the way debian "works", go on. I don't.
Pacman takes backups of configuration files, but doesn't preserve ownership on a package upgrade.
Can't find any server software on my machines that has user owned config files. -- best regards/Mit freundlichen Grüßen Arvid Ephraim Picciani
On Sun, Jun 22, 2008 at 06:36:41PM +0200, Arvid Ephraim Picciani wrote:
before a specific point in arch history we used to tell people that making a system "secure" and "easy" is the job of a sysadmin.
For people who like a default "security" without rtfm, there is always debian.
Ehhh... true, but I always read it as "We provide sane and secure defaults, but the rest is up to you". By using different users, we are providing secure defaults. Sort of like /etc/hosts.deny denies all connections by default. -S
On Sun, Jun 22, 2008 at 4:42 PM, Simo Leone <simo@archlinux.org> wrote:
On Sun, Jun 22, 2008 at 06:36:41PM +0200, Arvid Ephraim Picciani wrote:
before a specific point in arch history we used to tell people that making a system "secure" and "easy" is the job of a sysadmin.
For people who like a default "security" without rtfm, there is always debian.
Ehhh... true, but I always read it as "We provide sane and secure defaults, but the rest is up to you".
By using different users, we are providing secure defaults. Sort of like /etc/hosts.deny denies all connections by default.
I agree with Simo and Jan here. While we could easily take the "do it yourself" road, I always preferred the "sane defaults" side of Arch, myself. That is - install some crap and it works out-of-the-box in a pretty decent manner. It's a very small stretch from "sane defaults" to "secure defaults". Unless you think sane != secure.
On Monday 23 June 2008 16:59:30 Aaron Griffin wrote:
I agree with Simo and Jan here. While we could easily take the "do it yourself" road, I always preferred the "sane defaults" side of Arch, myself. That is - install some crap and it works out-of-the-box in a pretty decent manner. It's a very small stretch from "sane defaults" to "secure defaults". Unless you think sane != secure.
so this is the official announcment that the vanilla-style-do-it-yourself for professional engineers and manual readers is no more, and that in future there will be rather debian-style-out-of-the-box solutions for those who want it to "just work" ? I'm fine with that new way. I'm going to look for a different distro then instead of having to unpatch more and more packages. I just would like to have a clear signal finally. The back and forth between those different styles is really painfull for somone who has to actually maintain a few dozens of machines. I guess you can run your systems easy and secure with the debian style, but you have to have a different kind of personality then me. thanks -- best regards/Mit freundlichen Grüßen Arvid Ephraim Picciani
Le Mon, 23 Jun 2008 18:48:12 +0200, Arvid Ephraim Picciani <aep@ibcsolutions.de> a écrit :
so this is the official announcment that the vanilla-style-do-it-yourself for professional engineers and manual readers is no more, and that in future there will be rather debian-style-out-of-the-box solutions for those who want it to "just work" ? I'm fine with that new way. I'm going to look for a different distro then instead of having to unpatch more and more packages. I just would like to have a clear signal finally. The back and forth between those different styles is really painfull for somone who has to actually maintain a few dozens of machines.
This is not a patch but a small change in default configuration to follow upstream advice [1]. I wouldn't go as far as saying that we're becoming Debian for that much. [1] http://httpd.apache.org/docs/2.2/misc/security_tips.html#serverroot
On Monday 23 June 2008 19:10:30 Pierre Chapuis wrote:
[1] http://httpd.apache.org/docs/2.2/misc/security_tips.html#serverroot
that link states exactly the oposit of what you where saing before. no user owned files anywhere. all owned by root. -- best regards/Mit freundlichen Grüßen Arvid Ephraim Picciani
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, Jun 23, 2008 at 13:14, Arvid Ephraim Picciani wrote:
that link states exactly the oposit of what you where saing before. no user owned files anywhere. all owned by root.
The link states that all the directories should be owned by root, not the files. Then if httpd is compromised, only the http owned files are compromised, not the whole directory. (notice they are talking about /, /usr/bin, etc... things that arch HAS set as owned by root) The link states that apache's httpd process will drop to the User set in configuration to serve hits. To my understanding we're just making an http user for httpd to drop to. But no, it's cool. Stay trolling. I'm totally more convinced of your point every time you reply. // jeff - -- . : [ + carpe diem totus tuus + ] : . -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: http://getfiregpg.org iEYEARECAAYFAkhf39MACgkQ4SR5wfM7frqZ1ACggjBDsJMrNuP9ALfQyPXPfH4G +w8An2KWHOtBuoBdrx+104r9PUTSmg9G =+TDk -----END PGP SIGNATURE-----
Le Mon, 23 Jun 2008 19:14:58 +0200, Arvid Ephraim Picciani <aep@ibcsolutions.de> a écrit :
On Monday 23 June 2008 19:10:30 Pierre Chapuis wrote:
[1] http://httpd.apache.org/docs/2.2/misc/security_tips.html#serverroot
that link states exactly the oposit of what you where saing before. no user owned files anywhere. all owned by root.
