collectstats and user / group permissions

Rupert Wood

Sep 22, 2010, 7:40:02 AM
to support-...@lists.mozilla.org
Hi -

We've set up a nightly cron job to run collectstats.pl as per the docs

http://www.bugzilla.org/docs/tip/en/html/extraconfig.html

but it's not clear which user you're expecting us to run this as: as root,
or as the apache user / a $webservicegroup user, or as something else?

We opted for the apache user not root because the script operates on
user-supplied data. This does then mean that we need to make parts of data/
group apache and group write so that the script can run. However for a few
versions now checksetup.pl has stripped out the apache group and group write
from data/ every time we run it, even though apache is set as our
$webservicegroup.

What's the correct way of setting this up - did you intend us to run collectstats
as root, or to restore group and permissions to data/ after checksetup like
this, or something else?

Thanks,
Rupert.


Max Kanat-Alexander

Sep 22, 2010, 7:08:26 PM
to support-...@lists.mozilla.org
On 09/22/2010 04:40 AM, Rupert Wood wrote:
> but it's not clear which user you're expecting us to run this as: as root,
> or as the apache user / a $webservicegroup user, or as something else?

As root would be best.

-Max
--
http://www.everythingsolved.com/
Competent, Friendly Bugzilla and Perl Services. Everything Else, too.

Rupert Wood

Sep 23, 2010, 7:05:51 AM
to support-...@lists.mozilla.org
Max Kanat-Alexander wrote:

> > but it's not clear which user you're expecting us to run this as: as
> > root, or as the apache user / a $webservicegroup user, or as something
> > else?
>
> As root would be best.

Thanks. I'm not completely sold on that but I guess it's a fairly slim risk.

I got another reply off-list (thanks!) suggesting I run checksetup.pl as the
apache / web-server user rather than as root. That will prevent it chown /
chgrping permissions away and leave all files owned by apache, which would
work too.

Max Kanat-Alexander

Sep 23, 2010, 9:26:21 PM
to support-...@lists.mozilla.org
On 09/23/2010 04:05 AM, Rupert Wood wrote:
> I got another reply off-list (thanks!) suggesting I run checksetup.pl as the
> apache / web-server user rather than as root. That will prevent it chown /
> chgrping permissions away and leave all files owned by apache, which would
> work too.

However, that would lead to insecure permissions where the web server
has the ability to write to things that it should not have the ability
to write to.

You could also create a "bugzilla" user, make that "bugzilla" user a
member of the Apache group, and run both checksetup.pl and
collectstats.pl as the "bugzilla" user. That leads to greater
complications in setting up permissions for other things (for example,
jobqueue.pl would then also have to run as "bugzilla", email_in.pl would
have to run as "bugzilla", etc.) but if you are seriously concerned
about the security of running as root, it's another option (and much
better than running checksetup.pl as apache).
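
An added example, not part of the thread and not Bugzilla code: a shell function that lists everything under a directory that the web server account could modify, which makes the ownership options discussed above comparable after a checksetup.pl run. The function name, the reason labels and the three arguments are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit which paths the web server account can modify.
# The directory, user and group are supplied by the caller (assumptions);
# numeric IDs are accepted as well as names.

# web_writable DIR WEB_USER WEB_GROUP
# Prints one line per finding, "<reason> <path>":
#   owner - owned by the web server user (it can write, or chmod then write)
#   group - group is the web server group and the group-write bit is set
#   world - world-writable, so writable by the web server like anyone else
# Symlinks are skipped because their own mode bits are not meaningful.
web_writable() {
    dir=$1
    web_user=$2
    web_group=$3

    find "$dir" ! -type l -user "$web_user" \
        -exec printf 'owner %s\n' {} \;

    find "$dir" ! -type l ! -user "$web_user" \
        -group "$web_group" -perm -020 \
        -exec printf 'group %s\n' {} \;

    # Report world-writable paths only if not already reported above.
    find "$dir" ! -type l ! -user "$web_user" -perm -002 \
        ! \( -group "$web_group" -perm -020 \) \
        -exec printf 'world %s\n' {} \;
}

# Allow use as a script: sh audit.sh /path/to/bugzilla apache apache
if [ "$#" -eq 3 ]; then
    web_writable "$1" "$2" "$3"
fi
```

If checksetup.pl has been run as the web server user, every path comes back as `owner`; with root or a separate account owning the tree, only the paths deliberately left group-writable should appear.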
