[389-devel] various admin server stuff
Rich Megginson
rmeggins at redhat.com
Thu Oct 8 18:37:39 UTC 2009

I'd like to move mod_admserv and mod_restartd into the admin.git repo as
sub-directories. I couldn't figure out a way to migrate the CVS history
data into a git subdirectory, so I was thinking about just copying the
files in there with no history. Is this ok? We can always refer back
to the old CVS repo if we need to see history.

It turns out we can't get rid of mod_restartd and use mod_suexec.
mod_suexec explicitly forbids running CGIs as root, so we can't use that
to start the servers. I don't really like the fact that we have to
support this module for the sole purpose of being able to remotely
start, restart, and create instances of servers that run on low ports.
For one, mod_restartd is and always will be a security nightmare waiting
to happen - it is just a bad, bad idea to execute CGIs as root (or run
the admin server as root). For another, usually init or something like
daemontools does a much better job of making sure remote servers are
running (e.g. restarting after a crash). You always have to run
setup-ds-admin.pl when installing on a remote system, and that creates
the directory server instance, so I'm not really sure how useful it is
to be able to remotely create instances. I'd like to propose that we
make this feature optional (that is, can build admin server without it)
and possibly get rid of it altogether.

I would also like to relax the requirement that we have to use the
threaded model Apache. The only reason we require this is because
mod_admserv caches the auth credentials and ACIs in memory, in case you
need to perform a task while the config DS is down (e.g. like start or
restart). There are a few changes required to mod_admserv to relax this
restriction.