In fact I really meant the page you get when you click on the word "User", which is http://httpd.apache.org/docs/2.2/mod/mpm_common.html#user. It reads: "It is recommended that you set up a new user and group specifically for running the server. Some admins use user nobody, but this is not always desirable, since the nobody user can have other uses on the system." and also: "Don't set User (or Group) to root unless you know exactly what you are doing, and what the dangers are."
On Mon, Jun 23, 2008 at 11:48 AM, Arvid Ephraim Picciani <aep@ibcsolutions.de> wrote:
On Monday 23 June 2008 16:59:30 Aaron Griffin wrote:
I agree with Simo and Jan here. While we could easily take the "do it yourself" road, I always preferred the "sane defaults" side of Arch, myself. That is - install some crap and it works out-of-the-box in a pretty decent manner. It's a very small stretch from "sane defaults" to "secure defaults". Unless you think sane != secure.
so this is the official announcment that the vanilla-style-do-it-yourself for professional engineers and manual readers is no more, and that in future there will be rather debian-style-out-of-the-box solutions for those who want it to "just work" ? I'm fine with that new way. I'm going to look for a different distro then instead of having to unpatch more and more packages. I just would like to have a clear signal finally. The back and forth between those different styles is really painfull for somone who has to actually maintain a few dozens of machines. I guess you can run your systems easy and secure with the debian style, but you have to have a different kind of personality then me. thanks
Not to be snide, but your emails are always confrontational. No it is not an official announcement, no it is not a drastic change - for fuck's sake it's just a user and group added to one package. If you don't like it, then for god's sake build apache yourself.
On Monday 23 June 2008 19:16:28 Aaron Griffin wrote:
Not to be snide, but your emails are always confrontational.
yeah well are YOU sitting here running server farms with arch? if you would, you would be as pissed as me. ask glenn. For a desktop machine, who the heck cares if they crash, but my job security is directly connected to the uptime of these boxes and initially i put alot of trust in archlinux becouse of its root ideas.
No it is not an official announcement, no it is not a drastic change - for fuck's sake it's just a user and group added to one package. If you don't like it, then for god's sake build apache yourself.
the initial idea of arch was that anyone who does want NON upstream supported changes builds it themselfs. I already HAVE to build several packages myself just to REMOVE non verified patches. We had that discussion and back then you agreed that adding features for the sake of adding features is a horrible idea resulting in more work, but hey some dev can feel good about "doing something usefull". For the user you address nowadays thats a good thing: the dont have to read the softwares manual (well they can't anymore anyway becouse the software has been patched so badly that the manual doesnt apply anymore) and if it doesnt work they can always blame the distro. Yes this is debian "out of the box ease". And i would really apprechiate if you finally admit it. You not willing to take a clear position is quite painfull and weakens the position of any fork that may come up. -- best regards/Mit freundlichen Grüßen Arvid Ephraim Picciani
On Mon, Jun 23, 2008 at 12:32 PM, Arvid Ephraim Picciani <aep@ibcsolutions.de> wrote:
Yes this is debian "out of the box ease". And i would really apprechiate if you finally admit it. You not willing to take a clear position is quite painfull and weakens the position of any fork that may come up.
I have never NOT admitted it. Our packages tend to be about "sane defaults". Period. It's always been this way. I think you're confused because "sane defaults" usually coincides with "defaults from upstream". Not all upstream maintainers are sane. There are many packages that have shipped custom Arch config changes since I've been here. Hell, using 'nobody' isn't from upstream either. And we've been doing that for a while, which doesn't seem to be a problem to anyone. I don't think this is an issue with "what is right", it's an issue with "change". If you look here: http://repos.archlinux.org/viewvc.cgi/extra/daemons/apache/httpd.conf?root=extra&view=log we have shipped a custom httpd.conf file with apache for "4 years, 8 months"
On Monday 23 June 2008 19:47:23 Aaron Griffin wrote:
I have never NOT admitted it. Our packages tend to be about "sane defaults". Period.
thanks
It's always been this way.
really? i remember back when i was in irc that people got slapped around pretty badly for asking for such blasphemic things as post install scripts.
