0002403: BackupPC has inappropriate Apache configuration - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0002403	CentOS-5	-OTHER	public	2007-10-23 15:35	2008-04-03 20:44

Reporter	ScratchMonkey	Assigned To
Priority	normal	Severity	minor	Reproducibility	always
Status	assigned	Resolution	open
Platform	Dell PE2950	OS	CentOS	OS Version	5
Product Version	5.0 - i386

Summary	0002403: BackupPC has inappropriate Apache configuration
Description	BackupPC in c5-testing is configured to use the stock web server running as user "apache" under mod_perl, but mod_perl doesn't allow BackupPC's CGI script to run as user "backuppc". In principle one could use suexec, but suexec is compiled to require a userid greater than 500, so the userid assigned in the spec file needs to be adjusted up into that range, which may conflict with end-user assignments. Another possibility is to launch a separate instance of Apache running as user "backuppc", but this will require a separate init script and config file for the additional web server. Note that the c4-testing bug tracker is here: http://bugs.centos.org/view.php?id=1299
Tags	No tags attached.

JohnnyHughes 2007-10-24 07:33 administrator ~0006177	If you look at the CentOS.readme file in the docs, it clearly tells you to configure your apache to run as the backuppc user. I do not think that the RPM should mess with your httpd.conf file ... as there are multiple ways to run backuppc. I think this is something that the user needs to accomplish on their own by reading the docs. I guess we could configure the system so that it runs out of the box not using mod_perl and working under the apache user, and include instructions (and a sample config files) for running using mod_perl, however the documentation for backuppc says that there is a huge performance penalty for this kind of setup .. also something that I am not sure we want to do. I also do not want to try to make it run as a separate apache instance because that requires it to either run on a separate IP address or on a port other than port 80. I am not sure we want to try and do either of those things in the RPM.

ScratchMonkey 2007-10-24 09:12 reporter ~0006178	I'll check on the backuppc mailing list about the use of mod_perl. I'm skeptical that this "performance drop" has any real-world consequence, and likely only affects the speed with which its web interface loads. Presumably one isn't using the web interface on a regular basis, enough for page loading speed to be a big issue.

2007-10-24 19:25	backuppc.spec.diff (2,845 bytes) --- backuppc.spec 2007-08-01 11:19:30.000000000 -0700 +++ backuppc.spec.new 2007-10-24 10:47:15.000000000 -0700 @@ -10,7 +10,7 @@ Summary: BackupPC is a high-performance, enterprise-grade system for backing up Unix, Linux Name: backuppc Version: 3.0.0 -Release: 1%{dist} +Release: 1%{dist}.kp Group: Applications/Archiving License: GPL Source: http://sourceforge.net/projects/backuppc/BackupPC-%{version}.tar.gz @@ -71,9 +71,9 @@ --data-dir /var/lib/%{name} \ --dest-dir $RPM_BUILD_ROOT \ --install-dir %{_prefix} \ - --cgi-dir /usr/share/%{name}/cgi-bin \ + --cgi-dir /var/www/%{name}/cgi-bin \ --hostname localhost \ - --html-dir /usr/share/%{name}/html \ + --html-dir /var/www/%{name}/html \ --html-dir-url /%{name}/html \ --uid-ignore @@ -81,15 +81,18 @@ install -m755 init.d/linux-backuppc $RPM_BUILD_ROOT%{_initdir}/backuppc install -m644 %{SOURCE1} $RPM_BUILD_ROOT%{httpd_confd_dir}/ install -m640 %{SOURCE2} $RPM_BUILD_ROOT%{htpasswd_dir}/ -install -m644 %{SOURCE3} $RPM_BUILD_ROOT/usr/share/%{name}/ -install -m644 README* $RPM_BUILD_ROOT/usr/share/%{name}/html/doc/ +install -m644 %{SOURCE3} $RPM_BUILD_ROOT/var/www/%{name}/ +install -m644 README* $RPM_BUILD_ROOT/var/www/%{name}/html/doc/ %pre if [ -z "`getent group backuppc`" ]; then /usr/sbin/groupadd -g 150 backuppc fi +# We'd like to use UID 150 here but must use one >= 500 +# until httpd's suexec is recompiled to allow lower UIDs if [ -z "`getent passwd backuppc`" ]; then - /usr/sbin/useradd -u 150 -d /var/lib/backuppc -M -s /bin/false -g backuppc backuppc + # -u 150 + /usr/sbin/useradd -d /var/lib/backuppc -M -s /bin/false -g backuppc backuppc fi %post @@ -118,7 +121,7 @@ %doc ChangeLog README* LICENSE %doc doc/* %attr(755,root,root) %{_bindir}/* -%attr(755,root,root) /usr/share/%{name}/cgi-bin/ +%attr(755,%{backuppc_user},%{backuppc_grp}) /var/www/%{name}/cgi-bin/ %dir /var/lib/%{name} %config(noreplace) /etc/BackupPC/config.pl %config(noreplace) /etc/BackupPC/hosts @@ -137,10 +140,17 @@ %dir %attr(750,%{backuppc_user},%{backuppc_grp}) /etc/BackupPC/* %dir %attr(750,%{backuppc_user},%{backuppc_grp}) %{htpasswd_dir} %dir %attr(640,%{backuppc_user},%{backuppc_grp}) %{htpasswd_dir}/* -/usr/share/%{name}/html/* -/usr/share/%{name}/index.html +/var/www/%{name}/html/* +/var/www/%{name}/index.html %changelog +* Wed Oct 24 2007 Kenneth Porter <shiva+c5-backuppc@sewingwitch.com> 3.0.0-1.el5.centos.kp +- Allow backuppc UID to float above 500 so web admin can be used in a + shared Apache with suexec +- Move web files (particularly CGI script) to /var/www tree to be compliant + with suexec's docroot compile-time restriction +- Make web script owned by backuppc user/group for compliance with suexec + * Wed Aug 1 2007 Johnny Hughes <johnny@centos.org> 3.0.0-1.el5.centos - Built for CentOS-5 backuppc.spec.diff (2,845 bytes)

