[arch-general] [arch-dev-public] adding http user/group to filesystems

Arvid Ephraim Picciani aep at ibcsolutions.de
Mon Jun 23 15:23:11 EDT 2008


On Monday 23 June 2008 19:47:23 Aaron Griffin wrote:
> I have never NOT admitted it.
> Our packages tend to be about "sane 
> defaults". Period. 

thanks

> It's always been this way. 

Really? I remember back when I was in IRC that people got slapped around 
pretty badly for asking for such blasphemous things as post-install scripts.

> I think you're confused  
> because "sane defaults" usually coincides with "defaults from
> upstream". Not all upstream maintainers are sane. 

Right, that's the philosophical problem I have. I believe the Apache project 
knows a lot more about Apache than some random bash hackers who call 
themselves "distro developers". I always found it painful how much distros 
believe they do things better. Just look at Debian, who even cripple packages 
until they are ABI incompatible. Arch was different, they (whoever I refer 
to, sounds almost like a dream I had, not reality) always agreed that the 
upstream is the authority for their software. 
Now you call them insane but at the same time defend a technically wrong 
downstream version -- the Arch http config just works because the upstream 
knows that a lot of distros screw up and so they keep the legacy support. 
Despite they wrote to your tracker since ages btw. These are dark days where 
the upstream has to report bugs to the downstream. Sigh.

> There are many  
> packages that have shipped custom Arch config changes since I've been
> here. it's an issue with "change".

Good point, I was very happy with the old Arch so I might overreact to every 
little change. It began with a sudden change in IRC, when suddenly people got 
kicked out for being "leet" and unfriendly to the newbies. When I joined 
Arch, people got kicked out for demanding hand holding. Made me pretty happy 
since I oppose any kind of hand holding. Now join the channel and look for the 
questions.... the level of RTFM dropped to zero.


On Monday 23 June 2008 20:37:27 Pierre Chapuis wrote:
> Le Mon, 23 Jun 2008 19:14:58 +0200,
>
> In fact I really meant the page you get when you click on the word "User",
> which is http://httpd.apache.org/docs/2.2/mod/mpm_common.html#user.

oh. sorry.

>
> "It is recommended that you set up a new user and group specifically for
> running the server. Some admins use user nobody, but this is not always
> desirable, since the nobody user can have other uses on the system."
>
> and also:
>
> "Don't set User (or Group) to root unless you know exactly what you are
> doing, and what the dangers are."

Yeah, I know that. I'm not saying that you are wrong on the security aspect.
In fact my setup has been exactly like that document says for ages.
I'm just saying that Arch used to assume that users actually read this 
document _themselves_. 
The user nobody is a sane enough default for end user machines with local 
Apache for playing/testing/whatever. It's obviously not a correct setup for a 
production server, which is why when running a production server, you are 
supposed to RTFM!

Please note that even after you added that patch, the default Arch setup is 
still not a correct production setup.

1) there are gazillions of bugs in the config
2) a production setup is supposed to be evaluated by an experienced admin 
specifically for the environment. "Just installing a webserver" is the reason 
why we have so many infected machines around. 

-- 
mit freundlichen Grüßen / best regards
Arvid Ephraim Picciani