I think you're confused because "sane defaults" usually coincides with "defaults from upstream". Not all upstream maintainers are sane.
Right thats the phylosphical problem i have. I believe the apache project knows alot more about apache then some random bash hackers who call themself "distro developers" .I found it always painfull how much distros believe to do things better. Just look at debian who even criples packages unti they are ABI incompatible. arch was different, they (whoever i refer to, sounds almost like a dream i had, not reality) always agreed that the upstream is the autority for their software. Now you call them insane but at the same time defend a technicaly wrong downstream version -- the arch http config just works becouse the upstream knows that alot of distros screw up and so they keep the legacy support. Despite they wrote to your tracker since ages btw. These are dark days where the upstream has to report bugs to the downstream. sigh.
There are many packages that have shipped custom Arch config changes since I've been here. it's an issue with "change".
Good point, i was very happy with the old arch so i might overact on every little change. It began with a sudden change in irc, when suddenly people got kicked out for beeing "leet" and unfriendly to the newbies. When i joined arch people got kicked out for demanding hand holding. Made me pretty happy since i opose any kind of hand holding. Now join the channel and look for the questions.... the level of rtfm dropped to zero. On Monday 23 June 2008 20:37:27 Pierre Chapuis wrote:
Le Mon, 23 Jun 2008 19:14:58 +0200,
In fact I really meant the page you get when you click on the word "User", which is http://httpd.apache.org/docs/2.2/mod/mpm_common.html#user.
oh. sorry.
"It is recommended that you set up a new user and group specifically for running the server. Some admins use user nobody, but this is not always desirable, since the nobody user can have other uses on the system."
and also:
"Don't set User (or Group) to root unless you know exactly what you are doing, and what the dangers are."
yeah, i know that. I'm not saying that you are wrong on the security aspect. In fact my setup has been exactly like that document says for ages. i'm just saying that arch used to assume that users actually read this document _themselfs_. the user nobody is a sane enought default for end user machines with local apache for playing/testin/whatever. It's obviously not a correct setup for a production server, which is why when running a production server, you are supposed to RTFM! Please note that even after you aded that patch, the default arch setup is still not a correct production setup. 1) there are gazillions of bugs in the config 2) a production setup i supposed to be evaluated by an experienced admin specificaly for the environment. "Just installing a webserver" is the reason why we have so many infected machines around. -- mit freundlichen Grüßen / best regards Arvid Ephraim Picciani -- mit freundlichen Grüßen / best regards Arvid Ephraim Picciani
On Mon, Jun 23, 2008 at 9:23 PM, Arvid Ephraim Picciani <aep@ibcsolutions.de> wrote:
I think you're confused because "sane defaults" usually coincides with "defaults from upstream". Not all upstream maintainers are sane.
Right thats the phylosphical problem i have. I believe the apache project knows alot more about apache then some random bash hackers who call themself "distro developers" .
Sorry for replying on this point, I really shouldn't, but I couldn't resist. If you think Aaron is a 'random bash hacker', just take a look at code.phraktured.net and find out what
I found it always painfull how much distros believe to do things better. Just look at debian who even criples packages unti they are ABI incompatible. arch was different, they (whoever i refer to, sounds almost like a dream i had, not reality) always agreed that the upstream is the autority for their software. Now you call them insane but at the same time defend a technicaly wrong downstream version -- the arch http config just works becouse the upstream knows that alot of distros screw up and so they keep the legacy support. Despite they wrote to your tracker since ages btw. These are dark days where the upstream has to report bugs to the downstream. sigh.
There are many packages that have shipped custom Arch config changes since I've been here. it's an issue with "change".
Good point, i was very happy with the old arch so i might overact on every little change. It began with a sudden change in irc, when suddenly people got kicked out for beeing "leet" and unfriendly to the newbies. When i joined arch people got kicked out for demanding hand holding. Made me pretty happy since i opose any kind of hand holding. Now join the channel and look for the questions.... the level of rtfm dropped to zero.
On Monday 23 June 2008 20:37:27 Pierre Chapuis wrote:
Le Mon, 23 Jun 2008 19:14:58 +0200,
In fact I really meant the page you get when you click on the word "User", which is http://httpd.apache.org/docs/2.2/mod/mpm_common.html#user.
oh. sorry.
