[arch-general] [arch-dev-public] adding http user/group to filesystems

bardo ilbardo at gmail.com
Mon Jun 23 17:04:09 EDT 2008


On Mon, Jun 23, 2008 at 9:23 PM, Arvid Ephraim Picciani
<aep at ibcsolutions.de> wrote:
>> I think you're confused
>> because "sane defaults" usually coincides with "defaults from
>> upstream". Not all upstream maintainers are sane.
>
> Right, that's the philosophical problem I have. I believe the apache project
> knows a lot more about apache than some random bash hackers who call
> themselves "distro developers".

Sorry for replying on this point, I really shouldn't, but I couldn't resist.
If you think Aaron is a 'random bash hacker', just take a look at
code.phraktured.net and find out what

> I always found it painful how much distros
> believe they do things better. Just look at debian, who even cripple packages
> until they are ABI incompatible. arch was different, they (whoever I refer
> to, sounds almost like a dream I had, not reality) always agreed that the
> upstream is the authority for their software.
> Now you call them insane but at the same time defend a technically wrong
> downstream version -- the arch http config just works because the upstream
> knows that a lot of distros screw up and so they keep the legacy support.
> Despite they wrote to your tracker since ages btw. These are dark days where
> the upstream has to report bugs to the downstream. sigh.
>
>> There are many
>> packages that have shipped custom Arch config changes since I've been
>> here. it's an issue with "change".
>
> Good point, I was very happy with the old arch so I might overreact on every
> little change. It began with a sudden change in irc, when suddenly people got
> kicked out for being "leet" and unfriendly to the newbies. When I joined
> arch people got kicked out for demanding hand holding. Made me pretty happy
> since I oppose any kind of hand holding. Now join the channel and look for the
> questions.... the level of rtfm dropped to zero.
>
>
> On Monday 23 June 2008 20:37:27 Pierre Chapuis wrote:
>> Le Mon, 23 Jun 2008 19:14:58 +0200,
>>
>> In fact I really meant the page you get when you click on the word "User",
>> which is http://httpd.apache.org/docs/2.2/mod/mpm_common.html#user.
>
> oh. sorry.
>
>>
>> "It is recommended that you set up a new user and group specifically for
>> running the server. Some admins use user nobody, but this is not always
>> desirable, since the nobody user can have other uses on the system."
>>
>> and also:
>>
>> "Don't set User (or Group) to root unless you know exactly what you are
>> doing, and what the dangers are."
>
> yeah, I know that. I'm not saying that you are wrong on the security aspect.
> In fact my setup has been exactly like that document says for ages.
> I'm just saying that arch used to assume that users actually read this
> document _themselves_.
> the user nobody is a sane enough default for end user machines with local
> apache for playing/testing/whatever. It's obviously not a correct setup for a
> production server, which is why when running a production server, you are
> supposed to RTFM!
>
> Please note that even after you added that patch, the default arch setup is
> still not a correct production setup.
>
> 1) there are gazillions of bugs in the config
> 2) a production setup is supposed to be evaluated by an experienced admin
> specifically for the environment. "Just installing a webserver" is the reason
> why we have so many infected machines around.
>
> --
> mit freundlichen Grüßen / best regards
> Arvid Ephraim Picciani
>

