[Freedombox-discuss] Drop exmachina, use sudo instead - at least short term (Was: Kerberos and remctl instead of exmachina?)

Tim Retout diocles at debian.org
Sun Sep 8 22:02:29 UTC 2013


On 7 September 2013 07:53, Petter Reinholdtsen <pere at hungry.com> wrote:
> But after looking at plinth/exmachina a bit more, I believe the best
> way forward right now is to drop exmachina completely and rewrite
> plinth to use sudo.  Instead of talking to exmachina, it should call
> 'sudo /some/privileged/helper/script' we write to handle the
> operations plinth needs, and ask it to do the privileged operations.

This sounds reasonable, so long as the helper scripts can be run in
the background or return quickly.  I notice that /etc/sudoers.d exists
(since 2009! I've never noticed it before) so the necessary privileges
can be maintained in the plinth package.

How is plinth being deployed long-term?  Presumably it will always run
as a new 'plinth' user, not www-data?  (Currently I think it just runs
the cherrypy server on port 8080?)  If the plinth packaging ever
changes to run under Apache or nginx, then it would make sense to use
FastCGI or mod_wsgi in daemon mode rather than CGI, to avoid having to
use mod_suexec or grant these sudo rights to the web server.

-- 
Tim Retout <diocles at debian.org>
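
Added example, not part of the original message and not plinth's own code: a sketch of the sudo-helper pattern discussed above, with a timeout so a slow helper cannot stall the web process. The helper path, the action names and the sudoers line are assumptions made for illustration.

```python
"""Sketch of the plinth side of a sudo helper, plus the helper's own checks.

Hypothetical drop-in shipped by the package as /etc/sudoers.d/plinth (mode 0440):
    plinth ALL=(root) NOPASSWD: /usr/lib/plinth/helper
A sudoers entry without an argument list permits any arguments, so the
helper itself has to validate everything it is handed.
"""
import re
import subprocess

HELPER = "/usr/lib/plinth/helper"  # hypothetical path, not from the thread

# Hypothetical actions: name -> pattern the single argument must fully match.
ACTIONS = {
    "set-hostname": re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"),
    "restart-service": re.compile(r"avahi-daemon|ssh"),
}


def validate(action, args):
    """Helper-side check (runs as root): refuse anything not allowlisted."""
    pattern = ACTIONS.get(action)
    if pattern is None:
        raise ValueError("unknown action: %r" % (action,))
    if len(args) != 1 or not pattern.fullmatch(args[0]):
        raise ValueError("bad argument for %s" % action)
    return [action, args[0]]


def build_command(action, args):
    """Plinth-side: build an argv list, never a shell string.

    'sudo -n' fails immediately instead of prompting for a password,
    which is what an unattended web process needs.
    """
    return ["sudo", "-n", HELPER] + validate(action, args)


def run_privileged(action, args, timeout=10):
    """Run the helper; the timeout bounds how long a request can block."""
    return subprocess.run(build_command(action, args), timeout=timeout,
                          capture_output=True, text=True, check=False)
```

The same `validate` logic belongs inside the helper script itself, since the web process is the less trusted side of the sudo boundary.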


