Re: [Koha-devel] Thoughts on retiring libapache2-mpm-itk?
What would be insecure about making the Starman/Plack sockets writeable by www-data? It wouldn’t be any different from using TCP sockets (instead of Unix sockets) which is common or a reverse proxy. David Cook Senior Software Engineer Prosentient Systems Suite 7.03 6a Glen St Milsons Point NSW 2061 Australia Office: 02 9212 0899 Online: 02 8005 0595 From: Tomas Cohen Arazi <tomascohen@theke.io> Sent: Tuesday, 26 July 2022 1:10 PM To: Chris Cormack <chris@bigballofwax.co.nz> Cc: David Cook <dcook@prosentient.com.au>; Koha Devel <koha-devel@lists.koha-community.org> Subject: Re: [Koha-devel] Thoughts on retiring libapache2-mpm-itk?
Yet… Koha mostly runs in Starman these days. We don’t necessarily get that much benefit from AssignUserID anymore. The main problem would be permissions for the CGI scripts that we don’t proxy. So maybe we wait until after we’re proxying everything through Apache and Apache is just a reverse proxy to Starman and a static asset server. Because at that point… there’s no reason it couldn’t just run under the “www-data” user.
That's not entirely true, plack runs on a unix socket as a user, with potentially multiple sites on a single server. So having only the right apache sites being able to talk to the right sockets by them both being the same user is a very important thing. +1 Being able to have a secure deployment out of the box is a thing we shouldn't loose!
participants (1)
-
dcook@prosentient.com.au