PAUSE - Perl Authors Upload Server
This module is the code that runs http://pause.cpan.org/, a server dedicated to collect the work of perl authors worldwide. It provides personal directories and enables their owners to upload their work into that directory themselves.
Here is an overview of PAUSE's structure:
apache-conf/ Apache Configuration apache-perl/ Legacy from the very first pause bin/ scripts, mainly paused, the pause daemon cron/ cronjobs doc/ doc htdocs/ symlinked to Apache's document root lib/ PAUSE.pm and such mirror/ mirror configuration, symlinked to /usr/local/mirror
The two core scripts are bin/paused and cron/mldistwatch. Both would need to be broken down into reusable and maintainable code.
PAUSE.pm was originally the pure configuration file, but now also contains some frequently used routines.
The following file has been excluded from the repository for obvious reasons:
PrivatePAUSE.pm contains only the usernames and passwords of the mysql users that own the two databases. See below for "Database schema".
Other sensitive files, like the SSL key of the server, password files need to be maintained separately from the repository. See below the section about user management.
File system layout
(last time updated: 2012-01-03)
If you have an older installation of PAUSE you probably want to know: /home/k is gone, cfengine is gone; puppet is supposed to replace cfengine, but in a way that the master and the client must run on localhost because we often take files directly from the repo.
Debian is gone, centos6 replaces it.
[ MISSING documentation:
/etc/cron.jobs/indexscripts.pl -> ../../home/kstar/cron/indexscripts.pl
Cronjob table for PAUSE
The repository has a file CRONTAB.ROOT which is usually quite in sync with the real pause.
External programs needed to run PAUSE
apache with mod_perl and Apache-SSL perl mirror (the good old one) mon proftpd mysqld rsync (runs as daemon) gpg unzip zsh
At the time of this writing (2012-01-03), all perl scripts were running under 5.16.2.
See doc/mod.schema.txt and doc/authen_pause.schema.txt for schema of PAUSE's two databases.
A dump of the mod database is produced every few hours and available for download in the ftp area. A dump of the authen_pause database is -- of course -- not available.
This section is about the fun of making mysql safe based on UNIX user and group permissions. This is dangerous stuff. Be careful here and follow the advice in the mysql manual about how to secure mysql in general. E.g.
--skip-networking and root user password are a must, etc.
PAUSE is running processes as user root, apache, ftp, and pause-unsafe. The user "puppet" in the group "puppet" owns the working copy of the repository and all the sensitive files. There are no members in the group puppet. The SSL data for the webservers and the passwords for accessing the DB are only readable by root who starts the webservers and runs the cronjobs.
This setup must ensure that the user apuse-unsafe cannot read the database account informations. The root password to mysql is not needed by any script, so can be stored offline.
Other security considerations
We practice security by visibility by giving the users as much information as possible about the status of their requests. This is mostly done by sending them mail about every action they take.
Another important axiom is that we disallow overwriting of files except for pure documentation files. That way the whole CPAN cannot fall out of sync and inconsistencies can be tracked easily. It opens us the possibility to maintain a backpan, a backup of all relevant files of all times. Any attempt to upload malicious code can thus be tracked much better.
As always, there are things we didn't bother to integrate into the repository because they are so basic stuff for any UNIX machine:
logrotate xntpd/ntpd sendmail/postfix
and probably more. If you discover pieces that are important but missing in the repository or documentation, please let us know.
Andreas Koenig <email@example.com>
Copyright 1995 - 2012 by Andreas Koenig <firstname.lastname@example.org>
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.