FS#2877 - lighttpd user added too high a number

Attached to Project: Arch Linux
Opened by eliott (cactus) - Saturday, 25 June 2005, 21:41 GMT
Last edited by Dale Blount (dale) - Sunday, 26 June 2005, 00:31 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Tobias Kieslich (tobias)
Architecture: not specified
Severity: Low
Priority: Normal
Reported Version: 0.7 Wombat
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Due to the post install of lighttpd package, a user and group are created.
The uid and gid specified in the install script are 5200 and 5200, respectively.

This causes any additional users/groups on the system to be created with uids and gids of 5201 and up from there.

I recommend finding a uid/gid combination that is below the 100 mark, so as to not interfere with normal uid/gid progression.

This bug is not really a critical problem, but it is certainly an annoyance.

Closed by Tobias Kieslich (tobias)
Sunday, 21 August 2005, 21:54 GMT
Reason for closing: Fixed
Additional comments about closing: set back from 5200 to nobody(99) as a generic which can be customized by the user
Comment by eliott (cactus) - Saturday, 25 June 2005, 21:42 GMT
in the above bug report, I mean "below the 1000 mark" not "below the 100 mark".
Comment by Dale Blount (dale) - Sunday, 26 June 2005, 00:31 GMT
yes, also some of us have users already in that range too.
Comment by Tobias Kieslich (tobias) - Tuesday, 05 July 2005, 17:49 GMT
As a general thought, shall we have a dedicated www user serving for all available http servers? Might be an idea.
For the time being, I default lighty to nobody:nobody, which at least matches the apache configs and get us rid of the 5200+ issue.
Thoughts, comments ...?
Comment by eliott (cactus) - Wednesday, 06 July 2005, 01:55 GMT
I don't think that would work well. There are a few who have both daemons on the same box. I for one do. >_<
I don't generally like having daemons share a user, unless there is a need (like a mail daemon and a mail scanner or something).
Comment by Tobias Kieslich (tobias) - Wednesday, 06 July 2005, 10:17 GMT
nobody has more or less the same features as the lighttpd user had. If we stuff them all under 100, we will run out of uids one day when more software which could make good use of a user comes along. Also, these are defaults, anyway. At the moment you set up a customized layout you will change the users anyway. One of lighttpd's best features is that it can run painlessly in userspace.
So the question comes up, what would the lighttpd user be for anyway, when files that are uploaded by different users via ftp/sftp have other uids? The main usage is a groupwise ownership for the cgi-created files so that the user and the daemon both can edit them.
From my side I think to have a www user and especially a group in general would be a good thing.
Comment by eliott (cactus) - Thursday, 07 July 2005, 01:58 GMT
I don't see what talking about ftp and sftp has to do with any discussion about the www daemon. *shrug*

The main usage is not groupwise ownership, it is security, and mitigation of privilege escalation. If the lighttpd process is somehow compromised, it does much less damage to the system if it is running as its own user.

I just hope that removing one (apache or lighttpd) will not cause problems (ie. if I remove lighttpd or apache will it the nobody user?).

I for one, will never have apache and lighttpd sharing a user. Bummer that this is now the default config.

Comment by eliott (cactus) - Thursday, 07 July 2005, 02:01 GMT
ack! now you are chrooting the php-fcgi processes as the SAME user (nobody)!?!?

ye gads.
Comment by Tobias Kieslich (tobias) - Wednesday, 03 August 2005, 10:21 GMT
eliott, I have a totally different approach in 1.3.16 now, which is more complex, hence more error-prone though.
All the user settings have been ripped out of PKGBUILD and stuffed into post_install. post_install reads the user/group values from lighttpd.conf and sets the directories' rights accordingly. The problem with that is, if people who tweak lighttpd.conf don't set this file on NoUpgrade in pacman.conf, post_install reads the values from the freshly installed lighttpd.conf and not from the .pacsave file.
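As an added example, not the Arch package's actual post_install, here is a POSIX sh sketch of the two points this thread turns on: the reporter's recommendation that a daemon uid/gid stay below 1000, and the post_install approach described above that reads the daemon user and group from lighttpd.conf (server.username / server.groupname are lighttpd's own directives), defaulting to nobody. Preferring a .pacsave copy when one exists is my assumption about how the NoUpgrade problem could be avoided, and /home/lighttpd paths are taken from a later comment in this ticket.

```shell
#!/bin/sh
# Added example, not the package's own post_install.

# A daemon uid/gid should stay in the system range so later useradd
# calls do not continue from 5201 upward (the bug reported here).
uid_in_system_range() {   # $1 = numeric uid or gid
    [ "$1" -ge 0 ] && [ "$1" -lt 1000 ]
}

# Prefer the user's saved copy over a freshly installed default; this is
# an assumption about how to dodge the .pacsave/NoUpgrade failure mode.
pick_conf() {   # $1 = path to lighttpd.conf
    if [ -f "$1.pacsave" ]; then
        echo "$1.pacsave"
    else
        echo "$1"
    fi
}

# Read a quoted directive such as server.username = "lighty" from the
# config; the last definition wins. Falls back to nobody, the package
# default at the time of this ticket.
conf_value() {   # $1 = config file, $2 = directive name
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    v=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo nobody; fi
}

# user:group the daemon will run as, according to the trusted config.
lighttpd_owner() {   # $1 = path to lighttpd.conf
    f=$(pick_conf "$1")
    echo "$(conf_value "$f" server.username):$(conf_value "$f" server.groupname)"
}

# The chown commands post_install would apply; printed rather than run
# so the plan can be inspected without root.
ownership_plan() {   # $1 = path to lighttpd.conf
    owner=$(lighttpd_owner "$1")
    for d in /home/lighttpd /home/lighttpd/html; do
        echo "chown $owner $d"
    done
}
```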
Comment by eliott (cactus) - Thursday, 04 August 2005, 14:14 GMT
:(
Sounds messy. I would prefer a more simplistic approach.
But, it might well work out wonderfully. I will give it a roll and see how it plays out before I bemoan it. :)

ps. Thanks for your work on the package. It is nice to have someone on the other end who is willing to listen to me griping. thanks :P
Comment by Tobias Kieslich (tobias) - Tuesday, 16 August 2005, 18:53 GMT
*poke*
Comment by eliott (cactus) - Friday, 19 August 2005, 09:03 GMT
Well, it seemed to work ok. It wiped out permissions on the /home/lighttpd/ and /home/lighttpd/html directories, but that was a quick fix.

I have noupgrade set on my config files, so the potential for alteration is considerably lower on my setup anyway. The log file permissions seem to be ok...

lighttpd 1.4 is coming out soon, so I will probably just start packaging it myself again. I have a few squirrely config things that I have been trying lately (which will probably result in me packaging php too). But, the lighttpd package should be good enough for most users out there.

thanks for the good work. :)
Comment by Tobias Kieslich (tobias) - Sunday, 21 August 2005, 21:53 GMT
ok, I take that as a ready to go and close this ticket