Closed Bug 224477 Opened 21 years ago Closed 21 years ago

$webservergroup shouldn't default to "nobody" on a new install

Categories

(Bugzilla :: Installation & Upgrading, defect)

Product:
Bugzilla
Component:
Installation & Upgrading
Version:
2.17.4
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 2.16

People

(Reporter: justdave, Assigned: goobix)

Details

Attachments

(1 file)

Version 1
1.00 KB, patch
bugreport
: review+
Details | Diff | Splinter Review
This is coming up as a FAQ on the newsgroup lately, and it just confuses people. a) Almost every unix-based system on the planet has a "nobody" user, so the default settings "work" without error. b) Very few distributions run the webserver as "nobody" anymore. Almost everyone has some other user/group assignment, such as "apache", "wwwrun", "www-data", etc. c) If the user leaves it as nobody, but their webserver doesn't run as nobody, then Bugzilla doesn't work. I propose we do one of the following: 1) default $webservergroup = "" a) It'll run as-is on all systems and Bugzilla will work. b) the user will get a warning "this is really insecure" and will then know to go look up who their webservergroup is. -or- 2) default $webservergroup = "apache" a) A lot of folks seem to be using Bugzilla on RedHat, which uses this group for Apache. For folks using RedHat, this will just work. b) For those that are running apache as some other user, the "apache" group likely won't exist, so they'll get errors from checksetup.pl telling them so, and will then know what to look for. Comments?
I think option 2 (apache) is best because it defaults to a secure state for the majority of users (or at least our view of the majority) and it's likely that most systems with a group apache have apache using that group. If apache doesn't exist, the user will just get an error and they can go find the correct group themselves.
Well, I'd like 2), because my webserver runs as Apache :-) Is there any way we can programmatically work out the webservergroup for a given copy of Linux? Like finding which group `which httpd` belongs to? Gerv
yep: egrep '^Group ' httpd.conf This a) depends on unix/linux, b) depends on knowing where httpd.conf is, which could in reality be anywhere. Also thrown into the mix is you can have more than one Group directive in the httpd.conf file, with listeners on different virtual hosts running as different groups.
Attached patch Version 1Splinter Review
Assignee: zach → vlad
Status: NEW → ASSIGNED
Attachment #146009 - Flags: review?(jouni)
Attachment #146009 - Flags: review?(bugreport)
Attachment #146009 - Flags: review?(jouni)
Attachment #146009 - Flags: review?(bugreport) → review+
Requesting approval for the trunk. justdave: if you want this for 2.16 as well please set the target accordingly.
Flags: approval?
Flags: approval?
Flags: approval2.16+
Flags: approval+
Target Milestone: --- → Bugzilla 2.16
Checking in checksetup.pl; /cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v <-- checksetup.pl new revision: 1.277; previous revision: 1.276 done Checking in checksetup.pl; /cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v <-- checksetup.pl new revision: 1.149.2.25; previous revision: 1.149.2.24 done
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
I'm not particularly fond of this change; my webserver doesn't run as apache, for one. We could do other platform-specific hacks here.. or make checksetup.pl query people for their webserveruser upon installation, which is probably the best long-term solution.
Flags: approval+ → approval?
Target Milestone: Bugzilla 2.16 → ---
Sorry.
Flags: approval? → approval+
Flags: approval+ → approval?
Target Milestone: --- → Bugzilla 2.16
Flags: approval? → approval+
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: