224477 - $webservergroup shouldn't default to "nobody" on a new install

Status: RESOLVED FIXED

(Bugzilla :: Installation & Upgrading, defect)

Description

[Dave Miller [:justdave]]

This is coming up as a FAQ on the newsgroup lately, and it just confuses people.

a) Almost every unix-based system on the planet has a "nobody" user, so the
default settings "work" without error.

b) Very few distributions run the webserver as "nobody" anymore.  Almost
everyone has some other user/group assignment, such as "apache", "wwwrun",
"www-data", etc.

c) If the user leaves it as nobody, but their webserver doesn't run as nobody,
then Bugzilla doesn't work.

I propose we do one of the following:

1) default $webservergroup = ""
   a) It'll run as-is on all systems and Bugzilla will work.
   b) the user will get a warning "this is really insecure" and will then know
      to go look up who their webservergroup is.

-or-

2) default $webservergroup = "apache"
   a) A lot of folks seem to be using Bugzilla on RedHat, which uses this group
      for Apache.  For folks using RedHat, this will just work.
   b) For those that are running apache as some other user, the "apache" group
      likely won't exist, so they'll get errors from checksetup.pl telling them
      so, and will then know what to look for.

Comments?

Comment 1

[Zach Lipton [:zach]]

I think option 2 (apache) is best because it defaults to a secure state for the
majority of users (or at least our view of the majority) and it's likely that
most systems with a group apache have apache using that group. If apache doesn't
exist, the user will just get an error and they can go find the correct group
themselves. 

Comment 2

[Gervase Markham [:gerv]]

Well, I'd like 2), because my webserver runs as Apache :-)

Is there any way we can programmatically work out the webservergroup for a given
copy of Linux? Like finding which group `which httpd` belongs to?

Gerv

Comment 3

[Dave Miller [:justdave]]

yep:

egrep '^Group ' httpd.conf

This a) depends on unix/linux, b) depends on knowing where httpd.conf is, which
could in reality be anywhere.

Also thrown into the mix is you can have more than one Group directive in the
httpd.conf file, with listeners on different virtual hosts running as different
groups.

Comment 4

[Vlad Dascalu]

Attachment: Version 1

Comment 5

[Vlad Dascalu]

Requesting approval for the trunk. justdave: if you want this for 2.16 as well
please set the target accordingly.

Comment 6

[Vlad Dascalu]

Checking in checksetup.pl;
/cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v  <--  checksetup.pl
new revision: 1.277; previous revision: 1.276
done
Checking in checksetup.pl;
/cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v  <--  checksetup.pl
new revision: 1.149.2.25; previous revision: 1.149.2.24
done

Comment 7

[Christian Reis]

I'm not particularly fond of this change; my webserver doesn't run as apache,
for one. 

We could do other platform-specific hacks here.. or make checksetup.pl query
people for their webserveruser upon installation, which is probably the best
long-term solution.

Comment 8

[Christian Reis]

Sorry.