tech-pkg archive


coherent plan for webserver users and groups?



(Of course I am not suggesting changing anything pre-freeze.)

I am finding our setup for uid/gid for various packages confusing and
difficult to deal with.  Basically apache and nginx do the same thing,
but default to different uid/gid.  And php-fpm is part of the nginx
world, with yet another uid.

Further, php-nextcloud aligns with nginx.
Then there are other packages that need to match uid/gid, or more
precisely have files that are readable/writable by the web server.

Finally, APACHE_* is defined in mk/defaults/mk.conf, but the rest are in
package Makefiles.

apache:
mk/defaults/mk.conf: APACHE_USER?= www
mk/defaults/mk.conf: APACHE_GROUP?= www

ap2-fcgid:
(this is an apache module)

nginx:
NGINX_USER?=            nginx
NGINX_GROUP?=           nginx

php-fpm:
FPM_USER?=              fpm
FPM_GROUP?=             www

php-nextcloud:
APACHE_USER?=   nginx
APACHE_GROUP?=  nginx
[of course, the name of the variable is not that important; the point is
that by default nextcloud expects to operate under the nginx user]

zoneminder:
BUILD_DEFS+=            APACHE_USER APACHE_GROUP


This all seems unhelpful.  I don't really understand the rationale for
privsep between any of these packages, except:

  if running nginx and apache on same box

  if somehow nginx/fpm proxy the uid so you can have fpm/nextcloud as
  one and other nginx as the other

Practically, to run nextcloud, one has to set APACHE_USER to fpm, so
that nextcloud is fpm.

It strikes me that perhaps:

  We should reduce the number of default uids, perhaps to just www/www.
  Change defaults to define WWW_USER and WWW_GROUP.

  Each package should define PKGNAME_USER/GROUP, but ?= them to
  WWW_USER/GROUP.

That would let people adjust to separate, but it would put
apache/nginx/fpm in the same uid/gid, and let nextcloud/zoneminder and
the other things I don't know about match.

Or perhaps we should have separate uid and the same gid and make
everything group writable.  But I don't see the gain and it's a bunch of
debugging.


Comments?  Objections to doing the "perhaps" paragraph post-freeze?
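To make the chained-defaults idea concrete, the fragment below is an added illustration of how the proposed WWW_USER/WWW_GROUP scheme could look in mk/defaults/mk.conf and in two package Makefiles. It is not current pkgsrc code and not part of the message above. It assumes pkgsrc's existing PKG_USERS/PKG_GROUPS and PKG_USERS_VARS/PKG_GROUPS_VARS machinery for creating and recording users; the names WWW_USER, WWW_GROUP, NEXTCLOUD_USER and NEXTCLOUD_GROUP are the proposal's, not variables that exist today.

```make
# --- mk/defaults/mk.conf (proposed site-wide default; illustration only) ---
# One default identity for everything web-facing.  ?= only assigns when the
# variable is still unset, so a site that already set WWW_USER in its own
# mk.conf keeps its value.
WWW_USER?=	www
WWW_GROUP?=	www

# --- www/nginx/Makefile (proposed; illustration only) ---
# Per-package variables still exist so a site can separate nginx from
# apache/fpm when it wants to, but they fall back to the shared default.
NGINX_USER?=	${WWW_USER}
NGINX_GROUP?=	${WWW_GROUP}

# Register the user/group so the package's INSTALL script creates them, and
# list the variables so the chosen names are recorded with the package.
PKG_GROUPS=		${NGINX_GROUP}
PKG_USERS=		${NGINX_USER}:${NGINX_GROUP}
PKG_GROUPS_VARS+=	NGINX_GROUP
PKG_USERS_VARS+=	NGINX_USER

# --- www/php-nextcloud/Makefile (proposed; NEXTCLOUD_* is hypothetical) ---
# The application tree must be owned by whatever uid/gid actually serves it.
# With chained defaults it matches nginx/fpm/apache unless the site
# deliberately overrides one of them.
NEXTCLOUD_USER?=	${WWW_USER}
NEXTCLOUD_GROUP?=	${WWW_GROUP}
BUILD_DEFS+=		NEXTCLOUD_USER NEXTCLOUD_GROUP

# --- a site's own mk.conf (example override; illustration only) ---
# To keep a separate identity for nginx alone, a site would set:
#NGINX_USER=	nginx
#NGINX_GROUP=	nginx
# Everything else continues to resolve to www/www.
```

Because a site's mk.conf assigns with `=`, such an override wins over a package's `?=` default whichever of the two is read first; the defaults file, by contrast, uses `?=` and therefore never clobbers a site setting. The practical check after a rebuild is simply that the web server, php-fpm and the application tree all report the same owner, which under this scheme they do unless the site opted out for one of them.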

