View Issue Details

IDProjectCategoryView StatusLast Update
0002403CentOS-5-OTHERpublic2008-04-03 20:44
ReporterScratchMonkey Assigned To 
PrioritynormalSeverityminorReproducibilityalways
Status assignedResolutionopen 
PlatformDell PE2950OSCentOSOS Version5
Product Version5.0 - i386 
Summary0002403: BackupPC has inappropriate Apache configuration
DescriptionBackupPC in c5-testing is configured to use the stock web server running as user "apache" under mod_perl, but mod_perl doesn't allow BackupPC's CGI script to run as user "backuppc".

In principle one could use suexec, but suexec is compiled to require a userid greater than 500, so the userid assigned in the spec file needs to be adjusted up into that range, which may conflict with end-user assignments.

Another possibility is to launch a separate instance of Apache running as user "backuppc", but this will require a separate init script and config file for the additional web server.

Note that the c4-testing bug tracker is here:

http://bugs.centos.org/view.php?id=1299
TagsNo tags attached.

Activities

JohnnyHughes

JohnnyHughes

2007-10-24 07:33

administrator   ~0006177

If you look at the CentOS.readme file in the docs, it clearly tells you to configure your apache to run as the backuppc user.

I do not think that the RPM should mess with your httpd.conf file ... as there are multiple ways to run backuppc. I think this is something that the user needs to accomplish on their own by reading the docs.

I guess we could configure the system so that it runs out of the box not using mod_perl and working under the apache user, and include instructions (and a sample config files) for running using mod_perl, however the documentation for backuppc says that there is a huge performance penalty for this kind of setup .. also something that I am not sure we want to do.

I also do not want to try to make it run as a separate apache instance because that requires it to either run on a separate IP address or on a port other than port 80. I am not sure we want to try and do either of those things in the RPM.
ScratchMonkey

ScratchMonkey

2007-10-24 09:12

reporter   ~0006178

I'll check on the backuppc mailing list about the use of mod_perl. I'm skeptical that this "performance drop" has any real-world consequence, and likely only affects the speed with which its web interface loads. Presumably one isn't using the web interface on a regular basis, enough for page loading speed to be a big issue.

2007-10-24 19:25

 

backuppc.spec.diff (2,845 bytes)   
--- backuppc.spec	2007-08-01 11:19:30.000000000 -0700
+++ backuppc.spec.new	2007-10-24 10:47:15.000000000 -0700
@@ -10,7 +10,7 @@
 Summary: BackupPC is a high-performance, enterprise-grade system for backing up Unix, Linux 
 Name: backuppc
 Version: 3.0.0 
-Release: 1%{dist}
+Release: 1%{dist}.kp
 Group: Applications/Archiving
 License: GPL
 Source: http://sourceforge.net/projects/backuppc/BackupPC-%{version}.tar.gz
@@ -71,9 +71,9 @@
 	--data-dir /var/lib/%{name} \
 	--dest-dir $RPM_BUILD_ROOT \
 	--install-dir %{_prefix} \
-	--cgi-dir /usr/share/%{name}/cgi-bin \
+	--cgi-dir /var/www/%{name}/cgi-bin \
 	--hostname localhost \
-	--html-dir /usr/share/%{name}/html \
+	--html-dir /var/www/%{name}/html \
 	--html-dir-url /%{name}/html \
 	--uid-ignore
 
@@ -81,15 +81,18 @@
 install -m755 init.d/linux-backuppc $RPM_BUILD_ROOT%{_initdir}/backuppc
 install -m644 %{SOURCE1} $RPM_BUILD_ROOT%{httpd_confd_dir}/
 install -m640 %{SOURCE2} $RPM_BUILD_ROOT%{htpasswd_dir}/
-install -m644 %{SOURCE3} $RPM_BUILD_ROOT/usr/share/%{name}/
-install -m644 README* $RPM_BUILD_ROOT/usr/share/%{name}/html/doc/
+install -m644 %{SOURCE3} $RPM_BUILD_ROOT/var/www/%{name}/
+install -m644 README* $RPM_BUILD_ROOT/var/www/%{name}/html/doc/
 %pre
 if [ -z "`getent group backuppc`" ]; then
     /usr/sbin/groupadd -g 150 backuppc
 fi
 
