The problem is that these aspects are not packagable as some kind of
"fire and forget" installation. I'd prefer the way Roland proposed,
using some kind of

    # cat /etc/apache2/conf.d/gosa.conf
    Alias /gosa /usr/share/gosa/html
    <Location /gosa>
        include /etc/gosa/gosa.secrets
    </Location>

    # cat /etc/gosa/gosa.secrets
    RequestHeader set FooPassword very-secret-credentials

The latter file can only be read by root, so the security "problem" is
as critical as being able to read cleartext Kerberos or sasldb
passwords as root.
This implementation only requires minimum changes and has no big
overhead on the server side... Uh, and a "a2enmod headers" from
postinst.
Cheers,
Cajus
On 05.04.2008 at 11:07, sean finney wrote:
hi,
a few more ideas for you to think about:
- create a user specific to the package, and
1: use a setuid wrapper binary for doing all ldap communications
or
2: use some kind of user-restricted fastcgi type setup instead of standard
apache mod_php/python/whatever
or
3: run a separate instance of $webserver listening on a different port
(localhost:8080 or similar), and running as the specific user. you can then
drop in a proxy config to make that available from the standard $webserver.
sean
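
An added example, not part of the original message or of the gosa package: a shell check that the secrets include described above is accessible only to its owner and that every RequestHeader directive in it uses "set", which replaces a header of the same name sent by the client. The function name check_secrets, its numeric-uid parameter and the temporary sample file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the secrets include file.
# Usage: check_secrets FILE [EXPECTED_UID]   (uid defaults to 0, i.e. root)
check_secrets() {
    file=$1
    uid=${2:-0}
    rc=0
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file must be a regular file, not a symlink"
        return 1
    fi
    # ls -ldn prints the mode string in field 1 and the numeric owner in field 3.
    set -- $(ls -ldn -- "$file")
    mode=$1
    file_uid=$3
    if [ "$file_uid" != "$uid" ]; then
        echo "FAIL: owner uid is $file_uid, expected $uid"
        rc=1
    fi
    # Characters 5-10 are the group/other bits; all must be '-'.
    # A trailing '+' (ACL present) is rejected as well.
    case $mode in
        ????------|????------.) ;;
        *) echo "FAIL: mode $mode allows access beyond the owner"; rc=1 ;;
    esac
    # "set" replaces a client-supplied header of the same name; add, append,
    # merge and setifempty would let a value sent by the client survive.
    headers=$(grep -i '^[[:space:]]*RequestHeader[[:space:]]' "$file" || true)
    if [ -z "$headers" ]; then
        echo "FAIL: no RequestHeader directive found"
        rc=1
    elif printf '%s\n' "$headers" |
         grep -iqv '^[[:space:]]*RequestHeader[[:space:]]\{1,\}set[[:space:]]'; then
        echo "FAIL: a RequestHeader directive uses an action other than set"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}

# Constructed sample: the secrets line from the message, written to a temp dir
# and owned by the current user instead of root so the demo runs unprivileged.
demo=$(mktemp -d)
printf 'RequestHeader set FooPassword very-secret-credentials\n' > "$demo/gosa.secrets"
chmod 600 "$demo/gosa.secrets"
check_secrets "$demo/gosa.secrets" "$(id -u)"
rm -rf "$demo"
```

On a real host the call would be "check_secrets /etc/gosa/gosa.secrets", run as root so the file can be read.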