Alle,
Here is our situation:
Our customer leases their machines from us and contract us to to manage them (as far as all systems administration issues). The customer does not have root access to any machine (by their own choice, as they want us to be responsible if something goes awry). In the case of their web servers, we handle all configuration, they manage the content. We make changes to the configuration as necessary to support their content. There is one machine (RHEL5.2) that they are developing on that will become a production box. They have sudo access to manage mysql functions as well as the apache server. They have asked, that we change the default directory permission/ownership of /var/www/html,cgi-bin, instead of using the Documentroot and ScriptAlias parameters in the apache configuration.
drwxr-xr-x 2 root root 4096 Jan 11 2008 /var/www/cgi-bin drwxr-xr-x 2 root root 4096 Jan 11 2008 /var/www/html
to
drwxrwxr-x 2 root user 4096 Jan 11 2008 /var/www/cgi-bin drwxrwxr-x 2 root user 4096 Jan 11 2008 /var/www/html
We have explained that it is preferable *not* to modify the default filesystem configuration of the underlying OS and have recommended that they customize the app by specifying a location of their choice in httpd.conf. They argue that they "just want to use the system default location". There is no *technical* reason for this, according to them. The location does not affect the app. None of the other web servers we manage for them use the RHEL apache default, they all have customized locations for content and scripts.
My question is:
What argument, if any, would you use to try and convince the customer that this is a bad idea/bad practice?
Best Regards, Camron
On Fri, 31 Oct 2008, Camron W. Fox wrote:
[Our customer has] asked, that we change the default directory permission/ownership of /var/www/html,cgi-bin, instead of using the Documentroot and ScriptAlias parameters in the apache configuration.
drwxr-xr-x 2 root root 4096 Jan 11 2008 /var/www/cgi-bin drwxr-xr-x 2 root root 4096 Jan 11 2008 /var/www/html
to
drwxrwxr-x 2 root user 4096 Jan 11 2008 /var/www/cgi-bin drwxrwxr-x 2 root user 4096 Jan 11 2008 /var/www/html
We have explained that it is preferable *not* to modify the default filesystem configuration of the underlying OS and have recommended that they customize the app by specifying a location of their choice in httpd.conf. They argue that they "just want to use the system default location". There is no *technical* reason for this, according to them. The location does not affect the app.
None of the other web servers we manage for them use the RHEL apache default, they all have customized locations for content and scripts.
My question is:
What argument, if any, would you use to try and convince the customer that this is a bad idea/bad practice?
Updates to the httpd package will overwrite those permissions, so there will need to be a cron job (or very vigilent SA) that monitors those perms, re-customizing them as necessary.
Otherwise, what they're asking isn't all that unusual, imo.
on 10-31-2008 10:32 AM Camron W. Fox spake the following:
Alle,
Here is our situation: Our customer leases their machines from us and contract us to tomanage them (as far as all systems administration issues). The customer does not have root access to any machine (by their own choice, as they want us to be responsible if something goes awry). In the case of their web servers, we handle all configuration, they manage the content. We make changes to the configuration as necessary to support their content. There is one machine (RHEL5.2) that they are developing on that will become a production box. They have sudo access to manage mysql functions as well as the apache server. They have asked, that we change the default directory permission/ownership of /var/www/html,cgi-bin, instead of using the Documentroot and ScriptAlias parameters in the apache configuration.
drwxr-xr-x 2 root root 4096 Jan 11 2008 /var/www/cgi-bin drwxr-xr-x 2 root root 4096 Jan 11 2008 /var/www/html
to
drwxrwxr-x 2 root user 4096 Jan 11 2008 /var/www/cgi-bin drwxrwxr-x 2 root user 4096 Jan 11 2008 /var/www/html
We have explained that it is preferable *not* to modify the defaultfilesystem configuration of the underlying OS and have recommended that they customize the app by specifying a location of their choice in httpd.conf. They argue that they "just want to use the system default location". There is no *technical* reason for this, according to them. The location does not affect the app. None of the other web servers we manage for them use the RHEL apache default, they all have customized locations for content and scripts.
My question is: What argument, if any, would you use to try and convince thecustomer that this is a bad idea/bad practice?
Best Regards, Camron
Tell them that if they want to make a change like this, then they have to sign off that THEY will be liable for this system and any damage it might cause. It may just be a bluff, but it probably won't make it past their legal team if they have one.
On Fri, Oct 31, 2008 at 1:32 PM, Camron W. Fox cwfox@us.fujitsu.com wrote:
What argument, if any, would you use to try and convince the customerthat this is a bad idea/bad practice?
Well, it's entirely possible that on update, the permissions they set will be overridden since the httpd package owns and overwrites all files not marked as config files on updates.
-
Camron W. Fox -
Jim Perrin -
Paul Heinlein -
Scott Silva