We've set up a nightly cron job to run collectstats.pl as per the docs
http://www.bugzilla.org/docs/tip/en/html/extraconfig.html
but it's not clear which user you're expecting us to run this as: as root,
or as the apache user / a $webservicegroup user, or as something else?
We opted for the apache user not root because the script operates on
user-supplied data. This does then mean that we need to make parts of data/
group apache and group write so that the script can run. However for a few
versions now checksetup.pl has stripped out the apache group and group write
from data/ every time we run it, even though apache is set as our
$webservicegroup.
What's the correct way of setting this up - did you intend us to run collectstats
as root, or to restore group and permissions to data/ after checksetup like
this, or something else?
Thanks,
Rupert.
As root would be best.
-Max
--
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.
> > but it's not clear which user you're expecting us to run this as: as
> > root, or as the apache user / a $webservicegroup user, or as something
> > else?
>
> As root would be best.
Thanks. I'm not completely sold on that but I guess it's a fairly slim risk.
I got another reply off-list (thanks!) suggesting I run checksetup.pl as the
apache / web-server user rather than as root. That will prevent it chown /
chgrping permissions away and leave all files owned by apache, which would
work too.
However, that would lead to insecure permissions where the web server
has the ability to write to things that it should not have the ability
to write to.
You could also create a "bugzilla" user, make that "bugzilla" user a
member of the Apache group, and run both checksetup.pl and
collectstats.pl as the "bugzilla" user. That leads to greater
complications in setting up permissions for other things (for example,
jobqueue.pl would then also have to run as "bugzilla", email_in.pl would
have to run as "bugzilla", etc.) but if you are seriously concerned
about the security of running as root, it's another option (and much
better than running checksetup.pl as apache).
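
Whichever account ends up running checksetup.pl, the resulting tree can be checked for paths the web server is able to write to. The script below is an added example, not part of the thread or of Bugzilla; the function names, their arguments and the single allowed subdirectory are assumptions, and it only considers the one group passed in, not supplementary groups.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Bugzilla tree for paths
# that the web server account can write to.

# web_writable ROOT USER GROUP
# Prints every path under ROOT writable by USER as owner, by GROUP through
# the group write bit, or by anyone through the world write bit.
# USER and GROUP may be names or numeric ids.
web_writable() {
    root=$1; user=$2; group=$3
    # Symlinks are skipped: their own mode bits carry no meaning.
    find "$root" ! -type l \( \
        \( -user "$user" -perm -200 \) -o \
        \( -group "$group" -perm -020 \) -o \
        -perm -002 \
    \) -print | sort
}

# unexpected_writable ROOT USER GROUP ALLOWED
# Same as above, minus anything at or below ROOT/ALLOWED (for example
# "data" when collectstats.pl runs as the web server user). ALLOWED is a
# hypothetical allow-list of one directory; extend the case patterns to
# match your own layout.
unexpected_writable() {
    root=$1; user=$2; group=$3; allowed=$4
    web_writable "$root" "$user" "$group" | while IFS= read -r p; do
        case "$p" in
            "$root/$allowed"|"$root/$allowed"/*) ;;  # expected to be writable
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Example call, with placeholder path and account names:
#   unexpected_writable /path/to/bugzilla apache apache data
```

Empty output from `unexpected_writable` after a checksetup.pl run means the web server can write only inside the allowed directory.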