+# We'd like to use UID 150 here but must use one >= 500
+# until httpd's suexec is recompiled to allow lower UIDs
 if [ -z "`getent passwd backuppc`" ]; then
-    /usr/sbin/useradd -u 150 -d /var/lib/backuppc -M -s /bin/false -g backuppc backuppc
+    # -u 150
+    /usr/sbin/useradd -d /var/lib/backuppc -M -s /bin/false -g backuppc backuppc
 fi
 
 %post
@@ -118,7 +121,7 @@
 %doc ChangeLog README* LICENSE 
 %doc doc/*
 %attr(755,root,root) %{_bindir}/*
-%attr(755,root,root) /usr/share/%{name}/cgi-bin/
+%attr(755,%{backuppc_user},%{backuppc_grp}) /var/www/%{name}/cgi-bin/
 %dir /var/lib/%{name}
 %config(noreplace) /etc/BackupPC/config.pl
 %config(noreplace) /etc/BackupPC/hosts
@@ -137,10 +140,17 @@
 %dir %attr(750,%{backuppc_user},%{backuppc_grp}) /etc/BackupPC/*
 %dir %attr(750,%{backuppc_user},%{backuppc_grp}) %{htpasswd_dir}
 %dir %attr(640,%{backuppc_user},%{backuppc_grp}) %{htpasswd_dir}/*
-/usr/share/%{name}/html/*
-/usr/share/%{name}/index.html
+/var/www/%{name}/html/*
+/var/www/%{name}/index.html
 
 %changelog
+* Wed Oct 24 2007 Kenneth Porter <shiva+c5-backuppc@sewingwitch.com> 3.0.0-1.el5.centos.kp
+- Allow backuppc UID to float above 500 so web admin can be used in a
+  shared Apache with suexec
+- Move web files (particularly CGI script) to /var/www tree to be compliant
+  with suexec's docroot compile-time restriction
+- Make web script owned by backuppc user/group for compliance with suexec
+
 * Wed Aug  1 2007 Johnny Hughes <johnny@centos.org> 3.0.0-1.el5.centos
 - Built for CentOS-5
 
backuppc.spec.diff (2,845 bytes)   
ScratchMonkey

ScratchMonkey

2007-10-24 19:27

reporter   ~0006184

I've successful deployed the package using suexec. I found it necessary to let the UID "float" to above 500 and to move the web content within /var/www to meet the compile-time restrictions of suexec. A patch to the spec file illustrating the changes is attached.
ScratchMonkey

ScratchMonkey

2007-10-24 19:30

reporter   ~0006185

Two replies on the backuppc mailing list confirm that the mod_perl requirement is only to improve performance of the CGI management interface, not the actual backup software. Such a speedup is really only of value for a system under heavy web load by many users managing backups.

Rather than deploy a config file that still requires editing of the main Apache config file, I'd recommend moving the current file to the %doc directory as an example of a mod_perl-based configuration.

2007-10-24 19:32

 

ScratchMonkey

ScratchMonkey

2007-10-24 19:33

reporter   ~0006186

I've attached a sample Apache config that shows how to use the system with suexec and a virtual host.
breun

breun

2008-04-03 20:44

reporter   ~0007090

I have been using BackupPC 3 on a CentOS 4 machine for a long time and didn't go for the mod_perl setup as that allowed us to use apache for a couple of other small things. Indeed, the mod_perl speedup is only for the web interface and I'll say it very usable without mod_perl. It may be "15x" faster when timed (as the BackupPC docs say), but when the CGI is already fast enough to begin with I don't think the requirement to run apache as backuppc (and not be able to easily use apache for other stuff) is worth it.

So, my vote (if I have one) is on the 'Standard setup' instead of the 'Mod_perl setup' as the default for the rpm (see http://backuppc.sourceforge.net/faq/BackupPC.html#step_9__cgi_interface for the notes on these two methods).

Issue History

Date Modified Username Field Change
2007-10-23 15:35 ScratchMonkey New Issue
2007-10-24 07:33 JohnnyHughes Note Added: 0006177
2007-10-24 09:12 ScratchMonkey Note Added: 0006178
2007-10-24 19:25 ScratchMonkey File Added: backuppc.spec.diff
2007-10-24 19:27 ScratchMonkey Note Added: 0006184
2007-10-24 19:30 ScratchMonkey Note Added: 0006185
2007-10-24 19:32 ScratchMonkey File Added: backuppc.conf.suexec
2007-10-24 19:33 ScratchMonkey Note Added: 0006186
2007-10-26 00:43 kbsingh@karan.org Status new => assigned
2008-04-03 20:44 breun Note Added: 0007090