Old 03-17-2009, 01:35 PM
Ricky Zhou
 
Change Request - Change transifex to run under the transifex user

This should be a pretty safe security change to make transifex run under
the separate transifex user, instead of the apache user. I've tested it
out on publictest14.

The django transifex isn't 100% in puppet yet, so here are the steps I'd
like to take:

mv ~ricky/tx.conf /etc/httpd/conf.d
/etc/init.d/httpd restart
mv /var/www/.ssh /var/lib/transifex
chown -R transifex:transifex /var/lib/transifex/.ssh
find /var/lib/transifex -user apache -exec chown transifex:transifex {} \;
mv ~ricky/ssh-add.sh /var/lib/transifex
# restart ssh-agent to run under the transifex user

Here's the diff between my edited tx.conf and the original one:
--- /etc/httpd/conf.d/tx.conf 2009-03-12 13:46:14.000000000 +0000
+++ /home/fedora/ricky/tx.conf 2009-03-17 14:29:36.000000000 +0000
@@ -1,6 +1,8 @@
WSGIRestrictStdout Off
WSGIRestrictStdin Off

+WSGIDaemonProcess transifex processes=8 threads=2 maximum-requests=50000 user=transifex group=transifex display-name=transifex inactivity-timeout=300
+
Alias /site_media /usr/share/transifex/site_media

<Directory /usr/share/transifex/site_media>
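Review bot: the new `WSGIDaemonProcess transifex ... user=transifex group=transifex ...` line defines the daemon process group, but nothing in this hunk delegates to it; the `WSGIProcessGroup transifex` that actually moves the `/tx` application out of the apache workers only arrives in the second hunk, so a reader of this hunk alone cannot see the privilege change. A one-line comment above the directive stating that intent (e.g. `# run the tx app as transifex, not apache`) would help the next person editing tx.conf. Worth confirming before the restart: `user=`/`group=` only take effect because httpd starts as root and drops privileges per daemon group, and the transifex account must be able to read the application under /usr/share/transifex and write wherever the app writes, which is what the `find /var/lib/transifex -user apache -exec chown ...` step in the request covers.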
@@ -10,5 +12,9 @@

SetEnv SSH_AUTH_SOCK /var/lib/transifex/ssh-agent-sock-transifex

+<Directory /usr/share/transifex>
+ WSGIProcessGroup transifex
+</Directory>
+
WSGIScriptAlias /tx /usr/share/transifex/tx-django.wsgi
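Review bot: `SetEnv SSH_AUTH_SOCK /var/lib/transifex/ssh-agent-sock-transifex` is unchanged context, but it now interacts with the new daemon group: a SetEnv value is delivered in the per-request WSGI environ, not in the daemon process's own os.environ, so ssh subprocesses spawned by the app only see it if tx-django.wsgi copies it into os.environ, and the socket at that path must be connectable by the transifex user once the agent is restarted under that account (the `# restart ssh-agent` step). The `<Directory /usr/share/transifex>` scope is the right one for `WSGIProcessGroup transifex`, since `WSGIScriptAlias /tx /usr/share/transifex/tx-django.wsgi` lives under it.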

Thanks,
Ricky
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
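The property the change request is after is that no WSGI script in tx.conf is still served embedded in the apache workers, and that the daemon group it is delegated to runs as a different user and group. The following linter checks exactly that against the before/after configs reconstructed from the diff. It is an added example written for this page, not part of the thread or of Fedora Infrastructure's tooling; the body of the site_media `<Directory>` block is not shown in the diff and is left as a comment.

```python
"""Lint a mod_wsgi site config for the privilege separation the change request
relies on.  Added example for this page, not part of the thread or of Fedora
Infrastructure's tooling; only the directives it needs are interpreted."""
import re

# Constructed from the posted diff: tx.conf before and after the change.  The
# body of the site_media <Directory> block (original lines 4-9) is not shown
# in the diff, so it is left as a comment.
TX_CONF_BEFORE = """\
WSGIRestrictStdout Off
WSGIRestrictStdin Off

Alias /site_media /usr/share/transifex/site_media

<Directory /usr/share/transifex/site_media>
    # body not shown in the posted diff
</Directory>

SetEnv SSH_AUTH_SOCK /var/lib/transifex/ssh-agent-sock-transifex

WSGIScriptAlias /tx /usr/share/transifex/tx-django.wsgi
"""

TX_CONF_AFTER = """\
WSGIRestrictStdout Off
WSGIRestrictStdin Off

WSGIDaemonProcess transifex processes=8 threads=2 maximum-requests=50000 user=transifex group=transifex display-name=transifex inactivity-timeout=300

Alias /site_media /usr/share/transifex/site_media

<Directory /usr/share/transifex/site_media>
    # body not shown in the posted diff
</Directory>

SetEnv SSH_AUTH_SOCK /var/lib/transifex/ssh-agent-sock-transifex

<Directory /usr/share/transifex>
    WSGIProcessGroup transifex
</Directory>

WSGIScriptAlias /tx /usr/share/transifex/tx-django.wsgi
"""


def parse_conf(text):
    """Return (daemons, process_groups, script_aliases): WSGIDaemonProcess
    options by name, (enclosing <Directory> or None, group) pairs, and
    (url prefix, script path) pairs."""
    daemons, process_groups, script_aliases = {}, [], []
    scopes = []  # stack of enclosing <Directory> paths
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^\s">]+)"?\s*>$', line, re.I)
        if opened:
            scopes.append(opened.group(1))
            continue
        if re.match(r"</Directory\s*>$", line, re.I):
            if scopes:
                scopes.pop()
            continue
        name, *args = line.split()
        name = name.lower()
        if name == "wsgidaemonprocess" and args:
            daemons[args[0]] = dict(a.split("=", 1) for a in args[1:] if "=" in a)
        elif name == "wsgiprocessgroup" and args:
            process_groups.append((scopes[-1] if scopes else None, args[0]))
        elif name == "wsgiscriptalias" and len(args) >= 2:
            script_aliases.append((args[0], args[1]))
    return daemons, process_groups, script_aliases


def _covers(scope, path):
    """True if a <Directory scope> block (None = server scope) applies to path."""
    return scope is None or path == scope or path.startswith(scope.rstrip("/") + "/")


def audit(text, httpd_user="apache"):
    """Return findings; empty means every WSGI script is delegated to a daemon
    process whose user= and group= differ from the httpd account."""
    daemons, process_groups, script_aliases = parse_conf(text)
    findings = []
    for name, opts in daemons.items():
        for key in ("user", "group"):  # mod_wsgi defaults both to the httpd account
            if opts.get(key, httpd_user) == httpd_user:
                findings.append(f"WSGIDaemonProcess {name}: {key}= is {httpd_user}")
    for scope, group in process_groups:
        if group not in daemons:
            findings.append(f"WSGIProcessGroup {group} ({scope or 'server scope'}): undefined")
    for url, path in script_aliases:
        if not any(_covers(s, path) and g in daemons for s, g in process_groups):
            findings.append(f"WSGIScriptAlias {url} -> {path}: embedded mode, runs as {httpd_user}")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", TX_CONF_BEFORE), ("after", TX_CONF_AFTER)):
        print(label, audit(conf) or "ok")
```

Run against the reconstructed configs, the "before" file yields one finding (the `/tx` script runs embedded as apache) and the "after" file yields none; the same check can be pointed at any other mod_wsgi site file to catch a `WSGIScriptAlias` that falls outside every `WSGIProcessGroup` scope.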
 
Old 03-17-2009, 02:00 PM
Mike McGrath
 
Change Request - Change transifex to run under the transifex user

On Tue, 17 Mar 2009, Ricky Zhou wrote:

> This should be a pretty safe security change to make transifex run under
> the separate transifex user, instead of the apache user. I've tested it
> out on publictest14.
>
> The django transifex isn't 100% in puppet yet, so here are the steps I'd
> like to take:
>
> mv ~ricky/tx.conf /etc/httpd/conf.d
> /etc/init.d/httpd restart
> mv /var/www/.ssh /var/lib/transifex
> chown -R transifex:transifex /var/lib/transifex/.ssh
> find /var/lib/transifex -user apache -exec chown transifex:transifex {} \;
> mv ~ricky/ssh-add.sh /var/lib/transifex
> # restart ssh-agent to run under the transifex user
>
> Here's the diff between my edited tx.conf and the original one:
> --- /etc/httpd/conf.d/tx.conf 2009-03-12 13:46:14.000000000 +0000
> +++ /home/fedora/ricky/tx.conf 2009-03-17 14:29:36.000000000 +0000
> @@ -1,6 +1,8 @@
> WSGIRestrictStdout Off
> WSGIRestrictStdin Off
>
> +WSGIDaemonProcess transifex processes=8 threads=2 maximum-requests=50000 user=transifex group=transifex display-name=transifex inactivity-timeout=300
> +
> Alias /site_media /usr/share/transifex/site_media
>
> <Directory /usr/share/transifex/site_media>
> @@ -10,5 +12,9 @@
>
> SetEnv SSH_AUTH_SOCK /var/lib/transifex/ssh-agent-sock-transifex
>
> +<Directory /usr/share/transifex>
> + WSGIProcessGroup transifex
> +</Directory>
> +
> WSGIScriptAlias /tx /usr/share/transifex/tx-django.wsgi
>

+1

-Mike

 
Old 03-17-2009, 03:18 PM
Toshio Kuratomi
 
Change Request - Change transifex to run under the transifex user

Ricky Zhou wrote:
> This should be a pretty safe security change to make transifex run under
> the separate transifex user, instead of the apache user. I've tested it
> out on publictest14.
>
> The django transifex isn't 100% in puppet yet, so here are the steps I'd
> like to take:
>
> mv ~ricky/tx.conf /etc/httpd/conf.d
> /etc/init.d/httpd restart
> mv /var/www/.ssh /var/lib/transifex
> chown -R transifex:transifex /var/lib/transifex/.ssh
> find /var/lib/transifex -user apache -exec chown transifex:transifex {} \;
> mv ~ricky/ssh-add.sh /var/lib/transifex
> # restart ssh-agent to run under the transifex user
>
> Here's the diff between my edited tx.conf and the original one:
> --- /etc/httpd/conf.d/tx.conf 2009-03-12 13:46:14.000000000 +0000
> +++ /home/fedora/ricky/tx.conf 2009-03-17 14:29:36.000000000 +0000
> @@ -1,6 +1,8 @@
> WSGIRestrictStdout Off
> WSGIRestrictStdin Off
>
> +WSGIDaemonProcess transifex processes=8 threads=2 maximum-requests=50000 user=transifex group=transifex display-name=transifex inactivity-timeout=300
> +
> Alias /site_media /usr/share/transifex/site_media
>
> <Directory /usr/share/transifex/site_media>
> @@ -10,5 +12,9 @@
>
> SetEnv SSH_AUTH_SOCK /var/lib/transifex/ssh-agent-sock-transifex
>
> +<Directory /usr/share/transifex>
> + WSGIProcessGroup transifex
> +</Directory>
> +
> WSGIScriptAlias /tx /usr/share/transifex/tx-django.wsgi
>

Rasther found some issues with bzr support wanting to see files in the
user's home directory: .bazaar/ and .bazaar/ignore.

This will probably continue to work since transifex should only need to
read those files, not write them. But you might want to move them under
/var/lib/transifex and have them owned by the transifex user for
completeness. This requires moving the files and changing the directory
that is set via os.environ['HOME'] in the wsgi script.

If you test submission to bzr and it works currently, +1 with or without
moving the .bazaar and ignore file.

-Toshio

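Toshio's point is that the wsgi script controls where bzr looks for `.bazaar/` through `os.environ['HOME']`, and Ricky's second hunk relies on `SSH_AUTH_SOCK` reaching the ssh subprocesses. The following wrapper shows how a daemon-mode WSGI entry point can set that environment and fail closed if it is still running as apache. It is an added example written for this page, not Fedora's tx-django.wsgi and not a description of how that script is written; the service user, the state directory and the forbidden-account list are assumptions taken from the thread.

```python
"""Environment and identity checks for a Django app served by a mod_wsgi daemon
under a dedicated account.  Added example for this page; it is not Fedora's
tx-django.wsgi and makes no claim about how that script is written."""
import os
import pwd

# Assumptions taken from the thread: the service user and its state directory.
SERVICE_USER = "transifex"
STATE_DIR = "/var/lib/transifex"
# Accounts the app must never run as (hypothetical policy for this example).
FORBIDDEN_USERS = ("root", "apache")


def current_user():
    """Name of the account this process is actually running as."""
    return pwd.getpwuid(os.geteuid()).pw_name


def check_identity(name, expected=SERVICE_USER, forbidden=FORBIDDEN_USERS):
    """Fail closed if the WSGIDaemonProcess user= option did not take effect,
    e.g. because the script is still being served embedded in apache workers."""
    if name in forbidden or name != expected:
        raise RuntimeError(f"refusing to serve as {name!r}; expected {expected!r}")
    return name


def build_process_env(request_environ, state_dir=STATE_DIR):
    """Compute the os.environ entries the app needs for the tools it shells out to.

    HOME is pointed at the state directory so bzr finds .bazaar/ and
    .bazaar/ignore there rather than in the httpd user's home.  SetEnv values
    from httpd arrive in the per-request WSGI environ, not in os.environ, so
    SSH_AUTH_SOCK is copied across; it is only accepted if it lives inside the
    state directory, where the agent restarted under the service user puts it.
    """
    env = {"HOME": state_dir}
    sock = request_environ.get("SSH_AUTH_SOCK")
    if sock is not None:
        if os.path.dirname(sock) != state_dir:
            raise ValueError(f"SSH_AUTH_SOCK {sock!r} is outside {state_dir}")
        env["SSH_AUTH_SOCK"] = sock
    return env


def home_layout_problems(state_dir=STATE_DIR, owner=SERVICE_USER):
    """Report state_dir, .bazaar/ and .bazaar/ignore entries not owned by the
    service user, i.e. leftovers from the apache-owned layout."""
    try:
        want_uid = pwd.getpwnam(owner).pw_uid
    except KeyError:
        return [f"no such user: {owner}"]
    problems = []
    for path in (state_dir, os.path.join(state_dir, ".bazaar"),
                 os.path.join(state_dir, ".bazaar", "ignore")):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue  # optional; bzr only needs these if they exist
        if st.st_uid != want_uid:
            problems.append(f"{path} owned by uid {st.st_uid}, expected {owner}")
    return problems


def make_application(inner_app):
    """Wrap a WSGI app: the first request verifies the process identity, and
    every request refreshes os.environ from the WSGI environ."""
    state = {"checked": False}

    def application(environ, start_response):
        if not state["checked"]:
            check_identity(current_user())
            state["checked"] = True
        os.environ.update(build_process_env(environ))
        return inner_app(environ, start_response)

    return application
```

In a real entry point the Django WSGI handler would be passed to `make_application`, and `home_layout_problems()` would be run from the deployment steps after the `chown` to confirm nothing under /var/lib/transifex is still owned by apache.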