Subject: Re: New netsaint packages
To: Murray Armfield <murray@river-styx.org>
From: Greg A. Woods <woods@weird.com>
List: tech-pkg
Date: 03/20/2002 23:37:38
[ On Thursday, March 21, 2002 at 14:12:46 (+1100), Murray Armfield wrote: ]
> Subject: New netsaint packages
>
> I have made one major change being that the daemon user and group for the
> monitoring program changes from netsaint to nobody. It makes the apache
> integration a bit easier. If this is unacceptable, please let me know.
'nobody' must not ever be used by either apache or netsaint (or anything
else, for that matter) if the server is also an NFS server (at least not
if '-maproot=nobody' is ever used to export any directory).
(nobody should be '-2:-2' too, but that's another story.)
In fact it's probably best if netsaint and apache don't even run under
the same user-ids, and it's definitely best to NEVER use 'nobody' for
things that are not explicitly NFS related (i.e. where you need to allow
client root IDs write access to some exported object).
There's nothing difficult or complex about integrating Netsaint with its
web administration scripts while still keeping it secure, so I don't
think there's any excuse for compromising here.
The only netsaint directory that has to be writable by the web server
(err, rather more properly by the netsaint CGI scripts run by the web
server) is the ~netsaint/var/rw directory, and it should be group
writable by the group the web server runs the CGIs as, but owned (and
writable) by the netsaint user.
For example my netsaint runs as netsaint:netsaint, and my web server
runs as wwwsrvr:wwwsrvr:
$ ll ~netsaint/var
total 136
24 drwxrwxr-x 2 netsaint netsaint 11776 Mar 20 00:00 archives
486297 2 -rw-r--r-- 1 root netsaint 4 Dec 23 02:15 netsaint.lock
486607 80 -rw-r--r-- 1 netsaint netsaint 40178 Mar 20 23:25 netsaint.log
493709 2 drwxrwxr-x 2 netsaint wwwsrvr 512 Jan 22 2001 rw
486608 16 -rw-r--r-- 1 netsaint netsaint 8095 Mar 20 23:27 status.log
486296 12 -rw-r--r-- 1 netsaint netsaint 5867 Mar 18 20:00 status.sav
and my netsaint configs are writable by the 'netstadm' group, to which
all netsaint admins belong (or have the newgrp password for):
$ ll ~netsaint
total 12
293927 2 drwxr-xr-x 2 root wheel 512 Jan 22 2001 bin
892207 2 drwxrwxr-x 3 root netstadm 512 Mar 20 11:36 etc
979306 2 drwxr-xr-x 2 root wheel 1024 Feb 23 2001 libexec
631112 2 drwxr-xr-x 2 root wheel 512 Jan 22 2001 sbin
968484 2 drwxr-xr-x 6 root wheel 512 Jan 22 2001 share
500577 2 drwxrwxr-x 4 netsaint netsaint 512 Mar 20 23:34 var
All the programs and other static files are of course owned by root and
writable only by root.
--
Greg A. Woods
+1 416 218-0098; <gwoods@acm.org>; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>