Forum OpenACS Development: new aolserver-4.0 beta2 gentoo packages available

1: new aolserver-4.0 beta2 gentoo packages available

Posted by Chris Johnson on 03/10/03 07:36 AM

Gents and Ladies, just announcing a new 'ebuild' package for gentoo users that will install aolserver-4.0 beta2. Link is here: http://bugs.gentoo.org/show_bug.cgi?id=17181
Link for aolserver-modules ebuild package is here: http://bugs.gentoo.org/show_bug.cgi?id=17182
Note that the second package is also needed, as it installs nspostgres and the other 4 modules I was recommended would be needed.
These install scripts have been tested, but please send me feedback.

Motivation

It has bothered me that I have to wade through several pages of installation instructions several times to get openacs up and running, and now that I've started using gentoo, it's easy to write my own from-source package for aolserver and its modules. I'll be making equivalent packages for installing openacs point releases hopefully as I get my own projects running.

Previous work

Many openacs users and developers get their aolserver from Mat's AOLServer distribution (linked from many places, but link is dead??), which is great to save time but is a dated package. There are various other things (e.g. a debian 3.3ad13 package) floating around but not much in the way of new aolserver packages (for aolsever >=3.5). Hopefully, we'll soon see things like webdav as a module for aolserver 4.0 (it also apparently has i18n support among other improvements).

Gentoo aolserver packages are have some differences from traditional aolserver installations

I have taken the liberty while making this package to digest and ruminate on the various thoughts on security and e.g. complying with the FHS file-system layout standards (FHS is a part of LSB). My package departs from having aolserver installed in /usr/local/aolserver and follows fairly closely to the way that apache is installed under gentoo. Gentoo follows LHS, and their apache installation is an example of current attitudes toward security and FHS-compliance. Examples I have adopted for my aolserver package:

Location: installed to /home/aolserver (apache goes into /home/apache). This makes sense because although apache and aolserver are services, they run as a user which has its own home dir. I believe this is a result of interpretation of the FHS that Gentoo follows. Further, it is a move away from having e.g. /home/httpd (one could have in theory several httpds after all) and from /usr/local/httpd. Further,
User is aolserver. No more 'what is this nsadmin user?'. Aolserver is the package, product, user, and home dir. Couldn't be clearer. When one sets up aolserver to run as a service, one should invoke
./bin/nsd -t sample-config.tcl -u aolserver -g web.
Aolserver's dir is owned by root.root, just like apache. Aolserver is started as root to grab port 80 but then drops priveleges to run as aolserver, which cannot edit the nsd and module binaries, a security hazard discussed in these threads: Reference Platforms and Supported Platforms and Installation documentation and file permissions.
My package does these things: add user aolserver, add group web if it doesn't already exist, compile and install aolserver binaries, installs man page, chown's /home/aolserver to root.root except logs/ and web/ are root.web.
If you want to install to /usr/local/aolserver, simply change the ${AOLSERVER_HOMEDIR} variable in the eb

2: Re: new aolserver-4.0 beta2 gentoo packages available (response to 1)

Posted by Talli Somekh on 03/10/03 03:42 PM

Chris, this rocks! Thanks!

talli

3: Re: new aolserver-4.0 beta2 gentoo packages available (response to 1)

Posted by Joel Aufrecht on 03/12/03 04:55 AM

nsadmin is now dead in the OpenACS docs as well. I finished the document and realized that I'd written it out the need for it. The test uses nobody and any service install has a dedicated user. I don't use aolserver either, though - its installed to /usr/local/aolserver and root owns it. I just looked at the Filesystem Hierarchy Standard and I think we're fully conformant as-is. "The /usr/local hierarchy is for use by the system administrator when installing software locally."

Now I'm researching to see if "/web" is kosher or not.

4: Re: new aolserver-4.0 beta2 gentoo packages available (response to 3)

Posted by Chris Johnson on 03/12/03 06:00 AM

Cool re: documentation.

I'm almost certain that /web and even djb's /service are either strangely left out of mention in FHS or are no-no's. I sympathize with the unix-admin unfriendliness of crufting up the root dir; but I really don't mind /web and /service because I'm not running a large multihosting facility :)

Agreed that using /usr/local does not go against the FHS. For my gentoo ebuild I am trying to mimic the apache installation for the following reasons:
1) Easy to understand coming from an apache background (on gentoo)
2) Each service gets its own user (* more on this below)
3) Each user gets its own dir that is in /home (this is the most debatable and least important part). This could just as easily be /usr/local/. But /usr/local/somefoo does not connotate that the activities originating in somefoo package should correspond with all processes (`ps aux`) owned by somefoo quite as well as does /home/somefoo to me. Potato Potahto ;) It's a matter of taste: I'm not a fan of a nobody user. Compare with

ps -A |grep qmail
1503 ? 00:00:00 qmail-send
1538 ? 00:00:00 qmail-lspawn
1539 ? 00:00:00 qmail-rspawn
1540 ? 00:00:00 qmail-clean

In my ebuild script, just changing ${AOLSERVER_HOMEDIR} to /usr/local/aolserver will get one back to the 'traditional' install location :)

Just for further reading:
An interesting user/perms model is what EROS-OS (extremely reliable OS) is building into the OS and what djb achieves sort of by accident in his many-small-moving-parts implementation of qmail: i.e. each process should have access to only objects that are explicitly given to it (in EROS-OS this is a Capability). The way unix roughly mimics a true capabilities-based system is by running each process as a unique user rather than give a process capabilities to resources. Then the user, e.g. qmail-send, qmail-clean, aolserver, apache, can only access the files he owns (and that is roughly equivalent to initiating a process as a more priveleged user in a capabilities-based system but only handing it a few file and resource capabilities).

I also gravitate to what someone mentioned when proposing using /home/aolserver-<version> as directory/user: the idea is that the system allows side-by-side installation *and* instantiation of aolserver.

5: Re: new aolserver-4.0 beta2 gentoo packages available (response to 1)

Posted by Jon Griffin on 03/12/03 04:53 PM

All my boxes are gentoo, so I will try your ebuilds. Also, I don't use your directory structure, but it makes sense and I think that using /usr/local/aolserver is wrong if you are going to post this to gentoo.

They won't consider this a locally added software. Your apache type build should be ok from the gentoo point of view