Posted to docs@httpd.apache.org by André Malo <nd...@perlig.de> on 2002/11/10 03:07:50 UTC

[Review] mod_dav.xml split

the attached documents introduce explicit documentation of mod_dav_fs.
any comments and/or suggestions before committing?

DavLockDB is actually defined in mod_dav_fs, but I left a reference in 
mod_dav. Is this correct or rather confusing for the user?

Is there a rule, when to leave an external reference to a directive in a 
module?

nd
-- 
That reminds me, why is there actually no "i" in Unicode with
a little heart as its dot? That would be sooo sweeet!
 
                                 -- Björn Höhrmann in darw

Re: [Review] mod_dav.xml split (Revision)

Posted by André Malo <nd...@perlig.de>.
* Joshua Slive wrote:

> Yes, making the logs directory writable by non-root is NOT an option.
> That is why I suggested the touch/chown technique.  But I guess creating a
> separate directory is a better idea.  There is some discussion of this
> here: http://www.webdav.org/mod_dav/install.html
>
> What other apache things need write access under the httpd user?
> There is CacheRoot and ScriptLog; are there others?
> 
> Perhaps we should, at least in the documentation, start talking about a
> /usr/local/apache2/var/ directory that is httpd writable.  We could then
> refer to this directory under DavLock and CacheRoot docs and in the
> security docs.

+1 for 'var'.
I think it's more comfortable (not even better...) for a user, simply to 
have a writeable directory, rather than do an initial touch. Introducing an 
"official" separate directory for such cases will hopefully prevent at 
least some users from a 'chown wwwrun logs' or something.

well, this would affect (...scanning directive quickreference...):
(including proposals)

CacheRoot var/cache
CoreDumpDirectory var
DavLockDB var/DavLock

RewriteLock var/rewrite.lock
  (runs in child init, i.e. after the setuid call)
---
a developer should probably verify that ;-)

nd
-- 
sub the($){+shift} sub answer (){ord q
        [* It is always 42! *]       }
           print the answer
# André Malo # http://www.perlig.de/ #

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
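
The placement rule discussed in this thread (runtime state files belong neither in the logs directory nor in a world-writable directory like /tmp) can be checked mechanically. The script below is an added example, not part of the original messages or of httpd; check_runtime_paths is a hypothetical helper, the directive list is the one named in the thread, and it assumes simple unquoted "Directive value" lines with relative paths resolved against ServerRoot.

```shell
#!/bin/sh
# Added example, not from the thread. check_runtime_paths is a hypothetical
# helper; it assumes plain "Directive value" lines without quoting.
# Usage: check_runtime_paths SERVERROOT CONFFILE
# Prints OK/WARN per runtime-state directive; returns 1 if anything is flagged.
check_runtime_paths() {
    root=$1 conf=$2 rc=0
    while read -r name value _; do
        case $name in
            CacheRoot|CoreDumpDirectory) kind=dir ;;
            DavLockDB|RewriteLock|ScriptLog) kind=file ;;
            *) continue ;;
        esac
        # Relative paths are resolved against ServerRoot.
        case $value in /*) path=$value ;; *) path=$root/$value ;; esac
        # For file directives the containing directory is what matters.
        if [ "$kind" = file ]; then dir=$(dirname "$path"); else dir=$path; fi
        if [ "$dir" = "$root/logs" ]; then
            echo "WARN $name $path (inside logs directory)"; rc=1
        elif [ -n "$(find "$dir" -prune -perm -0002 2>/dev/null)" ]; then
            echo "WARN $name $path (world-writable directory)"; rc=1
        else
            echo "OK $name $path"
        fi
    done < "$conf"
    return $rc
}

# Constructed demo: a throwaway ServerRoot with a logs dir, a var dir and a
# /tmp-like world-writable dir, plus a constructed config mixing both styles.
demo=$(mktemp -d)
mkdir -p "$demo/logs" "$demo/var/cache" "$demo/tmp"
chmod 755 "$demo/logs" "$demo/var" "$demo/var/cache"
chmod 1777 "$demo/tmp"
cat > "$demo/httpd.conf" <<EOF
DavLockDB logs/DavLock
RewriteLock $demo/tmp/rewrite.lock
CacheRoot var/cache
CoreDumpDirectory var
EOF
check_runtime_paths "$demo" "$demo/httpd.conf" || true
```

The check looks only at mode bits and location; whether the var directory is actually owned by the httpd User/Group still has to be verified separately.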


Re: [Review] mod_dav.xml split (Revision)

Posted by Joshua Slive <jo...@slive.ca>.
On Wed, 13 Nov 2002, André Malo wrote:
> The problem is: "normal" logfiles are usually opened as root, so in fact
> *nobody* needs write access to the logs directory. Actually one should
> create a separate directory for runtime lo[g|ck]s, like DavLock,
> RewriteLog, ScriptLog (?). Or is this too paranoid?
>

Yes, making the logs directory writable by non-root is NOT an option.
That is why I suggested the touch/chown technique.  But I guess creating a
separate directory is a better idea.  There is some discussion of this
here: http://www.webdav.org/mod_dav/install.html

What other apache things need write access under the httpd user?
There is CacheRoot and ScriptLog; are there others?

Perhaps we should, at least in the documentation, start talking about a
/usr/local/apache2/var/ directory that is httpd writable.  We could then
refer to this directory under DavLock and CacheRoot docs and in the
security docs.

Joshua.





Re: [Review] mod_dav.xml split (Revision)

Posted by André Malo <nd...@perlig.de>.
* Joshua Slive wrote:

> The DavLockDB is written as the httpd User/Group, correct? 

yep. (resp. the process uid/gid, think of perchild)

> Is it safe to
> write it to a publicly writable directory like /tmp? 

hmm. I think no.

> If so, we should
> change the example in the DavLockDB directivesynopsis to recommend that,
> since it now points to logs/DavLock.  If not, we should change the other
> examples to logs/DavLock, and we should document the necessity to
> touch/chown the file before starting apache.

The problem is: "normal" logfiles are usually opened as root, so in fact 
*nobody* needs write access to the logs directory. Actually one should 
create a separate directory for runtime lo[g|ck]s, like DavLock, 
RewriteLog, ScriptLog (?). Or is this too paranoid?

(of course, this doesn't affect the win32 'user concept'...)

nd
-- 
s  s^saaaaaoaaaoaaaaooooaaoaaaomaaaa  a  alataa  aaoat  a  a
a maoaa a laoata  a  oia a o  a m a  o  alaoooat aaool aaoaa
matooololaaatoto  aaa o a  o ms;s;\s;s;g;y;s;:;s;y#mailto: #
 \51/\134\137| http://www.perlig.de #;print;# > nd@perlig.de



Re: [Review] mod_dav.xml split (Revision)

Posted by Joshua Slive <jo...@slive.ca>.
On Tue, 12 Nov 2002, André Malo wrote:
> > 5. What exactly needs to be done to get lockview in the right place?  I
> > can fix it if it's not too complicated, or nag someone else if it is.
>
> some time ago, Kess complained about the missing lockview tool on the dev
> list ;-). I have the version from mod_dav 1.x here (for win32), it seems to
> work fine, but I think it should be really ported to 2.0 (and use apr +
> apu).

OK.

One other question from someone who rarely uses DAV:

The DavLockDB is written as the httpd User/Group, correct?  Is it safe to
write it to a publicly writable directory like /tmp?  If so, we should
change the example in the DavLockDB directivesynopsis to recommend that,
since it now points to logs/DavLock.  If not, we should change the other
examples to logs/DavLock, and we should document the necessity to
touch/chown the file before starting apache.

Joshua.




Re: [Review] mod_dav.xml split (Revision)

Posted by André Malo <nd...@perlig.de>.
* Joshua Slive wrote:

> 1. I'd move the more complete example that is now under the Dav directive
> up into the summary section.  There is no point in encouraging people to
> do silly things like open an unprotected DAV server.  Then in the Dav
> directive section, just include a warning to secure the server before
> enabling Dav.

ok, I've created an own example section. That doesn't belong to a summary, 
I think.

> 2. Tone down the "!" marks.  We tend to use those very rarely in formal
> English.

ok :)

> 3. No need to call SSL "even better" than digest auth.  Digest auth is
> fine.  The only advantage to SSL is that it encrypts the contents.  You
> might want to mention explicitly that basic over SSL is secure.

hmm, digest auth is vulnerable to MIM attacks and can easily be faked by 
proxies. SSL is actually more secure (assuming a correct implementation).

> 5. What exactly needs to be done to get lockview in the right place?  I
> can fix it if it's not too complicated, or nag someone else if it is.

some time ago, Kess complained about the missing lockview tool on the dev 
list ;-). I have the version from mod_dav 1.x here (for win32), it seems to 
work fine, but I think it should be really ported to 2.0 (and use apr + 
apu).

nd
-- 
print "Just Another Perl Hacker";

# André Malo, <http://www.perlig.de/> #



Re: [Review] mod_dav.xml split (Revision) (was: [Review] mod_dav.xml split)

Posted by Joshua Slive <jo...@slive.ca>.

On Tue, 12 Nov 2002, André Malo wrote:

> * André Malo wrote:
>
> [mod_dav split]
>
> ok, since I'm currently sitting on typing some content, I've tried to
> extend the dav docs, too. you'll find a new patch and a new mod_dav_fs.xml
> attached for yet another review.

As usual, looks very good.  Feel free to commit.

Some suggestions:

1. I'd move the more complete example that is now under the Dav directive
up into the summary section.  There is no point in encouraging people to
do silly things like open an unprotected DAV server.  Then in the Dav
directive section, just include a warning to secure the server before
enabling Dav.

2. Tone down the "!" marks.  We tend to use those very rarely in formal
English.

3. No need to call SSL "even better" than digest auth.  Digest auth is
fine.  The only advantage to SSL is that it encrypts the contents.  You
might want to mention explicitly that basic over SSL is secure.

4. In the fs docs, I wouldn't put both "Dav On" and "Dav Filesystem" in
the example.  Just use one of them, and mention the other possibility in
the text.

5. What exactly needs to be done to get lockview in the right place?  I
can fix it if it's not too complicated, or nag someone else if it is.

Joshua.




Re: [Review] mod_dav.xml split (Revision) (was: [Review] mod_dav.xml split)

Posted by André Malo <nd...@perlig.de>.
* André Malo wrote:

[mod_dav split]

ok, since I'm currently sitting on typing some content, I've tried to 
extend the dav docs, too. you'll find a new patch and a new mod_dav_fs.xml 
attached for yet another review.

nd
-- 
sub the($){+shift} sub answer (){ord q
        [* It is always 42! *]       }
           print the answer
# André Malo # http://www.perlig.de/ #

Re: [Review] mod_dav.xml split

Posted by Joshua Slive <jo...@slive.ca>.
On Sun, 10 Nov 2002, André Malo wrote:

> the attached documents introduce explicit documentation of mod_dav_fs.
> any comments and/or suggestions before committing?

Looks good.  My only suggestion is to be EXTREMELY explicit that
mod_dav_fs REQUIRES mod_dav.  Just saying it is a "support" module is
probably not explicit enough.

> DavLockDB is actually defined in mod_dav_fs, but I left a reference in
> mod_dav. Is this correct or rather confusing for the user?
>
> Is there a rule, when to leave an external reference to a directive in a
> module?

I'd use a <seealso> rather than a <directivesynopsis location=...>.  The
latter is really only intended for directives that are implemented by more
than one module.

Joshua.




Re: [Review] mod_dav.xml split

Posted by "William A. Rowe, Jr." <wr...@apache.org>.
At 08:07 PM 11/9/2002, André Malo wrote:
>the attached documents introduce explicit documentation of mod_dav_fs.
>any comments and/or suggestions before committing?
>
>DavLockDB is actually defined in mod_dav_fs, but I left a reference in 
>mod_dav. Is this correct or rather confusing for the user?

DavLockDB only maintains file locks, so the directive needs to be moved
to the mod_dav_fs area :-)

>Is there a rule, when to leave an external reference to a directive in a 
>module?

Definitely. Lots of see-also's are good here.

Bill

