Old 10-31-2008, 04:32 PM
"Camron W. Fox"
 
Default OT: SA/Apache "Best Practice"?

Alle,

Here is our situation:

Our customer leases their machines from us and contract us to manage
them (as far as all systems administration issues). The customer does
not have root access to any machine (by their own choice, as they want
us to be responsible if something goes awry).
In the case of their web servers, we handle all configuration, they
manage the content. We make changes to the configuration as necessary to
support their content.
There is one machine (RHEL5.2) that they are developing on that will
become a production box. They have sudo access to manage mysql functions
as well as the apache server.

They have asked, that we change the default directory
permission/ownership of /var/www/html,cgi-bin, instead of using the
Documentroot and ScriptAlias parameters in the apache configuration.

drwxr-xr-x 2 root root 4096 Jan 11 2008 /var/www/cgi-bin
drwxr-xr-x 2 root root 4096 Jan 11 2008 /var/www/html

to

drwxrwxr-x 2 root user 4096 Jan 11 2008 /var/www/cgi-bin
drwxrwxr-x 2 root user 4096 Jan 11 2008 /var/www/html

We have explained that it is preferable *not* to modify the default
filesystem configuration of the underlying OS and have recommended that
they customize the app by specifying a location of their choice in
httpd.conf. They argue that they "just want to use the system default
location". There is no *technical* reason for this, according to them.
The location does not affect the app.
None of the other web servers we manage for them use the RHEL apache
default, they all have customized locations for content and scripts.


My question is:

What argument, if any, would you use to try and convince the customer
that this is a bad idea/bad practice?


Best Regards,
Camron

--
Camron W. Fox
Hilo Office
High Performance Computing Group
Fujitsu Management Services of America, Inc.
E-mail: cwfox@us.fujitsu.com
Phone: (808) 934-4102
Cell: (808) 937-5026

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-31-2008, 05:12 PM
Paul Heinlein
 
Default OT: SA/Apache "Best Practice"?

On Fri, 31 Oct 2008, Camron W. Fox wrote:

> [Our customer has] asked, that we change the default directory
> permission/ownership of /var/www/html,cgi-bin, instead of using the
> Documentroot and ScriptAlias parameters in the apache configuration.
>
> drwxr-xr-x 2 root root 4096 Jan 11 2008 /var/www/cgi-bin
> drwxr-xr-x 2 root root 4096 Jan 11 2008 /var/www/html
>
> to
>
> drwxrwxr-x 2 root user 4096 Jan 11 2008 /var/www/cgi-bin
> drwxrwxr-x 2 root user 4096 Jan 11 2008 /var/www/html
>
> We have explained that it is preferable *not* to modify the default
> filesystem configuration of the underlying OS and have recommended
> that they customize the app by specifying a location of their choice
> in httpd.conf. They argue that they "just want to use the system
> default location". There is no *technical* reason for this,
> according to them. The location does not affect the app.
>
> None of the other web servers we manage for them use the RHEL apache
> default, they all have customized locations for content and scripts.
>
> My question is:
>
> What argument, if any, would you use to try and convince the
> customer that this is a bad idea/bad practice?


Updates to the httpd package will overwrite those permissions, so
there will need to be a cron job (or very vigilant SA) that monitors
those perms, re-customizing them as necessary.


Otherwise, what they're asking isn't all that unusual, imo.

--
Paul Heinlein <> heinlein@madboa.com <> http://www.madboa.com/
 
Old 10-31-2008, 05:14 PM
Scott Silva
 
Default OT: SA/Apache "Best Practice"?

on 10-31-2008 10:32 AM Camron W. Fox spake the following:
> Alle,
>
> Here is our situation:
>
> Our customer leases their machines from us and contract us to
> manage them (as far as all systems administration issues). The customer
> does not have root access to any machine (by their own choice, as they
> want us to be responsible if something goes awry).
> In the case of their web servers, we handle all configuration, they
> manage the content. We make changes to the configuration as necessary to
> support their content.
> There is one machine (RHEL5.2) that they are developing on that will
> become a production box. They have sudo access to manage mysql functions
> as well as the apache server.
> They have asked, that we change the default directory
> permission/ownership of /var/www/html,cgi-bin, instead of using the
> Documentroot and ScriptAlias parameters in the apache configuration.
>
> drwxr-xr-x 2 root root 4096 Jan 11 2008 /var/www/cgi-bin
> drwxr-xr-x 2 root root 4096 Jan 11 2008 /var/www/html
>
> to
>
> drwxrwxr-x 2 root user 4096 Jan 11 2008 /var/www/cgi-bin
> drwxrwxr-x 2 root user 4096 Jan 11 2008 /var/www/html
>
> We have explained that it is preferable *not* to modify the default
> filesystem configuration of the underlying OS and have recommended that
> they customize the app by specifying a location of their choice in
> httpd.conf. They argue that they "just want to use the system default
> location". There is no *technical* reason for this, according to them.
> The location does not affect the app.
> None of the other web servers we manage for them use the RHEL apache
> default, they all have customized locations for content and scripts.
>
> My question is:
>
> What argument, if any, would you use to try and convince the
> customer that this is a bad idea/bad practice?
>
> Best Regards,
> Camron
>
Tell them that if they want to make a change like this, then they have to sign
off that THEY will be liable for this system and any damage it might cause. It
may just be a bluff, but it probably won't make it past their legal team if
they have one.

--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

 
Old 10-31-2008, 05:15 PM
"Jim Perrin"
 
Default OT: SA/Apache "Best Practice"?

On Fri, Oct 31, 2008 at 1:32 PM, Camron W. Fox <cwfox@us.fujitsu.com> wrote:

> What argument, if any, would you use to try and convince the customer
> that this is a bad idea/bad practice?

Well, it's entirely possible that on update, the permissions they set
will be overridden since the httpd package owns and overwrites all
files not marked as config files on updates.



--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
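
The monitoring job Paul Heinlein describes, covering the overwrite-on-update case Jim Perrin also raises, as an added example that is not code from anyone in the thread: it compares each directory's mode and group against a policy table and restores them only when they have drifted, logging the previous state. The `POLICY` table, the function names and the `--enforce` argument are assumptions; `user` is the thread's own placeholder group, and `stat -c` assumes GNU coreutils as shipped on RHEL/CentOS.

```shell
#!/bin/sh
# Added example: detect and repair permission drift on content directories.
# POLICY holds "path mode group" lines; constructed sample values taken from
# the listing in the thread ("user" is the thread's placeholder group name).
POLICY='/var/www/html 775 user
/var/www/cgi-bin 775 user'

# perm_state PATH: print "mode group" as currently set on disk (GNU stat).
perm_state() {
    stat -c '%a %G' "$1"
}

# check_dir PATH MODE GROUP: 0 = matches policy, 1 = drift, 2 = not a directory.
check_dir() {
    [ -d "$1" ] || return 2
    [ "$(perm_state "$1")" = "$2 $3" ]
}

# enforce_dir PATH MODE GROUP: log the on-disk state, then restore the group
# (only if it differs) and the mode, so every correction leaves an audit trail.
enforce_dir() {
    if check_dir "$1" "$2" "$3"; then return 0; fi
    if [ ! -d "$1" ]; then echo "missing: $1" >&2; return 2; fi
    echo "drift: $1 is '$(perm_state "$1")', want '$2 $3'" >&2
    [ "$(stat -c '%G' "$1")" = "$3" ] || chgrp "$3" "$1" || return 1
    chmod "$2" "$1"
}

# enforce_policy: apply every POLICY line; non-zero if any entry failed.
enforce_policy() {
    rc=0
    while read -r path mode group; do
        [ -n "$path" ] || continue
        enforce_dir "$path" "$mode" "$group" || rc=1
    done <<EOF
$POLICY
EOF
    return "$rc"
}

# Hypothetical entry point for cron: only acts when called with --enforce.
case "${1:-}" in
    --enforce) enforce_policy ;;
esac
```

Run from root's crontab with `--enforce`, the drift lines on stderr record each time a package update reset the directories. `rpm -V httpd` will also keep flagging the customized directories as changed, which is worth knowing when reviewing package verification output on such a host.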