Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Tree: bbcfcfdb2f

Fetching latest commit…

Cannot retrieve the latest commit at this time

..
Failed to load latest commit information.
README
TODO
authen_pause.schema.txt
franz_to_kbx.plan
memo.chapterid-2004-11.txt
memo.schema.txt
memo.upgrade
memo.wipe-out-working-copy.txt
mod.schema.txt
pause-structure.txt

README

=head1 HOW TO SET UP A PRIVATE PAUSE APACHE

I always compiled it myself, so I repeat that exercise. Download
apache 1.3.xx and untar it. Then I prepare the distroprefs file for
this apache. I'm doing all my cpan download through the cpan shell and
collect all intricacies of modules in distorprefs files so I can
forget many details in everyday work. At the time of this writing
mod_perl 1.30 was current and it needed a patch to run with perl 5.10.
You may need this patch too.

  match:
    distribution: "/mod_perl-1"
  pl:
    args:
      - EVERYTHING=1
      - USE_APACI=1
      - APACHE_PREFIX=/home/src/apache/apachebin/1.3.41
      - APACI_ARGS=--enable-module=info,--enable-module=status
      - APACHE_SRC=/home/src/apache/apache_1.3.41/src
      - APACHE_SRC_DEFAULT=/home/src/apache/apache_1.3.41/src
      - DO_HTTPD=1
  depends:
    build_requires:
      LWP::UserAgent: 0
  patches:
    - "ANDK/mod_perl-1.30-SHAY-01.patch.gz"

Fire up the cpan shell and see if it builds and compiles. Recently
somebody believed there must be a /usr/lib/libperl.so. Couldn't figure
out who was to blame, I simply worked around it with:

  cd /usr/lib/
  ln -s libperl.so.5.10 libperl.so

If it builds and tests fine install it.

Next, we need to write the apache configuration. I like it to have the
server standalone so I can run it and stop it whenever I like. The
config I use on my laptop in in the repository as
C<apache-conf/httpd.conf.pause.atk81>, please take it as a blueprint
and adjust your paths and usernames, etc. Fire up the apache with

  /path/to/apache -f /path/to/yourapacheconf

Now try to access C<http://localhost:8406/pause/query> and see your
first page. If it does not show up, consult the error log and fix
missing modules, permissions, etc.

But it's unauthenticated. To get authentication working we need a
database. Let's start with the "mod" database:

  mysqladmin -uroot -p create mod
  rsync -vaP pause::pausedata/moddump.current.bz2 .
  bzcat moddump.current.bz2 | mysql -uroot -p mod

Then the authentication database.

  mysqladmin -uroot -p create authen_pause
  mysql      -uroot -p authen_pause < doc/authen_pause.schema.txt

Now prepare your crypted password with something like

  perl -le 'print crypt "tiger","ef"'

and insert the result into a record for yourself like

  mysql -uroot -p authen_pause -e 'insert into usertable (user,password) values ("ANDK", "efRzRzo0x4kCw")'

You probably want to make yourself an admin to try out the admin
interfaces:

  mysql -uroot -p authen_pause -e 'insert into grouptable (user,ugroup) values ("ANDK", "admin")'

And finally we must make these databases available to the perl.

  mkdir privatelib/

Edit C<privatelib/PrivatePAUSE.pm> and enter something like this:

  use strict;
  package PAUSE;
  our $Config;
  $Config->{AUTHEN_DATA_SOURCE_USER}  = "user1";
  $Config->{AUTHEN_DATA_SOURCE_PW}    = "secret1";
  $Config->{MOD_DATA_SOURCE_USER}     = "user2";
  $Config->{MOD_DATA_SOURCE_PW}       = "secret2";

Now you should be able to access
C<http://localhost:8406/pause/authenquery>

A red rectangle on the upper right reminds you that you're not using
SSL which is usually OK for the development platform.

