[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Change Request - Change transifex to run under the transifex user



This should be a pretty safe security change to make transifex run under
the separate transifex user, instead of the apache user.  I've tested it
out on publictest14.

The django transifex isn't 100% in puppet yet, so here are the steps I'd
like to take:

mv ~ricky/tx.conf /etc/httpd/conf.d
/etc/init.d/httpd restart
mv /var/www/.ssh /var/lib/transifex
chown -R transifex:transifex /var/lib/transifex/.ssh
find /var/lib/transifex -user apache -exec chown transifex:transifex {} \;
mv ~ricky/ssh-add.sh /var/lib/transifex
# restart ssh-agent to run under the transifex user

Here's the diff between my edited tx.conf and the original one:
--- /etc/httpd/conf.d/tx.conf   2009-03-12 13:46:14.000000000 +0000
+++ /home/fedora/ricky/tx.conf  2009-03-17 14:29:36.000000000 +0000
@@ -1,6 +1,8 @@
 WSGIRestrictStdout Off
 WSGIRestrictStdin Off
 
+WSGIDaemonProcess transifex processes=8 threads=2 maximum-requests=50000 user=transifex group=transifex display-name=transifex inactivity-timeout=300
+
 Alias   /site_media     /usr/share/transifex/site_media
 
 <Directory /usr/share/transifex/site_media>
@@ -10,5 +12,9 @@
 
 SetEnv SSH_AUTH_SOCK /var/lib/transifex/ssh-agent-sock-transifex
 
+<Directory /usr/share/transifex>
+  WSGIProcessGroup transifex
+</Directory>
+
 WSGIScriptAlias /tx /usr/share/transifex/tx-django.wsgi
 
Thanks,
Ricky

Attachment: pgpIcy6WgerVc.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]