On 7 September 2013 07:53, Petter Reinholdtsen <[email protected]> wrote: > But after looking at plinth/exmachina a bit more, I believe the best > way forward right now is to drop exmachina completely and rewrite > plinth to use sudo. Instead of talking to exmachina, it should call > 'sudo /some/privileged/helper/script' we write to handle the > operations plinth need, and ask it to do the privileged operations.
This sounds reasonable, so long as the helper scripts can be run in the background or return quickly. I notice that /etc/sudoers.d exists (since 2009! I've never noticed it before) so the necessary privileges can be maintained in the plinth package. How is plinth being deployed long-term? Presumably it will always run as a new 'plinth' user, not www-data? (Currently I think it just runs the cherrypy server on port 8080?) If the plinth packaging ever changes to run under Apache or nginx, then it would make sense to use FastCGI or mod_wsgi in daemon mode rather than CGI, to avoid having to use mod_suexec or grant these sudo rights to the web server. -- Tim Retout <[email protected]> _______________________________________________ Freedombox-discuss mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
