Hellard - Once Again

Flame-war starting stuff in bold

Apache

Apache is currently 1.3.27 with all the patches I did for CSG, which pretty much makes it 1.3.28. It has my rewrite of Paul Jolly's docsuexec patches in it, which work a little like this:

SuEXEC map

Apache no longer has any say in which user to run a CGI script as, except that it can nominate that the script lives in a user home directory. Since hellard doesn't run mod_userdir, that's unimportant. Remember, though, that the VirtualHost User and Group directives are now useless.

User information is looked up in the cdb /usr/apache/conf/suexec_map.cdb, keyed by directory; the most specific entry (the longest directory that is a prefix of the script's path) is used. Dumping the file looks a little like this:

+30,27:/usr/apache/htdocs/osc/germany->www_soc_germanysoc_germany
+30,27:/usr/apache/htdocs/rsm/rocksoc->www_soc_rocksocsoc_rocksoc
+31,25:/usr/apache/htdocs/halls/fisher->www_soc_fishersoc_fisher
+34,29:/usr/apache/htdocs/guilds/icracing->www_soc_icracingsoc_icracing
+33,33:/usr/apache/htdocs/acc/rcscricket->www_soc_rcscricketsoc_rcscricket
+30,27:/usr/apache/htdocs/acc/archery->www_soc_archerysoc_archery
+33,29:/usr/apache/htdocs/halls/linstead->www_soc_linsteadsoc_linstead
+33,29:/usr/apache/htdocs/halls/brabazon->www_soc_brabazonsoc_brabazon
+27,21:/usr/apache/htdocs/rcc/dofe->www_soc_dofesoc_dofe
+33,33:/usr/apache/htdocs/acc/volleyball->www_soc_volleyballsoc_volleyball
+28,23:/usr/apache/htdocs/acc/wushu->www_soc_wushusoc_wushu
+32,31:/usr/apache/htdocs/rsm/hispeople->www_soc_hispeoplesoc_hispeople

As you can see, each section and society has its own group and user: each record maps a directory to the user and group its scripts run as (the user and group are separated by a single byte that this dump doesn't show; the data lengths, e.g. 27 for the 15-character www_soc_germany plus the 11-character soc_germany, account for it). Because of this we can finally stop files with db passwords being readable to everyone. SuEXEC map also sets resource limits, but I haven't configured that yet. Society name must be unique across the whole union.
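As an added example (not the docsuexec patch itself, nor the page's Python setup script), here is the lookup the map implies: parse a cdbdump-style rendering of suexec_map.cdb using the declared lengths rather than splitting on text, then pick the longest map directory that is a prefix of the requested script. It assumes each value is user, separator byte, group, with NUL as the separator; the records are constructed, and the section-level halls entry is invented purely to show the longest-prefix rule.

```python
"""Resolving a script path through the SuEXEC map (added example).

Records in cdbdump output look like +klen,dlen:key->data, one per line,
terminated by a blank line.  Values are assumed to be "user\\0group"; the
NUL is not visible in the dump on the page but its data lengths imply one
separator byte.  The three records below are constructed; the
/usr/apache/htdocs/halls entry is invented to exercise longest-prefix match.
"""

SEP = "\0"   # assumed separator between user and group

SAMPLE_DUMP = (
    "+30,27:/usr/apache/htdocs/osc/germany->www_soc_germany\0soc_germany\n"
    "+31,25:/usr/apache/htdocs/halls/fisher->www_soc_fisher\0soc_fisher\n"
    "+24,23:/usr/apache/htdocs/halls->www_sec_halls\0sec_halls\n"
    "\n"
)


def parse_cdbdump(text):
    """Return {key: data} from cdbdump output, trusting the declared lengths
    so that keys or values containing '->' or newlines cannot confuse us."""
    records, pos = {}, 0
    while pos < len(text):
        if text[pos] == "\n":            # blank line ends the dump
            break
        if text[pos] != "+":
            raise ValueError("bad record at offset %d" % pos)
        comma = text.index(",", pos)
        colon = text.index(":", comma)
        klen, dlen = int(text[pos + 1:comma]), int(text[comma + 1:colon])
        key = text[colon + 1:colon + 1 + klen]
        arrow = colon + 1 + klen
        if text[arrow:arrow + 2] != "->":
            raise ValueError("length mismatch in record for %r" % key)
        data = text[arrow + 2:arrow + 2 + dlen]
        pos = arrow + 2 + dlen
        if text[pos:pos + 1] != "\n":
            raise ValueError("record for %r not newline-terminated" % key)
        pos += 1
        records[key] = data
    return records


def lookup(records, script_path):
    """(user, group) for the longest map directory containing script_path,
    or None when nothing covers it, in which case the script must not run."""
    best = None
    for key in records:
        # match on a whole path component: "halls/fisher" must not match
        # "halls/fisherman/x.cgi"
        if script_path.startswith(key.rstrip("/") + "/"):
            if best is None or len(key) > len(best):
                best = key
    if best is None:
        return None
    user, _, group = records[best].partition(SEP)
    return user, group


RECORDS = parse_cdbdump(SAMPLE_DUMP)

if __name__ == "__main__":
    for script in ("/usr/apache/htdocs/halls/fisher/index.php",
                   "/usr/apache/htdocs/halls/fisherman/x.cgi",
                   "/usr/apache/htdocs/rcc/dofe/x.cgi"):
        print(script, "->", lookup(RECORDS, script))
```

Returning None rather than a fallback user is deliberate: a script outside every mapped directory has no identity to run as, and refusing is safer than inheriting the web server's.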

SuEXEC map also `handles' PHP. Don't ask - it Just Works thanks to the way the CGI standard is written. PHP files aren't bodged via a script that includes them, nor do they need #! lines, nor do they need to be executable.

Permissions

Permissions are kind of complicated. Each section (a section being something like acc or halls) has a directory, as always. It's owned by root and group-owned by sec_xyz, so if you are a member of sec_xyz you can write files into that directory.

Within a section, a society (and things like Beit Hall are classed as societies in the halls section) is owned by root and group owned by soc_abc. Thus a person can admin multiple societies by being in multiple groups.

Of course, we want to protect PHP files, since they hold the db passwords. Unfortunately, most people don't understand permissions, so society directories are mode 01770: with no search bit for "other", nothing beneath a society directory is reachable by outsiders whatever the individual files' modes, and the sticky bit stops one member deleting another's files. Section directories are not 01770, so anything placed directly in a section directory still needs its world-read bit removed explicitly.

But, since the webserver needs to read the files, the ACL looks like:

# file: .
# owner: root
# group: soc_beit
user::rwx
user:www:r-x
group::rwx
group:wizard:rwx
group:sec_halls:rwx
mask::rwx
other::---
default:user::rwx
default:user:www:r-x
default:group::rwx
default:group:wizard:rwx
default:group:sec_halls:rwx
default:group:soc_beit:rwx
default:mask::rwx
default:other::---

So user www has read and search access, and members of group wizard and of the section group (sec_halls here) have full access. Note the explicit default:group:soc_beit entry: the directory is not setgid, so files created inside it take the creator's primary group, and that inherited entry is what keeps them reachable by the rest of the society.

You might ask why I don't do the same trick on the section dirs, but with SuEXEC that would mean one ACL entry per www_soc_* user under the section, i.e. O(n) entries in the number of societies, and O(n) is bad for ACL numbers.
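To show why the 01770 society directory plus the ACL above protects a world-readable config file, here is an added example (not the page's Python setup script) that implements the acl(5) access check over getfacl-style text and then walks a path, so that a directory denying the search bit hides everything beneath it regardless of the file's own mode. The Beit ACL is the one quoted above; the modes of the parent directories, the 0644 config file and the people (alice, bob, carol, dave, erin) are assumed.

```python
"""POSIX ACL evaluation for the society directory layout (added example).

Assumed: htdocs is 0755 root:root, the halls section is 0775 root:sec_halls
(group writable, world searchable, as the page describes), and a society
member (bob) left config.php 0644 with his own primary group, which is what
a non-setgid 01770 directory gives a new file.
"""
from dataclasses import dataclass, field


def _perms(s):
    return {c for c in s if c in "rwx"}


@dataclass
class Acl:
    owner: str
    group: str
    user_obj: set                               # user::   (owner)
    group_obj: set                              # group::  (owning group)
    users: dict = field(default_factory=dict)   # user:NAME:
    groups: dict = field(default_factory=dict)  # group:NAME:
    mask: set = None                            # mask::  (None = no extended ACL)
    other: set = field(default_factory=set)     # other::


def parse_getfacl(text):
    """Build an Acl from getfacl output.  default: entries only govern
    inheritance and play no part in access checks on the directory itself."""
    acl = Acl(owner=None, group=None, user_obj=set(), group_obj=set())
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl.owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl.group = line.split(":", 1)[1].strip()
        elif not line or line.startswith(("#", "default:")):
            continue
        else:
            tag, qual, perm = line.split(":")
            p = _perms(perm)
            if tag == "user":
                if qual: acl.users[qual] = p
                else: acl.user_obj = p
            elif tag == "group":
                if qual: acl.groups[qual] = p
                else: acl.group_obj = p
            elif tag == "mask":
                acl.mask = p
            elif tag == "other":
                acl.other = p
    return acl


def acl_from_mode(owner, group, mode):
    """ACL equivalent of a plain mode such as 0644 (no extended entries)."""
    bits = lambda n: {c for c, b in (("r", 4), ("w", 2), ("x", 1)) if n & b}
    return Acl(owner, group, bits(mode >> 6 & 7), bits(mode >> 3 & 7),
               other=bits(mode & 7))


def check(acl, uid, groups, want):
    """acl(5): is every permission in `want` granted to uid (member of groups)?"""
    want = _perms(want)
    masked = lambda p: p & acl.mask if acl.mask is not None else p
    if uid == acl.owner:                       # owner entry is never masked
        return want <= acl.user_obj
    if uid in acl.users:                       # named user entry, masked
        return want <= masked(acl.users[uid])
    candidates = [acl.group_obj] if acl.group in groups else []
    candidates += [p for g, p in acl.groups.items() if g in groups]
    if candidates:                             # any matching group entry suffices
        return any(want <= masked(p) for p in candidates)
    return want <= acl.other


def can_read_file(dir_acls, file_acl, uid, groups):
    """Need x on every directory on the way, then r on the file itself."""
    return (all(check(d, uid, groups, "x") for d in dir_acls)
            and check(file_acl, uid, groups, "r"))


BEIT_ACL = parse_getfacl("""\
# file: .
# owner: root
# group: soc_beit
user::rwx
user:www:r-x
group::rwx
group:wizard:rwx
group:sec_halls:rwx
mask::rwx
other::---
default:user::rwx
default:user:www:r-x
default:group::rwx
default:group:wizard:rwx
default:group:sec_halls:rwx
default:group:soc_beit:rwx
default:mask::rwx
default:other::---
""")

PATH_TO_BEIT = [acl_from_mode("root", "root", 0o755),        # assumed
                acl_from_mode("root", "sec_halls", 0o775),   # assumed
                BEIT_ACL]
CONFIG_PHP = acl_from_mode("bob", "bob", 0o644)              # assumed


def who_can_read_config():
    """Which (assumed) people can read the 0644 config.php under Beit."""
    people = {"www": set(), "alice": set(), "bob": {"soc_beit"},
              "carol": {"soc_beit"}, "dave": {"wizard"}, "erin": {"sec_halls"}}
    return {u: can_read_file(PATH_TO_BEIT, CONFIG_PHP, u, g)
            for u, g in people.items()}


if __name__ == "__main__":
    for user, ok in who_can_read_config().items():
        print("%-6s %s" % (user, "reads config.php" if ok else "denied"))
```

The file on its own would let alice read it (0644), yet she is denied because the Beit directory's other::--- entry refuses her the search bit; www gets through only via its named user entry and, thanks to the mask and r-x, can never write.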

Fortunately, you don't need to set this all up manually. There's a Python script that you can run and it will create everything and set permissions.

Currently it's capable of doing all this and running the Dramsoc website.

An install of RT exists, but I don't really want to use it. A mailing list will do; we don't need a request tracker.

Mail

Hellard runs qmail with mailman. This already works.

Plans include letting societies set up their own mailing lists and forwarding, provided that the prefix of the address is their society name.

Authentication

It can currently authenticate off DoC Windows servers, leading me to believe that it will work off ICT servers. I still need to get an ICT password so that I can sort this out. DoC students will need to use their ICT password.

Quotas

Quotas are enforced per-society. The current rule of thumb is 50MB unless you have a reasonable need for more (e.g. Dramsoc, Stoic, Felix).
