SP packaging

Russ Allbery rra at debian.org
Sun Jan 31 08:06:03 UTC 2016


wferi at niif.hu (Ferenc Wágner) writes:

> Hmm, indeed, you provided much more verbose entries.  The relevant ones
> from 2.5.1+dfsg-1:

>   * New upstream release.  (Closes: #685069)
>     - The native.log file is now created as root before Apache child
>       initialization to minimize permission issues.
>   * Update libapache2-mod-shib2's README.Debian:
>     - The reason for switching native.logger to syslog is now obsolete
>       (but the package still does that, possibly to be reconsidered
>       later).

Oh, doh.  Clearly I had already recycled those brain cells and completely
forgotten about this.  Sorry!  Yeah, given that, let's just switch back to
the upstream default and save everyone the confusion.  People can always
override if they want to.  Thanks!

> The full commit message of a6ccea4 tells the other half of the story:

>   Reset native.logger (Apache module logs) to upstream behavior

Ack, I should have gone and read.  Sorry about that!

> As the linked issue shows, the upstream fix in 2.5.1 was partial only,
> because the first file on Apache startup was indeed created as root, but
> the following ones were not, so rotation did not work in the end.  This
> is all fixed by using a private directory owned by www-data (btw. should
> we change the group as well?)

I don't think it should matter.

> www-data is a static user, we can simply ship a directory owned by it.

Yup, makes perfect sense.

> I'm thrilled to remove this fallback from the init script.  But the
> above mentioned problem is largely unrelated.  The issue is that the
> admin can naturally issue shibd -t to check the config after some
> modification, and if this test run creates new metadata files (for
> example) in /var/cache/shibboleth, those will be owned by root.  Thus
> the daemon running as _shibd can't update them later.  I can't see a way
> to fix cleanly without putting the identity change into shibd.

Oh, okay, yes, this is kind of awkward.  But, well, it's a common problem
with a lot of different programs that normally run as some other user when
someone runs them as root, so I'm not *too* worried about it.

I'll hopefully get a chance to review and upload this tomorrow.  Thank you
for all your work on it!

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
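
An ownership audit for the cache-directory problem discussed in this thread, added here as an example; it is not part of the original message or of the Debian package. The directory and account defaults (/var/cache/shibboleth, _shibd) come from the thread; the function name and exit codes are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: report entries under a cache directory that the daemon
# account does not own, e.g. files left behind by a config test run as root.

# audit_cache_owner [DIR] [OWNER]
#   OWNER is a user name or a numeric uid.
#   Prints each offending path, one per line.
#   Returns 0 if everything under DIR is owned by OWNER,
#           1 if at least one entry is not,
#           2 if DIR or OWNER cannot be resolved.
audit_cache_owner() {
    dir=${1:-/var/cache/shibboleth}
    owner=${2:-_shibd}

    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # Resolve a user name to its uid; pass a numeric uid through unchanged.
    case $owner in
        *[!0-9]*)
            uid=$(id -u "$owner" 2>/dev/null) || {
                echo "unknown user: $owner" >&2
                return 2
            }
            ;;
        *)
            uid=$owner
            ;;
    esac

    # find accepts a numeric uid for -user; the directory itself is checked too.
    bad=$(find "$dir" ! -user "$uid" -print)
    [ -z "$bad" ] && return 0

    printf '%s\n' "$bad"
    return 1
}
```

Sourced from a cron job or a post-change check, a return status of 1 identifies the paths whose ownership needs resetting before the daemon next tries to update them.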