"It is recommended that you set up a new user and group specifically for running the server. Some admins use user nobody, but this is not always desirable, since the nobody user can have other uses on the system."
and also:
"Don't set User (or Group) to root unless you know exactly what you are doing, and what the dangers are."
yeah, i know that. I'm not saying that you are wrong on the security aspect. In fact my setup has been exactly like that document says for ages. i'm just saying that arch used to assume that users actually read this document _themselfs_. the user nobody is a sane enought default for end user machines with local apache for playing/testin/whatever. It's obviously not a correct setup for a production server, which is why when running a production server, you are supposed to RTFM!
Please note that even after you aded that patch, the default arch setup is still not a correct production setup.
1) there are gazillions of bugs in the config 2) a production setup i supposed to be evaluated by an experienced admin specificaly for the environment. "Just installing a webserver" is the reason why we have so many infected machines around.
-- mit freundlichen Grüßen / best regards Arvid Ephraim Picciani
-- mit freundlichen Grüßen / best regards Arvid Ephraim Picciani
I'm sorry, the first mail was incomplete. On Mon, Jun 23, 2008 at 9:23 PM, Arvid Ephraim Picciani <aep@ibcsolutions.de> wrote:
On Monday 23 June 2008 19:47:23 Aaron Griffin wrote:
I think you're confused because "sane defaults" usually coincides with "defaults from upstream". Not all upstream maintainers are sane.
Right thats the phylosphical problem i have. I believe the apache project knows alot more about apache then some random bash hackers who call themself "distro developers" .
Sorry for replying on this point, I really shouldn't, but I couldn't resist. If you think Aaron is a 'random bash hacker', just take a look at code.phraktured.net and find out how this is not true.
Now you call them insane
Come on, he was obviously referring to their default configurations, not to the developers themselves. Insane devs exist, just search the archives for 'ion3' or 'sancho' (ok, not this one - I'll write about it in a few days ;).
These are dark days where the upstream has to report bugs to the downstream. sigh.
I've seen this myself, and it's really sad. Anyway I don't feel Arch has outstanding "downstream bugs". I could be very wrong.
Good point, i was very happy with the old arch so i might overact on every little change. It began with a sudden change in irc, when suddenly people got kicked out for beeing "leet" and unfriendly to the newbies. When i joined arch people got kicked out for demanding hand holding. Made me pretty happy since i opose any kind of hand holding. Now join the channel and look for the questions.... the level of rtfm dropped to zero.
The best hacker is not necessarily antisocial, you know. I usually both look for documents by myself and ask real human beings: you should know that the biggest problem nof FOSS projects is the lack of documentation. I shouldn't have to be a search engine guru to use some piece of software.
Please note that even after you aded that patch, the default arch setup is still not a correct production setup.
1) there are gazillions of bugs in the config
So you're saying developers are insane to ship such a config for one of the most used softwares around? </troll> :-)
2) a production setup i supposed to be evaluated by an experienced admin specificaly for the environment. "Just installing a webserver" is the reason why we have so many infected machines around.
Good point. So no users should ever start using linux or - god forbid! - installing a server because, you know, there's so much to learn *before* you actually do that, and a public ip could make their machine a 'production setup'. Corrado
On Monday 23 June 2008 23:16:22 bardo wrote:
Right thats the phylosphical problem i have. I believe the apache project knows alot more about apache then some random bash hackers who call themself "distro developers" .
Sorry for replying on this point, I really shouldn't, but I couldn't resist. If you think Aaron is a 'random bash hacker', just take a look at code.phraktured.net and find out how this is not true.
eww sorry. this was a pretty bad assembled statement indeed. No i wasnt refering to any specific person. fear my social skills... meh
Now you call them insane
Come on, he was obviously referring to their default configurations, not to the developers themselves. Insane devs exist, just search the archives for 'ion3' or 'sancho' (ok, not this one - I'll write about it in a few days ;).
heh, yeah. but thats an upstream problem. whoever wants to use that software has to live with it :P apache though, i strongly believe, has been made by pretty good software engineers. I know some of them and maybe there are a little insane personalities but surely they know how to maintain their software.
These are dark days where the upstream has to report bugs to the downstream. sigh.
I've seen this myself, and it's really sad. Anyway I don't feel Arch has outstanding "downstream bugs". I could be very wrong.
err... apache? qt? linux? no well not outstanding if you compare to other distros like debian who really really screw up (QtGui is even ABI incompatible on debian to other systems) or RHEL who add patches to support pre stonage API. *shudder*
The best hacker is not necessarily antisocial, you know. I usually both look for documents by myself and ask real human beings: you should know that the biggest problem nof FOSS projects is the lack of documentation. I shouldn't have to be a search engine guru to use some piece of software.
