Subject: Re: New netsaint packages
To: NetBSD Packages Technical Discussion List <tech-pkg@netbsd.org>
From: Murray Armfield <murray@river-styx.org>
List: tech-pkg
Date: 03/21/2002 16:01:59
Thanks for the comments on user/group stuff Greg. Have changed over all
user/group stuff in new netsaint pkgs to netsaint user and group (as per
previous pkg).
Shouldn't this then be fixed in the apache package? It still uses nobody.
There are probably other packages with the same issue, as you may know. They
should be fixed, surely?
What about submitting it?
Take care,
Murray Armfield
On Thu, 21 Mar 2002 15:37, you wrote:
> [ On Thursday, March 21, 2002 at 14:12:46 (+1100), Murray Armfield wrote: ]
>
> > Subject: New netsaint packages
> >
> > I have made one major change being that the daemon user and group for
> > the monitoring program changes from netsaint to nobody. It makes the
> > apache integration a bit easier. If this is unacceptable, please let me
> > know.
>
> 'nobody' must not ever be used by either apache or netsaint (or anything
> else, for that matter) if the server is also an NFS server (at least not
> if '-maproot=nobody' is ever used to export any directory)
>
> (nobody should be '-2:-2' too, but that's another story)
>
> In fact it's probably best if netsaint and apache not even run under
> the same user-ids, and it's definitely best to NEVER use 'nobody' for
> things that are not explicitly NFS related (i.e. where you need to allow
> client root IDs write access to some exported object).
>
> There's nothing difficult or complex about integrating Netsaint with its
> web administration scripts while still keeping it secure, so I don't
> think there's any excuse for compromising here.
>
> The only netsaint directory that has to be writable by the web server
> (err, rather more properly by the netsaint CGI scripts run by the web
> server) is the ~netsaint/var/rw directory, and it should be group
> writable by the group the web server runs the CGIs as, but owned (and
> writable) by the netsaint user.
>
> For example my netsaint runs as netsaint:netsaint, and my web server
> runs as wwwsrvr:wwwsrvr:
>
> $ ll ~netsaint/var
> total 136
>        24 drwxrwxr-x 2 netsaint netsaint 11776 Mar 20 00:00 archives
> 486297  2 -rw-r--r-- 1 root     netsaint     4 Dec 23 02:15 netsaint.lock
> 486607 80 -rw-r--r-- 1 netsaint netsaint 40178 Mar 20 23:25 netsaint.log
> 493709  2 drwxrwxr-x 2 netsaint wwwsrvr    512 Jan 22  2001 rw
> 486608 16 -rw-r--r-- 1 netsaint netsaint  8095 Mar 20 23:27 status.log
> 486296 12 -rw-r--r-- 1 netsaint netsaint  5867 Mar 18 20:00 status.sav
>
> and my netsaint configs are writable by the 'netstadm' group, of which
> all netsaint admins are members (or have the newgrp password for)
>
> $ ll ~netsaint
> total 12
> 293927 2 drwxr-xr-x 2 root     wheel     512 Jan 22  2001 bin
> 892207 2 drwxrwxr-x 3 root     netstadm  512 Mar 20 11:36 etc
> 979306 2 drwxr-xr-x 2 root     wheel    1024 Feb 23  2001 libexec
> 631112 2 drwxr-xr-x 2 root     wheel     512 Jan 22  2001 sbin
> 968484 2 drwxr-xr-x 6 root     wheel     512 Jan 22  2001 share
> 500577 2 drwxrwxr-x 4 netsaint netsaint  512 Mar 20 23:34 var
>
> All the programs and other static files are of course owned by root and
> writable only by root.