Change Request - Change transifex to run under the transifex user

Toshio Kuratomi a.badger at gmail.com
Tue Mar 17 16:18:53 UTC 2009


Ricky Zhou wrote:
> This should be a pretty safe security change to make transifex run under
> the separate transifex user, instead of the apache user.  I've tested it
> out on publictest14.
> 
> The django transifex isn't 100% in puppet yet, so here are the steps I'd
> like to take:
> 
> mv ~ricky/tx.conf /etc/httpd/conf.d
> /etc/init.d/httpd restart
> mv /var/www/.ssh /var/lib/transifex
> chown -R transifex:transifex /var/lib/transifex/.ssh
> find /var/lib/transifex -user apache -exec chown transifex:transifex {} \;
> mv ~ricky/ssh-add.sh /var/lib/transifex
> # restart ssh-agent to run under the transifex user
> 
> Here's the diff between my edited tx.conf and the original one:
> --- /etc/httpd/conf.d/tx.conf   2009-03-12 13:46:14.000000000 +0000
> +++ /home/fedora/ricky/tx.conf  2009-03-17 14:29:36.000000000 +0000
> @@ -1,6 +1,8 @@
>  WSGIRestrictStdout Off
>  WSGIRestrictStdin Off
>  
> +WSGIDaemonProcess transifex processes=8 threads=2 maximum-requests=50000 user=transifex group=transifex display-name=transifex inactivity-timeout=300
> +
>  Alias   /site_media     /usr/share/transifex/site_media
>  
>  <Directory /usr/share/transifex/site_media>
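Review bot: the new WSGIDaemonProcess line is undocumented; add a comment above it saying that the group exists to run the application as transifex instead of apache (the point of this change), and note that a daemon group only takes effect for scripts delegated to it with WSGIProcessGroup, otherwise tx-django.wsgi keeps running embedded as apache. The directive is also very long; Apache accepts a trailing backslash as line continuation, so it could be split, e.g. `WSGIDaemonProcess transifex user=transifex group=transifex \` followed by the process, thread and timeout options on the next line.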
> @@ -10,5 +12,9 @@
>  
>  SetEnv SSH_AUTH_SOCK /var/lib/transifex/ssh-agent-sock-transifex
>  
> +<Directory /usr/share/transifex>
> +  WSGIProcessGroup transifex
> +</Directory>
> +
>  WSGIScriptAlias /tx /usr/share/transifex/tx-django.wsgi
>  
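Review bot: the SetEnv SSH_AUTH_SOCK line kept as context in this hunk does not on its own reach the new daemon group: mod_wsgi hands SetEnv values to the application only in the per-request WSGI environ, not in the daemon process's os.environ, which is what spawned ssh processes read. Make sure tx-django.wsgi copies SSH_AUTH_SOCK into os.environ the way it sets os.environ['HOME'], and that /var/lib/transifex/ssh-agent-sock-transifex is owned by transifex once ssh-agent is restarted under that user. The <Directory /usr/share/transifex> container is the right scope for WSGIProcessGroup, since tx-django.wsgi lives in that directory.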

Rasther found some issues with bzr support wanting to see files in the
user's home directory: .bazaar/ and .bazaar/ignore.

This will probably continue to work since transifex should only need to
read those files, not write them.  But you might want to move them under
/var/lib/transifex and have them owned by the transifex user for
completeness.  This requires moving the files and changing the directory
that is set via os.environ['HOME'] in the wsgi script.

If you test submission to bzr and it works currently, +1 with or without
moving the .bazaar and ignore file.

-Toshio
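As an added example (not Transifex's own tx-django.wsgi, and assuming only the transifex user and the /var/lib/transifex path named in the thread), this shows the start-up checks a wsgi script can make once the daemon runs as the dedicated user with HOME moved under /var/lib/transifex, plus a small middleware that copies SSH_AUTH_SOCK from the request environ into os.environ, since mod_wsgi exposes SetEnv values only per request:

```python
"""Start-up checks for a tx-django.wsgi-style script (added example)."""
import os
import pwd
import stat

TX_USER = "transifex"           # user from the WSGIDaemonProcess line
TX_HOME = "/var/lib/transifex"  # HOME that bzr's .bazaar/ is read from


def check_home(home, expected_uid):
    """Return a list of problems with HOME; empty means it is usable.
    It must exist, be a directory owned by the daemon user, and not be
    writable by others (otherwise someone else could plant .bazaar/)."""
    try:
        st = os.stat(home)
    except OSError:
        return ["%s does not exist" % home]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("%s is not a directory" % home)
    if st.st_uid != expected_uid:
        problems.append("%s is owned by uid %d, expected %d"
                        % (home, st.st_uid, expected_uid))
    if st.st_mode & stat.S_IWOTH:
        problems.append("%s is world-writable" % home)
    return problems


def setup_environment(home=TX_HOME, user=TX_USER):
    """Refuse to start unless we really are the service user, then point
    HOME at its directory so bzr finds .bazaar/ and .bazaar/ignore."""
    uid = pwd.getpwnam(user).pw_uid
    if os.getuid() != uid:
        raise RuntimeError("running as uid %d, expected %s (uid %d)"
                           % (os.getuid(), user, uid))
    problems = check_home(home, uid)
    if problems:
        raise RuntimeError("; ".join(problems))
    os.environ["HOME"] = home
    return home


def forward_agent_socket(app):
    """mod_wsgi exposes SetEnv values only in the per-request WSGI environ;
    ssh subprocesses read os.environ, so copy SSH_AUTH_SOCK across."""
    def wrapper(environ, start_response):
        sock = environ.get("SSH_AUTH_SOCK")
        if sock:
            os.environ["SSH_AUTH_SOCK"] = sock
        return app(environ, start_response)
    return wrapper
```

In the real script, `setup_environment()` runs at import time and `application = forward_agent_socket(django_handler)` replaces the bare handler; the daemon then fails loudly at start-up rather than silently running as the wrong user.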