ScratchMonkey 2007-10-24 19:27 reporter ~0006184	I've successful deployed the package using suexec. I found it necessary to let the UID "float" to above 500 and to move the web content within /var/www to meet the compile-time restrictions of suexec. A patch to the spec file illustrating the changes is attached.

ScratchMonkey 2007-10-24 19:30 reporter ~0006185	Two replies on the backuppc mailing list confirm that the mod_perl requirement is only to improve performance of the CGI management interface, not the actual backup software. Such a speedup is really only of value for a system under heavy web load by many users managing backups. Rather than deploy a config file that still requires editing of the main Apache config file, I'd recommend moving the current file to the %doc directory as an example of a mod_perl-based configuration.

2007-10-24 19:32	backuppc.conf.suexec (547 bytes)

ScratchMonkey 2007-10-24 19:33 reporter ~0006186	I've attached a sample Apache config that shows how to use the system with suexec and a virtual host.

breun 2008-04-03 20:44 reporter ~0007090	I have been using BackupPC 3 on a CentOS 4 machine for a long time and didn't go for the mod_perl setup as that allowed us to use apache for a couple of other small things. Indeed, the mod_perl speedup is only for the web interface and I'll say it very usable without mod_perl. It may be "15x" faster when timed (as the BackupPC docs say), but when the CGI is already fast enough to begin with I don't think the requirement to run apache as backuppc (and not be able to easily use apache for other stuff) is worth it. So, my vote (if I have one) is on the 'Standard setup' instead of the 'Mod_perl setup' as the default for the rpm (see http://backuppc.sourceforge.net/faq/BackupPC.html#step_9__cgi_interface for the notes on these two methods).

Date Modified	Username	Field	Change
2007-10-23 15:35	ScratchMonkey	New Issue
2007-10-24 07:33	JohnnyHughes	Note Added: 0006177
2007-10-24 09:12	ScratchMonkey	Note Added: 0006178
2007-10-24 19:25	ScratchMonkey	File Added: backuppc.spec.diff
2007-10-24 19:27	ScratchMonkey	Note Added: 0006184
2007-10-24 19:30	ScratchMonkey	Note Added: 0006185
2007-10-24 19:32	ScratchMonkey	File Added: backuppc.conf.suexec
2007-10-24 19:33	ScratchMonkey	Note Added: 0006186
2007-10-26 00:43	kbsingh@karan.org	Status	new => assigned
2008-04-03 20:44	breun	Note Added: 0007090