Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unfinished comments (cropped or forgotten) in backend/config.py. #161

Open
awwad opened this issue Oct 15, 2015 · 4 comments
Open

Unfinished comments (cropped or forgotten) in backend/config.py. #161

awwad opened this issue Oct 15, 2015 · 4 comments

Comments

@awwad
Copy link
Contributor

awwad commented Oct 15, 2015

https://github.com/SeattleTestbed/clearinghouse/blob/master/backend/config.py contains comments intended to explain in brief the reason for the recommended permissioning of certain files, but the comment is cut off prematurely, mid-sentence:

"The reason for the restrictions is explained in backend_daemon.py, but
basically it's that we want the backend to be the place where all node-"
@awwad
Copy link
Contributor Author

awwad commented Oct 15, 2015

Also, I don't see any such explanation in backend_daemon.py.

@aaaaalbert
Copy link
Contributor

Okay, this is an interesting find! The comment in config.py was checked in originally like this.

There is some doc on the backend scripts:

@awwad
Copy link
Contributor Author

awwad commented Oct 16, 2015

That's useful, thank you; I think I've learned from those.

However, none of those documents explain the need for the apache user to
not have access to particular config files, which the missing comment would
have explained.

On Fri, Oct 16, 2015 at 5:02 AM aaaaalbert [email protected] wrote:

Okay, this is an interesting find! The comment in config.py was checked
in originally
https://seattle.poly.edu/browser/seattle/trunk/seattlegeni/backend/config.py?annotate=blame&rev=2654
like this.

There is some doc on the backend scripts:


Reply to this email directly or view it on GitHub
#161 (comment)
.

@aaaaalbert
Copy link
Contributor

The authcode is used to authenticate the different backend scripts to the backend daemon (see its appearances in the CH code).

While the backend daemon should not be reachable from the public Internet anyway, it's still good operational practice to not allow the web server read config files. That said, I think with mod_wsgi the user file/dir access configuration in the Apache config has been simplified a lot, so maybe there is less of an issue these days. The old mod_python and/or previous versions of Django required lots of performance hacks for serving static content etc. which were finicky to set up correctly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aaaaalbert @awwad