Permalink
Switch branches/tags
Nothing to show
Find file
Fetching contributors…
Cannot retrieve contributors at this time
149 lines (102 sloc) 4.59 KB

NAME

PAUSE - Perl Authors Upload Server

SYNOPSIS

This module is the code that runs http://pause.cpan.org/, a server dedicated to collect the work of perl authors worldwide. It provides personal directories and enables their owners to upload their work into that directory themselves.

DESCRIPTION

Here is an overview of PAUSE's structure:

apache-conf/       Apache Configuration
apache-perl/       Legacy from the very first pause
bin/               scripts, mainly paused, the pause daemon
cron/              cronjobs
doc/               doc
htdocs/            symlinked to Apache's document root
lib/               PAUSE.pm and such
mirror/            mirror configuration, symlinked to /usr/local/mirror

The two core scripts are bin/paused and cron/mldistwatch. Both would need to be broken down into reusable and maintainable code.

PAUSE.pm was originally the pure configuration file, but now also contains some frequently used routines.

Excluded files

The following file has been excluded from the repository for obvious reasons:

PrivatePAUSE.pm

PrivatePAUSE.pm contains only the usernames and passwords of the mysql users that own the two databases. See below for "Database schema".

Other sensitive files, like the SSL key of the server, password files need to be maintained separately from the repository. See below the section about user management.

File system layout

(last time updated: 2012-01-03)

If you have an older installation of PAUSE you probably want to know: /home/k is gone, cfengine is gone; puppet is supposed to replace cfengine, but in a way that the master and the client must run on localhost because we often take files directly from the repo.

Debian is gone, centos6 replaces it.

[ MISSING documentation:

/etc/cron.jobs/indexscripts.pl -> ../../home/kstar/cron/indexscripts.pl

]

Cronjob table for PAUSE

The repository has a file CRONTAB.ROOT which is usually quite in sync with the real pause.

External programs needed to run PAUSE

apache with mod_perl and Apache-SSL
perl
mirror (the good old one)
mon
proftpd
mysqld
rsync (runs as daemon)
gpg
unzip
zsh

At the time of this writing (2012-01-03), all perl scripts were running under 5.16.2.

Database schema

See doc/mod.schema.txt and doc/authen_pause.schema.txt for schema of PAUSE's two databases.

A dump of the mod database is produced every few hours and available for download in the ftp area. A dump of the authen_pause database is -- of course -- not available.

User management

This section is about the fun of making mysql safe based on UNIX user and group permissions. This is dangerous stuff. Be careful here and follow the advice in the mysql manual about how to secure mysql in general. E.g. --skip-networking and root user password are a must, etc.

PAUSE is running processes as user root, apache, ftp, and pause-unsafe. The user "puppet" in the group "puppet" owns the working copy of the repository and all the sensitive files. There are no members in the group puppet. The SSL data for the webservers and the passwords for accessing the DB are only readable by root who starts the webservers and runs the cronjobs.

This setup must ensure that the user apuse-unsafe cannot read the database account informations. The root password to mysql is not needed by any script, so can be stored offline.

Other security considerations

We practice security by visibility by giving the users as much information as possible about the status of their requests. This is mostly done by sending them mail about every action they take.

Another important axiom is that we disallow overwriting of files except for pure documentation files. That way the whole CPAN cannot fall out of sync and inconsistencies can be tracked easily. It opens us the possibility to maintain a backpan, a backup of all relevant files of all times. Any attempt to upload malicious code can thus be tracked much better.

Missing pieces

As always, there are things we didn't bother to integrate into the repository because they are so basic stuff for any UNIX machine:

logrotate
xntpd/ntpd
sendmail/postfix

and probably more. If you discover pieces that are important but missing in the repository or documentation, please let us know.

AUTHOR

Andreas Koenig <andreas.koenig@anima.de>

COPYRIGHT

Copyright 1995 - 2012 by Andreas Koenig <andk@cpan.org>

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

See http://www.perl.com/perl/misc/Artistic.html