I'd like not to comment on that becouse it is not relevant. You know exacly that i didnt say "screw all those n00bs".
So you're saying developers are insane to ship such a config for one of the most used softwares around? </troll> :-)
No, i'm saying that the priorities are broken. Fixing existsing bugs should have a higher prio then introducing new ones. I admit that adding new features is more fun, yeah...
2) a production setup i supposed to be evaluated by an experienced admin specificaly for the environment. "Just installing a webserver" is the reason why we have so many infected machines around.
Good point. So no users should ever start using linux or - god forbid! - installing a server because, you know, there's so much to learn *before* you actually do that, and a public ip could make their machine a 'production setup'.
huh? sorry i wasnt able to follow your points. i'll take that was "trolling" ok? -- mit freundlichen Grüßen / best regards Arvid Ephraim Picciani
On Mon, Jun 23, 2008 at 09:23:11PM +0200, Arvid Ephraim Picciani wrote:
On Monday 23 June 2008 19:47:23 Aaron Griffin wrote:
I have never NOT admitted it. Our packages tend to be about "sane defaults". Period.
thanks
It's always been this way.
really? i remember back when i was in irc that people got slapped around pretty badly for asking for such blasphemic things as post install scripts.
Which part of "it's always been this way, and nothing is changing" don't you get? Arch has ALWAYS shipped with SANE AND SECURE default configurations for packages. NO Arch will not configure them for you, nor will it help you configure them, but installing a package should not and will not compromise your system either. Likewise, while Arch won't configure them for you, it may include heavily commented configs to help you do so yourself. Like Aaron pointed out, these ideas very often coincide with what upstream developers had in mind, so a lot of the time we just ship whatever their default configuration is. What the hell is up with these purist zealots running around nowadays? That's not what Arch is supposed to be about... -S
El Monday 23 June 2008 18:48:12 Arvid Ephraim Picciani escribió:
On Monday 23 June 2008 16:59:30 Aaron Griffin wrote:
I agree with Simo and Jan here. While we could easily take the "do it yourself" road, I always preferred the "sane defaults" side of Arch, myself. That is - install some crap and it works out-of-the-box in a pretty decent manner. It's a very small stretch from "sane defaults" to "secure defaults". Unless you think sane != secure.
so this is the official announcment that the vanilla-style-do-it-yourself for professional engineers and manual readers is no more, and that in future there will be rather debian-style-out-of-the-box solutions for those who want it to "just work" ?
Do you know Debian?. Debian style isn't "just work". Debian is "just don't touch". If you put a dedicated user for apache in arch, you have a better package, (in my opinion more secure, nobody have another uses), and if you want, you can edit PKGBUILD or httpd.conf for use your settings. I don't understand the problem. A distro by default need a good packages. Use a good config for default is a good thing. why do i use a distro package and not custom package?, because the package have good quality, and a dedicated user for apache is a good thing without need of destroy KISS philosophy of arch.
On Mon 2008-06-23 18:48, Arvid Ephraim Picciani wrote:
On Monday 23 June 2008 16:59:30 Aaron Griffin wrote:
I agree with Simo and Jan here. While we could easily take the "do it yourself" road, I always preferred the "sane defaults" side of Arch, myself. That is - install some crap and it works out-of-the-box in a pretty decent manner. It's a very small stretch from "sane defaults" to "secure defaults". Unless you think sane != secure.
so this is the official announcment that the vanilla-style-do-it-yourself for professional engineers and manual readers is no more, and that in future there will be rather debian-style-out-of-the-box solutions for those who want it to "just work" ? I'm fine with that new way. I'm going to look for a different distro then instead of having to unpatch more and more packages. I just would like to have a clear signal finally. The back and forth between those different styles is really painfull for somone who has to actually maintain a few dozens of machines. I guess you can run your systems easy and secure with the debian style, but you have to have a different kind of personality then me. thanks
I don't want to talk about the "philosophy" of the distro, but I'd like to know what's the security issue in having a dedicated user/group for web servers. -- Alessio (molok) Bolognino Please send personal email to themolok@gmail.com Public Key http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xFE0270FB GPG Key ID = 1024D / FE0270FB 2007-04-11 Key Fingerprint = 9AF8 9011 F271 450D 59CF 2D7D 96C9 8F2A FE02 70FB
participants (10)
-
Aaron Griffin
-
Alessio Bolognino
-
Antonio de la Rosa
-
Arvid Ephraim Picciani
-
bardo
-
Jan de Groot
-
Jeff Mickey
-
Pierre Chapuis
-
RedShift
-
Simo Leone