[Koha-devel] Thoughts on retiring libapache2-mpm-itk?

dcook at prosentient.com.au dcook at prosentient.com.au
Tue Jul 26 05:25:14 CEST 2022


What would be insecure about making the Starman/Plack sockets writeable by www-data? It wouldn’t be any different from using TCP sockets (instead of Unix sockets) which is common or a reverse proxy. 

 

David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia
Office: 02 9212 0899
Online: 02 8005 0595

From: Tomas Cohen Arazi <tomascohen at theke.io> 
Sent: Tuesday, 26 July 2022 1:10 PM
To: Chris Cormack <chris at bigballofwax.co.nz>
Cc: David Cook <dcook at prosentient.com.au>; Koha Devel <koha-devel at lists.koha-community.org>
Subject: Re: [Koha-devel] Thoughts on retiring libapache2-mpm-itk?

 


> Yet… Koha mostly runs in Starman these days. We don’t necessarily get that much benefit from AssignUserID anymore. The main problem would be permissions for the CGI scripts that we don’t proxy. So maybe we wait until after we’re proxying everything through Apache and Apache is just a reverse proxy to Starman and a static asset server. Because at that point… there’s no reason it couldn’t just run under the “www-data” user.
>
>
That's not entirely true, plack runs on a unix socket as a user, with
potentially multiple sites on a single server. So having only the
right apache sites being able to talk to the right sockets by them
both being the same user is a very important thing.

 

+1

 

Being able to have a secure deployment out of the box is a thing we shouldn't lose!
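The disagreement above turns on one mechanism: connect(2) on an AF_UNIX socket requires write permission on the socket inode, so when each Apache site runs as its own user (mpm-itk's AssignUserID) and each site's Starman socket is owned by that user with mode 0660, site A's Apache workers simply cannot open site B's socket. The model below is an added example written for this page, not Koha's own code or anything from the thread participants. It applies the standard owner/group/other write-bit check to two constructed scenarios: per-site users, and every vhost running as www-data with the sockets made group-writable by www-data. The socket paths and the `<site>-koha` user layout are assumptions about a koha-common install, not facts from the thread; the uids are made up.

```python
import stat
from dataclasses import dataclass

# All values below are constructed for illustration. Paths follow the
# koha-common convention (/var/run/koha/<site>/plack.sock) as an assumption.


@dataclass(frozen=True)
class SocketFile:
    """stat() facts for a Starman/Plack AF_UNIX socket (constructed data)."""
    site: str
    path: str
    uid: int
    gid: int
    mode: int   # permission bits only, e.g. 0o660


@dataclass(frozen=True)
class Vhost:
    """The uid and group set an Apache site's worker processes run with."""
    site: str
    uid: int
    groups: frozenset


def can_connect(sock: SocketFile, who: Vhost) -> bool:
    """Model of the DAC check connect(2) performs on an AF_UNIX socket:
    the caller needs *write* permission on the socket inode.
    Owner bits apply if the uid matches, else group bits if the socket's
    gid is in the caller's groups, else the 'other' bits.
    uid 0 bypasses DAC (CAP_DAC_OVERRIDE) and is modelled as always allowed.
    Search (x) permission on the parent directories is not modelled."""
    if who.uid == 0:
        return True
    if who.uid == sock.uid:
        return bool(sock.mode & stat.S_IWUSR)
    if sock.gid in who.groups:
        return bool(sock.mode & stat.S_IWGRP)
    return bool(sock.mode & stat.S_IWOTH)


def cross_site_exposures(sockets, vhosts):
    """Sorted (vhost site, socket path) pairs where a vhost can connect to a
    socket belonging to a *different* site. An empty list means the socket
    permissions alone keep the sites apart."""
    found = []
    for v in vhosts:
        for s in sockets:
            if s.site != v.site and can_connect(s, v):
                found.append((v.site, s.path))
    return sorted(found)


# Scenario 1: libapache2-mpm-itk with AssignUserID per site. Each vhost runs
# as its own <site>-koha user (uids assumed), and each site's socket is owned
# by that user with mode 0660 and the site's own primary group.
ITK_SOCKETS = [
    SocketFile("libraryA", "/var/run/koha/libraryA/plack.sock", 1001, 1001, 0o660),
    SocketFile("libraryB", "/var/run/koha/libraryB/plack.sock", 1002, 1002, 0o660),
]
ITK_VHOSTS = [
    Vhost("libraryA", 1001, frozenset({1001})),
    Vhost("libraryB", 1002, frozenset({1002})),
]

# Scenario 2: mpm-itk retired. Every vhost runs as www-data (uid 33 on
# Debian), so to let Apache reach the sockets at all they are made
# group-writable by www-data. The same change lets vhost A reach B's socket.
WWW_DATA = 33
SHARED_SOCKETS = [
    SocketFile("libraryA", "/var/run/koha/libraryA/plack.sock", 1001, WWW_DATA, 0o660),
    SocketFile("libraryB", "/var/run/koha/libraryB/plack.sock", 1002, WWW_DATA, 0o660),
]
SHARED_VHOSTS = [
    Vhost("libraryA", WWW_DATA, frozenset({WWW_DATA})),
    Vhost("libraryB", WWW_DATA, frozenset({WWW_DATA})),
]


if __name__ == "__main__":
    print("per-site users: ", cross_site_exposures(ITK_SOCKETS, ITK_VHOSTS))
    print("shared www-data:", cross_site_exposures(SHARED_SOCKETS, SHARED_VHOSTS))
```

In scenario 1 each vhost reaches only its own socket; in scenario 2 both vhosts reach both sockets, which is the cross-site path the objection describes. The model also bears out the comparison to TCP: a 127.0.0.1 listener carries no per-user check at all, so on a multi-site host it sits in the same position as scenario 2, and the per-user Unix socket is the stricter of the two. A practitioner auditing a real host would replace the constructed data with os.stat() of each plack.sock and the uid/groups from each vhost's AssignUserID (or the global User/Group), and would also check search permission on /var/run/koha/<site>, which this model leaves out.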

 