=head1 PAUSE repository

This repository lives at

    git://github.com/andk/pause.git

and is considered to contain all relevant programs and configuration
data for running pause.perl.org except for the SSL key and certificate
and files containing passwords or other sensible data.

=head2 Excluded files

The following file has been excluded from the repository for obvious
reasons:

    privatelib/PrivatePAUSE.pm

PrivatePAUSE.pm contains only the usernames and passwords of the mysql
users that own the two databases. See below for "Database schema".

Other sensitive files, like the SSL key of the server, password files,
sshd_config need to be maintained separately from the repository. See
below the section about user management.

=head2 File system layout

On PAUSE most config files live in /home/k/PAUSE. Where files are
needed elsewhere in the filesystem, we used to use symlinks. Cfengine
was chosen to maintain the symlinks during the hardware upgrade in
March 2006, so all the symlinks needed are now listed in the
etc/cfengine directory.

[ MISSING documentation:

  /etc/cron.jobs/indexscripts.pl    -> ../../home/kstar/cron/indexscripts.pl
  /etc/security/limits.conf         -> ../../home/k/PAUSE/etc/security/limits.conf

]

(XXX integrate indexscripts.pl with the help of kstar)

=head2 External programs needed to run PAUSE

  apache1.x with mod_perl
  perl
  mysqld
  Apache-SSL (optional)
  mirror     (the good old one; optional)
  mon        (optional)
  proftpd    (optional)
  rsync      (runs as daemon; optional)
  gpg        (optional)
  unzip      (optional)

At the time of this writing (2009), all perl scripts were running
under 5.10.0

Apache-SSL is also known as Ben-SSL as it was written by Ben Laurie
and is available from ftp://ftp.ox.ac.uk/pub/crypto/SSL/Apache-SSL

=head2 Database schema

The files doc/*.schema.txt document the schema of the two databases. A
dump of the mod database is produced every few hours and available for
download in the ftp area. A dump of the authen_pause database is -- of
course -- not available.

=head2 User management

This section is about the fun of makeing mysql safe based on UNIX user
and group permissions. This is dangerous stuff. Be careful here and
follow the advice in the mysql manual about how to secure mysql in
general.

User "nobody" runs the web server.

PAUSE is running processes as user root, nobody, SVN, ftp, and UNSAFE.
The user "k" in the group "k" owns the working copy of the repository
and all the sensitive files. Group "k" must contain all users who
should be able to read sensitive data. So at least "nobody" (who runs
the webserver) must be in that group. Sensitive directories and files
must be group-readable and must not be world readable. The SSL data
for the webservers should not even be readable by that group, only by
root who starts the webservers.

This setup must ensure that the user UNSAFE cannot read the database
account informations. On the database side this is achieved by
granting the privileges on the two tables, nothing else, to one user.
The grant statement looks something like

  grant delete,index,insert,select,update,lock tables on mod.* to \
        'xxx'@'yyy' identified by 'zzz';

For replication, three additional privileges are needed: "reload,
super, replication client".

As an experimental feature we allowed replication to the world with

  grant replication slave on *.* to repl@'%' identified by 'perl';

This is the user whose access codes are stored in PrivatePAUSE.pm. The
root password to mysql is not needed by any script, so can be stored
offline.

=head2 Other security considerations

We practice security by visibility by giving the users as much
information as possible about the status of their requests. This is
mostly done by sending them mail about every action they take.

Another important axiom is that we disallow overwriting of files
except for pure documentation files. That way the whole CPAN cannot
fall out of sync and inconsistencies can be tracked easily. It opens
us the possibility to maintain a I<backpan>, a backup of all relevant
files of all times. Any attempt to upload malicious code can thus be
tracked much better.

=head2 Missing pieces

As always, there are things we didn't bother to integrate into the
repository because they are so basic stuff for any UNIX machine:

  logrotate
  xntpd
  sendmail

and probably more. If you discover pieces that are important but
missing in the repository or documentation, please let us know.

=cut
Something went wrong with that request. Please try again.