Topic: Installing webapps - "I-bays" vs "/opt"

[cool34000]

Hi all

Sometime it's good to know "why" exactly things are like that...
So, I'm coming with one big question!


SME has a very nice system of ibays, which allows easy websites construction (and more)
But, it seems that a lot of contributors (all of them in fact) put their webapps like Joomla, TorrentFlux, phpMyAdmin, phpLDAPAdmin, etc. in /opt
What are the exact reasons? and what are the advantages of installing webapps in /opt ?
The FAQ is not very helpful about this subject:

Web Applications

* chmod 777

Using 777 is always wrong (despite the fact that many howtos recommend it). 0770 is sufficient, as long as www is a member of the group owning the directory, and is safer.

Use chown www /path/to/dir
and preferably put your app in /opt/app not in an ibay

A lot of us already know that, but many just don't know exactly why! (My self actually don't )


By the way, install in /opt is a bit harder because one must know how to use templates (especially httpd.conf) and sometimes it's just frustrating: no easy control on virtual domains (could this be a NFR?)


I would like to have a bigger explanation... I think this point should be really clear to everyone (so the FAQ can be updated)

Thanks in advance!

[william_syd]

Not exactly an answer...

http://lists.contribs.org/mailman/public/devinfo/msg09462.html

[william_syd]

By the way, install in /opt is a bit harder because one must know how to use templates (especially httpd.conf) and sometimes it's just frustrating: no easy control on virtual domains (could this be a NFR?)

http://bugs.contribs.org/show_bug.cgi?id=2460

[mark_s_tt]

I've wondered about this myself also.

Only reason I can think is so the Joomla rpm for example doesn't have to create an ibay and then install the app inside with a relevant domain pointing to it. Users would probably only want to change the ibay name anyway making things more difficult.

If it's installed in /opt, it's just installed to the same place on every system.

I think these sort of contribs are aimed at less experienced users anyway who don't want to worry about a manual installation. Experienced users will probably want to install Joomla in an ibay.

Could be wrong though.

[cactus]

If it's installed in /opt, it's just installed to the same place on every system.

Yep, and that is a big advantage.

I think these sort of contribs are aimed at less experienced users anyway who don't want to worry about a manual installation. Experienced users will probably want to install Joomla in an ibay.

I don't think experinced users should be doing so, experienced users should make use of the templating system and create a properly configured directive, alias etc. as this strengthems the security instead ofusing an ibay.

Could be wrong though.

I think you are .

Another suggestion: I am not very well known to the joomla interface, but I am to the gallery2 interface. Long before the existence of the rpm installation I already configured gallery to run on my server from one source base, located in the /opt. Does Joomla suport something like this as well? Gallery2 calls this a multisite installation and it only needs to copy a few files to the newly created location, which makes it very easy to make multiple gallery2 sites.

[mark_s_tt]

Cactus,

Are you basically saying that ibays are now insecure, and we should all make more work for ourselves by using the templating system to install our apps in /opt?

Personally, I'd chuck it in an ibay and set the correct permissions using the server-manager, but any more info as to why this is bad practice would be appreciated.

[cactus]

Cactus,

Are you basically saying that ibays are now insecure, and we should all make more work for ourselves by using the templating system to install our apps in /opt?

Nope, that is to strong. As an ibay only specifies for a certain amount of directives (Apache has a lot more) it could become vulnerable as some have to be adopted to get everything to work properly. I have seen people being advised to install in ibays and remove certain lines or chmod the content and adding the /tmp folder in the PHPOpenBasedir directive which could make it insecure. (Experienced) users should read up on the apache configuration directives and the requirements for there application and configure things accordingly keeping in mind the layout of SME Server.

A lot of applications come with configuration examples of the webserver configuration part, where an ibay configuration could work, it might not be strict enough compared to the configuration directives given by application documentation.

[mark_s_tt]

That goes some way to clearing this up, but isn't this what .htaccess is for?

I understand some people may consider .htaccess a greater risk than not using it at all, but it's actually designed to do the very thing you describe, and can even be used to increase site security.

So this takes us back to the beginning I suppose in that the only real benefit is for less experienced installers, and to make compiling rpm's easier. Doesn't it?

Regards
M.

[bpivk]

So this takes us back to the beginning I suppose in that the only real benefit is for less experienced installers, and to make compiling rpm's easier. Doesn't it?

No. AFAIK /opt is more secure because it can't be accessed online like ibays. Search the forums a little becuse some of the developers had a nice topic about it (i can't find it at the moment   )

[cactus]

That goes some way to clearing this up, but isn't this what .htaccess is for?

It could also be done with .htaccess files however one major disadvantage of this option is that with inproper security on the location, people might be able to upload .htaccess files with new contents, even extending to other locations. By putting all information into the configuration file(s) of the webserver, they are far less accessible to people with bad intentions. The .htaccess can be used as override but if you configure everything properly you do not need this override function, which closes one more security hole. Perhaps it might be useful to read up on apache and it's configuration directives on their site.

[mark_s_tt]

I think it's important we clear this up as this thread has the possibility of putting users off using ibays unnecessarily.

It's true, the apache foundation recommends against using .htaccess when it's possible to configure httpd.conf directly (or inderectly as with SME Server). The main reasons for this are twofold:

1. htaccess has a minor performance deficit (Not so important with hardware these days as it is only minor). If you can cope with this then fine.

2. Security, but only in certain circumstances. For example a hosting provider may allow a user to upload their own .htaccess to a html folder on a shared server. Under circumstances such as this you are effectively allowing users to alter your apache configuration.

This isn't the case here. You are modifying your own htaccess on your own server so this negates the risk in number 2. Anything you cock up in your own htaccess, you could cock up templating httpd.conf.

Lets not also forget the server-manager has no options in the ibay section to allow any visitors to alter, or upload a htaccess so this eliminates the threat of improper security, a risk which isn't also present when setting permissions manually. Without ftp access, this isn't possible even with 777 permissions.

I'm still not seeing any advantage to using /opt other than for building rpms, sorry. I never intended to get into a debate over this but I think we need to be realistic here.

**Edit**

If the devs do actually consider htaccess a security risk for options not already discussed here, what if we could add lines to the httpd.conf file from the ibay panel? This would still allow direct alteration of the apache config for the specific ibay without needing to mess with the templating system.

Is it possible to add this as a feature request for a future version perhaps?

[kruhm]

bpivk,

Your discussion was here:
http://forums.contribs.org/index.php?topic=33056.0

I think this has been asked enough to warrant a FAQ.

I'll let you tidy up the explanation.
Submit it to BT.
I'll add it to the FAQ when I'm going through the bugs.

[bpivk]

kruhm yes that was one of the posts and here is another
http://forums.contribs.org/index.php?topic=22307.0
I think that this one is better and i'll add it to the wiki.